xmrig | 5a391beec97cd23c40ef08eb982f109f91609e5548279f9f285ffdc362ca1a59

Analysis

max time kernel
116s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 12:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
Size

1.3MB
MD5

2a066b42baac8a5851cf5f39a2a6167c
SHA1

fd54ab2d63b6af1974eef7081a459432331ae510
SHA256

5a391beec97cd23c40ef08eb982f109f91609e5548279f9f285ffdc362ca1a59
SHA512

16f36eab71059869bf020fb68aab37566b34e26f3067e98bd2f3f4093389273cfbaa29bc54c49aea4508b80d9b342e6a2a1af754e21affa927526f5f465ab035
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIO6zRIhRmuSOj1fI:knw9oUUEEDlGUh+hNjq

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 52 IoCs

miner

resource	yara_rule
behavioral2/memory/2548-29-0x00007FF70BEF0000-0x00007FF70C2E1000-memory.dmp	xmrig
behavioral2/memory/1728-32-0x00007FF770A60000-0x00007FF770E51000-memory.dmp	xmrig
behavioral2/memory/4936-27-0x00007FF7035D0000-0x00007FF7039C1000-memory.dmp	xmrig
behavioral2/memory/1512-19-0x00007FF6C6330000-0x00007FF6C6721000-memory.dmp	xmrig
behavioral2/memory/3040-54-0x00007FF633BC0000-0x00007FF633FB1000-memory.dmp	xmrig
behavioral2/memory/4436-62-0x00007FF7B1260000-0x00007FF7B1651000-memory.dmp	xmrig
behavioral2/memory/3384-56-0x00007FF73B6B0000-0x00007FF73BAA1000-memory.dmp	xmrig
behavioral2/memory/348-40-0x00007FF7D8D70000-0x00007FF7D9161000-memory.dmp	xmrig
behavioral2/memory/4584-73-0x00007FF6EA1E0000-0x00007FF6EA5D1000-memory.dmp	xmrig
behavioral2/memory/3924-343-0x00007FF6EA0D0000-0x00007FF6EA4C1000-memory.dmp	xmrig
behavioral2/memory/3532-344-0x00007FF703960000-0x00007FF703D51000-memory.dmp	xmrig
behavioral2/memory/2656-347-0x00007FF766B50000-0x00007FF766F41000-memory.dmp	xmrig
behavioral2/memory/3796-345-0x00007FF7F8740000-0x00007FF7F8B31000-memory.dmp	xmrig
behavioral2/memory/2312-349-0x00007FF7B6E30000-0x00007FF7B7221000-memory.dmp	xmrig
behavioral2/memory/2692-348-0x00007FF719EB0000-0x00007FF71A2A1000-memory.dmp	xmrig
behavioral2/memory/944-354-0x00007FF67C8E0000-0x00007FF67CCD1000-memory.dmp	xmrig
behavioral2/memory/4788-366-0x00007FF670A20000-0x00007FF670E11000-memory.dmp	xmrig
behavioral2/memory/3424-375-0x00007FF621950000-0x00007FF621D41000-memory.dmp	xmrig
behavioral2/memory/2216-388-0x00007FF72F380000-0x00007FF72F771000-memory.dmp	xmrig
behavioral2/memory/1648-389-0x00007FF698400000-0x00007FF6987F1000-memory.dmp	xmrig
behavioral2/memory/2200-384-0x00007FF62B390000-0x00007FF62B781000-memory.dmp	xmrig
behavioral2/memory/8-363-0x00007FF74A390000-0x00007FF74A781000-memory.dmp	xmrig
behavioral2/memory/2208-360-0x00007FF7CC6E0000-0x00007FF7CCAD1000-memory.dmp	xmrig
behavioral2/memory/3456-918-0x00007FF7AE3D0000-0x00007FF7AE7C1000-memory.dmp	xmrig
behavioral2/memory/4936-930-0x00007FF7035D0000-0x00007FF7039C1000-memory.dmp	xmrig
behavioral2/memory/1728-1947-0x00007FF770A60000-0x00007FF770E51000-memory.dmp	xmrig
behavioral2/memory/968-2025-0x00007FF703C60000-0x00007FF704051000-memory.dmp	xmrig
behavioral2/memory/2216-2059-0x00007FF72F380000-0x00007FF72F771000-memory.dmp	xmrig
behavioral2/memory/3456-2070-0x00007FF7AE3D0000-0x00007FF7AE7C1000-memory.dmp	xmrig
behavioral2/memory/1512-2072-0x00007FF6C6330000-0x00007FF6C6721000-memory.dmp	xmrig
behavioral2/memory/1728-2078-0x00007FF770A60000-0x00007FF770E51000-memory.dmp	xmrig
behavioral2/memory/4936-2076-0x00007FF7035D0000-0x00007FF7039C1000-memory.dmp	xmrig
behavioral2/memory/2548-2074-0x00007FF70BEF0000-0x00007FF70C2E1000-memory.dmp	xmrig
behavioral2/memory/348-2080-0x00007FF7D8D70000-0x00007FF7D9161000-memory.dmp	xmrig
behavioral2/memory/3040-2084-0x00007FF633BC0000-0x00007FF633FB1000-memory.dmp	xmrig
behavioral2/memory/968-2082-0x00007FF703C60000-0x00007FF704051000-memory.dmp	xmrig
behavioral2/memory/3384-2086-0x00007FF73B6B0000-0x00007FF73BAA1000-memory.dmp	xmrig
behavioral2/memory/4436-2088-0x00007FF7B1260000-0x00007FF7B1651000-memory.dmp	xmrig
behavioral2/memory/1648-2090-0x00007FF698400000-0x00007FF6987F1000-memory.dmp	xmrig
behavioral2/memory/3924-2092-0x00007FF6EA0D0000-0x00007FF6EA4C1000-memory.dmp	xmrig
behavioral2/memory/4584-2094-0x00007FF6EA1E0000-0x00007FF6EA5D1000-memory.dmp	xmrig
behavioral2/memory/3532-2096-0x00007FF703960000-0x00007FF703D51000-memory.dmp	xmrig
behavioral2/memory/8-2110-0x00007FF74A390000-0x00007FF74A781000-memory.dmp	xmrig
behavioral2/memory/2692-2106-0x00007FF719EB0000-0x00007FF71A2A1000-memory.dmp	xmrig
behavioral2/memory/2656-2104-0x00007FF766B50000-0x00007FF766F41000-memory.dmp	xmrig
behavioral2/memory/2312-2102-0x00007FF7B6E30000-0x00007FF7B7221000-memory.dmp	xmrig
behavioral2/memory/3796-2100-0x00007FF7F8740000-0x00007FF7F8B31000-memory.dmp	xmrig
behavioral2/memory/944-2098-0x00007FF67C8E0000-0x00007FF67CCD1000-memory.dmp	xmrig
behavioral2/memory/4788-2112-0x00007FF670A20000-0x00007FF670E11000-memory.dmp	xmrig
behavioral2/memory/3424-2114-0x00007FF621950000-0x00007FF621D41000-memory.dmp	xmrig
behavioral2/memory/2200-2116-0x00007FF62B390000-0x00007FF62B781000-memory.dmp	xmrig
behavioral2/memory/2208-2108-0x00007FF7CC6E0000-0x00007FF7CCAD1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3456	sSrYkdn.exe
1512	OUsWpWQ.exe
2548	oxWkToO.exe
4936	RYNkajt.exe
1728	MJiFsSw.exe
348	NALLBPv.exe
968	XJFwZiL.exe
3040	fnRTsGN.exe
3384	ZkCOZcB.exe
4436	uBZBOkR.exe
4584	xSTrgBH.exe
3924	YNWztVr.exe
1648	YmYHkdX.exe
3532	tKiBlqk.exe
3796	tkuirVl.exe
2656	qIcsoAZ.exe
2692	MZhbGtM.exe
2312	eOVGBOg.exe
944	SVEkuNH.exe
2208	TFtTOCe.exe
8	cjVChpy.exe
4788	DgbriRf.exe
3424	OUxnMnd.exe
2200	sobzEzf.exe
1624	KqGPsno.exe
2936	ouPSGSn.exe
1568	ieKQrSj.exe
2596	LuyfJPi.exe
2192	NtoMpLk.exe
3688	wQABgAx.exe
3568	pDebIIw.exe
4812	ngapbCu.exe
4228	NgjGooq.exe
1544	rHegzZM.exe
4484	eQCRGIe.exe
4932	dzotdrQ.exe
440	FKzpzIB.exe
4240	IRGhpFj.exe
4512	NSfWyVS.exe
832	KYPJjnG.exe
4852	mEwsTIo.exe
2828	WOXAGpq.exe
5092	OYJVZuG.exe
3224	xJdZDcw.exe
5116	XeKBAEC.exe
3432	IfTNHMH.exe
4984	xazuUMi.exe
1188	dtpPubW.exe
3844	KPSjfJB.exe
4220	IzZbAlw.exe
2688	FfeJyPH.exe
4424	mtZwGZs.exe
4176	RTcnrgt.exe
4132	oBrXSlE.exe
3272	JfESCTC.exe
3436	nTGIeNr.exe
4976	TeWUuBC.exe
5096	nyFARQO.exe
452	GDEFPQT.exe
4968	VGYwWpL.exe
5084	gbcsldG.exe
3736	qXJKviq.exe
3492	uEQCaRi.exe
4408	BKJtEze.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2216-0-0x00007FF72F380000-0x00007FF72F771000-memory.dmp	upx
behavioral2/files/0x0008000000022f51-4.dat	upx
behavioral2/files/0x0008000000023412-10.dat	upx
behavioral2/files/0x000900000002340a-11.dat	upx
behavioral2/files/0x0007000000023413-21.dat	upx
behavioral2/files/0x0007000000023414-30.dat	upx
behavioral2/memory/2548-29-0x00007FF70BEF0000-0x00007FF70C2E1000-memory.dmp	upx
behavioral2/memory/1728-32-0x00007FF770A60000-0x00007FF770E51000-memory.dmp	upx
behavioral2/memory/4936-27-0x00007FF7035D0000-0x00007FF7039C1000-memory.dmp	upx
behavioral2/memory/1512-19-0x00007FF6C6330000-0x00007FF6C6721000-memory.dmp	upx
behavioral2/memory/3456-8-0x00007FF7AE3D0000-0x00007FF7AE7C1000-memory.dmp	upx
behavioral2/files/0x0007000000023415-34.dat	upx
behavioral2/files/0x0007000000023416-44.dat	upx
behavioral2/memory/968-46-0x00007FF703C60000-0x00007FF704051000-memory.dmp	upx
behavioral2/files/0x0009000000023410-48.dat	upx
behavioral2/files/0x0007000000023417-53.dat	upx
behavioral2/memory/3040-54-0x00007FF633BC0000-0x00007FF633FB1000-memory.dmp	upx
behavioral2/files/0x0007000000023418-58.dat	upx
behavioral2/memory/4436-62-0x00007FF7B1260000-0x00007FF7B1651000-memory.dmp	upx
behavioral2/memory/3384-56-0x00007FF73B6B0000-0x00007FF73BAA1000-memory.dmp	upx
behavioral2/memory/348-40-0x00007FF7D8D70000-0x00007FF7D9161000-memory.dmp	upx
behavioral2/files/0x0007000000023419-69.dat	upx
behavioral2/files/0x0004000000022ac4-68.dat	upx
behavioral2/memory/4584-73-0x00007FF6EA1E0000-0x00007FF6EA5D1000-memory.dmp	upx
behavioral2/files/0x000800000002341a-77.dat	upx
behavioral2/files/0x000800000002341c-82.dat	upx
behavioral2/files/0x000700000002341d-87.dat	upx
behavioral2/files/0x000700000002341e-92.dat	upx
behavioral2/files/0x000700000002341f-97.dat	upx
behavioral2/files/0x0007000000023421-105.dat	upx
behavioral2/files/0x0007000000023422-110.dat	upx
behavioral2/files/0x0007000000023423-117.dat	upx
behavioral2/files/0x0007000000023428-142.dat	upx
behavioral2/files/0x000700000002342c-162.dat	upx
behavioral2/files/0x000700000002342e-172.dat	upx
behavioral2/memory/3924-343-0x00007FF6EA0D0000-0x00007FF6EA4C1000-memory.dmp	upx
behavioral2/memory/3532-344-0x00007FF703960000-0x00007FF703D51000-memory.dmp	upx
behavioral2/files/0x000700000002342d-167.dat	upx
behavioral2/files/0x000700000002342b-157.dat	upx
behavioral2/files/0x000700000002342a-152.dat	upx
behavioral2/files/0x0007000000023429-147.dat	upx
behavioral2/files/0x0007000000023427-137.dat	upx
behavioral2/files/0x0007000000023426-132.dat	upx
behavioral2/files/0x0007000000023425-127.dat	upx
behavioral2/files/0x0007000000023424-122.dat	upx
behavioral2/files/0x0007000000023420-102.dat	upx
behavioral2/memory/2656-347-0x00007FF766B50000-0x00007FF766F41000-memory.dmp	upx
behavioral2/memory/3796-345-0x00007FF7F8740000-0x00007FF7F8B31000-memory.dmp	upx
behavioral2/memory/2312-349-0x00007FF7B6E30000-0x00007FF7B7221000-memory.dmp	upx
behavioral2/memory/2692-348-0x00007FF719EB0000-0x00007FF71A2A1000-memory.dmp	upx
behavioral2/memory/944-354-0x00007FF67C8E0000-0x00007FF67CCD1000-memory.dmp	upx
behavioral2/memory/4788-366-0x00007FF670A20000-0x00007FF670E11000-memory.dmp	upx
behavioral2/memory/3424-375-0x00007FF621950000-0x00007FF621D41000-memory.dmp	upx
behavioral2/memory/2216-388-0x00007FF72F380000-0x00007FF72F771000-memory.dmp	upx
behavioral2/memory/1648-389-0x00007FF698400000-0x00007FF6987F1000-memory.dmp	upx
behavioral2/memory/2200-384-0x00007FF62B390000-0x00007FF62B781000-memory.dmp	upx
behavioral2/memory/8-363-0x00007FF74A390000-0x00007FF74A781000-memory.dmp	upx
behavioral2/memory/2208-360-0x00007FF7CC6E0000-0x00007FF7CCAD1000-memory.dmp	upx
behavioral2/memory/3456-918-0x00007FF7AE3D0000-0x00007FF7AE7C1000-memory.dmp	upx
behavioral2/memory/4936-930-0x00007FF7035D0000-0x00007FF7039C1000-memory.dmp	upx
behavioral2/memory/1728-1947-0x00007FF770A60000-0x00007FF770E51000-memory.dmp	upx
behavioral2/memory/968-2025-0x00007FF703C60000-0x00007FF704051000-memory.dmp	upx
behavioral2/memory/2216-2059-0x00007FF72F380000-0x00007FF72F771000-memory.dmp	upx
behavioral2/memory/3456-2070-0x00007FF7AE3D0000-0x00007FF7AE7C1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\QmdABcN.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\eXWUPhG.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\ENcBUfk.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\JsZcJPJ.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\WGAizgT.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\oLCBvsq.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\TeWUuBC.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\gbcsldG.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\QCpjXgO.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\UWRPKdn.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\QNJKdWO.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\fPFwtAI.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\Lsalzjw.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\tiQuJbl.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\ckMXkKs.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\YcQqnkG.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\tHOeUgn.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\hUTzlMT.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\BLlVUCP.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\ahktKiO.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\devxMex.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\veSoyoA.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\oLArByO.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\GkKEFmg.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\qpNeOFh.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\DgRzWDW.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\uaelaBy.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\qYIVAEE.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\YvopEiI.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\TkFsgDY.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\YgOalSk.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\mIEqENM.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\qIeVOPE.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\mFNSbBl.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\QuWDZQM.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\xQUBxfZ.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\NNMUWlw.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\aUtVSSa.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\PdjbxKN.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\XziKjPY.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\tpJSuGm.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\jgcivtP.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\oJbIvbg.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\KMyKCbZ.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\HYpALDX.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\vTJogKX.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\NvTsBWv.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\SjxeDvo.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\ILNssOk.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\BoybVZZ.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\BKJtEze.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\tqBOrgZ.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\PRfJvss.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\OhxtFfO.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\JfESCTC.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\VEesHRx.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\iyPlGAg.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\CNKKPTT.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\rBpEzqz.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\shZFLsm.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\JOZetgA.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\LtXdMic.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\NREfMlH.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
File created	C:\Windows\System32\WqblIMj.exe	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12824	dwm.exe
Token: SeChangeNotifyPrivilege	12824	dwm.exe
Token: 33	12824	dwm.exe
Token: SeIncBasePriorityPrivilege	12824	dwm.exe
Token: SeShutdownPrivilege	12824	dwm.exe
Token: SeCreatePagefilePrivilege	12824	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 3456	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	84
PID 2216 wrote to memory of 3456	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	84
PID 2216 wrote to memory of 1512	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	85
PID 2216 wrote to memory of 1512	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	85
PID 2216 wrote to memory of 2548	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	86
PID 2216 wrote to memory of 2548	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	86
PID 2216 wrote to memory of 4936	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	87
PID 2216 wrote to memory of 4936	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	87
PID 2216 wrote to memory of 1728	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	88
PID 2216 wrote to memory of 1728	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	88
PID 2216 wrote to memory of 348	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	89
PID 2216 wrote to memory of 348	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	89
PID 2216 wrote to memory of 968	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	90
PID 2216 wrote to memory of 968	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	90
PID 2216 wrote to memory of 3040	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	91
PID 2216 wrote to memory of 3040	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	91
PID 2216 wrote to memory of 3384	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	92
PID 2216 wrote to memory of 3384	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	92
PID 2216 wrote to memory of 4436	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	93
PID 2216 wrote to memory of 4436	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	93
PID 2216 wrote to memory of 4584	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	94
PID 2216 wrote to memory of 4584	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	94
PID 2216 wrote to memory of 3924	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	96
PID 2216 wrote to memory of 3924	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	96
PID 2216 wrote to memory of 1648	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	97
PID 2216 wrote to memory of 1648	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	97
PID 2216 wrote to memory of 3532	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	98
PID 2216 wrote to memory of 3532	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	98
PID 2216 wrote to memory of 3796	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	99
PID 2216 wrote to memory of 3796	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	99
PID 2216 wrote to memory of 2656	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	100
PID 2216 wrote to memory of 2656	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	100
PID 2216 wrote to memory of 2692	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	101
PID 2216 wrote to memory of 2692	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	101
PID 2216 wrote to memory of 2312	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	102
PID 2216 wrote to memory of 2312	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	102
PID 2216 wrote to memory of 944	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	103
PID 2216 wrote to memory of 944	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	103
PID 2216 wrote to memory of 2208	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	104
PID 2216 wrote to memory of 2208	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	104
PID 2216 wrote to memory of 8	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	105
PID 2216 wrote to memory of 8	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	105
PID 2216 wrote to memory of 4788	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	106
PID 2216 wrote to memory of 4788	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	106
PID 2216 wrote to memory of 3424	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	107
PID 2216 wrote to memory of 3424	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	107
PID 2216 wrote to memory of 2200	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	108
PID 2216 wrote to memory of 2200	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	108
PID 2216 wrote to memory of 1624	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	109
PID 2216 wrote to memory of 1624	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	109
PID 2216 wrote to memory of 2936	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	110
PID 2216 wrote to memory of 2936	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	110
PID 2216 wrote to memory of 1568	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	111
PID 2216 wrote to memory of 1568	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	111
PID 2216 wrote to memory of 2596	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	112
PID 2216 wrote to memory of 2596	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	112
PID 2216 wrote to memory of 2192	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	113
PID 2216 wrote to memory of 2192	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	113
PID 2216 wrote to memory of 3688	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	114
PID 2216 wrote to memory of 3688	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	114
PID 2216 wrote to memory of 3568	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	115
PID 2216 wrote to memory of 3568	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	115
PID 2216 wrote to memory of 4812	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	116
PID 2216 wrote to memory of 4812	2216	2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a066b42baac8a5851cf5f39a2a6167c_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\System32\sSrYkdn.exe
  C:\Windows\System32\sSrYkdn.exe
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\System32\OUsWpWQ.exe
  C:\Windows\System32\OUsWpWQ.exe
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\System32\oxWkToO.exe
  C:\Windows\System32\oxWkToO.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System32\RYNkajt.exe
  C:\Windows\System32\RYNkajt.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System32\MJiFsSw.exe
  C:\Windows\System32\MJiFsSw.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System32\NALLBPv.exe
  C:\Windows\System32\NALLBPv.exe
  2⤵
  - Executes dropped EXE
  PID:348
- C:\Windows\System32\XJFwZiL.exe
  C:\Windows\System32\XJFwZiL.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System32\fnRTsGN.exe
  C:\Windows\System32\fnRTsGN.exe
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\System32\ZkCOZcB.exe
  C:\Windows\System32\ZkCOZcB.exe
  2⤵
  - Executes dropped EXE
  PID:3384
- C:\Windows\System32\uBZBOkR.exe
  C:\Windows\System32\uBZBOkR.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System32\xSTrgBH.exe
  C:\Windows\System32\xSTrgBH.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System32\YNWztVr.exe
  C:\Windows\System32\YNWztVr.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System32\YmYHkdX.exe
  C:\Windows\System32\YmYHkdX.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System32\tKiBlqk.exe
  C:\Windows\System32\tKiBlqk.exe
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Windows\System32\tkuirVl.exe
  C:\Windows\System32\tkuirVl.exe
  2⤵
  - Executes dropped EXE
  PID:3796
- C:\Windows\System32\qIcsoAZ.exe
  C:\Windows\System32\qIcsoAZ.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System32\MZhbGtM.exe
  C:\Windows\System32\MZhbGtM.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System32\eOVGBOg.exe
  C:\Windows\System32\eOVGBOg.exe
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\System32\SVEkuNH.exe
  C:\Windows\System32\SVEkuNH.exe
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\System32\TFtTOCe.exe
  C:\Windows\System32\TFtTOCe.exe
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\System32\cjVChpy.exe
  C:\Windows\System32\cjVChpy.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System32\DgbriRf.exe
  C:\Windows\System32\DgbriRf.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System32\OUxnMnd.exe
  C:\Windows\System32\OUxnMnd.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System32\sobzEzf.exe
  C:\Windows\System32\sobzEzf.exe
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\System32\KqGPsno.exe
  C:\Windows\System32\KqGPsno.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System32\ouPSGSn.exe
  C:\Windows\System32\ouPSGSn.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System32\ieKQrSj.exe
  C:\Windows\System32\ieKQrSj.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System32\LuyfJPi.exe
  C:\Windows\System32\LuyfJPi.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System32\NtoMpLk.exe
  C:\Windows\System32\NtoMpLk.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System32\wQABgAx.exe
  C:\Windows\System32\wQABgAx.exe
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\System32\pDebIIw.exe
  C:\Windows\System32\pDebIIw.exe
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Windows\System32\ngapbCu.exe
  C:\Windows\System32\ngapbCu.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System32\NgjGooq.exe
  C:\Windows\System32\NgjGooq.exe
  2⤵
  - Executes dropped EXE
  PID:4228
- C:\Windows\System32\rHegzZM.exe
  C:\Windows\System32\rHegzZM.exe
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\System32\eQCRGIe.exe
  C:\Windows\System32\eQCRGIe.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System32\dzotdrQ.exe
  C:\Windows\System32\dzotdrQ.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System32\FKzpzIB.exe
  C:\Windows\System32\FKzpzIB.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\System32\IRGhpFj.exe
  C:\Windows\System32\IRGhpFj.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System32\NSfWyVS.exe
  C:\Windows\System32\NSfWyVS.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System32\KYPJjnG.exe
  C:\Windows\System32\KYPJjnG.exe
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Windows\System32\mEwsTIo.exe
  C:\Windows\System32\mEwsTIo.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System32\WOXAGpq.exe
  C:\Windows\System32\WOXAGpq.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System32\OYJVZuG.exe
  C:\Windows\System32\OYJVZuG.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System32\xJdZDcw.exe
  C:\Windows\System32\xJdZDcw.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System32\XeKBAEC.exe
  C:\Windows\System32\XeKBAEC.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System32\IfTNHMH.exe
  C:\Windows\System32\IfTNHMH.exe
  2⤵
  - Executes dropped EXE
  PID:3432
- C:\Windows\System32\xazuUMi.exe
  C:\Windows\System32\xazuUMi.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System32\dtpPubW.exe
  C:\Windows\System32\dtpPubW.exe
  2⤵
  - Executes dropped EXE
  PID:1188
- C:\Windows\System32\KPSjfJB.exe
  C:\Windows\System32\KPSjfJB.exe
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Windows\System32\IzZbAlw.exe
  C:\Windows\System32\IzZbAlw.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System32\FfeJyPH.exe
  C:\Windows\System32\FfeJyPH.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System32\mtZwGZs.exe
  C:\Windows\System32\mtZwGZs.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System32\RTcnrgt.exe
  C:\Windows\System32\RTcnrgt.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System32\oBrXSlE.exe
  C:\Windows\System32\oBrXSlE.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System32\JfESCTC.exe
  C:\Windows\System32\JfESCTC.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System32\nTGIeNr.exe
  C:\Windows\System32\nTGIeNr.exe
  2⤵
  - Executes dropped EXE
  PID:3436
- C:\Windows\System32\TeWUuBC.exe
  C:\Windows\System32\TeWUuBC.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System32\nyFARQO.exe
  C:\Windows\System32\nyFARQO.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System32\GDEFPQT.exe
  C:\Windows\System32\GDEFPQT.exe
  2⤵
  - Executes dropped EXE
  PID:452
- C:\Windows\System32\VGYwWpL.exe
  C:\Windows\System32\VGYwWpL.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System32\gbcsldG.exe
  C:\Windows\System32\gbcsldG.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System32\qXJKviq.exe
  C:\Windows\System32\qXJKviq.exe
  2⤵
  - Executes dropped EXE
  PID:3736
- C:\Windows\System32\uEQCaRi.exe
  C:\Windows\System32\uEQCaRi.exe
  2⤵
  - Executes dropped EXE
  PID:3492
- C:\Windows\System32\BKJtEze.exe
  C:\Windows\System32\BKJtEze.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System32\hbZtinp.exe
  C:\Windows\System32\hbZtinp.exe
  2⤵
  PID:3912
- C:\Windows\System32\qvNVvpA.exe
  C:\Windows\System32\qvNVvpA.exe
  2⤵
  PID:2624
- C:\Windows\System32\TUSMFmp.exe
  C:\Windows\System32\TUSMFmp.exe
  2⤵
  PID:3952
- C:\Windows\System32\lAdhWof.exe
  C:\Windows\System32\lAdhWof.exe
  2⤵
  PID:4772
- C:\Windows\System32\LGgrWWl.exe
  C:\Windows\System32\LGgrWWl.exe
  2⤵
  PID:2488
- C:\Windows\System32\PUARIRb.exe
  C:\Windows\System32\PUARIRb.exe
  2⤵
  PID:4340
- C:\Windows\System32\JKuYMdI.exe
  C:\Windows\System32\JKuYMdI.exe
  2⤵
  PID:1396
- C:\Windows\System32\pFvjIgs.exe
  C:\Windows\System32\pFvjIgs.exe
  2⤵
  PID:404
- C:\Windows\System32\MmstZWc.exe
  C:\Windows\System32\MmstZWc.exe
  2⤵
  PID:4688
- C:\Windows\System32\YNaXZJr.exe
  C:\Windows\System32\YNaXZJr.exe
  2⤵
  PID:2044
- C:\Windows\System32\QfzsDni.exe
  C:\Windows\System32\QfzsDni.exe
  2⤵
  PID:4880
- C:\Windows\System32\WIdvyTR.exe
  C:\Windows\System32\WIdvyTR.exe
  2⤵
  PID:1160
- C:\Windows\System32\fPFwtAI.exe
  C:\Windows\System32\fPFwtAI.exe
  2⤵
  PID:4348
- C:\Windows\System32\cuycMMX.exe
  C:\Windows\System32\cuycMMX.exe
  2⤵
  PID:4556
- C:\Windows\System32\flgqlud.exe
  C:\Windows\System32\flgqlud.exe
  2⤵
  PID:1864
- C:\Windows\System32\CtwqNlv.exe
  C:\Windows\System32\CtwqNlv.exe
  2⤵
  PID:1904
- C:\Windows\System32\VAGfERI.exe
  C:\Windows\System32\VAGfERI.exe
  2⤵
  PID:2460
- C:\Windows\System32\SnHtFfQ.exe
  C:\Windows\System32\SnHtFfQ.exe
  2⤵
  PID:3956
- C:\Windows\System32\dMvqMkT.exe
  C:\Windows\System32\dMvqMkT.exe
  2⤵
  PID:5036
- C:\Windows\System32\Lsalzjw.exe
  C:\Windows\System32\Lsalzjw.exe
  2⤵
  PID:2400
- C:\Windows\System32\xlAbzqd.exe
  C:\Windows\System32\xlAbzqd.exe
  2⤵
  PID:724
- C:\Windows\System32\WFTrjVo.exe
  C:\Windows\System32\WFTrjVo.exe
  2⤵
  PID:1112
- C:\Windows\System32\VEesHRx.exe
  C:\Windows\System32\VEesHRx.exe
  2⤵
  PID:3888
- C:\Windows\System32\AoWLFZW.exe
  C:\Windows\System32\AoWLFZW.exe
  2⤵
  PID:556
- C:\Windows\System32\inEGNgV.exe
  C:\Windows\System32\inEGNgV.exe
  2⤵
  PID:3260
- C:\Windows\System32\XtOkHqG.exe
  C:\Windows\System32\XtOkHqG.exe
  2⤵
  PID:3836
- C:\Windows\System32\GOkJxMX.exe
  C:\Windows\System32\GOkJxMX.exe
  2⤵
  PID:1884
- C:\Windows\System32\TAhczcG.exe
  C:\Windows\System32\TAhczcG.exe
  2⤵
  PID:3128
- C:\Windows\System32\PEPBwsp.exe
  C:\Windows\System32\PEPBwsp.exe
  2⤵
  PID:3644
- C:\Windows\System32\ZDPzrlf.exe
  C:\Windows\System32\ZDPzrlf.exe
  2⤵
  PID:4372
- C:\Windows\System32\PdjbxKN.exe
  C:\Windows\System32\PdjbxKN.exe
  2⤵
  PID:396
- C:\Windows\System32\RnnCScr.exe
  C:\Windows\System32\RnnCScr.exe
  2⤵
  PID:2288
- C:\Windows\System32\tqBOrgZ.exe
  C:\Windows\System32\tqBOrgZ.exe
  2⤵
  PID:1608
- C:\Windows\System32\odkkPfq.exe
  C:\Windows\System32\odkkPfq.exe
  2⤵
  PID:4980
- C:\Windows\System32\VRiKCOa.exe
  C:\Windows\System32\VRiKCOa.exe
  2⤵
  PID:5172
- C:\Windows\System32\VFcadaG.exe
  C:\Windows\System32\VFcadaG.exe
  2⤵
  PID:5200
- C:\Windows\System32\zDRmRVy.exe
  C:\Windows\System32\zDRmRVy.exe
  2⤵
  PID:5272
- C:\Windows\System32\SyDHQaw.exe
  C:\Windows\System32\SyDHQaw.exe
  2⤵
  PID:5328
- C:\Windows\System32\IemEPIu.exe
  C:\Windows\System32\IemEPIu.exe
  2⤵
  PID:5380
- C:\Windows\System32\kYGCMtr.exe
  C:\Windows\System32\kYGCMtr.exe
  2⤵
  PID:5404
- C:\Windows\System32\WCLtueS.exe
  C:\Windows\System32\WCLtueS.exe
  2⤵
  PID:5436
- C:\Windows\System32\mtHdFbI.exe
  C:\Windows\System32\mtHdFbI.exe
  2⤵
  PID:5460
- C:\Windows\System32\QFcwUtB.exe
  C:\Windows\System32\QFcwUtB.exe
  2⤵
  PID:5476
- C:\Windows\System32\FvSbrmN.exe
  C:\Windows\System32\FvSbrmN.exe
  2⤵
  PID:5500
- C:\Windows\System32\mFNSbBl.exe
  C:\Windows\System32\mFNSbBl.exe
  2⤵
  PID:5524
- C:\Windows\System32\dekWQKG.exe
  C:\Windows\System32\dekWQKG.exe
  2⤵
  PID:5560
- C:\Windows\System32\KQpHHyz.exe
  C:\Windows\System32\KQpHHyz.exe
  2⤵
  PID:5592
- C:\Windows\System32\PHwAnpQ.exe
  C:\Windows\System32\PHwAnpQ.exe
  2⤵
  PID:5612
- C:\Windows\System32\jvzCFUK.exe
  C:\Windows\System32\jvzCFUK.exe
  2⤵
  PID:5628
- C:\Windows\System32\FTQyNFy.exe
  C:\Windows\System32\FTQyNFy.exe
  2⤵
  PID:5652
- C:\Windows\System32\qkCfaFd.exe
  C:\Windows\System32\qkCfaFd.exe
  2⤵
  PID:5692
- C:\Windows\System32\BWDqAoy.exe
  C:\Windows\System32\BWDqAoy.exe
  2⤵
  PID:5720
- C:\Windows\System32\ZxmmSfx.exe
  C:\Windows\System32\ZxmmSfx.exe
  2⤵
  PID:5736
- C:\Windows\System32\SEXfNIj.exe
  C:\Windows\System32\SEXfNIj.exe
  2⤵
  PID:5764
- C:\Windows\System32\aiTorBB.exe
  C:\Windows\System32\aiTorBB.exe
  2⤵
  PID:5784
- C:\Windows\System32\wynItaU.exe
  C:\Windows\System32\wynItaU.exe
  2⤵
  PID:5812
- C:\Windows\System32\VTawxXz.exe
  C:\Windows\System32\VTawxXz.exe
  2⤵
  PID:5868
- C:\Windows\System32\cwIFGiA.exe
  C:\Windows\System32\cwIFGiA.exe
  2⤵
  PID:5912
- C:\Windows\System32\BLlVUCP.exe
  C:\Windows\System32\BLlVUCP.exe
  2⤵
  PID:5928
- C:\Windows\System32\WjJbemT.exe
  C:\Windows\System32\WjJbemT.exe
  2⤵
  PID:5956
- C:\Windows\System32\DJhyaKl.exe
  C:\Windows\System32\DJhyaKl.exe
  2⤵
  PID:5984
- C:\Windows\System32\gJLeFLL.exe
  C:\Windows\System32\gJLeFLL.exe
  2⤵
  PID:6000
- C:\Windows\System32\ggdVjlg.exe
  C:\Windows\System32\ggdVjlg.exe
  2⤵
  PID:6032
- C:\Windows\System32\qwIcaaf.exe
  C:\Windows\System32\qwIcaaf.exe
  2⤵
  PID:6060
- C:\Windows\System32\EanBmuG.exe
  C:\Windows\System32\EanBmuG.exe
  2⤵
  PID:6104
- C:\Windows\System32\YsgKMeE.exe
  C:\Windows\System32\YsgKMeE.exe
  2⤵
  PID:3232
- C:\Windows\System32\WvrvPTX.exe
  C:\Windows\System32\WvrvPTX.exe
  2⤵
  PID:4360
- C:\Windows\System32\BqdmHNf.exe
  C:\Windows\System32\BqdmHNf.exe
  2⤵
  PID:5152
- C:\Windows\System32\HfNfMVd.exe
  C:\Windows\System32\HfNfMVd.exe
  2⤵
  PID:5260
- C:\Windows\System32\VSBWfAZ.exe
  C:\Windows\System32\VSBWfAZ.exe
  2⤵
  PID:760
- C:\Windows\System32\WqblIMj.exe
  C:\Windows\System32\WqblIMj.exe
  2⤵
  PID:2236
- C:\Windows\System32\TXnFeyz.exe
  C:\Windows\System32\TXnFeyz.exe
  2⤵
  PID:5244
- C:\Windows\System32\ebVDyVN.exe
  C:\Windows\System32\ebVDyVN.exe
  2⤵
  PID:5388
- C:\Windows\System32\LBJOnsp.exe
  C:\Windows\System32\LBJOnsp.exe
  2⤵
  PID:5468
- C:\Windows\System32\xoESRze.exe
  C:\Windows\System32\xoESRze.exe
  2⤵
  PID:5520
- C:\Windows\System32\LlcUVBh.exe
  C:\Windows\System32\LlcUVBh.exe
  2⤵
  PID:5552
- C:\Windows\System32\IwZHSlx.exe
  C:\Windows\System32\IwZHSlx.exe
  2⤵
  PID:5608
- C:\Windows\System32\OYeSgKB.exe
  C:\Windows\System32\OYeSgKB.exe
  2⤵
  PID:5728
- C:\Windows\System32\cZafZWn.exe
  C:\Windows\System32\cZafZWn.exe
  2⤵
  PID:5828
- C:\Windows\System32\oPetiIZ.exe
  C:\Windows\System32\oPetiIZ.exe
  2⤵
  PID:5936
- C:\Windows\System32\yZnibeq.exe
  C:\Windows\System32\yZnibeq.exe
  2⤵
  PID:5900
- C:\Windows\System32\feIRQPU.exe
  C:\Windows\System32\feIRQPU.exe
  2⤵
  PID:6020
- C:\Windows\System32\CAYlOFI.exe
  C:\Windows\System32\CAYlOFI.exe
  2⤵
  PID:6024
- C:\Windows\System32\xKnDekD.exe
  C:\Windows\System32\xKnDekD.exe
  2⤵
  PID:6116
- C:\Windows\System32\MLZBiDB.exe
  C:\Windows\System32\MLZBiDB.exe
  2⤵
  PID:5264
- C:\Windows\System32\stEQirY.exe
  C:\Windows\System32\stEQirY.exe
  2⤵
  PID:5320
- C:\Windows\System32\omfALTf.exe
  C:\Windows\System32\omfALTf.exe
  2⤵
  PID:5156
- C:\Windows\System32\OsQcuxZ.exe
  C:\Windows\System32\OsQcuxZ.exe
  2⤵
  PID:5604
- C:\Windows\System32\uCBQuKQ.exe
  C:\Windows\System32\uCBQuKQ.exe
  2⤵
  PID:5732
- C:\Windows\System32\KkoXYBp.exe
  C:\Windows\System32\KkoXYBp.exe
  2⤵
  PID:5884
- C:\Windows\System32\DSEsdkg.exe
  C:\Windows\System32\DSEsdkg.exe
  2⤵
  PID:5920
- C:\Windows\System32\ygUUFqZ.exe
  C:\Windows\System32\ygUUFqZ.exe
  2⤵
  PID:6088
- C:\Windows\System32\DgRzWDW.exe
  C:\Windows\System32\DgRzWDW.exe
  2⤵
  PID:5284
- C:\Windows\System32\JYTijef.exe
  C:\Windows\System32\JYTijef.exe
  2⤵
  PID:5992
- C:\Windows\System32\RLQSgtc.exe
  C:\Windows\System32\RLQSgtc.exe
  2⤵
  PID:5864
- C:\Windows\System32\huhDzZp.exe
  C:\Windows\System32\huhDzZp.exe
  2⤵
  PID:5708
- C:\Windows\System32\gfvqEdj.exe
  C:\Windows\System32\gfvqEdj.exe
  2⤵
  PID:6152
- C:\Windows\System32\KPISens.exe
  C:\Windows\System32\KPISens.exe
  2⤵
  PID:6172
- C:\Windows\System32\NDxBqSr.exe
  C:\Windows\System32\NDxBqSr.exe
  2⤵
  PID:6196
- C:\Windows\System32\doQXXRD.exe
  C:\Windows\System32\doQXXRD.exe
  2⤵
  PID:6248
- C:\Windows\System32\iwpNCln.exe
  C:\Windows\System32\iwpNCln.exe
  2⤵
  PID:6284
- C:\Windows\System32\fOdEUwz.exe
  C:\Windows\System32\fOdEUwz.exe
  2⤵
  PID:6300
- C:\Windows\System32\uWRiSHM.exe
  C:\Windows\System32\uWRiSHM.exe
  2⤵
  PID:6324
- C:\Windows\System32\yprkgCU.exe
  C:\Windows\System32\yprkgCU.exe
  2⤵
  PID:6368
- C:\Windows\System32\uaelaBy.exe
  C:\Windows\System32\uaelaBy.exe
  2⤵
  PID:6392
- C:\Windows\System32\QCpjXgO.exe
  C:\Windows\System32\QCpjXgO.exe
  2⤵
  PID:6412
- C:\Windows\System32\fuEZqux.exe
  C:\Windows\System32\fuEZqux.exe
  2⤵
  PID:6428
- C:\Windows\System32\IgLZkdE.exe
  C:\Windows\System32\IgLZkdE.exe
  2⤵
  PID:6452
- C:\Windows\System32\DxOuxKg.exe
  C:\Windows\System32\DxOuxKg.exe
  2⤵
  PID:6520
- C:\Windows\System32\gISuaoa.exe
  C:\Windows\System32\gISuaoa.exe
  2⤵
  PID:6548
- C:\Windows\System32\ndbjbiS.exe
  C:\Windows\System32\ndbjbiS.exe
  2⤵
  PID:6572
- C:\Windows\System32\rxVKTJf.exe
  C:\Windows\System32\rxVKTJf.exe
  2⤵
  PID:6588
- C:\Windows\System32\LSIdtPl.exe
  C:\Windows\System32\LSIdtPl.exe
  2⤵
  PID:6612
- C:\Windows\System32\uYCDytU.exe
  C:\Windows\System32\uYCDytU.exe
  2⤵
  PID:6632
- C:\Windows\System32\nOQQNuP.exe
  C:\Windows\System32\nOQQNuP.exe
  2⤵
  PID:6660
- C:\Windows\System32\DZsnoDr.exe
  C:\Windows\System32\DZsnoDr.exe
  2⤵
  PID:6680
- C:\Windows\System32\aLSnjtJ.exe
  C:\Windows\System32\aLSnjtJ.exe
  2⤵
  PID:6696
- C:\Windows\System32\cdoskQE.exe
  C:\Windows\System32\cdoskQE.exe
  2⤵
  PID:6736
- C:\Windows\System32\GkCiywW.exe
  C:\Windows\System32\GkCiywW.exe
  2⤵
  PID:6752
- C:\Windows\System32\ydhqnVW.exe
  C:\Windows\System32\ydhqnVW.exe
  2⤵
  PID:6800
- C:\Windows\System32\CKthRNZ.exe
  C:\Windows\System32\CKthRNZ.exe
  2⤵
  PID:6840
- C:\Windows\System32\ecZDWOr.exe
  C:\Windows\System32\ecZDWOr.exe
  2⤵
  PID:6860
- C:\Windows\System32\gPcapAc.exe
  C:\Windows\System32\gPcapAc.exe
  2⤵
  PID:6876
- C:\Windows\System32\jaehPUs.exe
  C:\Windows\System32\jaehPUs.exe
  2⤵
  PID:6904
- C:\Windows\System32\njnBWpZ.exe
  C:\Windows\System32\njnBWpZ.exe
  2⤵
  PID:6920
- C:\Windows\System32\qyVPrpq.exe
  C:\Windows\System32\qyVPrpq.exe
  2⤵
  PID:6984
- C:\Windows\System32\SaWxDXF.exe
  C:\Windows\System32\SaWxDXF.exe
  2⤵
  PID:7020
- C:\Windows\System32\EYWJAQt.exe
  C:\Windows\System32\EYWJAQt.exe
  2⤵
  PID:7048
- C:\Windows\System32\HMmpzJg.exe
  C:\Windows\System32\HMmpzJg.exe
  2⤵
  PID:7072
- C:\Windows\System32\HExwZiA.exe
  C:\Windows\System32\HExwZiA.exe
  2⤵
  PID:7088
- C:\Windows\System32\LczGcCJ.exe
  C:\Windows\System32\LczGcCJ.exe
  2⤵
  PID:7120
- C:\Windows\System32\knyWefB.exe
  C:\Windows\System32\knyWefB.exe
  2⤵
  PID:7144
- C:\Windows\System32\dZgYkiO.exe
  C:\Windows\System32\dZgYkiO.exe
  2⤵
  PID:5712
- C:\Windows\System32\Nyvjoct.exe
  C:\Windows\System32\Nyvjoct.exe
  2⤵
  PID:6192
- C:\Windows\System32\upwMhnx.exe
  C:\Windows\System32\upwMhnx.exe
  2⤵
  PID:6308
- C:\Windows\System32\CWVYsOP.exe
  C:\Windows\System32\CWVYsOP.exe
  2⤵
  PID:6316
- C:\Windows\System32\fjPhhEQ.exe
  C:\Windows\System32\fjPhhEQ.exe
  2⤵
  PID:6376
- C:\Windows\System32\wJrnsyv.exe
  C:\Windows\System32\wJrnsyv.exe
  2⤵
  PID:6424
- C:\Windows\System32\ahktKiO.exe
  C:\Windows\System32\ahktKiO.exe
  2⤵
  PID:6488
- C:\Windows\System32\cFbEwxr.exe
  C:\Windows\System32\cFbEwxr.exe
  2⤵
  PID:6560
- C:\Windows\System32\BCvzltm.exe
  C:\Windows\System32\BCvzltm.exe
  2⤵
  PID:6656
- C:\Windows\System32\QmdABcN.exe
  C:\Windows\System32\QmdABcN.exe
  2⤵
  PID:6688
- C:\Windows\System32\QrYjpgX.exe
  C:\Windows\System32\QrYjpgX.exe
  2⤵
  PID:6744
- C:\Windows\System32\ylWSOhA.exe
  C:\Windows\System32\ylWSOhA.exe
  2⤵
  PID:6796
- C:\Windows\System32\upxcjPy.exe
  C:\Windows\System32\upxcjPy.exe
  2⤵
  PID:6832
- C:\Windows\System32\JZjCTeV.exe
  C:\Windows\System32\JZjCTeV.exe
  2⤵
  PID:6960
- C:\Windows\System32\AgfLzJk.exe
  C:\Windows\System32\AgfLzJk.exe
  2⤵
  PID:7064
- C:\Windows\System32\DXtoKaV.exe
  C:\Windows\System32\DXtoKaV.exe
  2⤵
  PID:7080
- C:\Windows\System32\oiJhHJV.exe
  C:\Windows\System32\oiJhHJV.exe
  2⤵
  PID:7164
- C:\Windows\System32\ljkniJK.exe
  C:\Windows\System32\ljkniJK.exe
  2⤵
  PID:6232
- C:\Windows\System32\SnosQif.exe
  C:\Windows\System32\SnosQif.exe
  2⤵
  PID:6356
- C:\Windows\System32\tiQuJbl.exe
  C:\Windows\System32\tiQuJbl.exe
  2⤵
  PID:6672
- C:\Windows\System32\dFPKhUS.exe
  C:\Windows\System32\dFPKhUS.exe
  2⤵
  PID:6768
- C:\Windows\System32\TkFsgDY.exe
  C:\Windows\System32\TkFsgDY.exe
  2⤵
  PID:6932
- C:\Windows\System32\lXacdmF.exe
  C:\Windows\System32\lXacdmF.exe
  2⤵
  PID:7132
- C:\Windows\System32\paLMZwh.exe
  C:\Windows\System32\paLMZwh.exe
  2⤵
  PID:6168
- C:\Windows\System32\ckMXkKs.exe
  C:\Windows\System32\ckMXkKs.exe
  2⤵
  PID:6584
- C:\Windows\System32\VwHspXd.exe
  C:\Windows\System32\VwHspXd.exe
  2⤵
  PID:7016
- C:\Windows\System32\aqyVHRW.exe
  C:\Windows\System32\aqyVHRW.exe
  2⤵
  PID:6628
- C:\Windows\System32\hxyvAYn.exe
  C:\Windows\System32\hxyvAYn.exe
  2⤵
  PID:6512
- C:\Windows\System32\qGWCNru.exe
  C:\Windows\System32\qGWCNru.exe
  2⤵
  PID:7176
- C:\Windows\System32\anGVwCf.exe
  C:\Windows\System32\anGVwCf.exe
  2⤵
  PID:7196
- C:\Windows\System32\ziNqkRj.exe
  C:\Windows\System32\ziNqkRj.exe
  2⤵
  PID:7244
- C:\Windows\System32\rzNfjSr.exe
  C:\Windows\System32\rzNfjSr.exe
  2⤵
  PID:7268
- C:\Windows\System32\iyPlGAg.exe
  C:\Windows\System32\iyPlGAg.exe
  2⤵
  PID:7288
- C:\Windows\System32\jgixdGE.exe
  C:\Windows\System32\jgixdGE.exe
  2⤵
  PID:7312
- C:\Windows\System32\QPIkdDZ.exe
  C:\Windows\System32\QPIkdDZ.exe
  2⤵
  PID:7336
- C:\Windows\System32\eXWUPhG.exe
  C:\Windows\System32\eXWUPhG.exe
  2⤵
  PID:7364
- C:\Windows\System32\AdWJrIU.exe
  C:\Windows\System32\AdWJrIU.exe
  2⤵
  PID:7404
- C:\Windows\System32\XziKjPY.exe
  C:\Windows\System32\XziKjPY.exe
  2⤵
  PID:7452
- C:\Windows\System32\jULTees.exe
  C:\Windows\System32\jULTees.exe
  2⤵
  PID:7476
- C:\Windows\System32\qHsvSoG.exe
  C:\Windows\System32\qHsvSoG.exe
  2⤵
  PID:7500
- C:\Windows\System32\lJpLShD.exe
  C:\Windows\System32\lJpLShD.exe
  2⤵
  PID:7528
- C:\Windows\System32\fZkeuvF.exe
  C:\Windows\System32\fZkeuvF.exe
  2⤵
  PID:7544
- C:\Windows\System32\PIRbACe.exe
  C:\Windows\System32\PIRbACe.exe
  2⤵
  PID:7568
- C:\Windows\System32\YcQqnkG.exe
  C:\Windows\System32\YcQqnkG.exe
  2⤵
  PID:7584
- C:\Windows\System32\mbBkGne.exe
  C:\Windows\System32\mbBkGne.exe
  2⤵
  PID:7612
- C:\Windows\System32\tBSeiia.exe
  C:\Windows\System32\tBSeiia.exe
  2⤵
  PID:7656
- C:\Windows\System32\ixEeENi.exe
  C:\Windows\System32\ixEeENi.exe
  2⤵
  PID:7700
- C:\Windows\System32\kPlgcMB.exe
  C:\Windows\System32\kPlgcMB.exe
  2⤵
  PID:7736
- C:\Windows\System32\FHlugRt.exe
  C:\Windows\System32\FHlugRt.exe
  2⤵
  PID:7756
- C:\Windows\System32\EswzoYb.exe
  C:\Windows\System32\EswzoYb.exe
  2⤵
  PID:7772
- C:\Windows\System32\KANsSPF.exe
  C:\Windows\System32\KANsSPF.exe
  2⤵
  PID:7792
- C:\Windows\System32\RYCdALb.exe
  C:\Windows\System32\RYCdALb.exe
  2⤵
  PID:7840
- C:\Windows\System32\qfxIyHC.exe
  C:\Windows\System32\qfxIyHC.exe
  2⤵
  PID:7864
- C:\Windows\System32\lsgneFW.exe
  C:\Windows\System32\lsgneFW.exe
  2⤵
  PID:7888
- C:\Windows\System32\ssFFMIZ.exe
  C:\Windows\System32\ssFFMIZ.exe
  2⤵
  PID:7908
- C:\Windows\System32\nUTKGjo.exe
  C:\Windows\System32\nUTKGjo.exe
  2⤵
  PID:7940
- C:\Windows\System32\dVMtsXg.exe
  C:\Windows\System32\dVMtsXg.exe
  2⤵
  PID:7960
- C:\Windows\System32\CNKKPTT.exe
  C:\Windows\System32\CNKKPTT.exe
  2⤵
  PID:7984
- C:\Windows\System32\uTrjDRD.exe
  C:\Windows\System32\uTrjDRD.exe
  2⤵
  PID:8016
- C:\Windows\System32\IfGnQdW.exe
  C:\Windows\System32\IfGnQdW.exe
  2⤵
  PID:8056
- C:\Windows\System32\dVgwKJN.exe
  C:\Windows\System32\dVgwKJN.exe
  2⤵
  PID:8080
- C:\Windows\System32\HKUAxsM.exe
  C:\Windows\System32\HKUAxsM.exe
  2⤵
  PID:8124
- C:\Windows\System32\RlYQtgc.exe
  C:\Windows\System32\RlYQtgc.exe
  2⤵
  PID:8148
- C:\Windows\System32\aXamCpN.exe
  C:\Windows\System32\aXamCpN.exe
  2⤵
  PID:8172
- C:\Windows\System32\orRHoaA.exe
  C:\Windows\System32\orRHoaA.exe
  2⤵
  PID:8188
- C:\Windows\System32\cVgMpdQ.exe
  C:\Windows\System32\cVgMpdQ.exe
  2⤵
  PID:7204
- C:\Windows\System32\dGlsjYg.exe
  C:\Windows\System32\dGlsjYg.exe
  2⤵
  PID:7236
- C:\Windows\System32\nWpdtcm.exe
  C:\Windows\System32\nWpdtcm.exe
  2⤵
  PID:7356
- C:\Windows\System32\LVUnILh.exe
  C:\Windows\System32\LVUnILh.exe
  2⤵
  PID:3800
- C:\Windows\System32\devxMex.exe
  C:\Windows\System32\devxMex.exe
  2⤵
  PID:7488
- C:\Windows\System32\VsVLWUB.exe
  C:\Windows\System32\VsVLWUB.exe
  2⤵
  PID:7540
- C:\Windows\System32\jgWDRMf.exe
  C:\Windows\System32\jgWDRMf.exe
  2⤵
  PID:7628
- C:\Windows\System32\ENcBUfk.exe
  C:\Windows\System32\ENcBUfk.exe
  2⤵
  PID:7876
- C:\Windows\System32\sZtSrTT.exe
  C:\Windows\System32\sZtSrTT.exe
  2⤵
  PID:7924
- C:\Windows\System32\rIeDmOR.exe
  C:\Windows\System32\rIeDmOR.exe
  2⤵
  PID:7996
- C:\Windows\System32\OkkBhKj.exe
  C:\Windows\System32\OkkBhKj.exe
  2⤵
  PID:8052
- C:\Windows\System32\AjyDFpA.exe
  C:\Windows\System32\AjyDFpA.exe
  2⤵
  PID:8100
- C:\Windows\System32\JEzKILl.exe
  C:\Windows\System32\JEzKILl.exe
  2⤵
  PID:6388
- C:\Windows\System32\vlYiDIN.exe
  C:\Windows\System32\vlYiDIN.exe
  2⤵
  PID:7416
- C:\Windows\System32\HCWZzMN.exe
  C:\Windows\System32\HCWZzMN.exe
  2⤵
  PID:7592
- C:\Windows\System32\NBLOnzN.exe
  C:\Windows\System32\NBLOnzN.exe
  2⤵
  PID:7812
- C:\Windows\System32\ZUZnDHu.exe
  C:\Windows\System32\ZUZnDHu.exe
  2⤵
  PID:7696
- C:\Windows\System32\DHZHeCF.exe
  C:\Windows\System32\DHZHeCF.exe
  2⤵
  PID:7852
- C:\Windows\System32\oQlzMxI.exe
  C:\Windows\System32\oQlzMxI.exe
  2⤵
  PID:7936
- C:\Windows\System32\uWgzBHW.exe
  C:\Windows\System32\uWgzBHW.exe
  2⤵
  PID:7224
- C:\Windows\System32\AMjTzbz.exe
  C:\Windows\System32\AMjTzbz.exe
  2⤵
  PID:7260
- C:\Windows\System32\kImWYkl.exe
  C:\Windows\System32\kImWYkl.exe
  2⤵
  PID:7784
- C:\Windows\System32\ygSkevI.exe
  C:\Windows\System32\ygSkevI.exe
  2⤵
  PID:8036
- C:\Windows\System32\ydOIknx.exe
  C:\Windows\System32\ydOIknx.exe
  2⤵
  PID:8088
- C:\Windows\System32\XGXGLqZ.exe
  C:\Windows\System32\XGXGLqZ.exe
  2⤵
  PID:7980
- C:\Windows\System32\CRzwkNl.exe
  C:\Windows\System32\CRzwkNl.exe
  2⤵
  PID:8196
- C:\Windows\System32\ruBAYas.exe
  C:\Windows\System32\ruBAYas.exe
  2⤵
  PID:8216
- C:\Windows\System32\AIkxQNU.exe
  C:\Windows\System32\AIkxQNU.exe
  2⤵
  PID:8236
- C:\Windows\System32\myDJqEl.exe
  C:\Windows\System32\myDJqEl.exe
  2⤵
  PID:8252
- C:\Windows\System32\xFIImik.exe
  C:\Windows\System32\xFIImik.exe
  2⤵
  PID:8288
- C:\Windows\System32\YUdnzGc.exe
  C:\Windows\System32\YUdnzGc.exe
  2⤵
  PID:8320
- C:\Windows\System32\Dtfrtdx.exe
  C:\Windows\System32\Dtfrtdx.exe
  2⤵
  PID:8348
- C:\Windows\System32\qYIVAEE.exe
  C:\Windows\System32\qYIVAEE.exe
  2⤵
  PID:8368
- C:\Windows\System32\dYLlKUv.exe
  C:\Windows\System32\dYLlKUv.exe
  2⤵
  PID:8420
- C:\Windows\System32\chLqKPP.exe
  C:\Windows\System32\chLqKPP.exe
  2⤵
  PID:8452
- C:\Windows\System32\ePlwhZA.exe
  C:\Windows\System32\ePlwhZA.exe
  2⤵
  PID:8476
- C:\Windows\System32\zIlTnZK.exe
  C:\Windows\System32\zIlTnZK.exe
  2⤵
  PID:8500
- C:\Windows\System32\Izfcqdg.exe
  C:\Windows\System32\Izfcqdg.exe
  2⤵
  PID:8520
- C:\Windows\System32\vxOVRop.exe
  C:\Windows\System32\vxOVRop.exe
  2⤵
  PID:8540
- C:\Windows\System32\EGmqfHb.exe
  C:\Windows\System32\EGmqfHb.exe
  2⤵
  PID:8556
- C:\Windows\System32\CgupPiW.exe
  C:\Windows\System32\CgupPiW.exe
  2⤵
  PID:8588
- C:\Windows\System32\pSfSSiG.exe
  C:\Windows\System32\pSfSSiG.exe
  2⤵
  PID:8608
- C:\Windows\System32\mvdohes.exe
  C:\Windows\System32\mvdohes.exe
  2⤵
  PID:8676
- C:\Windows\System32\IeTyMvl.exe
  C:\Windows\System32\IeTyMvl.exe
  2⤵
  PID:8696
- C:\Windows\System32\ljLaFbN.exe
  C:\Windows\System32\ljLaFbN.exe
  2⤵
  PID:8716
- C:\Windows\System32\lJrKRbN.exe
  C:\Windows\System32\lJrKRbN.exe
  2⤵
  PID:8740
- C:\Windows\System32\IknxSMO.exe
  C:\Windows\System32\IknxSMO.exe
  2⤵
  PID:8760
- C:\Windows\System32\ceOSsoa.exe
  C:\Windows\System32\ceOSsoa.exe
  2⤵
  PID:8808
- C:\Windows\System32\UWRPKdn.exe
  C:\Windows\System32\UWRPKdn.exe
  2⤵
  PID:8828
- C:\Windows\System32\wPMBKfO.exe
  C:\Windows\System32\wPMBKfO.exe
  2⤵
  PID:8868
- C:\Windows\System32\mMJCoUZ.exe
  C:\Windows\System32\mMJCoUZ.exe
  2⤵
  PID:8896
- C:\Windows\System32\FQBoZnl.exe
  C:\Windows\System32\FQBoZnl.exe
  2⤵
  PID:8912
- C:\Windows\System32\BhFxVeG.exe
  C:\Windows\System32\BhFxVeG.exe
  2⤵
  PID:8932
- C:\Windows\System32\uOFqXaG.exe
  C:\Windows\System32\uOFqXaG.exe
  2⤵
  PID:8956
- C:\Windows\System32\qdIEtqO.exe
  C:\Windows\System32\qdIEtqO.exe
  2⤵
  PID:9000
- C:\Windows\System32\fAnDXfn.exe
  C:\Windows\System32\fAnDXfn.exe
  2⤵
  PID:9024
- C:\Windows\System32\iXgiYJz.exe
  C:\Windows\System32\iXgiYJz.exe
  2⤵
  PID:9068
- C:\Windows\System32\uPxukXM.exe
  C:\Windows\System32\uPxukXM.exe
  2⤵
  PID:9092
- C:\Windows\System32\oozvnME.exe
  C:\Windows\System32\oozvnME.exe
  2⤵
  PID:9112
- C:\Windows\System32\GkKEFmg.exe
  C:\Windows\System32\GkKEFmg.exe
  2⤵
  PID:9152
- C:\Windows\System32\AEmFvJV.exe
  C:\Windows\System32\AEmFvJV.exe
  2⤵
  PID:9176
- C:\Windows\System32\wOIfERL.exe
  C:\Windows\System32\wOIfERL.exe
  2⤵
  PID:9192
- C:\Windows\System32\fZnVOgj.exe
  C:\Windows\System32\fZnVOgj.exe
  2⤵
  PID:7508
- C:\Windows\System32\zzBgWoB.exe
  C:\Windows\System32\zzBgWoB.exe
  2⤵
  PID:8232
- C:\Windows\System32\DXeEkWg.exe
  C:\Windows\System32\DXeEkWg.exe
  2⤵
  PID:8264
- C:\Windows\System32\nWmzeNa.exe
  C:\Windows\System32\nWmzeNa.exe
  2⤵
  PID:8356
- C:\Windows\System32\JSQzBCy.exe
  C:\Windows\System32\JSQzBCy.exe
  2⤵
  PID:8416
- C:\Windows\System32\KOyoFMU.exe
  C:\Windows\System32\KOyoFMU.exe
  2⤵
  PID:8548
- C:\Windows\System32\kEBxYqT.exe
  C:\Windows\System32\kEBxYqT.exe
  2⤵
  PID:8576
- C:\Windows\System32\xbJWegB.exe
  C:\Windows\System32\xbJWegB.exe
  2⤵
  PID:8628
- C:\Windows\System32\CtGrCFK.exe
  C:\Windows\System32\CtGrCFK.exe
  2⤵
  PID:8708
- C:\Windows\System32\vcSFiId.exe
  C:\Windows\System32\vcSFiId.exe
  2⤵
  PID:8776
- C:\Windows\System32\wchwObj.exe
  C:\Windows\System32\wchwObj.exe
  2⤵
  PID:8884
- C:\Windows\System32\ZHAGNhZ.exe
  C:\Windows\System32\ZHAGNhZ.exe
  2⤵
  PID:8908
- C:\Windows\System32\aQYWLVO.exe
  C:\Windows\System32\aQYWLVO.exe
  2⤵
  PID:8924
- C:\Windows\System32\KEDZjMc.exe
  C:\Windows\System32\KEDZjMc.exe
  2⤵
  PID:9020
- C:\Windows\System32\JIyHRqR.exe
  C:\Windows\System32\JIyHRqR.exe
  2⤵
  PID:9100
- C:\Windows\System32\YfcaOlp.exe
  C:\Windows\System32\YfcaOlp.exe
  2⤵
  PID:9160
- C:\Windows\System32\bwsJhES.exe
  C:\Windows\System32\bwsJhES.exe
  2⤵
  PID:9212
- C:\Windows\System32\vevhnnq.exe
  C:\Windows\System32\vevhnnq.exe
  2⤵
  PID:8392
- C:\Windows\System32\YgOalSk.exe
  C:\Windows\System32\YgOalSk.exe
  2⤵
  PID:8552
- C:\Windows\System32\rqGSKON.exe
  C:\Windows\System32\rqGSKON.exe
  2⤵
  PID:8584
- C:\Windows\System32\puVgadQ.exe
  C:\Windows\System32\puVgadQ.exe
  2⤵
  PID:8804
- C:\Windows\System32\fRehmzE.exe
  C:\Windows\System32\fRehmzE.exe
  2⤵
  PID:8904
- C:\Windows\System32\LZfEumq.exe
  C:\Windows\System32\LZfEumq.exe
  2⤵
  PID:8228
- C:\Windows\System32\sallvTa.exe
  C:\Windows\System32\sallvTa.exe
  2⤵
  PID:8512
- C:\Windows\System32\qAyXALh.exe
  C:\Windows\System32\qAyXALh.exe
  2⤵
  PID:8732
- C:\Windows\System32\tLKLczj.exe
  C:\Windows\System32\tLKLczj.exe
  2⤵
  PID:8600
- C:\Windows\System32\YHrHaZY.exe
  C:\Windows\System32\YHrHaZY.exe
  2⤵
  PID:8992
- C:\Windows\System32\JWQyuar.exe
  C:\Windows\System32\JWQyuar.exe
  2⤵
  PID:9228
- C:\Windows\System32\ODWPfri.exe
  C:\Windows\System32\ODWPfri.exe
  2⤵
  PID:9244
- C:\Windows\System32\AZjYssc.exe
  C:\Windows\System32\AZjYssc.exe
  2⤵
  PID:9272
- C:\Windows\System32\EDlECYL.exe
  C:\Windows\System32\EDlECYL.exe
  2⤵
  PID:9304
- C:\Windows\System32\hVxozah.exe
  C:\Windows\System32\hVxozah.exe
  2⤵
  PID:9324
- C:\Windows\System32\tHOeUgn.exe
  C:\Windows\System32\tHOeUgn.exe
  2⤵
  PID:9348
- C:\Windows\System32\NAKCzwz.exe
  C:\Windows\System32\NAKCzwz.exe
  2⤵
  PID:9372
- C:\Windows\System32\UTChHgp.exe
  C:\Windows\System32\UTChHgp.exe
  2⤵
  PID:9420
- C:\Windows\System32\MDCWnpM.exe
  C:\Windows\System32\MDCWnpM.exe
  2⤵
  PID:9452
- C:\Windows\System32\KHLpXkF.exe
  C:\Windows\System32\KHLpXkF.exe
  2⤵
  PID:9480
- C:\Windows\System32\TbVLcFW.exe
  C:\Windows\System32\TbVLcFW.exe
  2⤵
  PID:9496
- C:\Windows\System32\kbaCyVc.exe
  C:\Windows\System32\kbaCyVc.exe
  2⤵
  PID:9524
- C:\Windows\System32\bCOqxXQ.exe
  C:\Windows\System32\bCOqxXQ.exe
  2⤵
  PID:9564
- C:\Windows\System32\HOzGJFa.exe
  C:\Windows\System32\HOzGJFa.exe
  2⤵
  PID:9580
- C:\Windows\System32\JYCmWbW.exe
  C:\Windows\System32\JYCmWbW.exe
  2⤵
  PID:9600
- C:\Windows\System32\DuwRYit.exe
  C:\Windows\System32\DuwRYit.exe
  2⤵
  PID:9616
- C:\Windows\System32\LfGtxrj.exe
  C:\Windows\System32\LfGtxrj.exe
  2⤵
  PID:9644
- C:\Windows\System32\RDFXnej.exe
  C:\Windows\System32\RDFXnej.exe
  2⤵
  PID:9668
- C:\Windows\System32\yVkIzkG.exe
  C:\Windows\System32\yVkIzkG.exe
  2⤵
  PID:9684
- C:\Windows\System32\qtPIPqj.exe
  C:\Windows\System32\qtPIPqj.exe
  2⤵
  PID:9716
- C:\Windows\System32\OdPzSPz.exe
  C:\Windows\System32\OdPzSPz.exe
  2⤵
  PID:9776
- C:\Windows\System32\kjRJIuJ.exe
  C:\Windows\System32\kjRJIuJ.exe
  2⤵
  PID:9796
- C:\Windows\System32\VPlAPBC.exe
  C:\Windows\System32\VPlAPBC.exe
  2⤵
  PID:9812
- C:\Windows\System32\zvKNxvb.exe
  C:\Windows\System32\zvKNxvb.exe
  2⤵
  PID:9844
- C:\Windows\System32\OBvmEDV.exe
  C:\Windows\System32\OBvmEDV.exe
  2⤵
  PID:9864
- C:\Windows\System32\HFqhcfC.exe
  C:\Windows\System32\HFqhcfC.exe
  2⤵
  PID:9896
- C:\Windows\System32\AmQvATi.exe
  C:\Windows\System32\AmQvATi.exe
  2⤵
  PID:9928
- C:\Windows\System32\qSVQGCh.exe
  C:\Windows\System32\qSVQGCh.exe
  2⤵
  PID:9972
- C:\Windows\System32\FEaYFLX.exe
  C:\Windows\System32\FEaYFLX.exe
  2⤵
  PID:9988
- C:\Windows\System32\IciFqaW.exe
  C:\Windows\System32\IciFqaW.exe
  2⤵
  PID:10028
- C:\Windows\System32\Wggvkqz.exe
  C:\Windows\System32\Wggvkqz.exe
  2⤵
  PID:10068
- C:\Windows\System32\FrfFGNZ.exe
  C:\Windows\System32\FrfFGNZ.exe
  2⤵
  PID:10108
- C:\Windows\System32\ZVewCLi.exe
  C:\Windows\System32\ZVewCLi.exe
  2⤵
  PID:10128
- C:\Windows\System32\xNTtWWe.exe
  C:\Windows\System32\xNTtWWe.exe
  2⤵
  PID:10152
- C:\Windows\System32\eWluBPh.exe
  C:\Windows\System32\eWluBPh.exe
  2⤵
  PID:10180
- C:\Windows\System32\irtJxlJ.exe
  C:\Windows\System32\irtJxlJ.exe
  2⤵
  PID:10208
- C:\Windows\System32\MESwqcB.exe
  C:\Windows\System32\MESwqcB.exe
  2⤵
  PID:10224
- C:\Windows\System32\XGQVYQc.exe
  C:\Windows\System32\XGQVYQc.exe
  2⤵
  PID:8816
- C:\Windows\System32\EuOSoBa.exe
  C:\Windows\System32\EuOSoBa.exe
  2⤵
  PID:9268
- C:\Windows\System32\MocoEPL.exe
  C:\Windows\System32\MocoEPL.exe
  2⤵
  PID:9368
- C:\Windows\System32\UcDOyyK.exe
  C:\Windows\System32\UcDOyyK.exe
  2⤵
  PID:9468
- C:\Windows\System32\nbkzwaq.exe
  C:\Windows\System32\nbkzwaq.exe
  2⤵
  PID:9508
- C:\Windows\System32\QGQZzFa.exe
  C:\Windows\System32\QGQZzFa.exe
  2⤵
  PID:9576
- C:\Windows\System32\DLcLXrl.exe
  C:\Windows\System32\DLcLXrl.exe
  2⤵
  PID:9656
- C:\Windows\System32\GyLzAzB.exe
  C:\Windows\System32\GyLzAzB.exe
  2⤵
  PID:9744
- C:\Windows\System32\QNJKdWO.exe
  C:\Windows\System32\QNJKdWO.exe
  2⤵
  PID:9804
- C:\Windows\System32\MQKinsT.exe
  C:\Windows\System32\MQKinsT.exe
  2⤵
  PID:9860
- C:\Windows\System32\bxVFKoB.exe
  C:\Windows\System32\bxVFKoB.exe
  2⤵
  PID:9892
- C:\Windows\System32\ztzldUD.exe
  C:\Windows\System32\ztzldUD.exe
  2⤵
  PID:10000
- C:\Windows\System32\IsLoxCd.exe
  C:\Windows\System32\IsLoxCd.exe
  2⤵
  PID:10040
- C:\Windows\System32\jMdSjrr.exe
  C:\Windows\System32\jMdSjrr.exe
  2⤵
  PID:10116
- C:\Windows\System32\nBTldBm.exe
  C:\Windows\System32\nBTldBm.exe
  2⤵
  PID:10160
- C:\Windows\System32\BttAoxS.exe
  C:\Windows\System32\BttAoxS.exe
  2⤵
  PID:10200
- C:\Windows\System32\aRONAnC.exe
  C:\Windows\System32\aRONAnC.exe
  2⤵
  PID:9260
- C:\Windows\System32\ODFmNCO.exe
  C:\Windows\System32\ODFmNCO.exe
  2⤵
  PID:9440
- C:\Windows\System32\XumdoKY.exe
  C:\Windows\System32\XumdoKY.exe
  2⤵
  PID:9712
- C:\Windows\System32\ufPxCKz.exe
  C:\Windows\System32\ufPxCKz.exe
  2⤵
  PID:9856
- C:\Windows\System32\oJbIvbg.exe
  C:\Windows\System32\oJbIvbg.exe
  2⤵
  PID:9948
- C:\Windows\System32\XPwNIXv.exe
  C:\Windows\System32\XPwNIXv.exe
  2⤵
  PID:10164
- C:\Windows\System32\zjyqHXu.exe
  C:\Windows\System32\zjyqHXu.exe
  2⤵
  PID:9436
- C:\Windows\System32\VFhWkqo.exe
  C:\Windows\System32\VFhWkqo.exe
  2⤵
  PID:9944
- C:\Windows\System32\SjxeDvo.exe
  C:\Windows\System32\SjxeDvo.exe
  2⤵
  PID:10188
- C:\Windows\System32\RpEkuJg.exe
  C:\Windows\System32\RpEkuJg.exe
  2⤵
  PID:9652
- C:\Windows\System32\NbTAbYd.exe
  C:\Windows\System32\NbTAbYd.exe
  2⤵
  PID:10260
- C:\Windows\System32\odeopgb.exe
  C:\Windows\System32\odeopgb.exe
  2⤵
  PID:10284
- C:\Windows\System32\WIZAlas.exe
  C:\Windows\System32\WIZAlas.exe
  2⤵
  PID:10300
- C:\Windows\System32\MoJSRDG.exe
  C:\Windows\System32\MoJSRDG.exe
  2⤵
  PID:10340
- C:\Windows\System32\bwaUuzm.exe
  C:\Windows\System32\bwaUuzm.exe
  2⤵
  PID:10364
- C:\Windows\System32\RVwGLIt.exe
  C:\Windows\System32\RVwGLIt.exe
  2⤵
  PID:10392
- C:\Windows\System32\VVHZbCh.exe
  C:\Windows\System32\VVHZbCh.exe
  2⤵
  PID:10412
- C:\Windows\System32\BkajpDg.exe
  C:\Windows\System32\BkajpDg.exe
  2⤵
  PID:10440
- C:\Windows\System32\lJkJoUJ.exe
  C:\Windows\System32\lJkJoUJ.exe
  2⤵
  PID:10480
- C:\Windows\System32\XRlCGXT.exe
  C:\Windows\System32\XRlCGXT.exe
  2⤵
  PID:10508
- C:\Windows\System32\VrUyATj.exe
  C:\Windows\System32\VrUyATj.exe
  2⤵
  PID:10536
- C:\Windows\System32\OOJSdPn.exe
  C:\Windows\System32\OOJSdPn.exe
  2⤵
  PID:10560
- C:\Windows\System32\aZxzIku.exe
  C:\Windows\System32\aZxzIku.exe
  2⤵
  PID:10580
- C:\Windows\System32\GqjhzbV.exe
  C:\Windows\System32\GqjhzbV.exe
  2⤵
  PID:10600
- C:\Windows\System32\LJJmPWG.exe
  C:\Windows\System32\LJJmPWG.exe
  2⤵
  PID:10628
- C:\Windows\System32\uGnkVuy.exe
  C:\Windows\System32\uGnkVuy.exe
  2⤵
  PID:10656
- C:\Windows\System32\rCuILju.exe
  C:\Windows\System32\rCuILju.exe
  2⤵
  PID:10704
- C:\Windows\System32\AOAgJFO.exe
  C:\Windows\System32\AOAgJFO.exe
  2⤵
  PID:10736
- C:\Windows\System32\iwaksBG.exe
  C:\Windows\System32\iwaksBG.exe
  2⤵
  PID:10752
- C:\Windows\System32\meqlfKe.exe
  C:\Windows\System32\meqlfKe.exe
  2⤵
  PID:10780
- C:\Windows\System32\gEJLpLS.exe
  C:\Windows\System32\gEJLpLS.exe
  2⤵
  PID:10820
- C:\Windows\System32\YNeeFfO.exe
  C:\Windows\System32\YNeeFfO.exe
  2⤵
  PID:10852
- C:\Windows\System32\qlTZUgG.exe
  C:\Windows\System32\qlTZUgG.exe
  2⤵
  PID:10872
- C:\Windows\System32\roSrRZq.exe
  C:\Windows\System32\roSrRZq.exe
  2⤵
  PID:10912
- C:\Windows\System32\BfTAYNQ.exe
  C:\Windows\System32\BfTAYNQ.exe
  2⤵
  PID:10940
- C:\Windows\System32\vWeCAkT.exe
  C:\Windows\System32\vWeCAkT.exe
  2⤵
  PID:10960
- C:\Windows\System32\yLtdyFk.exe
  C:\Windows\System32\yLtdyFk.exe
  2⤵
  PID:10980
- C:\Windows\System32\uksNJLx.exe
  C:\Windows\System32\uksNJLx.exe
  2⤵
  PID:11012
- C:\Windows\System32\FYqJLFo.exe
  C:\Windows\System32\FYqJLFo.exe
  2⤵
  PID:11072
- C:\Windows\System32\tDGMpzE.exe
  C:\Windows\System32\tDGMpzE.exe
  2⤵
  PID:11088
- C:\Windows\System32\pKrBXeM.exe
  C:\Windows\System32\pKrBXeM.exe
  2⤵
  PID:11104
- C:\Windows\System32\LZTkoHf.exe
  C:\Windows\System32\LZTkoHf.exe
  2⤵
  PID:11120
- C:\Windows\System32\PjtARYU.exe
  C:\Windows\System32\PjtARYU.exe
  2⤵
  PID:11136
- C:\Windows\System32\uicVCCz.exe
  C:\Windows\System32\uicVCCz.exe
  2⤵
  PID:11152
- C:\Windows\System32\ILNssOk.exe
  C:\Windows\System32\ILNssOk.exe
  2⤵
  PID:11168
- C:\Windows\System32\OvgpnRQ.exe
  C:\Windows\System32\OvgpnRQ.exe
  2⤵
  PID:11184
- C:\Windows\System32\mKbtqPq.exe
  C:\Windows\System32\mKbtqPq.exe
  2⤵
  PID:11200
- C:\Windows\System32\BzqGcao.exe
  C:\Windows\System32\BzqGcao.exe
  2⤵
  PID:11216
- C:\Windows\System32\KCMbfEC.exe
  C:\Windows\System32\KCMbfEC.exe
  2⤵
  PID:10500
- C:\Windows\System32\OjeyZtY.exe
  C:\Windows\System32\OjeyZtY.exe
  2⤵
  PID:10532
- C:\Windows\System32\JHaPtVr.exe
  C:\Windows\System32\JHaPtVr.exe
  2⤵
  PID:10636
- C:\Windows\System32\dhQsEcE.exe
  C:\Windows\System32\dhQsEcE.exe
  2⤵
  PID:10664
- C:\Windows\System32\DxfFroF.exe
  C:\Windows\System32\DxfFroF.exe
  2⤵
  PID:10724
- C:\Windows\System32\KMyKCbZ.exe
  C:\Windows\System32\KMyKCbZ.exe
  2⤵
  PID:10764
- C:\Windows\System32\sSDygAU.exe
  C:\Windows\System32\sSDygAU.exe
  2⤵
  PID:10808
- C:\Windows\System32\QSDxKYW.exe
  C:\Windows\System32\QSDxKYW.exe
  2⤵
  PID:10860
- C:\Windows\System32\JsZcJPJ.exe
  C:\Windows\System32\JsZcJPJ.exe
  2⤵
  PID:10968
- C:\Windows\System32\KJxJTqN.exe
  C:\Windows\System32\KJxJTqN.exe
  2⤵
  PID:11036
- C:\Windows\System32\UZGFgZp.exe
  C:\Windows\System32\UZGFgZp.exe
  2⤵
  PID:11144
- C:\Windows\System32\QuWDZQM.exe
  C:\Windows\System32\QuWDZQM.exe
  2⤵
  PID:11048
- C:\Windows\System32\nRjLFqs.exe
  C:\Windows\System32\nRjLFqs.exe
  2⤵
  PID:11148
- C:\Windows\System32\zqTwsjI.exe
  C:\Windows\System32\zqTwsjI.exe
  2⤵
  PID:10280
- C:\Windows\System32\VzWBLGb.exe
  C:\Windows\System32\VzWBLGb.exe
  2⤵
  PID:10348
- C:\Windows\System32\wcdYVEj.exe
  C:\Windows\System32\wcdYVEj.exe
  2⤵
  PID:9964
- C:\Windows\System32\EwgZoUF.exe
  C:\Windows\System32\EwgZoUF.exe
  2⤵
  PID:10648
- C:\Windows\System32\HYpALDX.exe
  C:\Windows\System32\HYpALDX.exe
  2⤵
  PID:612
- C:\Windows\System32\oLArByO.exe
  C:\Windows\System32\oLArByO.exe
  2⤵
  PID:10892
- C:\Windows\System32\MOlDUsM.exe
  C:\Windows\System32\MOlDUsM.exe
  2⤵
  PID:11044
- C:\Windows\System32\PRfJvss.exe
  C:\Windows\System32\PRfJvss.exe
  2⤵
  PID:11176
- C:\Windows\System32\jEKeTAS.exe
  C:\Windows\System32\jEKeTAS.exe
  2⤵
  PID:11252
- C:\Windows\System32\sRmxQbF.exe
  C:\Windows\System32\sRmxQbF.exe
  2⤵
  PID:10428
- C:\Windows\System32\zoMRVjN.exe
  C:\Windows\System32\zoMRVjN.exe
  2⤵
  PID:10924
- C:\Windows\System32\lgJsDwd.exe
  C:\Windows\System32\lgJsDwd.exe
  2⤵
  PID:10424
- C:\Windows\System32\uwcekKe.exe
  C:\Windows\System32\uwcekKe.exe
  2⤵
  PID:2932
- C:\Windows\System32\JCDNdhf.exe
  C:\Windows\System32\JCDNdhf.exe
  2⤵
  PID:11084
- C:\Windows\System32\FQHxhGF.exe
  C:\Windows\System32\FQHxhGF.exe
  2⤵
  PID:11268
- C:\Windows\System32\TSKaaUz.exe
  C:\Windows\System32\TSKaaUz.exe
  2⤵
  PID:11292
- C:\Windows\System32\DesJDAS.exe
  C:\Windows\System32\DesJDAS.exe
  2⤵
  PID:11348
- C:\Windows\System32\rREZgpt.exe
  C:\Windows\System32\rREZgpt.exe
  2⤵
  PID:11372
- C:\Windows\System32\XiRNGhy.exe
  C:\Windows\System32\XiRNGhy.exe
  2⤵
  PID:11400
- C:\Windows\System32\AyIwKwU.exe
  C:\Windows\System32\AyIwKwU.exe
  2⤵
  PID:11416
- C:\Windows\System32\NxJqRMG.exe
  C:\Windows\System32\NxJqRMG.exe
  2⤵
  PID:11436
- C:\Windows\System32\hOCkxAr.exe
  C:\Windows\System32\hOCkxAr.exe
  2⤵
  PID:11472
- C:\Windows\System32\VxNzeeo.exe
  C:\Windows\System32\VxNzeeo.exe
  2⤵
  PID:11504
- C:\Windows\System32\GTQpcxl.exe
  C:\Windows\System32\GTQpcxl.exe
  2⤵
  PID:11540
- C:\Windows\System32\hzxQGxO.exe
  C:\Windows\System32\hzxQGxO.exe
  2⤵
  PID:11560
- C:\Windows\System32\xVStOWF.exe
  C:\Windows\System32\xVStOWF.exe
  2⤵
  PID:11576
- C:\Windows\System32\LKmCJqd.exe
  C:\Windows\System32\LKmCJqd.exe
  2⤵
  PID:11604
- C:\Windows\System32\RTuDlUH.exe
  C:\Windows\System32\RTuDlUH.exe
  2⤵
  PID:11656
- C:\Windows\System32\NdTUqzG.exe
  C:\Windows\System32\NdTUqzG.exe
  2⤵
  PID:11680
- C:\Windows\System32\HxcuDBa.exe
  C:\Windows\System32\HxcuDBa.exe
  2⤵
  PID:11708
- C:\Windows\System32\tcriCXQ.exe
  C:\Windows\System32\tcriCXQ.exe
  2⤵
  PID:11732
- C:\Windows\System32\LxeqYGm.exe
  C:\Windows\System32\LxeqYGm.exe
  2⤵
  PID:11752
- C:\Windows\System32\qtwatgo.exe
  C:\Windows\System32\qtwatgo.exe
  2⤵
  PID:11768
- C:\Windows\System32\zgVARrV.exe
  C:\Windows\System32\zgVARrV.exe
  2⤵
  PID:11800
- C:\Windows\System32\bfCaAdF.exe
  C:\Windows\System32\bfCaAdF.exe
  2⤵
  PID:11816
- C:\Windows\System32\IeVdtzV.exe
  C:\Windows\System32\IeVdtzV.exe
  2⤵
  PID:11852
- C:\Windows\System32\mitgeoT.exe
  C:\Windows\System32\mitgeoT.exe
  2⤵
  PID:11896
- C:\Windows\System32\qxsWNHn.exe
  C:\Windows\System32\qxsWNHn.exe
  2⤵
  PID:11916
- C:\Windows\System32\qZqKUOS.exe
  C:\Windows\System32\qZqKUOS.exe
  2⤵
  PID:11952
- C:\Windows\System32\SVGjkZm.exe
  C:\Windows\System32\SVGjkZm.exe
  2⤵
  PID:11984
- C:\Windows\System32\aocTHUe.exe
  C:\Windows\System32\aocTHUe.exe
  2⤵
  PID:12008
- C:\Windows\System32\FfGDjmw.exe
  C:\Windows\System32\FfGDjmw.exe
  2⤵
  PID:12044
- C:\Windows\System32\CfjZdhp.exe
  C:\Windows\System32\CfjZdhp.exe
  2⤵
  PID:12072
- C:\Windows\System32\djNCmjQ.exe
  C:\Windows\System32\djNCmjQ.exe
  2⤵
  PID:12100
- C:\Windows\System32\tSArvMb.exe
  C:\Windows\System32\tSArvMb.exe
  2⤵
  PID:12124
- C:\Windows\System32\poPaadS.exe
  C:\Windows\System32\poPaadS.exe
  2⤵
  PID:12144
- C:\Windows\System32\jCNPTjm.exe
  C:\Windows\System32\jCNPTjm.exe
  2⤵
  PID:12172
- C:\Windows\System32\Mlydwxf.exe
  C:\Windows\System32\Mlydwxf.exe
  2⤵
  PID:12192
- C:\Windows\System32\YSzKWDd.exe
  C:\Windows\System32\YSzKWDd.exe
  2⤵
  PID:12212
- C:\Windows\System32\mGKsjIf.exe
  C:\Windows\System32\mGKsjIf.exe
  2⤵
  PID:12236
- C:\Windows\System32\XbgOpyL.exe
  C:\Windows\System32\XbgOpyL.exe
  2⤵
  PID:12264
- C:\Windows\System32\lwJCAxz.exe
  C:\Windows\System32\lwJCAxz.exe
  2⤵
  PID:10692
- C:\Windows\System32\OwLbJHt.exe
  C:\Windows\System32\OwLbJHt.exe
  2⤵
  PID:11280
- C:\Windows\System32\lFsuXga.exe
  C:\Windows\System32\lFsuXga.exe
  2⤵
  PID:11324
- C:\Windows\System32\xNSCWbc.exe
  C:\Windows\System32\xNSCWbc.exe
  2⤵
  PID:11484
- C:\Windows\System32\MbERsVJ.exe
  C:\Windows\System32\MbERsVJ.exe
  2⤵
  PID:11536
- C:\Windows\System32\OFEmaNz.exe
  C:\Windows\System32\OFEmaNz.exe
  2⤵
  PID:11620
- C:\Windows\System32\eubLtbS.exe
  C:\Windows\System32\eubLtbS.exe
  2⤵
  PID:11704
- C:\Windows\System32\zrlZzUe.exe
  C:\Windows\System32\zrlZzUe.exe
  2⤵
  PID:312
- C:\Windows\System32\tpJSuGm.exe
  C:\Windows\System32\tpJSuGm.exe
  2⤵
  PID:11784
- C:\Windows\System32\RWOtmPS.exe
  C:\Windows\System32\RWOtmPS.exe
  2⤵
  PID:11880
- C:\Windows\System32\KLCSGOo.exe
  C:\Windows\System32\KLCSGOo.exe
  2⤵
  PID:11912
- C:\Windows\System32\LpgWDFm.exe
  C:\Windows\System32\LpgWDFm.exe
  2⤵
  PID:11968
- C:\Windows\System32\PjiFZpv.exe
  C:\Windows\System32\PjiFZpv.exe
  2⤵
  PID:12028
- C:\Windows\System32\izJYGge.exe
  C:\Windows\System32\izJYGge.exe
  2⤵
  PID:12084
- C:\Windows\System32\ZRTnhVw.exe
  C:\Windows\System32\ZRTnhVw.exe
  2⤵
  PID:12160
- C:\Windows\System32\XoWZyBc.exe
  C:\Windows\System32\XoWZyBc.exe
  2⤵
  PID:12252
- C:\Windows\System32\OmCIaJJ.exe
  C:\Windows\System32\OmCIaJJ.exe
  2⤵
  PID:11040
- C:\Windows\System32\ACjogzT.exe
  C:\Windows\System32\ACjogzT.exe
  2⤵
  PID:11460
- C:\Windows\System32\BOJdCDP.exe
  C:\Windows\System32\BOJdCDP.exe
  2⤵
  PID:11616
- C:\Windows\System32\BNmBnCa.exe
  C:\Windows\System32\BNmBnCa.exe
  2⤵
  PID:11700
- C:\Windows\System32\veSoyoA.exe
  C:\Windows\System32\veSoyoA.exe
  2⤵
  PID:11760
- C:\Windows\System32\RocaoNq.exe
  C:\Windows\System32\RocaoNq.exe
  2⤵
  PID:11864
- C:\Windows\System32\mkpnbeR.exe
  C:\Windows\System32\mkpnbeR.exe
  2⤵
  PID:12184
- C:\Windows\System32\fcoNwjC.exe
  C:\Windows\System32\fcoNwjC.exe
  2⤵
  PID:12276
- C:\Windows\System32\fIFOJxc.exe
  C:\Windows\System32\fIFOJxc.exe
  2⤵
  PID:11584
- C:\Windows\System32\ATSuZFk.exe
  C:\Windows\System32\ATSuZFk.exe
  2⤵
  PID:11836
- C:\Windows\System32\YvopEiI.exe
  C:\Windows\System32\YvopEiI.exe
  2⤵
  PID:12224
- C:\Windows\System32\qpNeOFh.exe
  C:\Windows\System32\qpNeOFh.exe
  2⤵
  PID:11780
- C:\Windows\System32\NFdpjId.exe
  C:\Windows\System32\NFdpjId.exe
  2⤵
  PID:2364
- C:\Windows\System32\BLbOSkk.exe
  C:\Windows\System32\BLbOSkk.exe
  2⤵
  PID:4632
- C:\Windows\System32\gERFOJI.exe
  C:\Windows\System32\gERFOJI.exe
  2⤵
  PID:12292
- C:\Windows\System32\mIEqENM.exe
  C:\Windows\System32\mIEqENM.exe
  2⤵
  PID:12324
- C:\Windows\System32\eCpCXYe.exe
  C:\Windows\System32\eCpCXYe.exe
  2⤵
  PID:12352
- C:\Windows\System32\nyKaxPD.exe
  C:\Windows\System32\nyKaxPD.exe
  2⤵
  PID:12404
- C:\Windows\System32\NREfMlH.exe
  C:\Windows\System32\NREfMlH.exe
  2⤵
  PID:12428
- C:\Windows\System32\rsYGvRH.exe
  C:\Windows\System32\rsYGvRH.exe
  2⤵
  PID:12448
- C:\Windows\System32\rLahjVL.exe
  C:\Windows\System32\rLahjVL.exe
  2⤵
  PID:12488
- C:\Windows\System32\oYNiVDC.exe
  C:\Windows\System32\oYNiVDC.exe
  2⤵
  PID:12504
- C:\Windows\System32\WdNAmuI.exe
  C:\Windows\System32\WdNAmuI.exe
  2⤵
  PID:12524
- C:\Windows\System32\xQUBxfZ.exe
  C:\Windows\System32\xQUBxfZ.exe
  2⤵
  PID:12548
- C:\Windows\System32\LzsblXH.exe
  C:\Windows\System32\LzsblXH.exe
  2⤵
  PID:12564
- C:\Windows\System32\shZFLsm.exe
  C:\Windows\System32\shZFLsm.exe
  2⤵
  PID:12640
- C:\Windows\System32\BLnclXn.exe
  C:\Windows\System32\BLnclXn.exe
  2⤵
  PID:12660
- C:\Windows\System32\IQaUtyj.exe
  C:\Windows\System32\IQaUtyj.exe
  2⤵
  PID:12688
- C:\Windows\System32\yzgyvyt.exe
  C:\Windows\System32\yzgyvyt.exe
  2⤵
  PID:12704
- C:\Windows\System32\hbSXTHH.exe
  C:\Windows\System32\hbSXTHH.exe
  2⤵
  PID:12720
- C:\Windows\System32\IZMnVCs.exe
  C:\Windows\System32\IZMnVCs.exe
  2⤵
  PID:12748
- C:\Windows\System32\DcdciBQ.exe
  C:\Windows\System32\DcdciBQ.exe
  2⤵
  PID:12796
- C:\Windows\System32\xZfAraH.exe
  C:\Windows\System32\xZfAraH.exe
  2⤵
  PID:12816
- C:\Windows\System32\OwyHHBs.exe
  C:\Windows\System32\OwyHHBs.exe
  2⤵
  PID:12856
- C:\Windows\System32\GqdojjB.exe
  C:\Windows\System32\GqdojjB.exe
  2⤵
  PID:12884
- C:\Windows\System32\JOZetgA.exe
  C:\Windows\System32\JOZetgA.exe
  2⤵
  PID:12912
- C:\Windows\System32\LoBPxZQ.exe
  C:\Windows\System32\LoBPxZQ.exe
  2⤵
  PID:12936
- C:\Windows\System32\yrNtuuB.exe
  C:\Windows\System32\yrNtuuB.exe
  2⤵
  PID:12952
- C:\Windows\System32\FukzfGn.exe
  C:\Windows\System32\FukzfGn.exe
  2⤵
  PID:12968
- C:\Windows\System32\gPXVxfP.exe
  C:\Windows\System32\gPXVxfP.exe
  2⤵
  PID:12988
- C:\Windows\System32\JeDpudS.exe
  C:\Windows\System32\JeDpudS.exe
  2⤵
  PID:13032
- C:\Windows\System32\ccnMGCv.exe
  C:\Windows\System32\ccnMGCv.exe
  2⤵
  PID:13080
- C:\Windows\System32\NNGoXGa.exe
  C:\Windows\System32\NNGoXGa.exe
  2⤵
  PID:13112
- C:\Windows\System32\MQfQAMP.exe
  C:\Windows\System32\MQfQAMP.exe
  2⤵
  PID:13136
- C:\Windows\System32\QdQPUTB.exe
  C:\Windows\System32\QdQPUTB.exe
  2⤵
  PID:13156
- C:\Windows\System32\aAqARmE.exe
  C:\Windows\System32\aAqARmE.exe
  2⤵
  PID:13184
- C:\Windows\System32\wCMgKcA.exe
  C:\Windows\System32\wCMgKcA.exe
  2⤵
  PID:13212
- C:\Windows\System32\vTJogKX.exe
  C:\Windows\System32\vTJogKX.exe
  2⤵
  PID:13260
- C:\Windows\System32\yMvkZve.exe
  C:\Windows\System32\yMvkZve.exe
  2⤵
  PID:13280
- C:\Windows\System32\iZTeccP.exe
  C:\Windows\System32\iZTeccP.exe
  2⤵
  PID:13300
- C:\Windows\System32\UpqNbkn.exe
  C:\Windows\System32\UpqNbkn.exe
  2⤵
  PID:12304
- C:\Windows\System32\TjjseTC.exe
  C:\Windows\System32\TjjseTC.exe
  2⤵
  PID:12344
- C:\Windows\System32\jeWyNBO.exe
  C:\Windows\System32\jeWyNBO.exe
  2⤵
  PID:12480
- C:\Windows\System32\uoOmPwj.exe
  C:\Windows\System32\uoOmPwj.exe
  2⤵
  PID:12520
- C:\Windows\System32\JCVtVcp.exe
  C:\Windows\System32\JCVtVcp.exe
  2⤵
  PID:12584
- C:\Windows\System32\YEaKDvS.exe
  C:\Windows\System32\YEaKDvS.exe
  2⤵
  PID:12624
- C:\Windows\System32\oNpgAAM.exe
  C:\Windows\System32\oNpgAAM.exe
  2⤵
  PID:12712
- C:\Windows\System32\iYkzVCU.exe
  C:\Windows\System32\iYkzVCU.exe
  2⤵
  PID:12764
- C:\Windows\System32\WIneadg.exe
  C:\Windows\System32\WIneadg.exe
  2⤵
  PID:12812
- C:\Windows\System32\KHHzvCT.exe
  C:\Windows\System32\KHHzvCT.exe
  2⤵
  PID:12896
- C:\Windows\System32\IZPIDmn.exe
  C:\Windows\System32\IZPIDmn.exe
  2⤵
  PID:12964
- C:\Windows\System32\punlxRz.exe
  C:\Windows\System32\punlxRz.exe
  2⤵
  PID:12996
- C:\Windows\System32\OEvrzLZ.exe
  C:\Windows\System32\OEvrzLZ.exe
  2⤵
  PID:13124
- C:\Windows\System32\kcaMuta.exe
  C:\Windows\System32\kcaMuta.exe
  2⤵
  PID:13172
- C:\Windows\System32\CCIrcHn.exe
  C:\Windows\System32\CCIrcHn.exe
  2⤵
  PID:13196
- C:\Windows\System32\LtXdMic.exe
  C:\Windows\System32\LtXdMic.exe
  2⤵
  PID:13224
- C:\Windows\System32\BoybVZZ.exe
  C:\Windows\System32\BoybVZZ.exe
  2⤵
  PID:11996
- C:\Windows\System32\FzegDAc.exe
  C:\Windows\System32\FzegDAc.exe
  2⤵
  PID:13208

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\DgbriRf.exe

Filesize
1.3MB

MD5
d652d131f2c1ae1e2fdf6696e98b3f15

SHA1
9ed26caf3e631550c9b7dd1727471085e59c72ac

SHA256
de95955e4d08fac9a3ca335781b9135c0f748c32d92f0d38781ec857145ad681

SHA512
b1ccf660f493f960dba9b350cdeaefbb2806eec810d521fe192b04fe7a01e6d279d8500493296b418570cc9a92b77b47b33c5d2cc8f9e47dabc0bc4b28889998

Download Submit
C:\Windows\System32\KqGPsno.exe

Filesize
1.3MB

MD5
a45f75d91ddf22ea263b868c52f0d6a0

SHA1
11f62f9d897d0fbdc6c516427be82d38e6e66162

SHA256
2c279526993e3b53157bc240799ab0d4fa3a2f31b3acccf972cdb3259070e3e4

SHA512
5f17d003abcbb9e8c951d83b29340b7463b5c054065c96bf43a9cdc456ceb08c6b4251bb0e19130bec63e5e2bb92b8fa43911af56b8144d801ce2fd5f1717174

Download Submit
C:\Windows\System32\LuyfJPi.exe

Filesize
1.3MB

MD5
8fd34b657172a558788624d77913067a

SHA1
52413ff320e09863ca07581471e5b571c0f1cba5

SHA256
7f5863d6907b5def6eeddbd43adc1326fc475ec46c9fb2547ad47779b22c9ce0

SHA512
9c6dd92853d11b39685179665d380dd6b27f900ec26464f893bdf9a742d18b5c494fee1d174b2ad61e96e6da43ecd5e57974cf895e4001527c2d2870dfcef5df

Download Submit
C:\Windows\System32\MJiFsSw.exe

Filesize
1.3MB

MD5
ab4518a8040bde6982c2730a2cbe19e6

SHA1
392734874bba4246c367427c1a965790f989ff59

SHA256
69ca68b9f4e4cc5de277ea3de5e8ddb4ee7496bb5b3518dc94703b8796da3176

SHA512
35ea4f959b961a6ec509d3dcb1497cd76350c6ca06b3bf65879cf42285dc51328907101c700920d6cfb6f51a249218e1a9d8bc085ecb39de53134751ffc7d3a9

Download Submit
C:\Windows\System32\MZhbGtM.exe

Filesize
1.3MB

MD5
3905e5d762ef91acbbf7fae917edf401

SHA1
24863854d3b830ae90cf2b53b66316fd7e0696c0

SHA256
f24870d2ba4ef419287b1fde4294152d8f508d3e659292b16b0294561f80ab62

SHA512
f1e2e637a32a357468849f5cd5338c5d9c3fb584eb1d25ffbb04a409e3cc2e9e7addab4a17aa5e327447328564dbf067f7cfd54b61c8b558c221ed4716f06984

Download Submit
C:\Windows\System32\NALLBPv.exe

Filesize
1.3MB

MD5
9cca9337f0e05c64db46cc20f2a93ebb

SHA1
61229b3a5eb74242b6268656e9fb0075e813fef2

SHA256
695ae20da08c0c9f2f716894e0aa303e19a4882e5c07923738235b18f78fb66d

SHA512
ece3209ffbc3b1d943a599f404f8478e0b4f826aaaf1d4998d5eff079380adc6c797f6aa34f55b8e40fec72d76fb6db4ad4bb094db40445ee3bc275d3b1bb8d3

Download Submit
C:\Windows\System32\NtoMpLk.exe

Filesize
1.3MB

MD5
581dd39c7665ed5be3892ab790201912

SHA1
9fc10d5c7c1b7614bc3e85ac86fd2ce4bbf95b8e

SHA256
5789614f233622898e445af7e65876da891a68b5748004afc3b7c04ee6fc29ad

SHA512
55e690cfefec2d352fc5d8cea89df124f0c716f5f8c26cb124d51352ad6ff8435a5cfde3cd3507c52bd34e46167387663e19f7b1c132a496890fbbdffdb253b6

Download Submit
C:\Windows\System32\OUsWpWQ.exe

Filesize
1.3MB

MD5
aaefa524cb3c4041bdaae4deb11f287d

SHA1
b7a524aed9629d0fcee43d5f37b8b4bce2ea6b4b

SHA256
06656c018de66f8ae7a1707bc126719f2644b5e2bc89d5e33694c400c7d16fe7

SHA512
92338ce56db99f46955fe76abe61cf28a6fa01730e101b10a3348b64b5090ed6a743f7a9c063b5cfaf368f3a71bf9405d5b1a14f457666829f0b7eb667d64e59

Download Submit
C:\Windows\System32\OUxnMnd.exe

Filesize
1.3MB

MD5
e2e5c01f72de9d02900ae09a8271925a

SHA1
95e2c6a505299c59d7d53d858ef0424764307fa7

SHA256
22d30787a955fa53a39ed4fbafe4ef77ec002b5277d9fea1501287215e7ef1fc

SHA512
05c09bcd4751510082bf657ba8ec633e9fdabe9a9ada2d6bda671bb5e2ef707b59cfd479dac1fbd2e054a143e30bcaa59952f8c34f95d1198c854a1982a6297e

Download Submit
C:\Windows\System32\RYNkajt.exe

Filesize
1.3MB

MD5
26da4f77e20cb77fc19d681ee50751f7

SHA1
9d5949bd9defae322252f329cebd426d70b9f4d0

SHA256
bb13f5eeb03104d2ea180b577db02bc27dcb279f918f6609aa18c480f339241f

SHA512
e39cc457fea52c94c34925e0054ac3b8afda8a60b7137f652ebb114b9ecf102cf39621bd5f185789a8ee2d7ba8806f7b68eae00c66027372b91de60dfbfe2d07

Download Submit
C:\Windows\System32\SVEkuNH.exe

Filesize
1.3MB

MD5
d1d277c75b370e15327fe2826b8a8d14

SHA1
6d8b7e6887d1faed8f6da6c7846a490100215b5c

SHA256
9f88220c35d4fe785b5fbfafdaccfd2cda85d8b29ce0a7679446feecce483a98

SHA512
18df606d6badb59238f92148c1921eba3c6b0516d51065ae7507cfe800898ec3ca59e40c7cd3dd0cb54bd86298cb240b33291c8b207c5ec7184d37cec4a36bda

Download Submit
C:\Windows\System32\TFtTOCe.exe

Filesize
1.3MB

MD5
57c991bd252dd8041b37fd21699a72f3

SHA1
5f8588a7775389cb67b978d97d95b05cbf3c9084

SHA256
72e6d7526e9def492d4550e1dd5c947bfefe550d83d910869af5ee4e27e7219e

SHA512
1f6203de5ace7860f50e51030c79d55237e92323a583940f00e037573c87f99c111db0c1c2f6cffea650905ffa809b45ae695dd6e9718343eb99c224040ae72b

Download Submit
C:\Windows\System32\XJFwZiL.exe

Filesize
1.3MB

MD5
4908faa68ed243f50874c6362ec4e817

SHA1
468c6ffece3b7ec75000abafcde171c7352f77b5

SHA256
018a8ac8b10333aea580f16708b89d74e78e375e52fa1d38382eef7e2b66bf07

SHA512
4950a05c89a6b0a83d279d88f645a9fed57df9eb9ab47109c4ea0f7607e2504a7fd3ba3faacb9f946c09f9faa91eacf9f27fadaa28bb9e21bf2e822229d2459d

Download Submit
C:\Windows\System32\YNWztVr.exe

Filesize
1.3MB

MD5
d25bda7f56129597a87ef5c0c1c9281a

SHA1
62a6e9c4833356547479e123648db683ea2b6260

SHA256
4294fa1f47dd8cd5c69f237980c92742c47acb08ad5205e94a7c0d74c5b8f139

SHA512
6059d0b014704534ae584b0b3a7b390c46ca5f51c95b4faf759428993210cb9fcde995dd789e6edde3f3060bfb29fb0c48fd7c023582bb4fc5b4f4193d03bf03

Download Submit
C:\Windows\System32\YmYHkdX.exe

Filesize
1.3MB

MD5
0ed9a350c3e2ef3842235e7d6e0578da

SHA1
1c59d1c5bcb2caeecb67a043d77a03a54b196308

SHA256
44fc8dcaea691aac3666f8fd646330b1c7ec3dcc6dd19cafa47a5d355e39715f

SHA512
0e370e2aaeaf1c9129e646153fb51f89e70639d4a872d9d71901ad890cbc69a9223ec4f76dec7b25bf108a10274f6164557341ff686c323a1115396c37acea51

Download Submit
C:\Windows\System32\ZkCOZcB.exe

Filesize
1.3MB

MD5
72b0439e3ac48438e58ea62d83b29c21

SHA1
a9243194a623c974b03a346f77cd18a50046bae8

SHA256
fd25e1983a13244929e501e8756007b3726efc79e3042e2a48514b475ef7d17c

SHA512
40f60f4bc1a1f9cf05a18079080f6f6ea77f933fcc7c56f4833dc9a988a3775a8189eba53933c711834a2376c9012fbde1e6ce2eae932da929adb954f3fff9bb

Download Submit
C:\Windows\System32\cjVChpy.exe

Filesize
1.3MB

MD5
c6bd0e43fb2096bf669c509d9886c016

SHA1
4a09bdcbfa4a656112b7ba303b9d5ab5d1ae0667

SHA256
2cdbe1b20605807e5c096334a7e94f90339c7981498f13c2053f852e5d95f906

SHA512
900e14035996be47f9f28862cf5d145f9295eb70a55450dc8320d776bf9b71005415ce9729178cd326b0f1736754d2a6e51c175f336b8399a7704766d6438d8b

Download Submit
C:\Windows\System32\eOVGBOg.exe

Filesize
1.3MB

MD5
abf6f12464533ef48cafa51e0474ab1e

SHA1
4571e0a5d8c858423d85d027c58151c4121471f8

SHA256
5fd093f13fd3946f7b40035546c7328c0771bee3c58353deda7669d74f430ffd

SHA512
9956f94bcab8bce7554510395016109f1008adfd336d464df4ce9703be3da9e126b65a334b175161f02d5ad0f9ae27ef085ec200343d25a2b8e9e60f0ebd65e0

Download Submit
C:\Windows\System32\fnRTsGN.exe

Filesize
1.3MB

MD5
18aed26f6a323308bb65efd49b44d2df

SHA1
ced49e3f5c08bc926f06c699b944f02b94c5cbfa

SHA256
62e21c11c749ab2b1b21f05e8d292bea56752f4f2b5fef3abddea07163f1baa2

SHA512
6027a4b3f871008fbeb30961cfbaf74517364928e6b546bd445b97037b323b06d1a9950cf3c150547d41e652e166f1e91d128f283d9ff36be09c105ea972c2ab

Download Submit
C:\Windows\System32\ieKQrSj.exe

Filesize
1.3MB

MD5
06d2b2abda9a0cd6d52e6337c5fe1790

SHA1
483294af352a8b5fef031770be9136a8cfe454c1

SHA256
daadc44885de318c80740e4bc100b6c415cff5923cf3e5cd7626a71abfd26593

SHA512
6ff52dc4b4d22f25bd1db7c15a8779593dc303a729d9c8ed3b27e4b2bec4a4fd1d4a23ea2fa8f43d23b3efc98a8a539c97a1764270031f90226ef728c5c59bf8

Download Submit
C:\Windows\System32\ngapbCu.exe

Filesize
1.3MB

MD5
ab67d1e0dc13f426bc8a96ef27afcb13

SHA1
7d53cfbd4ea199057a42e9707d00d6ff84dbb1fb

SHA256
8ed7bc8f39a53dce111423a28976650a4d02636293d44256304ec1891c2b88f8

SHA512
80865162f3137e736cb62d273a665b9ce467864b99b3b4447e6c261a7dff5658107c7b288587ef6fe28d7e8785a8d517ff42315e8151d071f2970a78a1f588aa

Download Submit
C:\Windows\System32\ouPSGSn.exe

Filesize
1.3MB

MD5
5569602d9da1b68ae5d40b3a8948539d

SHA1
728c1b9ecd4270ec181ceed4bd7eae96bf62209a

SHA256
ad94f74ea4a35886ece01c9aa1ac0eabd9591742305fbfc489fa562bfc8aae88

SHA512
71cdc2d7185a23a08721bc7b9649b4e3501d288dfefd0db57b61ce5628a5cd5cdd951304eccbd3f194fb1a92c6d2d7c68e2a1c21fb364a1572838d866bec0da5

Download Submit
C:\Windows\System32\oxWkToO.exe

Filesize
1.3MB

MD5
c336a5acad1e59870d575664cb141586

SHA1
986bc7d38b64ff545224302eff85b1f3006f0ab4

SHA256
6ed9c0d7a6cea9ba55f38731cffee7a0065b00a6dd0d6872b7dbf1eb8635f30a

SHA512
06bfc085b81fe6d3d37461be02e14b1728d5206ce7abd52a0e11ab9b6eb4bb972e7cfe2f189f3fd863de6952cd71cf10a14a0c99e76a542068ca3248604f615f

Download Submit
C:\Windows\System32\pDebIIw.exe

Filesize
1.3MB

MD5
57ec87bf4dd3bcac6e0fe11a5139b4d2

SHA1
b946f0971c2c8e408d2d23b43bc7cba3622fdac0

SHA256
0e3322030899479077317548e0a76f13f318a3f1348e737a03ae3b6686faeb89

SHA512
687703bcd47c7ef3f0f79464fd08635b15a86811b6e110f9955db97f283f3268629095c69186e85919c2f18fe4751164f3946a4289504808ad6ec0ed0ab53d1d

Download Submit
C:\Windows\System32\qIcsoAZ.exe

Filesize
1.3MB

MD5
a6467ac394e8fe05ac6c5d59cc60897d

SHA1
9b9a8d611a7cf1ae7000f3a6be993b5e2f6d7883

SHA256
736725343662e00e819ec388c41a9c8a3b7633033ab3b63021ef7ce23bb1c63f

SHA512
c2103e5a527ef69bde315ff2f1cc84da593c16f6e1ab722d21e5a45fe3e088a08f038ea67d3853a0a521c7599cf71187c8dc446c072c2bd50830e8ac92ace224

Download Submit
C:\Windows\System32\sSrYkdn.exe

Filesize
1.3MB

MD5
e2ef5d59f32e61e1b84938f0867f6598

SHA1
faea4144bc97bda680ffee42d6a565ea02b96754

SHA256
dad69f62efaefcb36eb6488c78b74ce95500de85e8b35a79df1f5ee18df492fb

SHA512
578da9c2a1c131b8ad17eff5b865f9c8d54969138dcd2043f2e23141702ad253c12b4c99de735fc3097fc9227d5a982448e2ad792e3a3688d159a55a2b211368

Download Submit
C:\Windows\System32\sobzEzf.exe

Filesize
1.3MB

MD5
1e9752d87679738bd851b58f1f36a596

SHA1
eda948b7166726cc79e5a687a971f888f93e2cf6

SHA256
75d6f2088b77273338377d130936a9fd65a279b04a5ab2955281d90939974369

SHA512
abb66b83f6dc953d625db3e1e1d0783e6b51a50a4ef2d3e8daf3a1d222a85f19204db1db1a97abb73961a986e7d9afb17caba1a691ad5f0e16bf437ccf00a80a

Download Submit
C:\Windows\System32\tKiBlqk.exe

Filesize
1.3MB

MD5
e9cd3037a6db637f06698a2c138e1b5a

SHA1
5c770fc2ac774904ca8c377b190b7f3043c70dce

SHA256
f35d45a4082e27f9ec585eb2743997bd206eecb0389cf984e4ebc5a9128b10bd

SHA512
a944a015ca7536cac2c47467129fc598604e71e37c2180eee1259df1fc41623eaa8b19e9b627b01e0ef5ce7e295a5fd49cd88aa223c6d43ee82791ae378a3fb0

Download Submit
C:\Windows\System32\tkuirVl.exe

Filesize
1.3MB

MD5
9d116f8feb9117de0ca2827cc122507d

SHA1
90f724aca60c40bfe14ff6e8f5695687517d18d9

SHA256
387453ff89a5dd07957ac2621ac37c777d40f058013fad97f2f898791ab6a805

SHA512
d5caccf98c87f0266fc74ec31ff5168132cbcdf9d2d136cf27e629a82712a87b3ac03824a09f95c381069af9085523ead7d7f7c5811820f155ca07ec62bd5df4

Download Submit
C:\Windows\System32\uBZBOkR.exe

Filesize
1.3MB

MD5
b41f7e77199d9cd27888f95af317141b

SHA1
019f3e63dbcbb061d34cd06107531300df587242

SHA256
4774833265151043d398e5c2b4584784e007a44b174afb6fba9f9e4da2e57e86

SHA512
09b8bd20f23fd40f14b5e6d688d81885724dfe3e7a9cad6613caa7629977999c8e56b4306fa6658dc56609231c9c920d461b2d909b66e920a5a038a3f9596fc4

Download Submit
C:\Windows\System32\wQABgAx.exe

Filesize
1.3MB

MD5
831ef9d542c903df8a3a987ec58ea4a7

SHA1
9f401c0476de56d3a6ac153a46764cf8050ae514

SHA256
a0975cb6b5ae5ff009c2e3c2b999574ef5b158497684f2d0b25662a3c31f0862

SHA512
9fefda236439d4714f999d3dc07502f1edfa52eba11ee1acc77c9d4fe1782b1bd4866a80ae277a7d46d4697ab8b2136083d9647a0b82f7c96bd0f1f465aa401c

Download Submit
C:\Windows\System32\xSTrgBH.exe

Filesize
1.3MB

MD5
3f698e1ad28b0056c32bed8f06ac1795

SHA1
c9207e14b1fa70a3319f4274386b85ced1d1087b

SHA256
4c25d19aecd7c3f84fb5f1b65d94d89d5634de54a16cce82b77fbea75317e752

SHA512
6f8f5d5401bf204d4d2515e6c81da53a9d3dfd318e35d04a13250ee65879083a4a6ef80d1b969da8fe460f725fe239d7b0cb66929ade601d0df7b57655cffe88

Download Submit
memory/8-363-0x00007FF74A390000-0x00007FF74A781000-memory.dmp

Filesize
3.9MB

Download
memory/8-2110-0x00007FF74A390000-0x00007FF74A781000-memory.dmp

Filesize
3.9MB

Download
memory/348-2080-0x00007FF7D8D70000-0x00007FF7D9161000-memory.dmp

Filesize
3.9MB

Download
memory/348-40-0x00007FF7D8D70000-0x00007FF7D9161000-memory.dmp

Filesize
3.9MB

Download
memory/944-2098-0x00007FF67C8E0000-0x00007FF67CCD1000-memory.dmp

Filesize
3.9MB

Download
memory/944-354-0x00007FF67C8E0000-0x00007FF67CCD1000-memory.dmp

Filesize
3.9MB

Download
memory/968-2025-0x00007FF703C60000-0x00007FF704051000-memory.dmp

Filesize
3.9MB

Download
memory/968-2082-0x00007FF703C60000-0x00007FF704051000-memory.dmp

Filesize
3.9MB

Download
memory/968-46-0x00007FF703C60000-0x00007FF704051000-memory.dmp

Filesize
3.9MB

Download
memory/1512-2072-0x00007FF6C6330000-0x00007FF6C6721000-memory.dmp

Filesize
3.9MB

Download
memory/1512-19-0x00007FF6C6330000-0x00007FF6C6721000-memory.dmp

Filesize
3.9MB

Download
memory/1648-389-0x00007FF698400000-0x00007FF6987F1000-memory.dmp

Filesize
3.9MB

Download
memory/1648-2090-0x00007FF698400000-0x00007FF6987F1000-memory.dmp

Filesize
3.9MB

Download
memory/1728-1947-0x00007FF770A60000-0x00007FF770E51000-memory.dmp

Filesize
3.9MB

Download
memory/1728-32-0x00007FF770A60000-0x00007FF770E51000-memory.dmp

Filesize
3.9MB

Download
memory/1728-2078-0x00007FF770A60000-0x00007FF770E51000-memory.dmp

Filesize
3.9MB

Download
memory/2200-2116-0x00007FF62B390000-0x00007FF62B781000-memory.dmp

Filesize
3.9MB

Download
memory/2200-384-0x00007FF62B390000-0x00007FF62B781000-memory.dmp

Filesize
3.9MB

Download
memory/2208-2108-0x00007FF7CC6E0000-0x00007FF7CCAD1000-memory.dmp

Filesize
3.9MB

Download
memory/2208-360-0x00007FF7CC6E0000-0x00007FF7CCAD1000-memory.dmp

Filesize
3.9MB

Download
memory/2216-1-0x000002C931F70000-0x000002C931F80000-memory.dmp

Filesize
64KB

Download
memory/2216-0-0x00007FF72F380000-0x00007FF72F771000-memory.dmp

Filesize
3.9MB

Download
memory/2216-388-0x00007FF72F380000-0x00007FF72F771000-memory.dmp

Filesize
3.9MB

Download
memory/2216-2059-0x00007FF72F380000-0x00007FF72F771000-memory.dmp

Filesize
3.9MB

Download
memory/2312-349-0x00007FF7B6E30000-0x00007FF7B7221000-memory.dmp

Filesize
3.9MB

Download
memory/2312-2102-0x00007FF7B6E30000-0x00007FF7B7221000-memory.dmp

Filesize
3.9MB

Download
memory/2548-29-0x00007FF70BEF0000-0x00007FF70C2E1000-memory.dmp

Filesize
3.9MB

Download
memory/2548-2074-0x00007FF70BEF0000-0x00007FF70C2E1000-memory.dmp

Filesize
3.9MB

Download
memory/2656-2104-0x00007FF766B50000-0x00007FF766F41000-memory.dmp

Filesize
3.9MB

Download
memory/2656-347-0x00007FF766B50000-0x00007FF766F41000-memory.dmp

Filesize
3.9MB

Download
memory/2692-2106-0x00007FF719EB0000-0x00007FF71A2A1000-memory.dmp

Filesize
3.9MB

Download
memory/2692-348-0x00007FF719EB0000-0x00007FF71A2A1000-memory.dmp

Filesize
3.9MB

Download
memory/3040-2084-0x00007FF633BC0000-0x00007FF633FB1000-memory.dmp

Filesize
3.9MB

Download
memory/3040-54-0x00007FF633BC0000-0x00007FF633FB1000-memory.dmp

Filesize
3.9MB

Download
memory/3384-56-0x00007FF73B6B0000-0x00007FF73BAA1000-memory.dmp

Filesize
3.9MB

Download
memory/3384-2086-0x00007FF73B6B0000-0x00007FF73BAA1000-memory.dmp

Filesize
3.9MB

Download
memory/3424-375-0x00007FF621950000-0x00007FF621D41000-memory.dmp

Filesize
3.9MB

Download
memory/3424-2114-0x00007FF621950000-0x00007FF621D41000-memory.dmp

Filesize
3.9MB

Download
memory/3456-918-0x00007FF7AE3D0000-0x00007FF7AE7C1000-memory.dmp

Filesize
3.9MB

Download
memory/3456-2070-0x00007FF7AE3D0000-0x00007FF7AE7C1000-memory.dmp

Filesize
3.9MB

Download
memory/3456-8-0x00007FF7AE3D0000-0x00007FF7AE7C1000-memory.dmp

Filesize
3.9MB

Download
memory/3532-2096-0x00007FF703960000-0x00007FF703D51000-memory.dmp

Filesize
3.9MB

Download
memory/3532-344-0x00007FF703960000-0x00007FF703D51000-memory.dmp

Filesize
3.9MB

Download
memory/3796-2100-0x00007FF7F8740000-0x00007FF7F8B31000-memory.dmp

Filesize
3.9MB

Download
memory/3796-345-0x00007FF7F8740000-0x00007FF7F8B31000-memory.dmp

Filesize
3.9MB

Download
memory/3924-2092-0x00007FF6EA0D0000-0x00007FF6EA4C1000-memory.dmp

Filesize
3.9MB

Download
memory/3924-343-0x00007FF6EA0D0000-0x00007FF6EA4C1000-memory.dmp

Filesize
3.9MB

Download
memory/4436-62-0x00007FF7B1260000-0x00007FF7B1651000-memory.dmp

Filesize
3.9MB

Download
memory/4436-2088-0x00007FF7B1260000-0x00007FF7B1651000-memory.dmp

Filesize
3.9MB

Download
memory/4584-73-0x00007FF6EA1E0000-0x00007FF6EA5D1000-memory.dmp

Filesize
3.9MB

Download
memory/4584-2094-0x00007FF6EA1E0000-0x00007FF6EA5D1000-memory.dmp

Filesize
3.9MB

Download
memory/4788-366-0x00007FF670A20000-0x00007FF670E11000-memory.dmp

Filesize
3.9MB

Download
memory/4788-2112-0x00007FF670A20000-0x00007FF670E11000-memory.dmp

Filesize
3.9MB

Download
memory/4936-27-0x00007FF7035D0000-0x00007FF7039C1000-memory.dmp

Filesize
3.9MB

Download
memory/4936-2076-0x00007FF7035D0000-0x00007FF7039C1000-memory.dmp

Filesize
3.9MB

Download
memory/4936-930-0x00007FF7035D0000-0x00007FF7039C1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads