xmrig | f77d2eb252ef558582d8a92ac08b300bfb4a7d5ee1d3a8913f6c730feb3e2e8e

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
Size

979KB
MD5

07ba17b852a45cd23dacc3cdc3e02e73
SHA1

9c0585bd03745e8b5a5b54be986ee48b6f50e996
SHA256

f77d2eb252ef558582d8a92ac08b300bfb4a7d5ee1d3a8913f6c730feb3e2e8e
SHA512

aca1cb32733f29f19deeeb99c67ea2c9927a201de66b13d5701ab4d588d4b80eac5accd14fb00f28809149ded2c060bc886992935129aae8f3f93eeb83222aca
SSDEEP

24576:JanwhSe11QSONCpGJCjETPl+Me7bPMS8YkgcWOS:knw9oUUEEDl+xTMS8Tg1

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/3116-53-0x00007FF7E8520000-0x00007FF7E8911000-memory.dmp	xmrig
behavioral2/memory/4592-58-0x00007FF666E10000-0x00007FF667201000-memory.dmp	xmrig
behavioral2/memory/4476-57-0x00007FF77B120000-0x00007FF77B511000-memory.dmp	xmrig
behavioral2/memory/1544-47-0x00007FF7E8750000-0x00007FF7E8B41000-memory.dmp	xmrig
behavioral2/memory/1152-273-0x00007FF622890000-0x00007FF622C81000-memory.dmp	xmrig
behavioral2/memory/4108-288-0x00007FF7D6470000-0x00007FF7D6861000-memory.dmp	xmrig
behavioral2/memory/4464-292-0x00007FF763A40000-0x00007FF763E31000-memory.dmp	xmrig
behavioral2/memory/1228-304-0x00007FF61AAB0000-0x00007FF61AEA1000-memory.dmp	xmrig
behavioral2/memory/2488-305-0x00007FF730C50000-0x00007FF731041000-memory.dmp	xmrig
behavioral2/memory/3092-308-0x00007FF720130000-0x00007FF720521000-memory.dmp	xmrig
behavioral2/memory/3052-319-0x00007FF67DBB0000-0x00007FF67DFA1000-memory.dmp	xmrig
behavioral2/memory/4388-331-0x00007FF73D390000-0x00007FF73D781000-memory.dmp	xmrig
behavioral2/memory/1096-333-0x00007FF6E7D90000-0x00007FF6E8181000-memory.dmp	xmrig
behavioral2/memory/3892-332-0x00007FF748000000-0x00007FF7483F1000-memory.dmp	xmrig
behavioral2/memory/332-329-0x00007FF668310000-0x00007FF668701000-memory.dmp	xmrig
behavioral2/memory/2108-284-0x00007FF6BF790000-0x00007FF6BFB81000-memory.dmp	xmrig
behavioral2/memory/5012-71-0x00007FF74FFA0000-0x00007FF750391000-memory.dmp	xmrig
behavioral2/memory/1380-63-0x00007FF757610000-0x00007FF757A01000-memory.dmp	xmrig
behavioral2/memory/4276-61-0x00007FF66A190000-0x00007FF66A581000-memory.dmp	xmrig
behavioral2/memory/2784-1989-0x00007FF6827A0000-0x00007FF682B91000-memory.dmp	xmrig
behavioral2/memory/4280-1990-0x00007FF7A41B0000-0x00007FF7A45A1000-memory.dmp	xmrig
behavioral2/memory/3044-2004-0x00007FF62A790000-0x00007FF62AB81000-memory.dmp	xmrig
behavioral2/memory/2884-2026-0x00007FF670A20000-0x00007FF670E11000-memory.dmp	xmrig
behavioral2/memory/2420-2046-0x00007FF791220000-0x00007FF791611000-memory.dmp	xmrig
behavioral2/memory/4276-2048-0x00007FF66A190000-0x00007FF66A581000-memory.dmp	xmrig
behavioral2/memory/2784-2050-0x00007FF6827A0000-0x00007FF682B91000-memory.dmp	xmrig
behavioral2/memory/4592-2062-0x00007FF666E10000-0x00007FF667201000-memory.dmp	xmrig
behavioral2/memory/3044-2066-0x00007FF62A790000-0x00007FF62AB81000-memory.dmp	xmrig
behavioral2/memory/5012-2064-0x00007FF74FFA0000-0x00007FF750391000-memory.dmp	xmrig
behavioral2/memory/1380-2060-0x00007FF757610000-0x00007FF757A01000-memory.dmp	xmrig
behavioral2/memory/4476-2058-0x00007FF77B120000-0x00007FF77B511000-memory.dmp	xmrig
behavioral2/memory/3116-2056-0x00007FF7E8520000-0x00007FF7E8911000-memory.dmp	xmrig
behavioral2/memory/1544-2052-0x00007FF7E8750000-0x00007FF7E8B41000-memory.dmp	xmrig
behavioral2/memory/4280-2054-0x00007FF7A41B0000-0x00007FF7A45A1000-memory.dmp	xmrig
behavioral2/memory/2108-2070-0x00007FF6BF790000-0x00007FF6BFB81000-memory.dmp	xmrig
behavioral2/memory/4108-2101-0x00007FF7D6470000-0x00007FF7D6861000-memory.dmp	xmrig
behavioral2/memory/1096-2105-0x00007FF6E7D90000-0x00007FF6E8181000-memory.dmp	xmrig
behavioral2/memory/332-2103-0x00007FF668310000-0x00007FF668701000-memory.dmp	xmrig
behavioral2/memory/4464-2099-0x00007FF763A40000-0x00007FF763E31000-memory.dmp	xmrig
behavioral2/memory/4388-2080-0x00007FF73D390000-0x00007FF73D781000-memory.dmp	xmrig
behavioral2/memory/3892-2076-0x00007FF748000000-0x00007FF7483F1000-memory.dmp	xmrig
behavioral2/memory/3092-2072-0x00007FF720130000-0x00007FF720521000-memory.dmp	xmrig
behavioral2/memory/1228-2097-0x00007FF61AAB0000-0x00007FF61AEA1000-memory.dmp	xmrig
behavioral2/memory/2488-2095-0x00007FF730C50000-0x00007FF731041000-memory.dmp	xmrig
behavioral2/memory/1152-2078-0x00007FF622890000-0x00007FF622C81000-memory.dmp	xmrig
behavioral2/memory/3052-2074-0x00007FF67DBB0000-0x00007FF67DFA1000-memory.dmp	xmrig
behavioral2/memory/2884-2068-0x00007FF670A20000-0x00007FF670E11000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2420	ruvFSCD.exe
2784	Uugrnte.exe
4276	tbiChVm.exe
4280	SRelYCB.exe
1544	efvpPgi.exe
1380	qTFexWq.exe
3116	izQdAdB.exe
4476	unepaiN.exe
4592	qSgjBYF.exe
3044	bqEZEeB.exe
5012	EWuXUKs.exe
2884	fCrSPdi.exe
1152	zTLsHnS.exe
2108	wOjFRzn.exe
4108	IQIFanD.exe
4464	UOhYtMe.exe
1228	VtvXCle.exe
2488	snClGwt.exe
3092	POIPhIE.exe
3052	ZmHGbjS.exe
332	ktUXKqs.exe
4388	EtOgRUt.exe
3892	xhYwHvg.exe
1096	zGAnouK.exe
4768	pbBGvfQ.exe
4652	CSfINkr.exe
3940	GrfwsEk.exe
1444	WUpfxYL.exe
2252	JxqgfeD.exe
4448	cJRQtMv.exe
2292	pxnxZam.exe
3964	EfZOEcl.exe
1176	GgjBqWL.exe
1020	RpHtBVY.exe
4400	aCIXDtr.exe
3984	mFvYhYl.exe
3280	Qatnqgd.exe
3556	UkiYkaC.exe
2492	XfBbKXy.exe
2520	NzRXExE.exe
2068	vNXSSCg.exe
2656	hDZJdCg.exe
5008	eJfzhku.exe
3196	mcilJuF.exe
740	FSiAkyI.exe
4340	vtvZhup.exe
1404	VueIshu.exe
4780	qurwYSH.exe
3356	LHgjQIf.exe
2324	PAdtxEl.exe
1640	bFkapmo.exe
4548	dLZUWkM.exe
752	bbPkxXS.exe
3824	IuerOOu.exe
3736	OIBpzaH.exe
1828	IkEizJr.exe
3716	rOLPJUX.exe
3764	liAuJxL.exe
4788	IlTJYDS.exe
3464	lTybkEZ.exe
4732	NiDFgxY.exe
4240	uHoLXIy.exe
4800	ZMQloCu.exe
4740	LfHdPTs.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1480-0-0x00007FF74C860000-0x00007FF74CC51000-memory.dmp	upx
behavioral2/files/0x000c000000023bbe-5.dat	upx
behavioral2/files/0x000a000000023bc3-21.dat	upx
behavioral2/memory/2784-30-0x00007FF6827A0000-0x00007FF682B91000-memory.dmp	upx
behavioral2/files/0x000a000000023bc4-41.dat	upx
behavioral2/files/0x000a000000023bc7-44.dat	upx
behavioral2/memory/3116-53-0x00007FF7E8520000-0x00007FF7E8911000-memory.dmp	upx
behavioral2/memory/4592-58-0x00007FF666E10000-0x00007FF667201000-memory.dmp	upx
behavioral2/memory/4476-57-0x00007FF77B120000-0x00007FF77B511000-memory.dmp	upx
behavioral2/files/0x000a000000023bca-55.dat	upx
behavioral2/files/0x000a000000023bc6-52.dat	upx
behavioral2/memory/1544-47-0x00007FF7E8750000-0x00007FF7E8B41000-memory.dmp	upx
behavioral2/files/0x000a000000023bc8-46.dat	upx
behavioral2/files/0x000a000000023bc9-48.dat	upx
behavioral2/memory/4280-35-0x00007FF7A41B0000-0x00007FF7A45A1000-memory.dmp	upx
behavioral2/files/0x000a000000023bc5-33.dat	upx
behavioral2/files/0x000a000000023bc2-25.dat	upx
behavioral2/memory/2420-18-0x00007FF791220000-0x00007FF791611000-memory.dmp	upx
behavioral2/files/0x000b000000023be0-173.dat	upx
behavioral2/files/0x000b000000023bdf-168.dat	upx
behavioral2/files/0x000a000000023bde-164.dat	upx
behavioral2/files/0x000a000000023bdd-158.dat	upx
behavioral2/files/0x000a000000023bdc-154.dat	upx
behavioral2/files/0x000a000000023bdb-148.dat	upx
behavioral2/files/0x000a000000023bda-143.dat	upx
behavioral2/files/0x000a000000023bd9-138.dat	upx
behavioral2/files/0x000a000000023bd8-133.dat	upx
behavioral2/files/0x000a000000023bd7-128.dat	upx
behavioral2/files/0x000a000000023bd6-124.dat	upx
behavioral2/files/0x000a000000023bd5-119.dat	upx
behavioral2/memory/1152-273-0x00007FF622890000-0x00007FF622C81000-memory.dmp	upx
behavioral2/memory/4108-288-0x00007FF7D6470000-0x00007FF7D6861000-memory.dmp	upx
behavioral2/memory/4464-292-0x00007FF763A40000-0x00007FF763E31000-memory.dmp	upx
behavioral2/memory/1228-304-0x00007FF61AAB0000-0x00007FF61AEA1000-memory.dmp	upx
behavioral2/memory/2488-305-0x00007FF730C50000-0x00007FF731041000-memory.dmp	upx
behavioral2/memory/3092-308-0x00007FF720130000-0x00007FF720521000-memory.dmp	upx
behavioral2/memory/3052-319-0x00007FF67DBB0000-0x00007FF67DFA1000-memory.dmp	upx
behavioral2/memory/4388-331-0x00007FF73D390000-0x00007FF73D781000-memory.dmp	upx
behavioral2/memory/1096-333-0x00007FF6E7D90000-0x00007FF6E8181000-memory.dmp	upx
behavioral2/memory/3892-332-0x00007FF748000000-0x00007FF7483F1000-memory.dmp	upx
behavioral2/memory/332-329-0x00007FF668310000-0x00007FF668701000-memory.dmp	upx
behavioral2/memory/2108-284-0x00007FF6BF790000-0x00007FF6BFB81000-memory.dmp	upx
behavioral2/files/0x000a000000023bd4-113.dat	upx
behavioral2/files/0x000a000000023bd3-108.dat	upx
behavioral2/files/0x000a000000023bd2-104.dat	upx
behavioral2/files/0x000a000000023bd1-99.dat	upx
behavioral2/files/0x000a000000023bd0-93.dat	upx
behavioral2/files/0x000a000000023bcf-89.dat	upx
behavioral2/files/0x000a000000023bce-83.dat	upx
behavioral2/files/0x000a000000023bcd-79.dat	upx
behavioral2/files/0x000a000000023bcc-73.dat	upx
behavioral2/memory/2884-72-0x00007FF670A20000-0x00007FF670E11000-memory.dmp	upx
behavioral2/memory/5012-71-0x00007FF74FFA0000-0x00007FF750391000-memory.dmp	upx
behavioral2/memory/3044-69-0x00007FF62A790000-0x00007FF62AB81000-memory.dmp	upx
behavioral2/files/0x000a000000023bcb-64.dat	upx
behavioral2/memory/1380-63-0x00007FF757610000-0x00007FF757A01000-memory.dmp	upx
behavioral2/memory/4276-61-0x00007FF66A190000-0x00007FF66A581000-memory.dmp	upx
behavioral2/memory/2784-1989-0x00007FF6827A0000-0x00007FF682B91000-memory.dmp	upx
behavioral2/memory/4280-1990-0x00007FF7A41B0000-0x00007FF7A45A1000-memory.dmp	upx
behavioral2/memory/3044-2004-0x00007FF62A790000-0x00007FF62AB81000-memory.dmp	upx
behavioral2/memory/2884-2026-0x00007FF670A20000-0x00007FF670E11000-memory.dmp	upx
behavioral2/memory/2420-2046-0x00007FF791220000-0x00007FF791611000-memory.dmp	upx
behavioral2/memory/4276-2048-0x00007FF66A190000-0x00007FF66A581000-memory.dmp	upx
behavioral2/memory/2784-2050-0x00007FF6827A0000-0x00007FF682B91000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\YOCKSYh.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\UzpWArY.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\sRPCVpD.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\xWsNdRQ.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\WbkucGS.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\LDWXYyS.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\vJDPJmk.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\nTYKqIK.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\FYLzpwD.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\DGUXdHW.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\TvgZIpB.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\ATVsUIN.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\MRxUYli.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\qEGvvYx.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\PLzpKRI.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\wILPLGl.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\ojSvAVk.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\TgNdhzf.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\VdErssJ.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\rzPkEkL.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\EnSkkdu.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\IlTJYDS.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\bdRqLLH.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\kshKWIE.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\IpzMZXc.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\XNklkQA.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\dBEDyUe.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\HPYjjMU.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\MXkgOBy.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\jmkzjBm.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\LojgReg.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\xcFnqUr.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\FObmLbo.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\TLideJH.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\qurwYSH.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\uHoLXIy.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\jDhAEzC.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\Krkyowz.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\khSXamE.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\mebXrQJ.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\nrfIkDd.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\GmdfmLh.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\pnPinrK.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\naJYjuL.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\iJiEAbT.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\QwYEABP.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\Zcbzogo.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\oAcjfnO.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\jmItxxg.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\ROBtNBg.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\LBQZLBh.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\puNAGlj.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\fTkQYeA.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\QmzeYtp.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\tCpjxzy.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\EUWhqZc.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\aLnpGoI.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\EtOgRUt.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\OflZQuO.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\lfkDRLF.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\iUZTtNy.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\xKVNAQv.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\hthgUqH.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
File created	C:\Windows\System32\hDZJdCg.exe	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13024	dwm.exe
Token: SeChangeNotifyPrivilege	13024	dwm.exe
Token: 33	13024	dwm.exe
Token: SeIncBasePriorityPrivilege	13024	dwm.exe
Token: SeShutdownPrivilege	13024	dwm.exe
Token: SeCreatePagefilePrivilege	13024	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 2420	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	85
PID 1480 wrote to memory of 2420	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	85
PID 1480 wrote to memory of 2784	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	86
PID 1480 wrote to memory of 2784	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	86
PID 1480 wrote to memory of 4276	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	87
PID 1480 wrote to memory of 4276	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	87
PID 1480 wrote to memory of 4280	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	88
PID 1480 wrote to memory of 4280	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	88
PID 1480 wrote to memory of 1544	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	89
PID 1480 wrote to memory of 1544	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	89
PID 1480 wrote to memory of 1380	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	90
PID 1480 wrote to memory of 1380	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	90
PID 1480 wrote to memory of 3116	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	91
PID 1480 wrote to memory of 3116	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	91
PID 1480 wrote to memory of 4476	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	92
PID 1480 wrote to memory of 4476	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	92
PID 1480 wrote to memory of 4592	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	93
PID 1480 wrote to memory of 4592	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	93
PID 1480 wrote to memory of 3044	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	94
PID 1480 wrote to memory of 3044	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	94
PID 1480 wrote to memory of 5012	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	95
PID 1480 wrote to memory of 5012	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	95
PID 1480 wrote to memory of 2884	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	96
PID 1480 wrote to memory of 2884	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	96
PID 1480 wrote to memory of 1152	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	97
PID 1480 wrote to memory of 1152	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	97
PID 1480 wrote to memory of 2108	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	98
PID 1480 wrote to memory of 2108	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	98
PID 1480 wrote to memory of 4108	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	99
PID 1480 wrote to memory of 4108	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	99
PID 1480 wrote to memory of 4464	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	100
PID 1480 wrote to memory of 4464	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	100
PID 1480 wrote to memory of 1228	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	101
PID 1480 wrote to memory of 1228	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	101
PID 1480 wrote to memory of 2488	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	102
PID 1480 wrote to memory of 2488	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	102
PID 1480 wrote to memory of 3092	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	103
PID 1480 wrote to memory of 3092	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	103
PID 1480 wrote to memory of 3052	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	104
PID 1480 wrote to memory of 3052	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	104
PID 1480 wrote to memory of 332	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	105
PID 1480 wrote to memory of 332	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	105
PID 1480 wrote to memory of 4388	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	106
PID 1480 wrote to memory of 4388	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	106
PID 1480 wrote to memory of 3892	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	107
PID 1480 wrote to memory of 3892	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	107
PID 1480 wrote to memory of 1096	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	108
PID 1480 wrote to memory of 1096	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	108
PID 1480 wrote to memory of 4768	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	109
PID 1480 wrote to memory of 4768	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	109
PID 1480 wrote to memory of 4652	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	110
PID 1480 wrote to memory of 4652	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	110
PID 1480 wrote to memory of 3940	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	111
PID 1480 wrote to memory of 3940	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	111
PID 1480 wrote to memory of 1444	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	112
PID 1480 wrote to memory of 1444	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	112
PID 1480 wrote to memory of 2252	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	113
PID 1480 wrote to memory of 2252	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	113
PID 1480 wrote to memory of 4448	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	114
PID 1480 wrote to memory of 4448	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	114
PID 1480 wrote to memory of 2292	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	115
PID 1480 wrote to memory of 2292	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	115
PID 1480 wrote to memory of 3964	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	116
PID 1480 wrote to memory of 3964	1480	07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07ba17b852a45cd23dacc3cdc3e02e73_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\System32\ruvFSCD.exe
  C:\Windows\System32\ruvFSCD.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System32\Uugrnte.exe
  C:\Windows\System32\Uugrnte.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System32\tbiChVm.exe
  C:\Windows\System32\tbiChVm.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System32\SRelYCB.exe
  C:\Windows\System32\SRelYCB.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System32\efvpPgi.exe
  C:\Windows\System32\efvpPgi.exe
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\System32\qTFexWq.exe
  C:\Windows\System32\qTFexWq.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System32\izQdAdB.exe
  C:\Windows\System32\izQdAdB.exe
  2⤵
  - Executes dropped EXE
  PID:3116
- C:\Windows\System32\unepaiN.exe
  C:\Windows\System32\unepaiN.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System32\qSgjBYF.exe
  C:\Windows\System32\qSgjBYF.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System32\bqEZEeB.exe
  C:\Windows\System32\bqEZEeB.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System32\EWuXUKs.exe
  C:\Windows\System32\EWuXUKs.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System32\fCrSPdi.exe
  C:\Windows\System32\fCrSPdi.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System32\zTLsHnS.exe
  C:\Windows\System32\zTLsHnS.exe
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\System32\wOjFRzn.exe
  C:\Windows\System32\wOjFRzn.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System32\IQIFanD.exe
  C:\Windows\System32\IQIFanD.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System32\UOhYtMe.exe
  C:\Windows\System32\UOhYtMe.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System32\VtvXCle.exe
  C:\Windows\System32\VtvXCle.exe
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Windows\System32\snClGwt.exe
  C:\Windows\System32\snClGwt.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System32\POIPhIE.exe
  C:\Windows\System32\POIPhIE.exe
  2⤵
  - Executes dropped EXE
  PID:3092
- C:\Windows\System32\ZmHGbjS.exe
  C:\Windows\System32\ZmHGbjS.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System32\ktUXKqs.exe
  C:\Windows\System32\ktUXKqs.exe
  2⤵
  - Executes dropped EXE
  PID:332
- C:\Windows\System32\EtOgRUt.exe
  C:\Windows\System32\EtOgRUt.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System32\xhYwHvg.exe
  C:\Windows\System32\xhYwHvg.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System32\zGAnouK.exe
  C:\Windows\System32\zGAnouK.exe
  2⤵
  - Executes dropped EXE
  PID:1096
- C:\Windows\System32\pbBGvfQ.exe
  C:\Windows\System32\pbBGvfQ.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System32\CSfINkr.exe
  C:\Windows\System32\CSfINkr.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System32\GrfwsEk.exe
  C:\Windows\System32\GrfwsEk.exe
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Windows\System32\WUpfxYL.exe
  C:\Windows\System32\WUpfxYL.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System32\JxqgfeD.exe
  C:\Windows\System32\JxqgfeD.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System32\cJRQtMv.exe
  C:\Windows\System32\cJRQtMv.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\System32\pxnxZam.exe
  C:\Windows\System32\pxnxZam.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System32\EfZOEcl.exe
  C:\Windows\System32\EfZOEcl.exe
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Windows\System32\GgjBqWL.exe
  C:\Windows\System32\GgjBqWL.exe
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\System32\RpHtBVY.exe
  C:\Windows\System32\RpHtBVY.exe
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\System32\aCIXDtr.exe
  C:\Windows\System32\aCIXDtr.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System32\mFvYhYl.exe
  C:\Windows\System32\mFvYhYl.exe
  2⤵
  - Executes dropped EXE
  PID:3984
- C:\Windows\System32\Qatnqgd.exe
  C:\Windows\System32\Qatnqgd.exe
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\System32\UkiYkaC.exe
  C:\Windows\System32\UkiYkaC.exe
  2⤵
  - Executes dropped EXE
  PID:3556
- C:\Windows\System32\XfBbKXy.exe
  C:\Windows\System32\XfBbKXy.exe
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\System32\NzRXExE.exe
  C:\Windows\System32\NzRXExE.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System32\vNXSSCg.exe
  C:\Windows\System32\vNXSSCg.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System32\hDZJdCg.exe
  C:\Windows\System32\hDZJdCg.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System32\eJfzhku.exe
  C:\Windows\System32\eJfzhku.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System32\mcilJuF.exe
  C:\Windows\System32\mcilJuF.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System32\FSiAkyI.exe
  C:\Windows\System32\FSiAkyI.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System32\vtvZhup.exe
  C:\Windows\System32\vtvZhup.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System32\VueIshu.exe
  C:\Windows\System32\VueIshu.exe
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\System32\qurwYSH.exe
  C:\Windows\System32\qurwYSH.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System32\LHgjQIf.exe
  C:\Windows\System32\LHgjQIf.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System32\PAdtxEl.exe
  C:\Windows\System32\PAdtxEl.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System32\bFkapmo.exe
  C:\Windows\System32\bFkapmo.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System32\dLZUWkM.exe
  C:\Windows\System32\dLZUWkM.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System32\bbPkxXS.exe
  C:\Windows\System32\bbPkxXS.exe
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Windows\System32\IuerOOu.exe
  C:\Windows\System32\IuerOOu.exe
  2⤵
  - Executes dropped EXE
  PID:3824
- C:\Windows\System32\OIBpzaH.exe
  C:\Windows\System32\OIBpzaH.exe
  2⤵
  - Executes dropped EXE
  PID:3736
- C:\Windows\System32\IkEizJr.exe
  C:\Windows\System32\IkEizJr.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\System32\rOLPJUX.exe
  C:\Windows\System32\rOLPJUX.exe
  2⤵
  - Executes dropped EXE
  PID:3716
- C:\Windows\System32\liAuJxL.exe
  C:\Windows\System32\liAuJxL.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System32\IlTJYDS.exe
  C:\Windows\System32\IlTJYDS.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System32\lTybkEZ.exe
  C:\Windows\System32\lTybkEZ.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System32\NiDFgxY.exe
  C:\Windows\System32\NiDFgxY.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System32\uHoLXIy.exe
  C:\Windows\System32\uHoLXIy.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System32\ZMQloCu.exe
  C:\Windows\System32\ZMQloCu.exe
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Windows\System32\LfHdPTs.exe
  C:\Windows\System32\LfHdPTs.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System32\EPsHwtO.exe
  C:\Windows\System32\EPsHwtO.exe
  2⤵
  PID:2628
- C:\Windows\System32\PSAXTOD.exe
  C:\Windows\System32\PSAXTOD.exe
  2⤵
  PID:4572
- C:\Windows\System32\jDhAEzC.exe
  C:\Windows\System32\jDhAEzC.exe
  2⤵
  PID:2248
- C:\Windows\System32\VjsaXcw.exe
  C:\Windows\System32\VjsaXcw.exe
  2⤵
  PID:1696
- C:\Windows\System32\RFiHqBh.exe
  C:\Windows\System32\RFiHqBh.exe
  2⤵
  PID:2088
- C:\Windows\System32\cCnIcsA.exe
  C:\Windows\System32\cCnIcsA.exe
  2⤵
  PID:964
- C:\Windows\System32\OflZQuO.exe
  C:\Windows\System32\OflZQuO.exe
  2⤵
  PID:5084
- C:\Windows\System32\HClpzHW.exe
  C:\Windows\System32\HClpzHW.exe
  2⤵
  PID:2564
- C:\Windows\System32\KtkpuDv.exe
  C:\Windows\System32\KtkpuDv.exe
  2⤵
  PID:2848
- C:\Windows\System32\xaTFiyj.exe
  C:\Windows\System32\xaTFiyj.exe
  2⤵
  PID:3424
- C:\Windows\System32\cAxcZIs.exe
  C:\Windows\System32\cAxcZIs.exe
  2⤵
  PID:1612
- C:\Windows\System32\pPIxkIx.exe
  C:\Windows\System32\pPIxkIx.exe
  2⤵
  PID:1756
- C:\Windows\System32\PaMGzuF.exe
  C:\Windows\System32\PaMGzuF.exe
  2⤵
  PID:4320
- C:\Windows\System32\NiXPKcn.exe
  C:\Windows\System32\NiXPKcn.exe
  2⤵
  PID:4560
- C:\Windows\System32\GktrAGa.exe
  C:\Windows\System32\GktrAGa.exe
  2⤵
  PID:4820
- C:\Windows\System32\JRdMmXK.exe
  C:\Windows\System32\JRdMmXK.exe
  2⤵
  PID:4936
- C:\Windows\System32\JhOAyzQ.exe
  C:\Windows\System32\JhOAyzQ.exe
  2⤵
  PID:4032
- C:\Windows\System32\BxyxuQV.exe
  C:\Windows\System32\BxyxuQV.exe
  2⤵
  PID:4048
- C:\Windows\System32\BHZKiTI.exe
  C:\Windows\System32\BHZKiTI.exe
  2⤵
  PID:1468
- C:\Windows\System32\tMpNJVo.exe
  C:\Windows\System32\tMpNJVo.exe
  2⤵
  PID:1112
- C:\Windows\System32\kkWUIoa.exe
  C:\Windows\System32\kkWUIoa.exe
  2⤵
  PID:4104
- C:\Windows\System32\RGmuKIr.exe
  C:\Windows\System32\RGmuKIr.exe
  2⤵
  PID:2232
- C:\Windows\System32\qQvMSDC.exe
  C:\Windows\System32\qQvMSDC.exe
  2⤵
  PID:4472
- C:\Windows\System32\NknYGqO.exe
  C:\Windows\System32\NknYGqO.exe
  2⤵
  PID:3108
- C:\Windows\System32\SZExXWI.exe
  C:\Windows\System32\SZExXWI.exe
  2⤵
  PID:3460
- C:\Windows\System32\bOXhInE.exe
  C:\Windows\System32\bOXhInE.exe
  2⤵
  PID:3416
- C:\Windows\System32\VJjdJSD.exe
  C:\Windows\System32\VJjdJSD.exe
  2⤵
  PID:4100
- C:\Windows\System32\gogqkqr.exe
  C:\Windows\System32\gogqkqr.exe
  2⤵
  PID:3648
- C:\Windows\System32\HewvzJJ.exe
  C:\Windows\System32\HewvzJJ.exe
  2⤵
  PID:4528
- C:\Windows\System32\NIbvZxg.exe
  C:\Windows\System32\NIbvZxg.exe
  2⤵
  PID:4568
- C:\Windows\System32\TXiTEkh.exe
  C:\Windows\System32\TXiTEkh.exe
  2⤵
  PID:5140
- C:\Windows\System32\Krkyowz.exe
  C:\Windows\System32\Krkyowz.exe
  2⤵
  PID:5168
- C:\Windows\System32\njSQCNT.exe
  C:\Windows\System32\njSQCNT.exe
  2⤵
  PID:5196
- C:\Windows\System32\iZQTAKb.exe
  C:\Windows\System32\iZQTAKb.exe
  2⤵
  PID:5232
- C:\Windows\System32\tCpjxzy.exe
  C:\Windows\System32\tCpjxzy.exe
  2⤵
  PID:5256
- C:\Windows\System32\OxDvpdX.exe
  C:\Windows\System32\OxDvpdX.exe
  2⤵
  PID:5280
- C:\Windows\System32\GVkUmzq.exe
  C:\Windows\System32\GVkUmzq.exe
  2⤵
  PID:5316
- C:\Windows\System32\KGFXqzN.exe
  C:\Windows\System32\KGFXqzN.exe
  2⤵
  PID:5344
- C:\Windows\System32\vHUNORT.exe
  C:\Windows\System32\vHUNORT.exe
  2⤵
  PID:5368
- C:\Windows\System32\EtudEeQ.exe
  C:\Windows\System32\EtudEeQ.exe
  2⤵
  PID:5404
- C:\Windows\System32\tUasXzS.exe
  C:\Windows\System32\tUasXzS.exe
  2⤵
  PID:5440
- C:\Windows\System32\ysMREUn.exe
  C:\Windows\System32\ysMREUn.exe
  2⤵
  PID:5456
- C:\Windows\System32\CtFmmMD.exe
  C:\Windows\System32\CtFmmMD.exe
  2⤵
  PID:5480
- C:\Windows\System32\iNpvGXo.exe
  C:\Windows\System32\iNpvGXo.exe
  2⤵
  PID:5512
- C:\Windows\System32\XbZAKpW.exe
  C:\Windows\System32\XbZAKpW.exe
  2⤵
  PID:5540
- C:\Windows\System32\WRVligK.exe
  C:\Windows\System32\WRVligK.exe
  2⤵
  PID:5568
- C:\Windows\System32\wJEvuvX.exe
  C:\Windows\System32\wJEvuvX.exe
  2⤵
  PID:5592
- C:\Windows\System32\myXBxbg.exe
  C:\Windows\System32\myXBxbg.exe
  2⤵
  PID:5616
- C:\Windows\System32\flgxuej.exe
  C:\Windows\System32\flgxuej.exe
  2⤵
  PID:5632
- C:\Windows\System32\OmTicUE.exe
  C:\Windows\System32\OmTicUE.exe
  2⤵
  PID:5656
- C:\Windows\System32\qRTYkpf.exe
  C:\Windows\System32\qRTYkpf.exe
  2⤵
  PID:5680
- C:\Windows\System32\yQwfnlM.exe
  C:\Windows\System32\yQwfnlM.exe
  2⤵
  PID:5720
- C:\Windows\System32\vIJIAEI.exe
  C:\Windows\System32\vIJIAEI.exe
  2⤵
  PID:5740
- C:\Windows\System32\eZLWZyx.exe
  C:\Windows\System32\eZLWZyx.exe
  2⤵
  PID:5760
- C:\Windows\System32\eDHEGMx.exe
  C:\Windows\System32\eDHEGMx.exe
  2⤵
  PID:5784
- C:\Windows\System32\MRxUYli.exe
  C:\Windows\System32\MRxUYli.exe
  2⤵
  PID:5820
- C:\Windows\System32\KgMIRoK.exe
  C:\Windows\System32\KgMIRoK.exe
  2⤵
  PID:5840
- C:\Windows\System32\lfkDRLF.exe
  C:\Windows\System32\lfkDRLF.exe
  2⤵
  PID:5864
- C:\Windows\System32\TgyxfPf.exe
  C:\Windows\System32\TgyxfPf.exe
  2⤵
  PID:5892
- C:\Windows\System32\OjYazPd.exe
  C:\Windows\System32\OjYazPd.exe
  2⤵
  PID:5912
- C:\Windows\System32\QiOOLoF.exe
  C:\Windows\System32\QiOOLoF.exe
  2⤵
  PID:5932
- C:\Windows\System32\xGdoTqD.exe
  C:\Windows\System32\xGdoTqD.exe
  2⤵
  PID:5952
- C:\Windows\System32\rMkzofW.exe
  C:\Windows\System32\rMkzofW.exe
  2⤵
  PID:5992
- C:\Windows\System32\MkvIjOb.exe
  C:\Windows\System32\MkvIjOb.exe
  2⤵
  PID:6016
- C:\Windows\System32\JVInFbY.exe
  C:\Windows\System32\JVInFbY.exe
  2⤵
  PID:6032
- C:\Windows\System32\dRPOcoS.exe
  C:\Windows\System32\dRPOcoS.exe
  2⤵
  PID:6120
- C:\Windows\System32\ICUBkdb.exe
  C:\Windows\System32\ICUBkdb.exe
  2⤵
  PID:6140
- C:\Windows\System32\dtBdpcM.exe
  C:\Windows\System32\dtBdpcM.exe
  2⤵
  PID:5212
- C:\Windows\System32\naJYjuL.exe
  C:\Windows\System32\naJYjuL.exe
  2⤵
  PID:5128
- C:\Windows\System32\jSvcjlt.exe
  C:\Windows\System32\jSvcjlt.exe
  2⤵
  PID:408
- C:\Windows\System32\ILwTsur.exe
  C:\Windows\System32\ILwTsur.exe
  2⤵
  PID:1712
- C:\Windows\System32\nTYKqIK.exe
  C:\Windows\System32\nTYKqIK.exe
  2⤵
  PID:4916
- C:\Windows\System32\zJShCNx.exe
  C:\Windows\System32\zJShCNx.exe
  2⤵
  PID:1048
- C:\Windows\System32\WliNNuq.exe
  C:\Windows\System32\WliNNuq.exe
  2⤵
  PID:2540
- C:\Windows\System32\HFXXaWm.exe
  C:\Windows\System32\HFXXaWm.exe
  2⤵
  PID:5272
- C:\Windows\System32\YUHvIGg.exe
  C:\Windows\System32\YUHvIGg.exe
  2⤵
  PID:5328
- C:\Windows\System32\OzJlciG.exe
  C:\Windows\System32\OzJlciG.exe
  2⤵
  PID:5340
- C:\Windows\System32\ablzvns.exe
  C:\Windows\System32\ablzvns.exe
  2⤵
  PID:5388
- C:\Windows\System32\CUpHggF.exe
  C:\Windows\System32\CUpHggF.exe
  2⤵
  PID:5448
- C:\Windows\System32\hmtRwOk.exe
  C:\Windows\System32\hmtRwOk.exe
  2⤵
  PID:5468
- C:\Windows\System32\qQjvFAz.exe
  C:\Windows\System32\qQjvFAz.exe
  2⤵
  PID:5576
- C:\Windows\System32\tbxIQQC.exe
  C:\Windows\System32\tbxIQQC.exe
  2⤵
  PID:5628
- C:\Windows\System32\CLuKAzu.exe
  C:\Windows\System32\CLuKAzu.exe
  2⤵
  PID:5644
- C:\Windows\System32\mqVmjFy.exe
  C:\Windows\System32\mqVmjFy.exe
  2⤵
  PID:5816
- C:\Windows\System32\fWAwgfJ.exe
  C:\Windows\System32\fWAwgfJ.exe
  2⤵
  PID:5792
- C:\Windows\System32\QsQKfHw.exe
  C:\Windows\System32\QsQKfHw.exe
  2⤵
  PID:5968
- C:\Windows\System32\oMYzMjQ.exe
  C:\Windows\System32\oMYzMjQ.exe
  2⤵
  PID:5904
- C:\Windows\System32\LAmIJDw.exe
  C:\Windows\System32\LAmIJDw.exe
  2⤵
  PID:6000
- C:\Windows\System32\fQoVakv.exe
  C:\Windows\System32\fQoVakv.exe
  2⤵
  PID:6040
- C:\Windows\System32\WoDWEXz.exe
  C:\Windows\System32\WoDWEXz.exe
  2⤵
  PID:5204
- C:\Windows\System32\TueyIQx.exe
  C:\Windows\System32\TueyIQx.exe
  2⤵
  PID:1800
- C:\Windows\System32\LhpAnTP.exe
  C:\Windows\System32\LhpAnTP.exe
  2⤵
  PID:2756
- C:\Windows\System32\YKRWkAU.exe
  C:\Windows\System32\YKRWkAU.exe
  2⤵
  PID:4932
- C:\Windows\System32\PcrPJUV.exe
  C:\Windows\System32\PcrPJUV.exe
  2⤵
  PID:4868
- C:\Windows\System32\KivaaBv.exe
  C:\Windows\System32\KivaaBv.exe
  2⤵
  PID:5352
- C:\Windows\System32\vyrxhqz.exe
  C:\Windows\System32\vyrxhqz.exe
  2⤵
  PID:5528
- C:\Windows\System32\qXzcJyE.exe
  C:\Windows\System32\qXzcJyE.exe
  2⤵
  PID:5668
- C:\Windows\System32\mndoEMt.exe
  C:\Windows\System32\mndoEMt.exe
  2⤵
  PID:5752
- C:\Windows\System32\cxuGHmS.exe
  C:\Windows\System32\cxuGHmS.exe
  2⤵
  PID:5836
- C:\Windows\System32\KqMDFoJ.exe
  C:\Windows\System32\KqMDFoJ.exe
  2⤵
  PID:3012
- C:\Windows\System32\AzgFraE.exe
  C:\Windows\System32\AzgFraE.exe
  2⤵
  PID:5076
- C:\Windows\System32\eQaASHV.exe
  C:\Windows\System32\eQaASHV.exe
  2⤵
  PID:1992
- C:\Windows\System32\rYfyZTY.exe
  C:\Windows\System32\rYfyZTY.exe
  2⤵
  PID:5920
- C:\Windows\System32\piznlDT.exe
  C:\Windows\System32\piznlDT.exe
  2⤵
  PID:1064
- C:\Windows\System32\dYnXiaM.exe
  C:\Windows\System32\dYnXiaM.exe
  2⤵
  PID:5520
- C:\Windows\System32\TcLdPKU.exe
  C:\Windows\System32\TcLdPKU.exe
  2⤵
  PID:5852
- C:\Windows\System32\xLbqQBe.exe
  C:\Windows\System32\xLbqQBe.exe
  2⤵
  PID:6176
- C:\Windows\System32\PrzbpNL.exe
  C:\Windows\System32\PrzbpNL.exe
  2⤵
  PID:6196
- C:\Windows\System32\LsAJBZD.exe
  C:\Windows\System32\LsAJBZD.exe
  2⤵
  PID:6216
- C:\Windows\System32\aKPIyli.exe
  C:\Windows\System32\aKPIyli.exe
  2⤵
  PID:6232
- C:\Windows\System32\UzgUUZg.exe
  C:\Windows\System32\UzgUUZg.exe
  2⤵
  PID:6276
- C:\Windows\System32\yIbhccj.exe
  C:\Windows\System32\yIbhccj.exe
  2⤵
  PID:6304
- C:\Windows\System32\VPiJvWM.exe
  C:\Windows\System32\VPiJvWM.exe
  2⤵
  PID:6320
- C:\Windows\System32\HrYLlRw.exe
  C:\Windows\System32\HrYLlRw.exe
  2⤵
  PID:6368
- C:\Windows\System32\ZgKJpIc.exe
  C:\Windows\System32\ZgKJpIc.exe
  2⤵
  PID:6388
- C:\Windows\System32\DwVdihY.exe
  C:\Windows\System32\DwVdihY.exe
  2⤵
  PID:6428
- C:\Windows\System32\ZDLIFGw.exe
  C:\Windows\System32\ZDLIFGw.exe
  2⤵
  PID:6464
- C:\Windows\System32\VeWeTBp.exe
  C:\Windows\System32\VeWeTBp.exe
  2⤵
  PID:6488
- C:\Windows\System32\jfnZANf.exe
  C:\Windows\System32\jfnZANf.exe
  2⤵
  PID:6508
- C:\Windows\System32\LACaVKk.exe
  C:\Windows\System32\LACaVKk.exe
  2⤵
  PID:6548
- C:\Windows\System32\JXccnDC.exe
  C:\Windows\System32\JXccnDC.exe
  2⤵
  PID:6572
- C:\Windows\System32\MXkgOBy.exe
  C:\Windows\System32\MXkgOBy.exe
  2⤵
  PID:6600
- C:\Windows\System32\YOCKSYh.exe
  C:\Windows\System32\YOCKSYh.exe
  2⤵
  PID:6628
- C:\Windows\System32\fgsOhOp.exe
  C:\Windows\System32\fgsOhOp.exe
  2⤵
  PID:6648
- C:\Windows\System32\bdRqLLH.exe
  C:\Windows\System32\bdRqLLH.exe
  2⤵
  PID:6668
- C:\Windows\System32\eCxnGPB.exe
  C:\Windows\System32\eCxnGPB.exe
  2⤵
  PID:6692
- C:\Windows\System32\iJiEAbT.exe
  C:\Windows\System32\iJiEAbT.exe
  2⤵
  PID:6732
- C:\Windows\System32\lMigdCL.exe
  C:\Windows\System32\lMigdCL.exe
  2⤵
  PID:6780
- C:\Windows\System32\YficWUn.exe
  C:\Windows\System32\YficWUn.exe
  2⤵
  PID:6800
- C:\Windows\System32\jOfJfab.exe
  C:\Windows\System32\jOfJfab.exe
  2⤵
  PID:6816
- C:\Windows\System32\scneacv.exe
  C:\Windows\System32\scneacv.exe
  2⤵
  PID:6836
- C:\Windows\System32\ZoAySCo.exe
  C:\Windows\System32\ZoAySCo.exe
  2⤵
  PID:6860
- C:\Windows\System32\QxwZhvS.exe
  C:\Windows\System32\QxwZhvS.exe
  2⤵
  PID:6888
- C:\Windows\System32\fSqWNgz.exe
  C:\Windows\System32\fSqWNgz.exe
  2⤵
  PID:6908
- C:\Windows\System32\kshKWIE.exe
  C:\Windows\System32\kshKWIE.exe
  2⤵
  PID:6964
- C:\Windows\System32\OrrROWU.exe
  C:\Windows\System32\OrrROWU.exe
  2⤵
  PID:6996
- C:\Windows\System32\VJyDlCg.exe
  C:\Windows\System32\VJyDlCg.exe
  2⤵
  PID:7024
- C:\Windows\System32\OyRpWqE.exe
  C:\Windows\System32\OyRpWqE.exe
  2⤵
  PID:7044
- C:\Windows\System32\eJJzJcG.exe
  C:\Windows\System32\eJJzJcG.exe
  2⤵
  PID:7064
- C:\Windows\System32\XmwhHiM.exe
  C:\Windows\System32\XmwhHiM.exe
  2⤵
  PID:7084
- C:\Windows\System32\tSijqjt.exe
  C:\Windows\System32\tSijqjt.exe
  2⤵
  PID:7108
- C:\Windows\System32\hMZYXGs.exe
  C:\Windows\System32\hMZYXGs.exe
  2⤵
  PID:7128
- C:\Windows\System32\mNDljNM.exe
  C:\Windows\System32\mNDljNM.exe
  2⤵
  PID:6152
- C:\Windows\System32\FdaxIOZ.exe
  C:\Windows\System32\FdaxIOZ.exe
  2⤵
  PID:6204
- C:\Windows\System32\ExzIQHC.exe
  C:\Windows\System32\ExzIQHC.exe
  2⤵
  PID:6288
- C:\Windows\System32\gjZzrCq.exe
  C:\Windows\System32\gjZzrCq.exe
  2⤵
  PID:6332
- C:\Windows\System32\GmvBsXO.exe
  C:\Windows\System32\GmvBsXO.exe
  2⤵
  PID:6436
- C:\Windows\System32\slAMUBM.exe
  C:\Windows\System32\slAMUBM.exe
  2⤵
  PID:6500
- C:\Windows\System32\xzykFTC.exe
  C:\Windows\System32\xzykFTC.exe
  2⤵
  PID:6568
- C:\Windows\System32\jmkzjBm.exe
  C:\Windows\System32\jmkzjBm.exe
  2⤵
  PID:6644
- C:\Windows\System32\MEMySBe.exe
  C:\Windows\System32\MEMySBe.exe
  2⤵
  PID:6688
- C:\Windows\System32\sWdcFsB.exe
  C:\Windows\System32\sWdcFsB.exe
  2⤵
  PID:6768
- C:\Windows\System32\ZvDjsEa.exe
  C:\Windows\System32\ZvDjsEa.exe
  2⤵
  PID:6808
- C:\Windows\System32\RibDKIl.exe
  C:\Windows\System32\RibDKIl.exe
  2⤵
  PID:6832
- C:\Windows\System32\ohRGwXc.exe
  C:\Windows\System32\ohRGwXc.exe
  2⤵
  PID:6904
- C:\Windows\System32\fSlDNTD.exe
  C:\Windows\System32\fSlDNTD.exe
  2⤵
  PID:6992
- C:\Windows\System32\cQPAWnC.exe
  C:\Windows\System32\cQPAWnC.exe
  2⤵
  PID:7100
- C:\Windows\System32\mcKcnOf.exe
  C:\Windows\System32\mcKcnOf.exe
  2⤵
  PID:7116
- C:\Windows\System32\ppqHrgi.exe
  C:\Windows\System32\ppqHrgi.exe
  2⤵
  PID:1952
- C:\Windows\System32\nrfIkDd.exe
  C:\Windows\System32\nrfIkDd.exe
  2⤵
  PID:6376
- C:\Windows\System32\dopDIKV.exe
  C:\Windows\System32\dopDIKV.exe
  2⤵
  PID:6520
- C:\Windows\System32\djjlZiB.exe
  C:\Windows\System32\djjlZiB.exe
  2⤵
  PID:6640
- C:\Windows\System32\KuTJPZl.exe
  C:\Windows\System32\KuTJPZl.exe
  2⤵
  PID:6740
- C:\Windows\System32\vrgQPaT.exe
  C:\Windows\System32\vrgQPaT.exe
  2⤵
  PID:6900
- C:\Windows\System32\pTfqZKN.exe
  C:\Windows\System32\pTfqZKN.exe
  2⤵
  PID:7060
- C:\Windows\System32\beGXyKo.exe
  C:\Windows\System32\beGXyKo.exe
  2⤵
  PID:6240
- C:\Windows\System32\BRbgsia.exe
  C:\Windows\System32\BRbgsia.exe
  2⤵
  PID:6744
- C:\Windows\System32\WRwdMNA.exe
  C:\Windows\System32\WRwdMNA.exe
  2⤵
  PID:5424
- C:\Windows\System32\FYLzpwD.exe
  C:\Windows\System32\FYLzpwD.exe
  2⤵
  PID:7008
- C:\Windows\System32\nbjVEtb.exe
  C:\Windows\System32\nbjVEtb.exe
  2⤵
  PID:7176
- C:\Windows\System32\WrSZfSH.exe
  C:\Windows\System32\WrSZfSH.exe
  2⤵
  PID:7224
- C:\Windows\System32\FmjhALK.exe
  C:\Windows\System32\FmjhALK.exe
  2⤵
  PID:7240
- C:\Windows\System32\bfAJmaN.exe
  C:\Windows\System32\bfAJmaN.exe
  2⤵
  PID:7256
- C:\Windows\System32\PgOgdBm.exe
  C:\Windows\System32\PgOgdBm.exe
  2⤵
  PID:7284
- C:\Windows\System32\xWnSlgt.exe
  C:\Windows\System32\xWnSlgt.exe
  2⤵
  PID:7304
- C:\Windows\System32\ZFwdMed.exe
  C:\Windows\System32\ZFwdMed.exe
  2⤵
  PID:7320
- C:\Windows\System32\LuOTrQR.exe
  C:\Windows\System32\LuOTrQR.exe
  2⤵
  PID:7344
- C:\Windows\System32\UGuQijP.exe
  C:\Windows\System32\UGuQijP.exe
  2⤵
  PID:7360
- C:\Windows\System32\yWyeHZX.exe
  C:\Windows\System32\yWyeHZX.exe
  2⤵
  PID:7408
- C:\Windows\System32\yqhoQYk.exe
  C:\Windows\System32\yqhoQYk.exe
  2⤵
  PID:7464
- C:\Windows\System32\atJkSsG.exe
  C:\Windows\System32\atJkSsG.exe
  2⤵
  PID:7492
- C:\Windows\System32\RagsZec.exe
  C:\Windows\System32\RagsZec.exe
  2⤵
  PID:7528
- C:\Windows\System32\YvWDZox.exe
  C:\Windows\System32\YvWDZox.exe
  2⤵
  PID:7548
- C:\Windows\System32\CujAcrz.exe
  C:\Windows\System32\CujAcrz.exe
  2⤵
  PID:7572
- C:\Windows\System32\anGhNpx.exe
  C:\Windows\System32\anGhNpx.exe
  2⤵
  PID:7612
- C:\Windows\System32\GNEIkck.exe
  C:\Windows\System32\GNEIkck.exe
  2⤵
  PID:7640
- C:\Windows\System32\laVOeJG.exe
  C:\Windows\System32\laVOeJG.exe
  2⤵
  PID:7668
- C:\Windows\System32\KGPkzTJ.exe
  C:\Windows\System32\KGPkzTJ.exe
  2⤵
  PID:7684
- C:\Windows\System32\UzpWArY.exe
  C:\Windows\System32\UzpWArY.exe
  2⤵
  PID:7712
- C:\Windows\System32\wPvjkCi.exe
  C:\Windows\System32\wPvjkCi.exe
  2⤵
  PID:7732
- C:\Windows\System32\rqTqnGc.exe
  C:\Windows\System32\rqTqnGc.exe
  2⤵
  PID:7748
- C:\Windows\System32\kHCutaq.exe
  C:\Windows\System32\kHCutaq.exe
  2⤵
  PID:7784
- C:\Windows\System32\wmqjOTi.exe
  C:\Windows\System32\wmqjOTi.exe
  2⤵
  PID:7808
- C:\Windows\System32\fKuwixO.exe
  C:\Windows\System32\fKuwixO.exe
  2⤵
  PID:7828
- C:\Windows\System32\kNmjEIp.exe
  C:\Windows\System32\kNmjEIp.exe
  2⤵
  PID:7856
- C:\Windows\System32\PLRpGbA.exe
  C:\Windows\System32\PLRpGbA.exe
  2⤵
  PID:7924
- C:\Windows\System32\VejabVo.exe
  C:\Windows\System32\VejabVo.exe
  2⤵
  PID:7952
- C:\Windows\System32\hXLRjeV.exe
  C:\Windows\System32\hXLRjeV.exe
  2⤵
  PID:7972
- C:\Windows\System32\cOUzMlN.exe
  C:\Windows\System32\cOUzMlN.exe
  2⤵
  PID:7996
- C:\Windows\System32\ICHxzhs.exe
  C:\Windows\System32\ICHxzhs.exe
  2⤵
  PID:8012
- C:\Windows\System32\NNBizBS.exe
  C:\Windows\System32\NNBizBS.exe
  2⤵
  PID:8040
- C:\Windows\System32\tiwgbnt.exe
  C:\Windows\System32\tiwgbnt.exe
  2⤵
  PID:8056
- C:\Windows\System32\DjgpUQh.exe
  C:\Windows\System32\DjgpUQh.exe
  2⤵
  PID:8084
- C:\Windows\System32\sRPCVpD.exe
  C:\Windows\System32\sRPCVpD.exe
  2⤵
  PID:8104
- C:\Windows\System32\WBotdgq.exe
  C:\Windows\System32\WBotdgq.exe
  2⤵
  PID:8128
- C:\Windows\System32\tGYPGDB.exe
  C:\Windows\System32\tGYPGDB.exe
  2⤵
  PID:8168
- C:\Windows\System32\sLuUaAz.exe
  C:\Windows\System32\sLuUaAz.exe
  2⤵
  PID:8188
- C:\Windows\System32\XQuNcaP.exe
  C:\Windows\System32\XQuNcaP.exe
  2⤵
  PID:7300
- C:\Windows\System32\fGEexhB.exe
  C:\Windows\System32\fGEexhB.exe
  2⤵
  PID:7332
- C:\Windows\System32\PZYqGwb.exe
  C:\Windows\System32\PZYqGwb.exe
  2⤵
  PID:7384
- C:\Windows\System32\dDJDIrA.exe
  C:\Windows\System32\dDJDIrA.exe
  2⤵
  PID:7452
- C:\Windows\System32\shgIfSq.exe
  C:\Windows\System32\shgIfSq.exe
  2⤵
  PID:7636
- C:\Windows\System32\SSswDbN.exe
  C:\Windows\System32\SSswDbN.exe
  2⤵
  PID:7696
- C:\Windows\System32\ACGmuOI.exe
  C:\Windows\System32\ACGmuOI.exe
  2⤵
  PID:7756
- C:\Windows\System32\khSXamE.exe
  C:\Windows\System32\khSXamE.exe
  2⤵
  PID:7724
- C:\Windows\System32\cIADGxL.exe
  C:\Windows\System32\cIADGxL.exe
  2⤵
  PID:7820
- C:\Windows\System32\FTEvpnK.exe
  C:\Windows\System32\FTEvpnK.exe
  2⤵
  PID:7884
- C:\Windows\System32\LxnjJxM.exe
  C:\Windows\System32\LxnjJxM.exe
  2⤵
  PID:7908
- C:\Windows\System32\QeVylfC.exe
  C:\Windows\System32\QeVylfC.exe
  2⤵
  PID:8036
- C:\Windows\System32\QgyoiJj.exe
  C:\Windows\System32\QgyoiJj.exe
  2⤵
  PID:8096
- C:\Windows\System32\rBINejC.exe
  C:\Windows\System32\rBINejC.exe
  2⤵
  PID:8156
- C:\Windows\System32\yBfUFPs.exe
  C:\Windows\System32\yBfUFPs.exe
  2⤵
  PID:8180
- C:\Windows\System32\KAMSnuq.exe
  C:\Windows\System32\KAMSnuq.exe
  2⤵
  PID:7392
- C:\Windows\System32\CnbTHqV.exe
  C:\Windows\System32\CnbTHqV.exe
  2⤵
  PID:7388
- C:\Windows\System32\BZiyNVy.exe
  C:\Windows\System32\BZiyNVy.exe
  2⤵
  PID:7792
- C:\Windows\System32\zLcxjpc.exe
  C:\Windows\System32\zLcxjpc.exe
  2⤵
  PID:7936
- C:\Windows\System32\yJYsoZy.exe
  C:\Windows\System32\yJYsoZy.exe
  2⤵
  PID:7964
- C:\Windows\System32\qJWrJOp.exe
  C:\Windows\System32\qJWrJOp.exe
  2⤵
  PID:6624
- C:\Windows\System32\UqKvces.exe
  C:\Windows\System32\UqKvces.exe
  2⤵
  PID:7232
- C:\Windows\System32\BKcToPg.exe
  C:\Windows\System32\BKcToPg.exe
  2⤵
  PID:7520
- C:\Windows\System32\MjBMhhD.exe
  C:\Windows\System32\MjBMhhD.exe
  2⤵
  PID:8148
- C:\Windows\System32\CzuyLMz.exe
  C:\Windows\System32\CzuyLMz.exe
  2⤵
  PID:8264
- C:\Windows\System32\LBQZLBh.exe
  C:\Windows\System32\LBQZLBh.exe
  2⤵
  PID:8292
- C:\Windows\System32\VIeACgY.exe
  C:\Windows\System32\VIeACgY.exe
  2⤵
  PID:8312
- C:\Windows\System32\sDgsMDn.exe
  C:\Windows\System32\sDgsMDn.exe
  2⤵
  PID:8332
- C:\Windows\System32\NJFsSXm.exe
  C:\Windows\System32\NJFsSXm.exe
  2⤵
  PID:8348
- C:\Windows\System32\iYTAQvB.exe
  C:\Windows\System32\iYTAQvB.exe
  2⤵
  PID:8364
- C:\Windows\System32\GuTGEbb.exe
  C:\Windows\System32\GuTGEbb.exe
  2⤵
  PID:8380
- C:\Windows\System32\DGUXdHW.exe
  C:\Windows\System32\DGUXdHW.exe
  2⤵
  PID:8396
- C:\Windows\System32\fxRsZZI.exe
  C:\Windows\System32\fxRsZZI.exe
  2⤵
  PID:8412
- C:\Windows\System32\TVZOOlG.exe
  C:\Windows\System32\TVZOOlG.exe
  2⤵
  PID:8428
- C:\Windows\System32\QwYEABP.exe
  C:\Windows\System32\QwYEABP.exe
  2⤵
  PID:8444
- C:\Windows\System32\HnRqTKZ.exe
  C:\Windows\System32\HnRqTKZ.exe
  2⤵
  PID:8460
- C:\Windows\System32\GYuBONo.exe
  C:\Windows\System32\GYuBONo.exe
  2⤵
  PID:8476
- C:\Windows\System32\rWbTlKn.exe
  C:\Windows\System32\rWbTlKn.exe
  2⤵
  PID:8492
- C:\Windows\System32\LojgReg.exe
  C:\Windows\System32\LojgReg.exe
  2⤵
  PID:8508
- C:\Windows\System32\gxvbVOw.exe
  C:\Windows\System32\gxvbVOw.exe
  2⤵
  PID:8604
- C:\Windows\System32\TvgZIpB.exe
  C:\Windows\System32\TvgZIpB.exe
  2⤵
  PID:8688
- C:\Windows\System32\IzGvOlt.exe
  C:\Windows\System32\IzGvOlt.exe
  2⤵
  PID:8716
- C:\Windows\System32\QqFMAEB.exe
  C:\Windows\System32\QqFMAEB.exe
  2⤵
  PID:8756
- C:\Windows\System32\tJthMrV.exe
  C:\Windows\System32\tJthMrV.exe
  2⤵
  PID:8776
- C:\Windows\System32\SwTAHPh.exe
  C:\Windows\System32\SwTAHPh.exe
  2⤵
  PID:8800
- C:\Windows\System32\BHcCCcX.exe
  C:\Windows\System32\BHcCCcX.exe
  2⤵
  PID:8824
- C:\Windows\System32\eYCZFwU.exe
  C:\Windows\System32\eYCZFwU.exe
  2⤵
  PID:8840
- C:\Windows\System32\YcBJoDK.exe
  C:\Windows\System32\YcBJoDK.exe
  2⤵
  PID:8856
- C:\Windows\System32\nAhJpTA.exe
  C:\Windows\System32\nAhJpTA.exe
  2⤵
  PID:8876
- C:\Windows\System32\lxQsRZF.exe
  C:\Windows\System32\lxQsRZF.exe
  2⤵
  PID:8892
- C:\Windows\System32\fFSurEP.exe
  C:\Windows\System32\fFSurEP.exe
  2⤵
  PID:8916
- C:\Windows\System32\qEGvvYx.exe
  C:\Windows\System32\qEGvvYx.exe
  2⤵
  PID:8988
- C:\Windows\System32\LrothDQ.exe
  C:\Windows\System32\LrothDQ.exe
  2⤵
  PID:9076
- C:\Windows\System32\QTvqzAA.exe
  C:\Windows\System32\QTvqzAA.exe
  2⤵
  PID:9108
- C:\Windows\System32\MdNjfmX.exe
  C:\Windows\System32\MdNjfmX.exe
  2⤵
  PID:9136
- C:\Windows\System32\dZxellb.exe
  C:\Windows\System32\dZxellb.exe
  2⤵
  PID:9152
- C:\Windows\System32\qHKIhMO.exe
  C:\Windows\System32\qHKIhMO.exe
  2⤵
  PID:9172
- C:\Windows\System32\VjdvxHF.exe
  C:\Windows\System32\VjdvxHF.exe
  2⤵
  PID:9212
- C:\Windows\System32\XRgnSJT.exe
  C:\Windows\System32\XRgnSJT.exe
  2⤵
  PID:7740
- C:\Windows\System32\UvGchoh.exe
  C:\Windows\System32\UvGchoh.exe
  2⤵
  PID:8344
- C:\Windows\System32\KBYImyC.exe
  C:\Windows\System32\KBYImyC.exe
  2⤵
  PID:8328
- C:\Windows\System32\fOyealm.exe
  C:\Windows\System32\fOyealm.exe
  2⤵
  PID:8236
- C:\Windows\System32\mwEQcmx.exe
  C:\Windows\System32\mwEQcmx.exe
  2⤵
  PID:8256
- C:\Windows\System32\HxUBHNS.exe
  C:\Windows\System32\HxUBHNS.exe
  2⤵
  PID:8524
- C:\Windows\System32\IpzMZXc.exe
  C:\Windows\System32\IpzMZXc.exe
  2⤵
  PID:8392
- C:\Windows\System32\rPkieRc.exe
  C:\Windows\System32\rPkieRc.exe
  2⤵
  PID:8440
- C:\Windows\System32\svsofer.exe
  C:\Windows\System32\svsofer.exe
  2⤵
  PID:8504
- C:\Windows\System32\DOqSuRl.exe
  C:\Windows\System32\DOqSuRl.exe
  2⤵
  PID:8656
- C:\Windows\System32\gdHaWXs.exe
  C:\Windows\System32\gdHaWXs.exe
  2⤵
  PID:8784
- C:\Windows\System32\SEDPCMz.exe
  C:\Windows\System32\SEDPCMz.exe
  2⤵
  PID:8864
- C:\Windows\System32\GdKDQFu.exe
  C:\Windows\System32\GdKDQFu.exe
  2⤵
  PID:8924
- C:\Windows\System32\iPKqehX.exe
  C:\Windows\System32\iPKqehX.exe
  2⤵
  PID:8868
- C:\Windows\System32\HQMKFbU.exe
  C:\Windows\System32\HQMKFbU.exe
  2⤵
  PID:9020
- C:\Windows\System32\tbnBOIe.exe
  C:\Windows\System32\tbnBOIe.exe
  2⤵
  PID:9068
- C:\Windows\System32\wQoDpvS.exe
  C:\Windows\System32\wQoDpvS.exe
  2⤵
  PID:9168
- C:\Windows\System32\kWVRHfe.exe
  C:\Windows\System32\kWVRHfe.exe
  2⤵
  PID:9204
- C:\Windows\System32\WnqHqqQ.exe
  C:\Windows\System32\WnqHqqQ.exe
  2⤵
  PID:8308
- C:\Windows\System32\WZCbiUc.exe
  C:\Windows\System32\WZCbiUc.exe
  2⤵
  PID:8500
- C:\Windows\System32\knutZqG.exe
  C:\Windows\System32\knutZqG.exe
  2⤵
  PID:8632
- C:\Windows\System32\AFLeXiB.exe
  C:\Windows\System32\AFLeXiB.exe
  2⤵
  PID:8772
- C:\Windows\System32\AKOxAJn.exe
  C:\Windows\System32\AKOxAJn.exe
  2⤵
  PID:8948
- C:\Windows\System32\DvhMpSb.exe
  C:\Windows\System32\DvhMpSb.exe
  2⤵
  PID:8964
- C:\Windows\System32\EUWhqZc.exe
  C:\Windows\System32\EUWhqZc.exe
  2⤵
  PID:9084
- C:\Windows\System32\LAuCaZB.exe
  C:\Windows\System32\LAuCaZB.exe
  2⤵
  PID:8240
- C:\Windows\System32\yXrgaVP.exe
  C:\Windows\System32\yXrgaVP.exe
  2⤵
  PID:8968
- C:\Windows\System32\jMavdPl.exe
  C:\Windows\System32\jMavdPl.exe
  2⤵
  PID:8996
- C:\Windows\System32\IxgNKTQ.exe
  C:\Windows\System32\IxgNKTQ.exe
  2⤵
  PID:8196
- C:\Windows\System32\kyhZRyR.exe
  C:\Windows\System32\kyhZRyR.exe
  2⤵
  PID:9224
- C:\Windows\System32\Zcbzogo.exe
  C:\Windows\System32\Zcbzogo.exe
  2⤵
  PID:9248
- C:\Windows\System32\mnMlkkY.exe
  C:\Windows\System32\mnMlkkY.exe
  2⤵
  PID:9264
- C:\Windows\System32\fkWnpVs.exe
  C:\Windows\System32\fkWnpVs.exe
  2⤵
  PID:9288
- C:\Windows\System32\EAfCJKk.exe
  C:\Windows\System32\EAfCJKk.exe
  2⤵
  PID:9340
- C:\Windows\System32\RFOtXWF.exe
  C:\Windows\System32\RFOtXWF.exe
  2⤵
  PID:9392
- C:\Windows\System32\clfrjxY.exe
  C:\Windows\System32\clfrjxY.exe
  2⤵
  PID:9416
- C:\Windows\System32\mlGBVgs.exe
  C:\Windows\System32\mlGBVgs.exe
  2⤵
  PID:9436
- C:\Windows\System32\rzPkEkL.exe
  C:\Windows\System32\rzPkEkL.exe
  2⤵
  PID:9464
- C:\Windows\System32\IDNDPAW.exe
  C:\Windows\System32\IDNDPAW.exe
  2⤵
  PID:9480
- C:\Windows\System32\QZhzclT.exe
  C:\Windows\System32\QZhzclT.exe
  2⤵
  PID:9528
- C:\Windows\System32\zxZAQsm.exe
  C:\Windows\System32\zxZAQsm.exe
  2⤵
  PID:9552
- C:\Windows\System32\TusSzwE.exe
  C:\Windows\System32\TusSzwE.exe
  2⤵
  PID:9584
- C:\Windows\System32\PSeXKxR.exe
  C:\Windows\System32\PSeXKxR.exe
  2⤵
  PID:9620
- C:\Windows\System32\rxuisOp.exe
  C:\Windows\System32\rxuisOp.exe
  2⤵
  PID:9640
- C:\Windows\System32\JmwNNUw.exe
  C:\Windows\System32\JmwNNUw.exe
  2⤵
  PID:9660
- C:\Windows\System32\obixxzy.exe
  C:\Windows\System32\obixxzy.exe
  2⤵
  PID:9676
- C:\Windows\System32\UaKepEN.exe
  C:\Windows\System32\UaKepEN.exe
  2⤵
  PID:9700
- C:\Windows\System32\kMELNIp.exe
  C:\Windows\System32\kMELNIp.exe
  2⤵
  PID:9720
- C:\Windows\System32\EClQooY.exe
  C:\Windows\System32\EClQooY.exe
  2⤵
  PID:9744
- C:\Windows\System32\wPZNnCm.exe
  C:\Windows\System32\wPZNnCm.exe
  2⤵
  PID:9764
- C:\Windows\System32\SnOxzBK.exe
  C:\Windows\System32\SnOxzBK.exe
  2⤵
  PID:9816
- C:\Windows\System32\xWsNdRQ.exe
  C:\Windows\System32\xWsNdRQ.exe
  2⤵
  PID:9876
- C:\Windows\System32\iisdxNq.exe
  C:\Windows\System32\iisdxNq.exe
  2⤵
  PID:9896
- C:\Windows\System32\DrdmRzL.exe
  C:\Windows\System32\DrdmRzL.exe
  2⤵
  PID:9920
- C:\Windows\System32\xcFnqUr.exe
  C:\Windows\System32\xcFnqUr.exe
  2⤵
  PID:9956
- C:\Windows\System32\TdYirBY.exe
  C:\Windows\System32\TdYirBY.exe
  2⤵
  PID:9996
- C:\Windows\System32\eaOsBgu.exe
  C:\Windows\System32\eaOsBgu.exe
  2⤵
  PID:10016
- C:\Windows\System32\ENRTcNP.exe
  C:\Windows\System32\ENRTcNP.exe
  2⤵
  PID:10040
- C:\Windows\System32\PUBmflB.exe
  C:\Windows\System32\PUBmflB.exe
  2⤵
  PID:10056
- C:\Windows\System32\HuKKcoW.exe
  C:\Windows\System32\HuKKcoW.exe
  2⤵
  PID:10076
- C:\Windows\System32\PDqpaxh.exe
  C:\Windows\System32\PDqpaxh.exe
  2⤵
  PID:10144
- C:\Windows\System32\cwJiprs.exe
  C:\Windows\System32\cwJiprs.exe
  2⤵
  PID:10160
- C:\Windows\System32\KbCXIsu.exe
  C:\Windows\System32\KbCXIsu.exe
  2⤵
  PID:10196
- C:\Windows\System32\TlwaSoI.exe
  C:\Windows\System32\TlwaSoI.exe
  2⤵
  PID:10216
- C:\Windows\System32\BCradvn.exe
  C:\Windows\System32\BCradvn.exe
  2⤵
  PID:10232
- C:\Windows\System32\EuFWflc.exe
  C:\Windows\System32\EuFWflc.exe
  2⤵
  PID:8696
- C:\Windows\System32\dVTgPia.exe
  C:\Windows\System32\dVTgPia.exe
  2⤵
  PID:9240
- C:\Windows\System32\mpcHnPw.exe
  C:\Windows\System32\mpcHnPw.exe
  2⤵
  PID:9260
- C:\Windows\System32\UzaSxha.exe
  C:\Windows\System32\UzaSxha.exe
  2⤵
  PID:9348
- C:\Windows\System32\bMMAsSt.exe
  C:\Windows\System32\bMMAsSt.exe
  2⤵
  PID:9476
- C:\Windows\System32\tEwrAZr.exe
  C:\Windows\System32\tEwrAZr.exe
  2⤵
  PID:9568
- C:\Windows\System32\puNAGlj.exe
  C:\Windows\System32\puNAGlj.exe
  2⤵
  PID:9632
- C:\Windows\System32\NigGWRR.exe
  C:\Windows\System32\NigGWRR.exe
  2⤵
  PID:9672
- C:\Windows\System32\dRwLhjr.exe
  C:\Windows\System32\dRwLhjr.exe
  2⤵
  PID:9728
- C:\Windows\System32\aqIdBWO.exe
  C:\Windows\System32\aqIdBWO.exe
  2⤵
  PID:9740
- C:\Windows\System32\VFNhvmD.exe
  C:\Windows\System32\VFNhvmD.exe
  2⤵
  PID:9908
- C:\Windows\System32\pipxBbw.exe
  C:\Windows\System32\pipxBbw.exe
  2⤵
  PID:9964
- C:\Windows\System32\lZsPBTx.exe
  C:\Windows\System32\lZsPBTx.exe
  2⤵
  PID:10012
- C:\Windows\System32\tqrRgGn.exe
  C:\Windows\System32\tqrRgGn.exe
  2⤵
  PID:10064
- C:\Windows\System32\nUwgFNC.exe
  C:\Windows\System32\nUwgFNC.exe
  2⤵
  PID:10112
- C:\Windows\System32\cZVTaWq.exe
  C:\Windows\System32\cZVTaWq.exe
  2⤵
  PID:10168
- C:\Windows\System32\ilUkKYw.exe
  C:\Windows\System32\ilUkKYw.exe
  2⤵
  PID:10208
- C:\Windows\System32\KKUbeeY.exe
  C:\Windows\System32\KKUbeeY.exe
  2⤵
  PID:9008
- C:\Windows\System32\fTkQYeA.exe
  C:\Windows\System32\fTkQYeA.exe
  2⤵
  PID:9360
- C:\Windows\System32\udrLlcc.exe
  C:\Windows\System32\udrLlcc.exe
  2⤵
  PID:9520
- C:\Windows\System32\cCEYBlA.exe
  C:\Windows\System32\cCEYBlA.exe
  2⤵
  PID:9712
- C:\Windows\System32\qbOfulH.exe
  C:\Windows\System32\qbOfulH.exe
  2⤵
  PID:9872
- C:\Windows\System32\axWfNeM.exe
  C:\Windows\System32\axWfNeM.exe
  2⤵
  PID:9988
- C:\Windows\System32\IBAlPmS.exe
  C:\Windows\System32\IBAlPmS.exe
  2⤵
  PID:10228
- C:\Windows\System32\GRgoFfy.exe
  C:\Windows\System32\GRgoFfy.exe
  2⤵
  PID:9316
- C:\Windows\System32\GmdfmLh.exe
  C:\Windows\System32\GmdfmLh.exe
  2⤵
  PID:10048
- C:\Windows\System32\xERqChE.exe
  C:\Windows\System32\xERqChE.exe
  2⤵
  PID:9656
- C:\Windows\System32\lyewXNA.exe
  C:\Windows\System32\lyewXNA.exe
  2⤵
  PID:9276
- C:\Windows\System32\FNIMJdq.exe
  C:\Windows\System32\FNIMJdq.exe
  2⤵
  PID:10264
- C:\Windows\System32\DzlUmwA.exe
  C:\Windows\System32\DzlUmwA.exe
  2⤵
  PID:10288
- C:\Windows\System32\KtxOJqL.exe
  C:\Windows\System32\KtxOJqL.exe
  2⤵
  PID:10328
- C:\Windows\System32\cTZpmNB.exe
  C:\Windows\System32\cTZpmNB.exe
  2⤵
  PID:10352
- C:\Windows\System32\vtykAVo.exe
  C:\Windows\System32\vtykAVo.exe
  2⤵
  PID:10368
- C:\Windows\System32\DZwnXvB.exe
  C:\Windows\System32\DZwnXvB.exe
  2⤵
  PID:10404
- C:\Windows\System32\tnHezgx.exe
  C:\Windows\System32\tnHezgx.exe
  2⤵
  PID:10436
- C:\Windows\System32\iUYKyYt.exe
  C:\Windows\System32\iUYKyYt.exe
  2⤵
  PID:10456
- C:\Windows\System32\XIAImoV.exe
  C:\Windows\System32\XIAImoV.exe
  2⤵
  PID:10484
- C:\Windows\System32\QUGCygO.exe
  C:\Windows\System32\QUGCygO.exe
  2⤵
  PID:10504
- C:\Windows\System32\SioBiko.exe
  C:\Windows\System32\SioBiko.exe
  2⤵
  PID:10544
- C:\Windows\System32\ZsDgxXT.exe
  C:\Windows\System32\ZsDgxXT.exe
  2⤵
  PID:10564
- C:\Windows\System32\WbkucGS.exe
  C:\Windows\System32\WbkucGS.exe
  2⤵
  PID:10592
- C:\Windows\System32\xFkXaLd.exe
  C:\Windows\System32\xFkXaLd.exe
  2⤵
  PID:10608
- C:\Windows\System32\unVpdmG.exe
  C:\Windows\System32\unVpdmG.exe
  2⤵
  PID:10624
- C:\Windows\System32\tNwscFZ.exe
  C:\Windows\System32\tNwscFZ.exe
  2⤵
  PID:10640
- C:\Windows\System32\ZlLUrux.exe
  C:\Windows\System32\ZlLUrux.exe
  2⤵
  PID:10672
- C:\Windows\System32\oAcjfnO.exe
  C:\Windows\System32\oAcjfnO.exe
  2⤵
  PID:10688
- C:\Windows\System32\olYpcaR.exe
  C:\Windows\System32\olYpcaR.exe
  2⤵
  PID:10704
- C:\Windows\System32\YEOfCRR.exe
  C:\Windows\System32\YEOfCRR.exe
  2⤵
  PID:10732
- C:\Windows\System32\evIcilx.exe
  C:\Windows\System32\evIcilx.exe
  2⤵
  PID:10788
- C:\Windows\System32\UHPcaCP.exe
  C:\Windows\System32\UHPcaCP.exe
  2⤵
  PID:10808
- C:\Windows\System32\ozYftDg.exe
  C:\Windows\System32\ozYftDg.exe
  2⤵
  PID:10852
- C:\Windows\System32\DAsyBUw.exe
  C:\Windows\System32\DAsyBUw.exe
  2⤵
  PID:10876
- C:\Windows\System32\jmItxxg.exe
  C:\Windows\System32\jmItxxg.exe
  2⤵
  PID:10924
- C:\Windows\System32\aHltJuk.exe
  C:\Windows\System32\aHltJuk.exe
  2⤵
  PID:10948
- C:\Windows\System32\eyamsIb.exe
  C:\Windows\System32\eyamsIb.exe
  2⤵
  PID:10972
- C:\Windows\System32\bemlEds.exe
  C:\Windows\System32\bemlEds.exe
  2⤵
  PID:10992
- C:\Windows\System32\UWxjKeb.exe
  C:\Windows\System32\UWxjKeb.exe
  2⤵
  PID:11012
- C:\Windows\System32\gxFSdCJ.exe
  C:\Windows\System32\gxFSdCJ.exe
  2⤵
  PID:11048
- C:\Windows\System32\AzWBawn.exe
  C:\Windows\System32\AzWBawn.exe
  2⤵
  PID:11104
- C:\Windows\System32\wOhilLD.exe
  C:\Windows\System32\wOhilLD.exe
  2⤵
  PID:11132
- C:\Windows\System32\LHmwcMK.exe
  C:\Windows\System32\LHmwcMK.exe
  2⤵
  PID:11148
- C:\Windows\System32\mqRdhkN.exe
  C:\Windows\System32\mqRdhkN.exe
  2⤵
  PID:11172
- C:\Windows\System32\tbsiNXP.exe
  C:\Windows\System32\tbsiNXP.exe
  2⤵
  PID:11188
- C:\Windows\System32\FmTkmyS.exe
  C:\Windows\System32\FmTkmyS.exe
  2⤵
  PID:11216
- C:\Windows\System32\qocEKuQ.exe
  C:\Windows\System32\qocEKuQ.exe
  2⤵
  PID:10256
- C:\Windows\System32\CVMFjwK.exe
  C:\Windows\System32\CVMFjwK.exe
  2⤵
  PID:10304
- C:\Windows\System32\JHGYBiT.exe
  C:\Windows\System32\JHGYBiT.exe
  2⤵
  PID:10384
- C:\Windows\System32\IDPptNL.exe
  C:\Windows\System32\IDPptNL.exe
  2⤵
  PID:10464
- C:\Windows\System32\cXOAQJZ.exe
  C:\Windows\System32\cXOAQJZ.exe
  2⤵
  PID:10532
- C:\Windows\System32\VqJpAzE.exe
  C:\Windows\System32\VqJpAzE.exe
  2⤵
  PID:10588
- C:\Windows\System32\DNRrEKm.exe
  C:\Windows\System32\DNRrEKm.exe
  2⤵
  PID:10656
- C:\Windows\System32\wdgztZV.exe
  C:\Windows\System32\wdgztZV.exe
  2⤵
  PID:10716
- C:\Windows\System32\ROBtNBg.exe
  C:\Windows\System32\ROBtNBg.exe
  2⤵
  PID:10776
- C:\Windows\System32\EYbFOEF.exe
  C:\Windows\System32\EYbFOEF.exe
  2⤵
  PID:10860
- C:\Windows\System32\gkUIAoY.exe
  C:\Windows\System32\gkUIAoY.exe
  2⤵
  PID:10984
- C:\Windows\System32\hPFklvm.exe
  C:\Windows\System32\hPFklvm.exe
  2⤵
  PID:11000
- C:\Windows\System32\ZQopnXs.exe
  C:\Windows\System32\ZQopnXs.exe
  2⤵
  PID:11080
- C:\Windows\System32\Pgrjtak.exe
  C:\Windows\System32\Pgrjtak.exe
  2⤵
  PID:11140
- C:\Windows\System32\KWTcEUW.exe
  C:\Windows\System32\KWTcEUW.exe
  2⤵
  PID:11124
- C:\Windows\System32\kwFKsxY.exe
  C:\Windows\System32\kwFKsxY.exe
  2⤵
  PID:11232
- C:\Windows\System32\UzEffls.exe
  C:\Windows\System32\UzEffls.exe
  2⤵
  PID:11256
- C:\Windows\System32\aKEcwwJ.exe
  C:\Windows\System32\aKEcwwJ.exe
  2⤵
  PID:10380
- C:\Windows\System32\IoKsjof.exe
  C:\Windows\System32\IoKsjof.exe
  2⤵
  PID:10520
- C:\Windows\System32\SwuLkUq.exe
  C:\Windows\System32\SwuLkUq.exe
  2⤵
  PID:10744
- C:\Windows\System32\IXAQXvc.exe
  C:\Windows\System32\IXAQXvc.exe
  2⤵
  PID:10904
- C:\Windows\System32\ijuYZRi.exe
  C:\Windows\System32\ijuYZRi.exe
  2⤵
  PID:10980
- C:\Windows\System32\tcqDQgB.exe
  C:\Windows\System32\tcqDQgB.exe
  2⤵
  PID:11112
- C:\Windows\System32\EcWkkDn.exe
  C:\Windows\System32\EcWkkDn.exe
  2⤵
  PID:10584
- C:\Windows\System32\QAFpFch.exe
  C:\Windows\System32\QAFpFch.exe
  2⤵
  PID:10800
- C:\Windows\System32\UWhbRPc.exe
  C:\Windows\System32\UWhbRPc.exe
  2⤵
  PID:10956
- C:\Windows\System32\vfZyxQS.exe
  C:\Windows\System32\vfZyxQS.exe
  2⤵
  PID:4984
- C:\Windows\System32\CvCtLDd.exe
  C:\Windows\System32\CvCtLDd.exe
  2⤵
  PID:11276
- C:\Windows\System32\XNklkQA.exe
  C:\Windows\System32\XNklkQA.exe
  2⤵
  PID:11300
- C:\Windows\System32\gtHMJkh.exe
  C:\Windows\System32\gtHMJkh.exe
  2⤵
  PID:11324
- C:\Windows\System32\zwRmMuC.exe
  C:\Windows\System32\zwRmMuC.exe
  2⤵
  PID:11372
- C:\Windows\System32\cEBDDHN.exe
  C:\Windows\System32\cEBDDHN.exe
  2⤵
  PID:11408
- C:\Windows\System32\ZYliXUB.exe
  C:\Windows\System32\ZYliXUB.exe
  2⤵
  PID:11432
- C:\Windows\System32\eKMYqHh.exe
  C:\Windows\System32\eKMYqHh.exe
  2⤵
  PID:11448
- C:\Windows\System32\WhHBAfk.exe
  C:\Windows\System32\WhHBAfk.exe
  2⤵
  PID:11476
- C:\Windows\System32\IQLAWyK.exe
  C:\Windows\System32\IQLAWyK.exe
  2⤵
  PID:11516
- C:\Windows\System32\hendQuq.exe
  C:\Windows\System32\hendQuq.exe
  2⤵
  PID:11536
- C:\Windows\System32\PLzpKRI.exe
  C:\Windows\System32\PLzpKRI.exe
  2⤵
  PID:11560
- C:\Windows\System32\RXhpuhx.exe
  C:\Windows\System32\RXhpuhx.exe
  2⤵
  PID:11592
- C:\Windows\System32\iSNjizC.exe
  C:\Windows\System32\iSNjizC.exe
  2⤵
  PID:11612
- C:\Windows\System32\IkYtTxS.exe
  C:\Windows\System32\IkYtTxS.exe
  2⤵
  PID:11656
- C:\Windows\System32\MhYwloq.exe
  C:\Windows\System32\MhYwloq.exe
  2⤵
  PID:11688
- C:\Windows\System32\wILPLGl.exe
  C:\Windows\System32\wILPLGl.exe
  2⤵
  PID:11712
- C:\Windows\System32\SklZGpF.exe
  C:\Windows\System32\SklZGpF.exe
  2⤵
  PID:11728
- C:\Windows\System32\wwaxBww.exe
  C:\Windows\System32\wwaxBww.exe
  2⤵
  PID:11748
- C:\Windows\System32\jJyXqfO.exe
  C:\Windows\System32\jJyXqfO.exe
  2⤵
  PID:11764
- C:\Windows\System32\yrCNPGJ.exe
  C:\Windows\System32\yrCNPGJ.exe
  2⤵
  PID:11808
- C:\Windows\System32\btDeQmE.exe
  C:\Windows\System32\btDeQmE.exe
  2⤵
  PID:11824
- C:\Windows\System32\XuwGTJS.exe
  C:\Windows\System32\XuwGTJS.exe
  2⤵
  PID:11860
- C:\Windows\System32\HLGQMNg.exe
  C:\Windows\System32\HLGQMNg.exe
  2⤵
  PID:11880
- C:\Windows\System32\mcQamZV.exe
  C:\Windows\System32\mcQamZV.exe
  2⤵
  PID:11928
- C:\Windows\System32\pXHhjaG.exe
  C:\Windows\System32\pXHhjaG.exe
  2⤵
  PID:12028
- C:\Windows\System32\TmRqhWq.exe
  C:\Windows\System32\TmRqhWq.exe
  2⤵
  PID:12044
- C:\Windows\System32\KMpWIVk.exe
  C:\Windows\System32\KMpWIVk.exe
  2⤵
  PID:12060
- C:\Windows\System32\LDWXYyS.exe
  C:\Windows\System32\LDWXYyS.exe
  2⤵
  PID:12080
- C:\Windows\System32\scGqkWn.exe
  C:\Windows\System32\scGqkWn.exe
  2⤵
  PID:12096
- C:\Windows\System32\MpZCIEZ.exe
  C:\Windows\System32\MpZCIEZ.exe
  2⤵
  PID:12112
- C:\Windows\System32\rTirdCG.exe
  C:\Windows\System32\rTirdCG.exe
  2⤵
  PID:12132
- C:\Windows\System32\lEKkGYt.exe
  C:\Windows\System32\lEKkGYt.exe
  2⤵
  PID:12148
- C:\Windows\System32\iNDPXwJ.exe
  C:\Windows\System32\iNDPXwJ.exe
  2⤵
  PID:12164
- C:\Windows\System32\kgWnrII.exe
  C:\Windows\System32\kgWnrII.exe
  2⤵
  PID:12180
- C:\Windows\System32\FHZnqld.exe
  C:\Windows\System32\FHZnqld.exe
  2⤵
  PID:12196
- C:\Windows\System32\NvTcIRa.exe
  C:\Windows\System32\NvTcIRa.exe
  2⤵
  PID:12212
- C:\Windows\System32\FRPigCe.exe
  C:\Windows\System32\FRPigCe.exe
  2⤵
  PID:12240
- C:\Windows\System32\EdnNKoP.exe
  C:\Windows\System32\EdnNKoP.exe
  2⤵
  PID:12256
- C:\Windows\System32\TPMAlKq.exe
  C:\Windows\System32\TPMAlKq.exe
  2⤵
  PID:10816
- C:\Windows\System32\zYAoRuV.exe
  C:\Windows\System32\zYAoRuV.exe
  2⤵
  PID:808
- C:\Windows\System32\ojSvAVk.exe
  C:\Windows\System32\ojSvAVk.exe
  2⤵
  PID:11420
- C:\Windows\System32\KvWGbfh.exe
  C:\Windows\System32\KvWGbfh.exe
  2⤵
  PID:11460
- C:\Windows\System32\crusZOn.exe
  C:\Windows\System32\crusZOn.exe
  2⤵
  PID:11676
- C:\Windows\System32\LMLcOnp.exe
  C:\Windows\System32\LMLcOnp.exe
  2⤵
  PID:11888
- C:\Windows\System32\nuIItKf.exe
  C:\Windows\System32\nuIItKf.exe
  2⤵
  PID:11868
- C:\Windows\System32\NtbuGdf.exe
  C:\Windows\System32\NtbuGdf.exe
  2⤵
  PID:12024
- C:\Windows\System32\UWUoCYD.exe
  C:\Windows\System32\UWUoCYD.exe
  2⤵
  PID:11936
- C:\Windows\System32\FObmLbo.exe
  C:\Windows\System32\FObmLbo.exe
  2⤵
  PID:11988
- C:\Windows\System32\ugEKlqx.exe
  C:\Windows\System32\ugEKlqx.exe
  2⤵
  PID:12016
- C:\Windows\System32\SvSVALL.exe
  C:\Windows\System32\SvSVALL.exe
  2⤵
  PID:12092
- C:\Windows\System32\HUTFzyX.exe
  C:\Windows\System32\HUTFzyX.exe
  2⤵
  PID:12232
- C:\Windows\System32\iUZTtNy.exe
  C:\Windows\System32\iUZTtNy.exe
  2⤵
  PID:12172
- C:\Windows\System32\KGiMLVc.exe
  C:\Windows\System32\KGiMLVc.exe
  2⤵
  PID:12252
- C:\Windows\System32\MfIZEnD.exe
  C:\Windows\System32\MfIZEnD.exe
  2⤵
  PID:12268
- C:\Windows\System32\QyWUWFa.exe
  C:\Windows\System32\QyWUWFa.exe
  2⤵
  PID:12248
- C:\Windows\System32\DHIAfOX.exe
  C:\Windows\System32\DHIAfOX.exe
  2⤵
  PID:11736
- C:\Windows\System32\aLnpGoI.exe
  C:\Windows\System32\aLnpGoI.exe
  2⤵
  PID:11908
- C:\Windows\System32\NuCdfrX.exe
  C:\Windows\System32\NuCdfrX.exe
  2⤵
  PID:11916
- C:\Windows\System32\OxKJdSS.exe
  C:\Windows\System32\OxKJdSS.exe
  2⤵
  PID:12040
- C:\Windows\System32\mUXlNpm.exe
  C:\Windows\System32\mUXlNpm.exe
  2⤵
  PID:12004
- C:\Windows\System32\CeIbLIy.exe
  C:\Windows\System32\CeIbLIy.exe
  2⤵
  PID:12220
- C:\Windows\System32\pnPinrK.exe
  C:\Windows\System32\pnPinrK.exe
  2⤵
  PID:11672
- C:\Windows\System32\bKkNXKO.exe
  C:\Windows\System32\bKkNXKO.exe
  2⤵
  PID:11996
- C:\Windows\System32\jBRUFDV.exe
  C:\Windows\System32\jBRUFDV.exe
  2⤵
  PID:4756
- C:\Windows\System32\BVIoryB.exe
  C:\Windows\System32\BVIoryB.exe
  2⤵
  PID:2244
- C:\Windows\System32\KKrXWgS.exe
  C:\Windows\System32\KKrXWgS.exe
  2⤵
  PID:12068
- C:\Windows\System32\QxRoxWJ.exe
  C:\Windows\System32\QxRoxWJ.exe
  2⤵
  PID:11960
- C:\Windows\System32\qnbOiWZ.exe
  C:\Windows\System32\qnbOiWZ.exe
  2⤵
  PID:1440
- C:\Windows\System32\PoNVGga.exe
  C:\Windows\System32\PoNVGga.exe
  2⤵
  PID:12308
- C:\Windows\System32\vygbkcJ.exe
  C:\Windows\System32\vygbkcJ.exe
  2⤵
  PID:12324
- C:\Windows\System32\mkbhchQ.exe
  C:\Windows\System32\mkbhchQ.exe
  2⤵
  PID:12368
- C:\Windows\System32\tVvzOrh.exe
  C:\Windows\System32\tVvzOrh.exe
  2⤵
  PID:12384
- C:\Windows\System32\TgNdhzf.exe
  C:\Windows\System32\TgNdhzf.exe
  2⤵
  PID:12412
- C:\Windows\System32\bMQvAbM.exe
  C:\Windows\System32\bMQvAbM.exe
  2⤵
  PID:12428
- C:\Windows\System32\OGMDsCs.exe
  C:\Windows\System32\OGMDsCs.exe
  2⤵
  PID:12452
- C:\Windows\System32\dBEDyUe.exe
  C:\Windows\System32\dBEDyUe.exe
  2⤵
  PID:12468
- C:\Windows\System32\DygGJYH.exe
  C:\Windows\System32\DygGJYH.exe
  2⤵
  PID:12536
- C:\Windows\System32\NCEkeUv.exe
  C:\Windows\System32\NCEkeUv.exe
  2⤵
  PID:12560
- C:\Windows\System32\YSeMDDe.exe
  C:\Windows\System32\YSeMDDe.exe
  2⤵
  PID:12580
- C:\Windows\System32\ZLStWLy.exe
  C:\Windows\System32\ZLStWLy.exe
  2⤵
  PID:12596
- C:\Windows\System32\AgZDDvd.exe
  C:\Windows\System32\AgZDDvd.exe
  2⤵
  PID:12644
- C:\Windows\System32\bwzcBEa.exe
  C:\Windows\System32\bwzcBEa.exe
  2⤵
  PID:12664
- C:\Windows\System32\JEPmfXV.exe
  C:\Windows\System32\JEPmfXV.exe
  2⤵
  PID:12684
- C:\Windows\System32\QmzeYtp.exe
  C:\Windows\System32\QmzeYtp.exe
  2⤵
  PID:12704
- C:\Windows\System32\tUYJEkx.exe
  C:\Windows\System32\tUYJEkx.exe
  2⤵
  PID:12744
- C:\Windows\System32\sPosRBW.exe
  C:\Windows\System32\sPosRBW.exe
  2⤵
  PID:12764
- C:\Windows\System32\YoLuBoY.exe
  C:\Windows\System32\YoLuBoY.exe
  2⤵
  PID:12820
- C:\Windows\System32\XWsMJwZ.exe
  C:\Windows\System32\XWsMJwZ.exe
  2⤵
  PID:12840
- C:\Windows\System32\lrHKZqA.exe
  C:\Windows\System32\lrHKZqA.exe
  2⤵
  PID:12856
- C:\Windows\System32\BnzEbCk.exe
  C:\Windows\System32\BnzEbCk.exe
  2⤵
  PID:12876
- C:\Windows\System32\NsRfVIB.exe
  C:\Windows\System32\NsRfVIB.exe
  2⤵
  PID:12892
- C:\Windows\System32\QdZCYiW.exe
  C:\Windows\System32\QdZCYiW.exe
  2⤵
  PID:12924
- C:\Windows\System32\hxiTZwZ.exe
  C:\Windows\System32\hxiTZwZ.exe
  2⤵
  PID:12984
- C:\Windows\System32\PioRQLZ.exe
  C:\Windows\System32\PioRQLZ.exe
  2⤵
  PID:13012
- C:\Windows\System32\iSWlBQW.exe
  C:\Windows\System32\iSWlBQW.exe
  2⤵
  PID:13036
- C:\Windows\System32\NmCLaOC.exe
  C:\Windows\System32\NmCLaOC.exe
  2⤵
  PID:13064
- C:\Windows\System32\hZujgDs.exe
  C:\Windows\System32\hZujgDs.exe
  2⤵
  PID:13092
- C:\Windows\System32\iUccYee.exe
  C:\Windows\System32\iUccYee.exe
  2⤵
  PID:13108
- C:\Windows\System32\TDRdhTE.exe
  C:\Windows\System32\TDRdhTE.exe
  2⤵
  PID:13124
- C:\Windows\System32\quMIalN.exe
  C:\Windows\System32\quMIalN.exe
  2⤵
  PID:13184
- C:\Windows\System32\IuXnLqd.exe
  C:\Windows\System32\IuXnLqd.exe
  2⤵
  PID:13208
- C:\Windows\System32\KoKXQqE.exe
  C:\Windows\System32\KoKXQqE.exe
  2⤵
  PID:13232
- C:\Windows\System32\adewvON.exe
  C:\Windows\System32\adewvON.exe
  2⤵
  PID:13276
- C:\Windows\System32\QECwCet.exe
  C:\Windows\System32\QECwCet.exe
  2⤵
  PID:13304
- C:\Windows\System32\SYqKjrG.exe
  C:\Windows\System32\SYqKjrG.exe
  2⤵
  PID:12316
- C:\Windows\System32\hsldxTk.exe
  C:\Windows\System32\hsldxTk.exe
  2⤵
  PID:12436
- C:\Windows\System32\yjDRDJQ.exe
  C:\Windows\System32\yjDRDJQ.exe
  2⤵
  PID:12424
- C:\Windows\System32\cQHOgml.exe
  C:\Windows\System32\cQHOgml.exe
  2⤵
  PID:12448
- C:\Windows\System32\pOAZbXv.exe
  C:\Windows\System32\pOAZbXv.exe
  2⤵
  PID:12576

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\CSfINkr.exe

Filesize
985KB

MD5
1ae6c50f3bedec0971703b9c2be8a264

SHA1
257c7edd4ece51626d556f60426e32fed97e5f91

SHA256
1a1d377763b33ed335df95087563691aad7b83cdf8f4612845167bbc280cd995

SHA512
8f55feb462378bd08b673ff7d24df0023a75989ed7604d61907e0bb1a1ddc91886f82509b8f7a0445591e3cac47ab77bfef5cba347c739a5e359274ad6d7cf92

Download Submit
C:\Windows\System32\EWuXUKs.exe

Filesize
981KB

MD5
9dce4e5963112c873ef5fdc54587be8f

SHA1
0734c03cb0dc5d1be3b7d8385d132de928ef0f0f

SHA256
bd41cfed4b951a708c38655bd503d1fc9e93904e40411cc60b72e3c9dee6adc8

SHA512
347512d9532771bd7f29ebdba72fe0d25ed27d4f2089027d94826733f6c8bfd2e76befbd56f2ac3e24f200cb0bddbb8682e77586e7d964162d35250e661d71f5

Download Submit
C:\Windows\System32\EfZOEcl.exe

Filesize
986KB

MD5
d06841c4e68eed7b52646acb95dd6b8c

SHA1
cb5abab0b19a954a1149f3b8a4b4c629bba3f524

SHA256
c5634aee4b0fc596f7ec1815d2512cff9440a5c3a2e9a443ce095e8289d19eaf

SHA512
b5903efb6394b1c048dad92e404533c7f3916e1a6edb034e237dd5668c28c30c5ad6607504b9de7da8e3336482bccca6fb1a52aba0eea13043bb9c09613c1c7a

Download Submit
C:\Windows\System32\EtOgRUt.exe

Filesize
984KB

MD5
9e80b5e840bb97e96ac78c8489e1a43e

SHA1
5be379a72b27e5f8c634309a189f907d1f70d64b

SHA256
8f7a9f981a1e883660e5f981e7638887e53357ce8009169dfea35f0123eb89fe

SHA512
31c7a6719b31762e422a8a3a386d34692dfa02d9b33a062bc82681af45a7c9a177c8bb1dda5e0f4c9ce51434a4dbc2f8d9c440c6fd207c89b59529f37c6ebd7e

Download Submit
C:\Windows\System32\GrfwsEk.exe

Filesize
985KB

MD5
afb879ccf9987bdef8e1e13e47d9f00f

SHA1
a6dfede91e12a894467d9e666077b25d6c7fc893

SHA256
1762464584d91c29e04894dc8023a43b69220ae4cc0050a3310800b9f12ddd19

SHA512
f525c5daea75f89568c5f75cad74993c51148a755f1a714aa41dbe7cf2282500ae0bc1cf065ee3f0db4977ded404f13db3f8a29ab72da5cb3fb54b6f9829ae4c

Download Submit
C:\Windows\System32\IQIFanD.exe

Filesize
982KB

MD5
8aa3e7201d39b2e6fa9852c59f640f02

SHA1
c7c0886fe8faf9904c232ec56fadc6493ecad1b2

SHA256
f874170d6e6b00604d741224212aa1bd8e5279a96f8d4ded06ba309955566c80

SHA512
29d59cc0d018b351d262e4b2b289e0545b552211b138eaf114622c976f41cd07d3bc6a8c778928d4985e56f0aecdfe8b974879f3be93eead53fbea80adea18b0

Download Submit
C:\Windows\System32\JxqgfeD.exe

Filesize
986KB

MD5
aecae0044e6614212dd4362c0c1dd8a7

SHA1
a8afd7a724e5acb2ec7e45f994abbb212769e42f

SHA256
953085e50917f1b85ff186c6035e796f8e4916066efa492cefec2a7464a6c9ff

SHA512
a19c09d8aa36daa28d6927e1a29ea4d9f32d578f5364ff0a25c736a651f3be287d33cb92905c1fd940d11aa7b55010db47dac5f2d9c54d55be9686268adfb664

Download Submit
C:\Windows\System32\POIPhIE.exe

Filesize
983KB

MD5
9a24f7c395bd533d117c192947a15106

SHA1
8b635f6ae5761c131fe98080e678ba6876ea8282

SHA256
b035e1d3f84c2969b30d9b3b27ff511405e695c57131eb6a48ea9f1878117535

SHA512
6ca06c90fedbe383c539ac54856e2ad066e01f2146e78cff09d7047a8b7454de7ded6cc13bbf77acc4ccafa73a6cc6dbbb53920fe06e6ce3b3faa7036cd65d4e

Download Submit
C:\Windows\System32\SRelYCB.exe

Filesize
980KB

MD5
2fa9d6ce6b903e1a7a09e23c65d2e7b2

SHA1
0a5acb3cde8c4de4f5c6819638bbf81de5ded4e5

SHA256
86e7784df14941ad6a13050a1b1ac645d750629d7e628780b4b71c7fa714b88d

SHA512
c5cd957eebb4222eb46cef35dd8eced82dea2bdd9a4ab7779e11c215c1b44b1e18a54c93229ec82645f71d3b6324872fb05e242b038d93e81405f3e32fe03106

Download Submit
C:\Windows\System32\UOhYtMe.exe

Filesize
983KB

MD5
f3171cb44f1c87f81bdd8bbc128c816d

SHA1
a029fbc0379a69fee3c30711645a597666cae355

SHA256
51950c40c1a337b11a702546e1d4a03b0c7963de49a4d2bce2d6b18981d2556d

SHA512
11db66da2d81730e965d80719a8524576fc1f0eac3af3c652a7a7bf6dee264c48cb02b38543a2fd7e1b15db25160e3a1d427751eabb3bf4f1843576535738443

Download Submit
C:\Windows\System32\Uugrnte.exe

Filesize
979KB

MD5
51127ed4e0d172d4f5bd4e97f120ef84

SHA1
6dcce4b86e0ed1e1ce35efad4477abe649477956

SHA256
f5dc35b3a7d1adc6206aa4ce384dcc5ab3e7a4da87e1299a56e87b58dbaef25e

SHA512
66f69f60cf725a509366e5dc02f66c76b2aaf9cdb249dac798f364925b4853e7677e371f8f7bb0200470285c00cdedd72346b98501965ce7fc3ac6fb3e4e4930

Download Submit
C:\Windows\System32\VtvXCle.exe

Filesize
983KB

MD5
fcf3b0f22ba8bb0143d4e62a775d490a

SHA1
75a86c4370dcdd0b2a0b7fef8ccefba8ace30f2b

SHA256
dc545f1db1bb49556711f7942e7fc62c30bdf6493fe697ff719dc183ad0f17ea

SHA512
0c7dc917e4d67ac0e2191bc046c140c868ca4ac63802d98e234ce00c081fa830837d05b03424f0942c47b52bf7059b46f1f7394d7f863cd5aeeff68890e73a5c

Download Submit
C:\Windows\System32\WUpfxYL.exe

Filesize
985KB

MD5
0bf1edf24fd3c105d4a6753461f88666

SHA1
54b5402ac86a87e6e0847df13b55ddeba1448a46

SHA256
cceefcfd084bc9bab533f2b4d9b6327c1ff8fb322eff4a4427dd1bee173d675d

SHA512
1af05e71f1c5b07c25e81f1e3d681d3e0d206b07ccc0c162ad252a2993f91ce290a5deb1199e071034159779d0340f1b36180d8dd36fba2ddf1f6e3b66bf5aef

Download Submit
C:\Windows\System32\ZmHGbjS.exe

Filesize
984KB

MD5
798a7ec02ac095234de0a51d46570037

SHA1
ffe806be6296523188537e6e6840c20b689ea762

SHA256
53e931a9d6c486373359a12c40ccbfd82e5c13c92ebb949a54b604cae2cd194b

SHA512
b58eb2fba6c6b8e6edaa529f54c4031d088e65a8caab64fdc672bc9f910002e48cd2adb20074d9b0b37b0749014ccf7cf76c75f96fb4218d6c8b3c162afd292f

Download Submit
C:\Windows\System32\bqEZEeB.exe

Filesize
981KB

MD5
48bf83f832cdbfa40df9fe9b2167ab9e

SHA1
aba084246a466b9ed74d1e8ef81a1c994dd1057b

SHA256
f8f26776def39e58c09db88772c67c7127d27241f25a9270b96dc4b839dab54c

SHA512
49f7456f1acd3eee4cd003a2bfaab72298641087d8849f0f82ee41f90888c65264954a0f00273ab7b9b3d3ae58365ea925b76c9578adaea10c45c8854b35b40b

Download Submit
C:\Windows\System32\cJRQtMv.exe

Filesize
986KB

MD5
9b6c403065316b164386f5b6cf0b7c7b

SHA1
192ef65b543484e45d648001330b46f9bda69e5b

SHA256
a76d3317b3142cfac0a963e5a2a2439d976affb4018b55f7e9bf7588c19d3447

SHA512
7415cde597b808222edcdcac11f4877124a90bbc40995463b412e037f5d0135f53fea1a1bf34a15eacc52797d3870807c29c0b5f22cc8dbae0c05cfa87360430

Download Submit
C:\Windows\System32\efvpPgi.exe

Filesize
980KB

MD5
f66841eb60fc6d1a4f782f635571ed7f

SHA1
8b92bab3123a3dbcf13a80a10df64981e40a222f

SHA256
426a633784372a18c9c1792c1af58b3dd249029d4d1a68da020e59e3591e01ae

SHA512
79d4518aceee5807fef10dd5aaa964decbc46579d974ac5f42ecf085082044611269835849823e6163ec34540c006b6c5716a67a8313a92b010be3461c0aa0ac

Download Submit
C:\Windows\System32\fCrSPdi.exe

Filesize
982KB

MD5
8d912460ee88aacb8d1864a8466a68eb

SHA1
2873cb4c2c48aed1c3f4ed726f4b784483b45ec6

SHA256
41ec7270497df2b090534643576754fe24699dfe3dfc42d65a1b846eef3f69f6

SHA512
2f4328ff3eab257d97eded49889defa4087ab5db8e443599363d6ed325f78d6b41ec07345b2a1ce79e727aa2357cb684aed2eabbee832aa48fe1da2ea1e2f86b

Download Submit
C:\Windows\System32\izQdAdB.exe

Filesize
980KB

MD5
e8ed7f9b4783044cde6d792f4f125503

SHA1
3591f27c05a91f36ef33681fe72859e0116494cb

SHA256
27bfdf55c3aaa79bd1b7726abd963f5c4e8f1bb647e05a796c383de2668f20d0

SHA512
b4c2621f7d7a82eb9d515d2735d852550d83ad8e5195040afc4e0f4852bb389c6a8d8ad77b10fc1a8e1c3782787ba68ea50fe79be68266dc28e96cf3af592b1e

Download Submit
C:\Windows\System32\ktUXKqs.exe

Filesize
984KB

MD5
0cfc795692dde1a3a750a84447147da4

SHA1
6446971744741a82c7d440c39ed0d71a405f5002

SHA256
23f392d52d4baa74f0398e92825355b29ec9bd07f2dab6cb5a707db9ecf7528a

SHA512
9f849f1efe963c5afcede0597b9fe4e43935cf20e851e673ad56e2ab7a5cffe8086e33c048be1f3179b66009a7ec9ce91c51f0fa4ed6a86e705c508a3be1667b

Download Submit
C:\Windows\System32\pbBGvfQ.exe

Filesize
985KB

MD5
2b953aa3f78fe0b6781cb0df21cfa616

SHA1
77b91348bb8670e3390e27f492473cdaefc10a60

SHA256
7c5700e261b69dd14a7f123115fe1c1cf8c3356e2cdcd7fced2ae53be3fa3088

SHA512
e16f7f36fd9844f12f288ed3d46c551a2314992c80532dfe2e75749b3228482fbc13b160897434cc86e8f9a31ef45611654148be8d7ed3d1355c6e24a0b9e4b0

Download Submit
C:\Windows\System32\pxnxZam.exe

Filesize
986KB

MD5
d170eb329ebbbb0cee04a7ae220969f2

SHA1
3028fa497f7b2bab56a288994f809dbbed7711d0

SHA256
a3c7f84a372ce66eb3d37bd440cdfb74788c00a98a5e7e0ccc9c63b24c5d7b5d

SHA512
24a21eb2a99296bd110a046b9387942267129637ce98a76c7c4978b502d3bb2843de4c1ed2ca24d0e765366b075fe592da6948be9c1b6d77e94ed4b1e3b5ec40

Download Submit
C:\Windows\System32\qSgjBYF.exe

Filesize
981KB

MD5
1bc0c5134db30ea739663b59cb1163b1

SHA1
66d8902a8b8b53d33162b574d6e42ea433c0aeb7

SHA256
301512291a4851266a2c312bfb28df42df19230d2583cb18f3b02ab808cd221a

SHA512
3a8358b505816131ccd50b9847b8a9653cd61ca15a1053b88495f5776223baacd76bd8a7648401b2e08027ba0175d02e19e2b6158fa320ad3649b34f2ae0c27f

Download Submit
C:\Windows\System32\qTFexWq.exe

Filesize
980KB

MD5
337a557c234d5f39f8b37a98dac79915

SHA1
44a17ffd19ec93ce0a8c6fe615faf5ba89797ef6

SHA256
3eb9ac342bedf1c1a1520f6c6cafdb7f9b86ee2dfba6d13e644f190396dccaa2

SHA512
bf6950accd56b5e2d856b3430316f7f9790c9907fabd21da1ca4b7551737a96b6e23e8298cf8ac64b883634b0ae453dfcc7bc92abfc1c0a7127c2b14d337c057

Download Submit
C:\Windows\System32\ruvFSCD.exe

Filesize
979KB

MD5
08cdb7c83ef8bad3ab7340dbc936a53f

SHA1
bd962ef2853d9648bef57ea5c31177ebca07cc6c

SHA256
ea686e666f7379acfa432fdf48024fb154450fbf28a14a693e65a4e1c0732d5b

SHA512
9b87573ea8145de86a1fe153326748a7a613c5ff0352e976394c0a9c4381bbd41525b5a9b28545a7cf272db7a76f0769cb0f6a3577fe9384382db42c21b28911

Download Submit
C:\Windows\System32\snClGwt.exe

Filesize
983KB

MD5
a53d30c7a961dd4a9538991254130b30

SHA1
308e180bdd84e76955b02cc529914e2ce99e6c91

SHA256
c4e56db8c034ecf8ba3853a3309fd93eaf0b0fb23173e4e06b8a7594234c5d95

SHA512
1349d7242c93afeb9af21316ee486270b1c55c109b7f6ad204e0631767cfed086898c286e844b0274706c6a4eaa5f63e85e95a3ca2fa18b23303edce2220daa2

Download Submit
C:\Windows\System32\tbiChVm.exe

Filesize
979KB

MD5
e43436c451a0ebb67bad642b47a48cd4

SHA1
f6c328be16247bbb0b333e75a9bb4e5925468b99

SHA256
402114451b6a0f2f09529b84bb9e6cb2b01515a580acd468d3d5c13c91ea38fa

SHA512
3f95073896fa5c34f793e6f1887240bc0103378e86c215094c8df0194459ad446bfbc9aa0d63c3d8844c683d38ac524c9ca68c5f348c61c9c0c993368ec26e5e

Download Submit
C:\Windows\System32\unepaiN.exe

Filesize
981KB

MD5
e3e065804db92b251366b26e27f2de29

SHA1
16708fa8df72f465e65c5ca92b47f0783adb648b

SHA256
03a010285e55def4aa7112b62a72f244377e99eff99b44ab689b117221fdfba0

SHA512
95fec188ed629c31f190026179bcbb3819f36a4faec9930f232e123309b04ceaacab879a60ba709b2cc8103083a83b7f851df6aeb01a3818643f32c1f93c71bf

Download Submit
C:\Windows\System32\wOjFRzn.exe

Filesize
982KB

MD5
f06029d5d50e3981cf9bfe9659b603fd

SHA1
aab7a70328297cef1830b6547e885a867db1b2c6

SHA256
4005ca07264daff032a4d3337ffa3ce6bad40649ed5d6b789338b02666be624e

SHA512
84ef9d6c12d708ac418dbf70f91d03ab8eb21e370219795069e7d1077015c95fa8a90d76c5e0fe42229fe41ca9c3f24767ddf9b316e76ce80aa4760451b70363

Download Submit
C:\Windows\System32\xhYwHvg.exe

Filesize
984KB

MD5
d9778d02cff633031c5fdda0b1499c80

SHA1
34505dc3b1a701238cc932cf7f037b28a41ee2f6

SHA256
1535961929d5aac5a4dbe36e8e0ec7e3c3e6ab6cd4e2c58d7e2159b854fa1b52

SHA512
6231d32c299d411471b78b97169325c819e22aafe132100acfb18b2fe552d6e8d8b0d1c124e6399a5127dace2eca90bd0a986db76330f3b9dbf74f798e7c4ae5

Download Submit
C:\Windows\System32\zGAnouK.exe

Filesize
984KB

MD5
e92e2eb8e62ada055260dd55233c026e

SHA1
a057a2b3e145e131f40ccd3d8121b1cafd0306fd

SHA256
f87e40eae1de76655462e078dc6a60d3dca30e061d9e8bbd24aa10fd55830ee5

SHA512
b67522c0147b2432bfd12cfdf30295352c685537e6296a6564992588a26fed2dd2e4f78c63478f737c916984531b48f7f6f5e6003ebde6139ab9dcacdf8820a3

Download Submit
C:\Windows\System32\zTLsHnS.exe

Filesize
982KB

MD5
ad250388a55f304ae38d0496b232755b

SHA1
a4eedd84ef197b4744fcbcdef6746e5bad6f85c4

SHA256
d574e76c13823cd86f76ab2d1adf44985fbaa7b1537c433ee231af8c19bdee54

SHA512
646265b9550f05b7a8b4d6a0b3796eabf6f88be869e5e1420d2f12cc93bcf80e84ddd485d685235c13dc682657c81544cd7ff80e13e8cf62f19d425762ad1c20

Download Submit
memory/332-329-0x00007FF668310000-0x00007FF668701000-memory.dmp

Filesize
3.9MB

Download
memory/332-2103-0x00007FF668310000-0x00007FF668701000-memory.dmp

Filesize
3.9MB

Download
memory/1096-2105-0x00007FF6E7D90000-0x00007FF6E8181000-memory.dmp

Filesize
3.9MB

Download
memory/1096-333-0x00007FF6E7D90000-0x00007FF6E8181000-memory.dmp

Filesize
3.9MB

Download
memory/1152-273-0x00007FF622890000-0x00007FF622C81000-memory.dmp

Filesize
3.9MB

Download
memory/1152-2078-0x00007FF622890000-0x00007FF622C81000-memory.dmp

Filesize
3.9MB

Download
memory/1228-2097-0x00007FF61AAB0000-0x00007FF61AEA1000-memory.dmp

Filesize
3.9MB

Download
memory/1228-304-0x00007FF61AAB0000-0x00007FF61AEA1000-memory.dmp

Filesize
3.9MB

Download
memory/1380-2060-0x00007FF757610000-0x00007FF757A01000-memory.dmp

Filesize
3.9MB

Download
memory/1380-63-0x00007FF757610000-0x00007FF757A01000-memory.dmp

Filesize
3.9MB

Download
memory/1480-1-0x0000012007320000-0x0000012007330000-memory.dmp

Filesize
64KB

Download
memory/1480-0-0x00007FF74C860000-0x00007FF74CC51000-memory.dmp

Filesize
3.9MB

Download
memory/1544-2052-0x00007FF7E8750000-0x00007FF7E8B41000-memory.dmp

Filesize
3.9MB

Download
memory/1544-47-0x00007FF7E8750000-0x00007FF7E8B41000-memory.dmp

Filesize
3.9MB

Download
memory/2108-2070-0x00007FF6BF790000-0x00007FF6BFB81000-memory.dmp

Filesize
3.9MB

Download
memory/2108-284-0x00007FF6BF790000-0x00007FF6BFB81000-memory.dmp

Filesize
3.9MB

Download
memory/2420-18-0x00007FF791220000-0x00007FF791611000-memory.dmp

Filesize
3.9MB

Download
memory/2420-2046-0x00007FF791220000-0x00007FF791611000-memory.dmp

Filesize
3.9MB

Download
memory/2488-305-0x00007FF730C50000-0x00007FF731041000-memory.dmp

Filesize
3.9MB

Download
memory/2488-2095-0x00007FF730C50000-0x00007FF731041000-memory.dmp

Filesize
3.9MB

Download
memory/2784-30-0x00007FF6827A0000-0x00007FF682B91000-memory.dmp

Filesize
3.9MB

Download
memory/2784-2050-0x00007FF6827A0000-0x00007FF682B91000-memory.dmp

Filesize
3.9MB

Download
memory/2784-1989-0x00007FF6827A0000-0x00007FF682B91000-memory.dmp

Filesize
3.9MB

Download
memory/2884-2026-0x00007FF670A20000-0x00007FF670E11000-memory.dmp

Filesize
3.9MB

Download
memory/2884-2068-0x00007FF670A20000-0x00007FF670E11000-memory.dmp

Filesize
3.9MB

Download
memory/2884-72-0x00007FF670A20000-0x00007FF670E11000-memory.dmp

Filesize
3.9MB

Download
memory/3044-69-0x00007FF62A790000-0x00007FF62AB81000-memory.dmp

Filesize
3.9MB

Download
memory/3044-2066-0x00007FF62A790000-0x00007FF62AB81000-memory.dmp

Filesize
3.9MB

Download
memory/3044-2004-0x00007FF62A790000-0x00007FF62AB81000-memory.dmp

Filesize
3.9MB

Download
memory/3052-319-0x00007FF67DBB0000-0x00007FF67DFA1000-memory.dmp

Filesize
3.9MB

Download
memory/3052-2074-0x00007FF67DBB0000-0x00007FF67DFA1000-memory.dmp

Filesize
3.9MB

Download
memory/3092-308-0x00007FF720130000-0x00007FF720521000-memory.dmp

Filesize
3.9MB

Download
memory/3092-2072-0x00007FF720130000-0x00007FF720521000-memory.dmp

Filesize
3.9MB

Download
memory/3116-2056-0x00007FF7E8520000-0x00007FF7E8911000-memory.dmp

Filesize
3.9MB

Download
memory/3116-53-0x00007FF7E8520000-0x00007FF7E8911000-memory.dmp

Filesize
3.9MB

Download
memory/3892-2076-0x00007FF748000000-0x00007FF7483F1000-memory.dmp

Filesize
3.9MB

Download
memory/3892-332-0x00007FF748000000-0x00007FF7483F1000-memory.dmp

Filesize
3.9MB

Download
memory/4108-2101-0x00007FF7D6470000-0x00007FF7D6861000-memory.dmp

Filesize
3.9MB

Download
memory/4108-288-0x00007FF7D6470000-0x00007FF7D6861000-memory.dmp

Filesize
3.9MB

Download
memory/4276-2048-0x00007FF66A190000-0x00007FF66A581000-memory.dmp

Filesize
3.9MB

Download
memory/4276-61-0x00007FF66A190000-0x00007FF66A581000-memory.dmp

Filesize
3.9MB

Download
memory/4280-35-0x00007FF7A41B0000-0x00007FF7A45A1000-memory.dmp

Filesize
3.9MB

Download
memory/4280-2054-0x00007FF7A41B0000-0x00007FF7A45A1000-memory.dmp

Filesize
3.9MB

Download
memory/4280-1990-0x00007FF7A41B0000-0x00007FF7A45A1000-memory.dmp

Filesize
3.9MB

Download
memory/4388-2080-0x00007FF73D390000-0x00007FF73D781000-memory.dmp

Filesize
3.9MB

Download
memory/4388-331-0x00007FF73D390000-0x00007FF73D781000-memory.dmp

Filesize
3.9MB

Download
memory/4464-2099-0x00007FF763A40000-0x00007FF763E31000-memory.dmp

Filesize
3.9MB

Download
memory/4464-292-0x00007FF763A40000-0x00007FF763E31000-memory.dmp

Filesize
3.9MB

Download
memory/4476-2058-0x00007FF77B120000-0x00007FF77B511000-memory.dmp

Filesize
3.9MB

Download
memory/4476-57-0x00007FF77B120000-0x00007FF77B511000-memory.dmp

Filesize
3.9MB

Download
memory/4592-58-0x00007FF666E10000-0x00007FF667201000-memory.dmp

Filesize
3.9MB

Download
memory/4592-2062-0x00007FF666E10000-0x00007FF667201000-memory.dmp

Filesize
3.9MB

Download
memory/5012-2064-0x00007FF74FFA0000-0x00007FF750391000-memory.dmp

Filesize
3.9MB

Download
memory/5012-71-0x00007FF74FFA0000-0x00007FF750391000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads