xmrig | 20cc0b79fb8c34b9239540241a8afe4a72deba5009ab804baabae7cba7262260

Analysis

max time kernel
94s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
Size

1.2MB
MD5

00152210c39b1c2e8509f0c2aef7bc68
SHA1

f140872730583e158200cf1b497c8cb4c8ba5654
SHA256

20cc0b79fb8c34b9239540241a8afe4a72deba5009ab804baabae7cba7262260
SHA512

d43b15ecf1d66bc8b5ca9f5ba97b46c000deb9b237876a0b45935e0a5285b9836a2ec9a0ed49c13d2ecf96a10cf030ebca2df1ac15bb9c6fdf68acd324dbb160
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5Pbcq92zjP+sjI1GO:knw9oUUEEDl37jcq4nP9O

Score

10^/10

xmrig miner upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2752 created 4480	2752	WerFaultSecure.exe	82

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 59 IoCs

miner

resource	yara_rule
behavioral2/memory/4032-37-0x00007FF7EE2F0000-0x00007FF7EE6E1000-memory.dmp	xmrig
behavioral2/memory/2760-43-0x00007FF6EFEB0000-0x00007FF6F02A1000-memory.dmp	xmrig
behavioral2/memory/2964-54-0x00007FF651420000-0x00007FF651811000-memory.dmp	xmrig
behavioral2/memory/1300-93-0x00007FF656460000-0x00007FF656851000-memory.dmp	xmrig
behavioral2/memory/4908-95-0x00007FF756EC0000-0x00007FF7572B1000-memory.dmp	xmrig
behavioral2/memory/4624-149-0x00007FF6A7700000-0x00007FF6A7AF1000-memory.dmp	xmrig
behavioral2/memory/3128-160-0x00007FF663D70000-0x00007FF664161000-memory.dmp	xmrig
behavioral2/memory/4436-169-0x00007FF693450000-0x00007FF693841000-memory.dmp	xmrig
behavioral2/memory/1112-170-0x00007FF6603A0000-0x00007FF660791000-memory.dmp	xmrig
behavioral2/memory/2000-175-0x00007FF77FF10000-0x00007FF780301000-memory.dmp	xmrig
behavioral2/memory/5116-186-0x00007FF7DDF30000-0x00007FF7DE321000-memory.dmp	xmrig
behavioral2/memory/3060-229-0x00007FF6A0D10000-0x00007FF6A1101000-memory.dmp	xmrig
behavioral2/memory/732-234-0x00007FF78CCD0000-0x00007FF78D0C1000-memory.dmp	xmrig
behavioral2/memory/3560-240-0x00007FF730F60000-0x00007FF731351000-memory.dmp	xmrig
behavioral2/memory/3672-247-0x00007FF714240000-0x00007FF714631000-memory.dmp	xmrig
behavioral2/memory/4632-238-0x00007FF656810000-0x00007FF656C01000-memory.dmp	xmrig
behavioral2/memory/4728-261-0x00007FF69E640000-0x00007FF69EA31000-memory.dmp	xmrig
behavioral2/memory/4716-268-0x00007FF7EA0B0000-0x00007FF7EA4A1000-memory.dmp	xmrig
behavioral2/memory/2436-277-0x00007FF701030000-0x00007FF701421000-memory.dmp	xmrig
behavioral2/memory/672-274-0x00007FF624570000-0x00007FF624961000-memory.dmp	xmrig
behavioral2/memory/3580-289-0x00007FF70A210000-0x00007FF70A601000-memory.dmp	xmrig
behavioral2/memory/2560-283-0x00007FF78B470000-0x00007FF78B861000-memory.dmp	xmrig
behavioral2/memory/3156-292-0x00007FF7E74D0000-0x00007FF7E78C1000-memory.dmp	xmrig
behavioral2/memory/4840-293-0x00007FF6A2970000-0x00007FF6A2D61000-memory.dmp	xmrig
behavioral2/memory/1904-294-0x00007FF6E06F0000-0x00007FF6E0AE1000-memory.dmp	xmrig
behavioral2/memory/2072-258-0x00007FF761B40000-0x00007FF761F31000-memory.dmp	xmrig
behavioral2/memory/3552-295-0x00007FF7C3AA0000-0x00007FF7C3E91000-memory.dmp	xmrig
behavioral2/memory/2988-307-0x00007FF7E1CA0000-0x00007FF7E2091000-memory.dmp	xmrig
behavioral2/memory/2164-315-0x00007FF71EC50000-0x00007FF71F041000-memory.dmp	xmrig
behavioral2/memory/4836-322-0x00007FF72BF90000-0x00007FF72C381000-memory.dmp	xmrig
behavioral2/memory/3916-326-0x00007FF6AEEC0000-0x00007FF6AF2B1000-memory.dmp	xmrig
behavioral2/memory/3100-333-0x00007FF765790000-0x00007FF765B81000-memory.dmp	xmrig
behavioral2/memory/628-346-0x00007FF66ABB0000-0x00007FF66AFA1000-memory.dmp	xmrig
behavioral2/memory/4308-351-0x00007FF6F76E0000-0x00007FF6F7AD1000-memory.dmp	xmrig
behavioral2/memory/3260-349-0x00007FF6BB6D0000-0x00007FF6BBAC1000-memory.dmp	xmrig
behavioral2/memory/4860-338-0x00007FF782260000-0x00007FF782651000-memory.dmp	xmrig
behavioral2/memory/60-335-0x00007FF69B330000-0x00007FF69B721000-memory.dmp	xmrig
behavioral2/memory/2632-255-0x00007FF6183E0000-0x00007FF6187D1000-memory.dmp	xmrig
behavioral2/memory/4348-251-0x00007FF6ED500000-0x00007FF6ED8F1000-memory.dmp	xmrig
behavioral2/memory/5016-230-0x00007FF7CBE80000-0x00007FF7CC271000-memory.dmp	xmrig
behavioral2/memory/5048-182-0x00007FF610660000-0x00007FF610A51000-memory.dmp	xmrig
behavioral2/memory/4924-178-0x00007FF696950000-0x00007FF696D41000-memory.dmp	xmrig
behavioral2/memory/5060-176-0x00007FF700950000-0x00007FF700D41000-memory.dmp	xmrig
behavioral2/memory/1500-172-0x00007FF6C3BB0000-0x00007FF6C3FA1000-memory.dmp	xmrig
behavioral2/memory/3268-144-0x00007FF647E30000-0x00007FF648221000-memory.dmp	xmrig
behavioral2/memory/1124-142-0x00007FF7FA350000-0x00007FF7FA741000-memory.dmp	xmrig
behavioral2/memory/1244-138-0x00007FF7C8640000-0x00007FF7C8A31000-memory.dmp	xmrig
behavioral2/memory/4488-128-0x00007FF7724E0000-0x00007FF7728D1000-memory.dmp	xmrig
behavioral2/memory/232-124-0x00007FF795B90000-0x00007FF795F81000-memory.dmp	xmrig
behavioral2/memory/2988-107-0x00007FF7E1CA0000-0x00007FF7E2091000-memory.dmp	xmrig
behavioral2/memory/1064-87-0x00007FF764980000-0x00007FF764D71000-memory.dmp	xmrig
behavioral2/memory/1224-79-0x00007FF76D8B0000-0x00007FF76DCA1000-memory.dmp	xmrig
behavioral2/memory/3264-78-0x00007FF66B690000-0x00007FF66BA81000-memory.dmp	xmrig
behavioral2/memory/3444-74-0x00007FF7B3C40000-0x00007FF7B4031000-memory.dmp	xmrig
behavioral2/memory/4864-71-0x00007FF7F1800000-0x00007FF7F1BF1000-memory.dmp	xmrig
behavioral2/memory/2788-60-0x00007FF771BC0000-0x00007FF771FB1000-memory.dmp	xmrig
behavioral2/memory/544-40-0x00007FF71ADC0000-0x00007FF71B1B1000-memory.dmp	xmrig
behavioral2/memory/4624-30-0x00007FF6A7700000-0x00007FF6A7AF1000-memory.dmp	xmrig
behavioral2/memory/1112-25-0x00007FF6603A0000-0x00007FF660791000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4436	LenKsRt.exe
4032	vEKmvru.exe
1112	zzIlDDk.exe
4624	LvDnaSd.exe
544	WRfbFZE.exe
2760	PSUiqjX.exe
2964	ZUaxZyR.exe
2788	JTmAQsx.exe
4864	LfTbOgB.exe
1224	irxdQMU.exe
3444	IxMsqbm.exe
3264	ZquVxGD.exe
1064	yUNlToi.exe
1300	yUorZDz.exe
4908	YFqjfgu.exe
532	fgBTuIe.exe
2988	dtCfqFX.exe
232	VgsTNiI.exe
1772	EwYRLDQ.exe
4488	lXqeQrp.exe
1244	irjwFVm.exe
3268	jsxgrTT.exe
1124	BBSXcPB.exe
3080	OJovvoG.exe
1500	bhoyEfK.exe
2000	shPJvBn.exe
4924	wqLIjON.exe
5060	eGIZIOS.exe
5048	ZARxkfg.exe
5116	kSSWnvt.exe
3060	GCCYzJc.exe
5016	rlaSWaW.exe
732	GuNXpci.exe
4632	pWWrLXY.exe
3560	qOsXwsZ.exe
3672	wfEMvJs.exe
4348	QxbUBsD.exe
2632	sHkGseW.exe
2072	KDWFAnX.exe
4728	jdQVGes.exe
4716	RcGGrrS.exe
672	XQhjMgO.exe
2436	OPwcFQj.exe
2164	zAMevPL.exe
2560	HDWEimG.exe
4836	MvNyrcF.exe
3580	azZSgqq.exe
3916	zlniCTM.exe
3100	qHzIXUm.exe
60	MSZowgZ.exe
3156	VjfAIrA.exe
4840	fufoCtf.exe
1904	IZczcrL.exe
4860	calohif.exe
628	jzqxfpR.exe
3552	kvPQAcL.exe
3260	FhNRMCP.exe
4308	ZoWAYla.exe
872	JPDInoH.exe
764	ezlnDWS.exe
5068	LiboSjy.exe
740	gVPHeKl.exe
1840	QWIzUfq.exe
2312	HMoXgQn.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3128-0-0x00007FF663D70000-0x00007FF664161000-memory.dmp	upx
behavioral2/files/0x000300000001e9b1-4.dat	upx
behavioral2/files/0x0006000000023277-11.dat	upx
behavioral2/files/0x00090000000233e2-8.dat	upx
behavioral2/files/0x00070000000233ea-24.dat	upx
behavioral2/files/0x00070000000233ec-31.dat	upx
behavioral2/memory/4032-37-0x00007FF7EE2F0000-0x00007FF7EE6E1000-memory.dmp	upx
behavioral2/files/0x00070000000233eb-33.dat	upx
behavioral2/files/0x00070000000233ed-41.dat	upx
behavioral2/memory/2760-43-0x00007FF6EFEB0000-0x00007FF6F02A1000-memory.dmp	upx
behavioral2/files/0x00070000000233ee-46.dat	upx
behavioral2/memory/2964-54-0x00007FF651420000-0x00007FF651811000-memory.dmp	upx
behavioral2/files/0x00070000000233f1-65.dat	upx
behavioral2/files/0x00070000000233f2-67.dat	upx
behavioral2/files/0x00070000000233f0-69.dat	upx
behavioral2/files/0x00070000000233f3-72.dat	upx
behavioral2/files/0x00070000000233f4-83.dat	upx
behavioral2/files/0x00090000000233e7-88.dat	upx
behavioral2/memory/1300-93-0x00007FF656460000-0x00007FF656851000-memory.dmp	upx
behavioral2/memory/4908-95-0x00007FF756EC0000-0x00007FF7572B1000-memory.dmp	upx
behavioral2/files/0x00070000000233f6-98.dat	upx
behavioral2/files/0x00070000000233f5-97.dat	upx
behavioral2/memory/1772-113-0x00007FF7F6800000-0x00007FF7F6BF1000-memory.dmp	upx
behavioral2/files/0x00070000000233f9-122.dat	upx
behavioral2/files/0x00070000000233fa-125.dat	upx
behavioral2/files/0x00070000000233fd-141.dat	upx
behavioral2/memory/3080-143-0x00007FF67DF50000-0x00007FF67E341000-memory.dmp	upx
behavioral2/memory/4624-149-0x00007FF6A7700000-0x00007FF6A7AF1000-memory.dmp	upx
behavioral2/files/0x00070000000233ff-155.dat	upx
behavioral2/memory/3128-160-0x00007FF663D70000-0x00007FF664161000-memory.dmp	upx
behavioral2/memory/4436-169-0x00007FF693450000-0x00007FF693841000-memory.dmp	upx
behavioral2/memory/1112-170-0x00007FF6603A0000-0x00007FF660791000-memory.dmp	upx
behavioral2/files/0x0007000000023402-173.dat	upx
behavioral2/memory/2000-175-0x00007FF77FF10000-0x00007FF780301000-memory.dmp	upx
behavioral2/memory/5116-186-0x00007FF7DDF30000-0x00007FF7DE321000-memory.dmp	upx
behavioral2/files/0x0007000000023405-195.dat	upx
behavioral2/memory/3060-229-0x00007FF6A0D10000-0x00007FF6A1101000-memory.dmp	upx
behavioral2/memory/732-234-0x00007FF78CCD0000-0x00007FF78D0C1000-memory.dmp	upx
behavioral2/memory/3560-240-0x00007FF730F60000-0x00007FF731351000-memory.dmp	upx
behavioral2/memory/3672-247-0x00007FF714240000-0x00007FF714631000-memory.dmp	upx
behavioral2/memory/4632-238-0x00007FF656810000-0x00007FF656C01000-memory.dmp	upx
behavioral2/memory/4728-261-0x00007FF69E640000-0x00007FF69EA31000-memory.dmp	upx
behavioral2/memory/4716-268-0x00007FF7EA0B0000-0x00007FF7EA4A1000-memory.dmp	upx
behavioral2/memory/2436-277-0x00007FF701030000-0x00007FF701421000-memory.dmp	upx
behavioral2/memory/672-274-0x00007FF624570000-0x00007FF624961000-memory.dmp	upx
behavioral2/memory/3580-289-0x00007FF70A210000-0x00007FF70A601000-memory.dmp	upx
behavioral2/memory/2560-283-0x00007FF78B470000-0x00007FF78B861000-memory.dmp	upx
behavioral2/memory/3156-292-0x00007FF7E74D0000-0x00007FF7E78C1000-memory.dmp	upx
behavioral2/memory/4840-293-0x00007FF6A2970000-0x00007FF6A2D61000-memory.dmp	upx
behavioral2/memory/1904-294-0x00007FF6E06F0000-0x00007FF6E0AE1000-memory.dmp	upx
behavioral2/memory/2072-258-0x00007FF761B40000-0x00007FF761F31000-memory.dmp	upx
behavioral2/memory/3552-295-0x00007FF7C3AA0000-0x00007FF7C3E91000-memory.dmp	upx
behavioral2/memory/2988-307-0x00007FF7E1CA0000-0x00007FF7E2091000-memory.dmp	upx
behavioral2/memory/2164-315-0x00007FF71EC50000-0x00007FF71F041000-memory.dmp	upx
behavioral2/memory/4836-322-0x00007FF72BF90000-0x00007FF72C381000-memory.dmp	upx
behavioral2/memory/3916-326-0x00007FF6AEEC0000-0x00007FF6AF2B1000-memory.dmp	upx
behavioral2/memory/3100-333-0x00007FF765790000-0x00007FF765B81000-memory.dmp	upx
behavioral2/memory/628-346-0x00007FF66ABB0000-0x00007FF66AFA1000-memory.dmp	upx
behavioral2/memory/4308-351-0x00007FF6F76E0000-0x00007FF6F7AD1000-memory.dmp	upx
behavioral2/memory/3260-349-0x00007FF6BB6D0000-0x00007FF6BBAC1000-memory.dmp	upx
behavioral2/memory/4860-338-0x00007FF782260000-0x00007FF782651000-memory.dmp	upx
behavioral2/memory/60-335-0x00007FF69B330000-0x00007FF69B721000-memory.dmp	upx
behavioral2/memory/2632-255-0x00007FF6183E0000-0x00007FF6187D1000-memory.dmp	upx
behavioral2/memory/4348-251-0x00007FF6ED500000-0x00007FF6ED8F1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\rwrveWA.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\vDDCbfN.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\FKXQyLJ.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\lfzmokw.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\sZYQZpN.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\kDvoynt.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\GASnWbM.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\OJovvoG.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\cfnQsbV.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\allkaad.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\PPlrWEI.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\OWpbwux.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\zAMevPL.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\kuShJoI.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\hEKhkuR.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\wVSKVhK.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\JRoBOTX.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\OPwcFQj.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\GIrAozt.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\BbBcSMX.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\vOGwoLe.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\KDWFAnX.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\pzXOooX.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\OQSCDea.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\QYtsfuX.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\jsUPhXl.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\nVzDAVo.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\kqEFjqs.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\mqueHEQ.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\HxhFwow.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\OoYCnHM.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\SzaUoLC.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\BYvXMWy.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\kDTnerS.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\AgsIaFL.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\mygSFkl.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\wqLIjON.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\SMcQIUI.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\xrVAFOx.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\kvPQAcL.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\BDIUDJK.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\WQUObyb.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\cAxsxgI.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\tqMQxUs.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\HDWEimG.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\sRVBroo.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\tJjbhhj.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\FsuQiAb.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\EYMsahj.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\GuNXpci.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\feKEovI.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\nomyURX.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\xiNwIPm.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\wpzsWHN.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\jrKNCjJ.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\jsxgrTT.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\NxmzJAE.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\ZoWAYla.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\tSmBFDO.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\hgioOgc.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\BBSXcPB.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\EzWxzGy.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\vknlEVP.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
File created	C:\Windows\System32\TTyAQVu.exe	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFaultSecure.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFaultSecure.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1524	WerFaultSecure.exe
1524	WerFaultSecure.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 4436	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	89
PID 3128 wrote to memory of 4436	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	89
PID 3128 wrote to memory of 4032	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	90
PID 3128 wrote to memory of 4032	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	90
PID 3128 wrote to memory of 1112	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	91
PID 3128 wrote to memory of 1112	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	91
PID 3128 wrote to memory of 4624	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	92
PID 3128 wrote to memory of 4624	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	92
PID 3128 wrote to memory of 544	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	93
PID 3128 wrote to memory of 544	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	93
PID 3128 wrote to memory of 2760	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	94
PID 3128 wrote to memory of 2760	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	94
PID 3128 wrote to memory of 2964	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	95
PID 3128 wrote to memory of 2964	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	95
PID 3128 wrote to memory of 2788	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	96
PID 3128 wrote to memory of 2788	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	96
PID 3128 wrote to memory of 4864	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	97
PID 3128 wrote to memory of 4864	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	97
PID 3128 wrote to memory of 3264	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	98
PID 3128 wrote to memory of 3264	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	98
PID 3128 wrote to memory of 1224	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	99
PID 3128 wrote to memory of 1224	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	99
PID 3128 wrote to memory of 3444	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	100
PID 3128 wrote to memory of 3444	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	100
PID 3128 wrote to memory of 1064	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	101
PID 3128 wrote to memory of 1064	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	101
PID 3128 wrote to memory of 1300	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	102
PID 3128 wrote to memory of 1300	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	102
PID 3128 wrote to memory of 4908	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	103
PID 3128 wrote to memory of 4908	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	103
PID 3128 wrote to memory of 532	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	104
PID 3128 wrote to memory of 532	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	104
PID 3128 wrote to memory of 2988	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	105
PID 3128 wrote to memory of 2988	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	105
PID 3128 wrote to memory of 232	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	106
PID 3128 wrote to memory of 232	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	106
PID 3128 wrote to memory of 1772	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	107
PID 3128 wrote to memory of 1772	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	107
PID 3128 wrote to memory of 4488	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	108
PID 3128 wrote to memory of 4488	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	108
PID 3128 wrote to memory of 1244	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	109
PID 3128 wrote to memory of 1244	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	109
PID 3128 wrote to memory of 3268	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	110
PID 3128 wrote to memory of 3268	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	110
PID 3128 wrote to memory of 1124	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	111
PID 3128 wrote to memory of 1124	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	111
PID 3128 wrote to memory of 3080	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	112
PID 3128 wrote to memory of 3080	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	112
PID 3128 wrote to memory of 1500	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	113
PID 3128 wrote to memory of 1500	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	113
PID 3128 wrote to memory of 2000	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	114
PID 3128 wrote to memory of 2000	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	114
PID 3128 wrote to memory of 5060	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	115
PID 3128 wrote to memory of 5060	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	115
PID 3128 wrote to memory of 4924	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	116
PID 3128 wrote to memory of 4924	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	116
PID 3128 wrote to memory of 5048	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	117
PID 3128 wrote to memory of 5048	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	117
PID 3128 wrote to memory of 5116	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	118
PID 3128 wrote to memory of 5116	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	118
PID 3128 wrote to memory of 3060	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	119
PID 3128 wrote to memory of 3060	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	119
PID 3128 wrote to memory of 5016	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	120
PID 3128 wrote to memory of 5016	3128	00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe	120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
1⤵
PID:4480
- C:\Windows\system32\WerFaultSecure.exe
  C:\Windows\system32\WerFaultSecure.exe -u -p 4480 -s 1052
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1524

C:\Users\Admin\AppData\Local\Temp\00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00152210c39b1c2e8509f0c2aef7bc68_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Windows\System32\LenKsRt.exe
  C:\Windows\System32\LenKsRt.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System32\vEKmvru.exe
  C:\Windows\System32\vEKmvru.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System32\zzIlDDk.exe
  C:\Windows\System32\zzIlDDk.exe
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Windows\System32\LvDnaSd.exe
  C:\Windows\System32\LvDnaSd.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System32\WRfbFZE.exe
  C:\Windows\System32\WRfbFZE.exe
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\System32\PSUiqjX.exe
  C:\Windows\System32\PSUiqjX.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System32\ZUaxZyR.exe
  C:\Windows\System32\ZUaxZyR.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System32\JTmAQsx.exe
  C:\Windows\System32\JTmAQsx.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System32\LfTbOgB.exe
  C:\Windows\System32\LfTbOgB.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System32\ZquVxGD.exe
  C:\Windows\System32\ZquVxGD.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System32\irxdQMU.exe
  C:\Windows\System32\irxdQMU.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System32\IxMsqbm.exe
  C:\Windows\System32\IxMsqbm.exe
  2⤵
  - Executes dropped EXE
  PID:3444
- C:\Windows\System32\yUNlToi.exe
  C:\Windows\System32\yUNlToi.exe
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Windows\System32\yUorZDz.exe
  C:\Windows\System32\yUorZDz.exe
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Windows\System32\YFqjfgu.exe
  C:\Windows\System32\YFqjfgu.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System32\fgBTuIe.exe
  C:\Windows\System32\fgBTuIe.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System32\dtCfqFX.exe
  C:\Windows\System32\dtCfqFX.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System32\VgsTNiI.exe
  C:\Windows\System32\VgsTNiI.exe
  2⤵
  - Executes dropped EXE
  PID:232
- C:\Windows\System32\EwYRLDQ.exe
  C:\Windows\System32\EwYRLDQ.exe
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\System32\lXqeQrp.exe
  C:\Windows\System32\lXqeQrp.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System32\irjwFVm.exe
  C:\Windows\System32\irjwFVm.exe
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\System32\jsxgrTT.exe
  C:\Windows\System32\jsxgrTT.exe
  2⤵
  - Executes dropped EXE
  PID:3268
- C:\Windows\System32\BBSXcPB.exe
  C:\Windows\System32\BBSXcPB.exe
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Windows\System32\OJovvoG.exe
  C:\Windows\System32\OJovvoG.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System32\bhoyEfK.exe
  C:\Windows\System32\bhoyEfK.exe
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\System32\shPJvBn.exe
  C:\Windows\System32\shPJvBn.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System32\eGIZIOS.exe
  C:\Windows\System32\eGIZIOS.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System32\wqLIjON.exe
  C:\Windows\System32\wqLIjON.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System32\ZARxkfg.exe
  C:\Windows\System32\ZARxkfg.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System32\kSSWnvt.exe
  C:\Windows\System32\kSSWnvt.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System32\GCCYzJc.exe
  C:\Windows\System32\GCCYzJc.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System32\rlaSWaW.exe
  C:\Windows\System32\rlaSWaW.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System32\GuNXpci.exe
  C:\Windows\System32\GuNXpci.exe
  2⤵
  - Executes dropped EXE
  PID:732
- C:\Windows\System32\pWWrLXY.exe
  C:\Windows\System32\pWWrLXY.exe
  2⤵
  - Executes dropped EXE
  PID:4632
- C:\Windows\System32\qOsXwsZ.exe
  C:\Windows\System32\qOsXwsZ.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System32\wfEMvJs.exe
  C:\Windows\System32\wfEMvJs.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System32\QxbUBsD.exe
  C:\Windows\System32\QxbUBsD.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System32\sHkGseW.exe
  C:\Windows\System32\sHkGseW.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System32\KDWFAnX.exe
  C:\Windows\System32\KDWFAnX.exe
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\System32\jdQVGes.exe
  C:\Windows\System32\jdQVGes.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System32\RcGGrrS.exe
  C:\Windows\System32\RcGGrrS.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System32\XQhjMgO.exe
  C:\Windows\System32\XQhjMgO.exe
  2⤵
  - Executes dropped EXE
  PID:672
- C:\Windows\System32\OPwcFQj.exe
  C:\Windows\System32\OPwcFQj.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System32\zAMevPL.exe
  C:\Windows\System32\zAMevPL.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\System32\HDWEimG.exe
  C:\Windows\System32\HDWEimG.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System32\MvNyrcF.exe
  C:\Windows\System32\MvNyrcF.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System32\azZSgqq.exe
  C:\Windows\System32\azZSgqq.exe
  2⤵
  - Executes dropped EXE
  PID:3580
- C:\Windows\System32\zlniCTM.exe
  C:\Windows\System32\zlniCTM.exe
  2⤵
  - Executes dropped EXE
  PID:3916
- C:\Windows\System32\qHzIXUm.exe
  C:\Windows\System32\qHzIXUm.exe
  2⤵
  - Executes dropped EXE
  PID:3100
- C:\Windows\System32\MSZowgZ.exe
  C:\Windows\System32\MSZowgZ.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System32\VjfAIrA.exe
  C:\Windows\System32\VjfAIrA.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System32\fufoCtf.exe
  C:\Windows\System32\fufoCtf.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System32\IZczcrL.exe
  C:\Windows\System32\IZczcrL.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System32\calohif.exe
  C:\Windows\System32\calohif.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System32\jzqxfpR.exe
  C:\Windows\System32\jzqxfpR.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System32\kvPQAcL.exe
  C:\Windows\System32\kvPQAcL.exe
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\System32\FhNRMCP.exe
  C:\Windows\System32\FhNRMCP.exe
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Windows\System32\ZoWAYla.exe
  C:\Windows\System32\ZoWAYla.exe
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Windows\System32\JPDInoH.exe
  C:\Windows\System32\JPDInoH.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System32\ezlnDWS.exe
  C:\Windows\System32\ezlnDWS.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System32\LiboSjy.exe
  C:\Windows\System32\LiboSjy.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System32\gVPHeKl.exe
  C:\Windows\System32\gVPHeKl.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System32\QWIzUfq.exe
  C:\Windows\System32\QWIzUfq.exe
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Windows\System32\HMoXgQn.exe
  C:\Windows\System32\HMoXgQn.exe
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\System32\xyHJEPr.exe
  C:\Windows\System32\xyHJEPr.exe
  2⤵
  PID:3052
- C:\Windows\System32\tZyFGkF.exe
  C:\Windows\System32\tZyFGkF.exe
  2⤵
  PID:888
- C:\Windows\System32\DQgSaKM.exe
  C:\Windows\System32\DQgSaKM.exe
  2⤵
  PID:2280
- C:\Windows\System32\WHByFTD.exe
  C:\Windows\System32\WHByFTD.exe
  2⤵
  PID:2040
- C:\Windows\System32\LZRmQCW.exe
  C:\Windows\System32\LZRmQCW.exe
  2⤵
  PID:2540
- C:\Windows\System32\nQVqopM.exe
  C:\Windows\System32\nQVqopM.exe
  2⤵
  PID:4900
- C:\Windows\System32\FFKonyV.exe
  C:\Windows\System32\FFKonyV.exe
  2⤵
  PID:1844
- C:\Windows\System32\QmEBKne.exe
  C:\Windows\System32\QmEBKne.exe
  2⤵
  PID:3716
- C:\Windows\System32\bOaqLUT.exe
  C:\Windows\System32\bOaqLUT.exe
  2⤵
  PID:3404
- C:\Windows\System32\cEdATQo.exe
  C:\Windows\System32\cEdATQo.exe
  2⤵
  PID:2176
- C:\Windows\System32\PPlrWEI.exe
  C:\Windows\System32\PPlrWEI.exe
  2⤵
  PID:1484
- C:\Windows\System32\QmpsFCM.exe
  C:\Windows\System32\QmpsFCM.exe
  2⤵
  PID:5172
- C:\Windows\System32\KSaYwhU.exe
  C:\Windows\System32\KSaYwhU.exe
  2⤵
  PID:5224
- C:\Windows\System32\WQUObyb.exe
  C:\Windows\System32\WQUObyb.exe
  2⤵
  PID:5256
- C:\Windows\System32\feKEovI.exe
  C:\Windows\System32\feKEovI.exe
  2⤵
  PID:5276
- C:\Windows\System32\REdLWni.exe
  C:\Windows\System32\REdLWni.exe
  2⤵
  PID:5292
- C:\Windows\System32\PisXclK.exe
  C:\Windows\System32\PisXclK.exe
  2⤵
  PID:5332
- C:\Windows\System32\mKkpdpy.exe
  C:\Windows\System32\mKkpdpy.exe
  2⤵
  PID:5348
- C:\Windows\System32\hUzSQWo.exe
  C:\Windows\System32\hUzSQWo.exe
  2⤵
  PID:5368
- C:\Windows\System32\CCAYwye.exe
  C:\Windows\System32\CCAYwye.exe
  2⤵
  PID:5384
- C:\Windows\System32\UQNYYyb.exe
  C:\Windows\System32\UQNYYyb.exe
  2⤵
  PID:5412
- C:\Windows\System32\LbAanfE.exe
  C:\Windows\System32\LbAanfE.exe
  2⤵
  PID:5452
- C:\Windows\System32\NXIFRJe.exe
  C:\Windows\System32\NXIFRJe.exe
  2⤵
  PID:5540
- C:\Windows\System32\wVSKVhK.exe
  C:\Windows\System32\wVSKVhK.exe
  2⤵
  PID:5560
- C:\Windows\System32\EKeXMJO.exe
  C:\Windows\System32\EKeXMJO.exe
  2⤵
  PID:5600
- C:\Windows\System32\fZkjDlf.exe
  C:\Windows\System32\fZkjDlf.exe
  2⤵
  PID:5632
- C:\Windows\System32\qNCCQcm.exe
  C:\Windows\System32\qNCCQcm.exe
  2⤵
  PID:5648
- C:\Windows\System32\whuXRzc.exe
  C:\Windows\System32\whuXRzc.exe
  2⤵
  PID:5676
- C:\Windows\System32\IXWqHWp.exe
  C:\Windows\System32\IXWqHWp.exe
  2⤵
  PID:5692
- C:\Windows\System32\OPJsVkL.exe
  C:\Windows\System32\OPJsVkL.exe
  2⤵
  PID:5716
- C:\Windows\System32\BgIXGuT.exe
  C:\Windows\System32\BgIXGuT.exe
  2⤵
  PID:5752
- C:\Windows\System32\mmdLtqM.exe
  C:\Windows\System32\mmdLtqM.exe
  2⤵
  PID:5768
- C:\Windows\System32\SlXQovX.exe
  C:\Windows\System32\SlXQovX.exe
  2⤵
  PID:5812
- C:\Windows\System32\fIFRpeH.exe
  C:\Windows\System32\fIFRpeH.exe
  2⤵
  PID:5856
- C:\Windows\System32\ZzUOuBM.exe
  C:\Windows\System32\ZzUOuBM.exe
  2⤵
  PID:5876
- C:\Windows\System32\QPwhldK.exe
  C:\Windows\System32\QPwhldK.exe
  2⤵
  PID:5896
- C:\Windows\System32\FsuQiAb.exe
  C:\Windows\System32\FsuQiAb.exe
  2⤵
  PID:5920
- C:\Windows\System32\hIcgJAC.exe
  C:\Windows\System32\hIcgJAC.exe
  2⤵
  PID:5936
- C:\Windows\System32\pNmAXdg.exe
  C:\Windows\System32\pNmAXdg.exe
  2⤵
  PID:5968
- C:\Windows\System32\VVdYozV.exe
  C:\Windows\System32\VVdYozV.exe
  2⤵
  PID:5988
- C:\Windows\System32\sZYQZpN.exe
  C:\Windows\System32\sZYQZpN.exe
  2⤵
  PID:6028
- C:\Windows\System32\cBSDsJU.exe
  C:\Windows\System32\cBSDsJU.exe
  2⤵
  PID:6088
- C:\Windows\System32\IedPZTR.exe
  C:\Windows\System32\IedPZTR.exe
  2⤵
  PID:6108
- C:\Windows\System32\TapmTkS.exe
  C:\Windows\System32\TapmTkS.exe
  2⤵
  PID:6124
- C:\Windows\System32\mqueHEQ.exe
  C:\Windows\System32\mqueHEQ.exe
  2⤵
  PID:6140
- C:\Windows\System32\wFxNpNa.exe
  C:\Windows\System32\wFxNpNa.exe
  2⤵
  PID:4752
- C:\Windows\System32\GoLBjKD.exe
  C:\Windows\System32\GoLBjKD.exe
  2⤵
  PID:3472
- C:\Windows\System32\BAPDvsy.exe
  C:\Windows\System32\BAPDvsy.exe
  2⤵
  PID:2836
- C:\Windows\System32\pzXOooX.exe
  C:\Windows\System32\pzXOooX.exe
  2⤵
  PID:680
- C:\Windows\System32\TdIIDNn.exe
  C:\Windows\System32\TdIIDNn.exe
  2⤵
  PID:5240
- C:\Windows\System32\cAxsxgI.exe
  C:\Windows\System32\cAxsxgI.exe
  2⤵
  PID:5396
- C:\Windows\System32\tIgQQVu.exe
  C:\Windows\System32\tIgQQVu.exe
  2⤵
  PID:5488
- C:\Windows\System32\GIrAozt.exe
  C:\Windows\System32\GIrAozt.exe
  2⤵
  PID:5504
- C:\Windows\System32\qYrIVSP.exe
  C:\Windows\System32\qYrIVSP.exe
  2⤵
  PID:5516
- C:\Windows\System32\LzxflSk.exe
  C:\Windows\System32\LzxflSk.exe
  2⤵
  PID:5568
- C:\Windows\System32\YglCTHw.exe
  C:\Windows\System32\YglCTHw.exe
  2⤵
  PID:5688
- C:\Windows\System32\JPfeNev.exe
  C:\Windows\System32\JPfeNev.exe
  2⤵
  PID:5888
- C:\Windows\System32\gjQPOwQ.exe
  C:\Windows\System32\gjQPOwQ.exe
  2⤵
  PID:4416
- C:\Windows\System32\STazpWF.exe
  C:\Windows\System32\STazpWF.exe
  2⤵
  PID:5932
- C:\Windows\System32\fzBGiOm.exe
  C:\Windows\System32\fzBGiOm.exe
  2⤵
  PID:5976
- C:\Windows\System32\suYptPP.exe
  C:\Windows\System32\suYptPP.exe
  2⤵
  PID:1624
- C:\Windows\System32\FYeNsVz.exe
  C:\Windows\System32\FYeNsVz.exe
  2⤵
  PID:6096
- C:\Windows\System32\BbBcSMX.exe
  C:\Windows\System32\BbBcSMX.exe
  2⤵
  PID:3092
- C:\Windows\System32\mKEZpjX.exe
  C:\Windows\System32\mKEZpjX.exe
  2⤵
  PID:2100
- C:\Windows\System32\OhbAZin.exe
  C:\Windows\System32\OhbAZin.exe
  2⤵
  PID:5300
- C:\Windows\System32\lfzmokw.exe
  C:\Windows\System32\lfzmokw.exe
  2⤵
  PID:5520
- C:\Windows\System32\pCPQjUX.exe
  C:\Windows\System32\pCPQjUX.exe
  2⤵
  PID:5748
- C:\Windows\System32\tqMQxUs.exe
  C:\Windows\System32\tqMQxUs.exe
  2⤵
  PID:5792
- C:\Windows\System32\kPWGOdk.exe
  C:\Windows\System32\kPWGOdk.exe
  2⤵
  PID:5836
- C:\Windows\System32\GkHqUkP.exe
  C:\Windows\System32\GkHqUkP.exe
  2⤵
  PID:6076
- C:\Windows\System32\HsaLOHL.exe
  C:\Windows\System32\HsaLOHL.exe
  2⤵
  PID:4688
- C:\Windows\System32\JqLXPBU.exe
  C:\Windows\System32\JqLXPBU.exe
  2⤵
  PID:5264
- C:\Windows\System32\SoRMBIb.exe
  C:\Windows\System32\SoRMBIb.exe
  2⤵
  PID:4484
- C:\Windows\System32\FsXApjo.exe
  C:\Windows\System32\FsXApjo.exe
  2⤵
  PID:5424
- C:\Windows\System32\ZILPHvk.exe
  C:\Windows\System32\ZILPHvk.exe
  2⤵
  PID:5824
- C:\Windows\System32\rhtIlaP.exe
  C:\Windows\System32\rhtIlaP.exe
  2⤵
  PID:5984
- C:\Windows\System32\LSJGRAK.exe
  C:\Windows\System32\LSJGRAK.exe
  2⤵
  PID:5952
- C:\Windows\System32\eOTNGpl.exe
  C:\Windows\System32\eOTNGpl.exe
  2⤵
  PID:5964
- C:\Windows\System32\quvZurg.exe
  C:\Windows\System32\quvZurg.exe
  2⤵
  PID:4788
- C:\Windows\System32\gVutBwa.exe
  C:\Windows\System32\gVutBwa.exe
  2⤵
  PID:6164
- C:\Windows\System32\wtOIgxf.exe
  C:\Windows\System32\wtOIgxf.exe
  2⤵
  PID:6200
- C:\Windows\System32\IJWILzA.exe
  C:\Windows\System32\IJWILzA.exe
  2⤵
  PID:6272
- C:\Windows\System32\HxhFwow.exe
  C:\Windows\System32\HxhFwow.exe
  2⤵
  PID:6288
- C:\Windows\System32\GYXPMTh.exe
  C:\Windows\System32\GYXPMTh.exe
  2⤵
  PID:6320
- C:\Windows\System32\rVVTiSL.exe
  C:\Windows\System32\rVVTiSL.exe
  2⤵
  PID:6340
- C:\Windows\System32\RgQgtvU.exe
  C:\Windows\System32\RgQgtvU.exe
  2⤵
  PID:6356
- C:\Windows\System32\YXHDggK.exe
  C:\Windows\System32\YXHDggK.exe
  2⤵
  PID:6376
- C:\Windows\System32\jqrvLdP.exe
  C:\Windows\System32\jqrvLdP.exe
  2⤵
  PID:6392
- C:\Windows\System32\AGzAJro.exe
  C:\Windows\System32\AGzAJro.exe
  2⤵
  PID:6408
- C:\Windows\System32\HrLbHUz.exe
  C:\Windows\System32\HrLbHUz.exe
  2⤵
  PID:6428
- C:\Windows\System32\EzWxzGy.exe
  C:\Windows\System32\EzWxzGy.exe
  2⤵
  PID:6492
- C:\Windows\System32\ByGmFGV.exe
  C:\Windows\System32\ByGmFGV.exe
  2⤵
  PID:6588
- C:\Windows\System32\rgyqQXy.exe
  C:\Windows\System32\rgyqQXy.exe
  2⤵
  PID:6640
- C:\Windows\System32\esfiTpm.exe
  C:\Windows\System32\esfiTpm.exe
  2⤵
  PID:6656
- C:\Windows\System32\vlraufz.exe
  C:\Windows\System32\vlraufz.exe
  2⤵
  PID:6672
- C:\Windows\System32\PGeKoPC.exe
  C:\Windows\System32\PGeKoPC.exe
  2⤵
  PID:6688
- C:\Windows\System32\RHBYkyS.exe
  C:\Windows\System32\RHBYkyS.exe
  2⤵
  PID:6732
- C:\Windows\System32\VKdMGPy.exe
  C:\Windows\System32\VKdMGPy.exe
  2⤵
  PID:6764
- C:\Windows\System32\RlyrsMM.exe
  C:\Windows\System32\RlyrsMM.exe
  2⤵
  PID:6780
- C:\Windows\System32\IxoxvvR.exe
  C:\Windows\System32\IxoxvvR.exe
  2⤵
  PID:6796
- C:\Windows\System32\QUcJpeP.exe
  C:\Windows\System32\QUcJpeP.exe
  2⤵
  PID:6812
- C:\Windows\System32\OoYCnHM.exe
  C:\Windows\System32\OoYCnHM.exe
  2⤵
  PID:6864
- C:\Windows\System32\LxKjWsL.exe
  C:\Windows\System32\LxKjWsL.exe
  2⤵
  PID:6880
- C:\Windows\System32\wVIlFGu.exe
  C:\Windows\System32\wVIlFGu.exe
  2⤵
  PID:6908
- C:\Windows\System32\XELWvba.exe
  C:\Windows\System32\XELWvba.exe
  2⤵
  PID:6932
- C:\Windows\System32\JvNIbEP.exe
  C:\Windows\System32\JvNIbEP.exe
  2⤵
  PID:6996
- C:\Windows\System32\yJwnMSv.exe
  C:\Windows\System32\yJwnMSv.exe
  2⤵
  PID:7044
- C:\Windows\System32\CXelIrL.exe
  C:\Windows\System32\CXelIrL.exe
  2⤵
  PID:7060
- C:\Windows\System32\KBgKsda.exe
  C:\Windows\System32\KBgKsda.exe
  2⤵
  PID:7088
- C:\Windows\System32\nVwjdyd.exe
  C:\Windows\System32\nVwjdyd.exe
  2⤵
  PID:7104
- C:\Windows\System32\SzaUoLC.exe
  C:\Windows\System32\SzaUoLC.exe
  2⤵
  PID:5464
- C:\Windows\System32\RjxVvVZ.exe
  C:\Windows\System32\RjxVvVZ.exe
  2⤵
  PID:5196
- C:\Windows\System32\MOYcaIz.exe
  C:\Windows\System32\MOYcaIz.exe
  2⤵
  PID:6236
- C:\Windows\System32\UUFGBoZ.exe
  C:\Windows\System32\UUFGBoZ.exe
  2⤵
  PID:6220
- C:\Windows\System32\UNmBpKV.exe
  C:\Windows\System32\UNmBpKV.exe
  2⤵
  PID:6336
- C:\Windows\System32\DlUMzKk.exe
  C:\Windows\System32\DlUMzKk.exe
  2⤵
  PID:6312
- C:\Windows\System32\GAInYjA.exe
  C:\Windows\System32\GAInYjA.exe
  2⤵
  PID:6332
- C:\Windows\System32\ultPpaS.exe
  C:\Windows\System32\ultPpaS.exe
  2⤵
  PID:6384
- C:\Windows\System32\hRgpUjR.exe
  C:\Windows\System32\hRgpUjR.exe
  2⤵
  PID:6464
- C:\Windows\System32\qRAdoEg.exe
  C:\Windows\System32\qRAdoEg.exe
  2⤵
  PID:6468
- C:\Windows\System32\YUUTfnW.exe
  C:\Windows\System32\YUUTfnW.exe
  2⤵
  PID:6488
- C:\Windows\System32\ZiEjPyD.exe
  C:\Windows\System32\ZiEjPyD.exe
  2⤵
  PID:6596
- C:\Windows\System32\QFSPKzz.exe
  C:\Windows\System32\QFSPKzz.exe
  2⤵
  PID:6612
- C:\Windows\System32\uKlAGip.exe
  C:\Windows\System32\uKlAGip.exe
  2⤵
  PID:6684
- C:\Windows\System32\ybWvOqg.exe
  C:\Windows\System32\ybWvOqg.exe
  2⤵
  PID:6744
- C:\Windows\System32\ZKxGnpc.exe
  C:\Windows\System32\ZKxGnpc.exe
  2⤵
  PID:6824
- C:\Windows\System32\UnxIlSf.exe
  C:\Windows\System32\UnxIlSf.exe
  2⤵
  PID:6948
- C:\Windows\System32\XSSVJgf.exe
  C:\Windows\System32\XSSVJgf.exe
  2⤵
  PID:6920
- C:\Windows\System32\yqHWouZ.exe
  C:\Windows\System32\yqHWouZ.exe
  2⤵
  PID:6968
- C:\Windows\System32\WaboFPz.exe
  C:\Windows\System32\WaboFPz.exe
  2⤵
  PID:408
- C:\Windows\System32\vxIEkky.exe
  C:\Windows\System32\vxIEkky.exe
  2⤵
  PID:5496
- C:\Windows\System32\OQSCDea.exe
  C:\Windows\System32\OQSCDea.exe
  2⤵
  PID:1456
- C:\Windows\System32\bAQRYjH.exe
  C:\Windows\System32\bAQRYjH.exe
  2⤵
  PID:6424
- C:\Windows\System32\sjlaQnI.exe
  C:\Windows\System32\sjlaQnI.exe
  2⤵
  PID:6512
- C:\Windows\System32\dNOGLRn.exe
  C:\Windows\System32\dNOGLRn.exe
  2⤵
  PID:6364
- C:\Windows\System32\OWpbwux.exe
  C:\Windows\System32\OWpbwux.exe
  2⤵
  PID:6760
- C:\Windows\System32\gogOgsp.exe
  C:\Windows\System32\gogOgsp.exe
  2⤵
  PID:6972
- C:\Windows\System32\rwrveWA.exe
  C:\Windows\System32\rwrveWA.exe
  2⤵
  PID:6980
- C:\Windows\System32\oxcEPQk.exe
  C:\Windows\System32\oxcEPQk.exe
  2⤵
  PID:7080
- C:\Windows\System32\acarPKV.exe
  C:\Windows\System32\acarPKV.exe
  2⤵
  PID:6184
- C:\Windows\System32\hxXUSiw.exe
  C:\Windows\System32\hxXUSiw.exe
  2⤵
  PID:6132
- C:\Windows\System32\loHfTth.exe
  C:\Windows\System32\loHfTth.exe
  2⤵
  PID:6248
- C:\Windows\System32\rZAetAm.exe
  C:\Windows\System32\rZAetAm.exe
  2⤵
  PID:6680
- C:\Windows\System32\YuxgTUa.exe
  C:\Windows\System32\YuxgTUa.exe
  2⤵
  PID:5096
- C:\Windows\System32\ULMEExd.exe
  C:\Windows\System32\ULMEExd.exe
  2⤵
  PID:7148
- C:\Windows\System32\bxuglbC.exe
  C:\Windows\System32\bxuglbC.exe
  2⤵
  PID:7120
- C:\Windows\System32\qDENIEZ.exe
  C:\Windows\System32\qDENIEZ.exe
  2⤵
  PID:7016
- C:\Windows\System32\pYVFdDK.exe
  C:\Windows\System32\pYVFdDK.exe
  2⤵
  PID:1884
- C:\Windows\System32\DfviPdf.exe
  C:\Windows\System32\DfviPdf.exe
  2⤵
  PID:2492
- C:\Windows\System32\nwcGgHZ.exe
  C:\Windows\System32\nwcGgHZ.exe
  2⤵
  PID:7184
- C:\Windows\System32\XCmNHMs.exe
  C:\Windows\System32\XCmNHMs.exe
  2⤵
  PID:7204
- C:\Windows\System32\CoZFIbT.exe
  C:\Windows\System32\CoZFIbT.exe
  2⤵
  PID:7244
- C:\Windows\System32\KgBVgWn.exe
  C:\Windows\System32\KgBVgWn.exe
  2⤵
  PID:7272
- C:\Windows\System32\otEoShg.exe
  C:\Windows\System32\otEoShg.exe
  2⤵
  PID:7336
- C:\Windows\System32\CroidKb.exe
  C:\Windows\System32\CroidKb.exe
  2⤵
  PID:7360
- C:\Windows\System32\IKOkKgN.exe
  C:\Windows\System32\IKOkKgN.exe
  2⤵
  PID:7376
- C:\Windows\System32\QpMHZLb.exe
  C:\Windows\System32\QpMHZLb.exe
  2⤵
  PID:7392
- C:\Windows\System32\xTiPrHw.exe
  C:\Windows\System32\xTiPrHw.exe
  2⤵
  PID:7436
- C:\Windows\System32\gcpYApm.exe
  C:\Windows\System32\gcpYApm.exe
  2⤵
  PID:7476
- C:\Windows\System32\wEpLFgM.exe
  C:\Windows\System32\wEpLFgM.exe
  2⤵
  PID:7496
- C:\Windows\System32\nwrodhQ.exe
  C:\Windows\System32\nwrodhQ.exe
  2⤵
  PID:7512
- C:\Windows\System32\lZUdrHi.exe
  C:\Windows\System32\lZUdrHi.exe
  2⤵
  PID:7528
- C:\Windows\System32\nomyURX.exe
  C:\Windows\System32\nomyURX.exe
  2⤵
  PID:7548
- C:\Windows\System32\HChhDpW.exe
  C:\Windows\System32\HChhDpW.exe
  2⤵
  PID:7572
- C:\Windows\System32\zgggRMU.exe
  C:\Windows\System32\zgggRMU.exe
  2⤵
  PID:7592
- C:\Windows\System32\dGMfXfU.exe
  C:\Windows\System32\dGMfXfU.exe
  2⤵
  PID:7608
- C:\Windows\System32\kIaBDwR.exe
  C:\Windows\System32\kIaBDwR.exe
  2⤵
  PID:7624
- C:\Windows\System32\AWRoAIo.exe
  C:\Windows\System32\AWRoAIo.exe
  2⤵
  PID:7664
- C:\Windows\System32\ISSXrnl.exe
  C:\Windows\System32\ISSXrnl.exe
  2⤵
  PID:7684
- C:\Windows\System32\ntNXOht.exe
  C:\Windows\System32\ntNXOht.exe
  2⤵
  PID:7704
- C:\Windows\System32\isCOyiW.exe
  C:\Windows\System32\isCOyiW.exe
  2⤵
  PID:7764
- C:\Windows\System32\gzGYyZe.exe
  C:\Windows\System32\gzGYyZe.exe
  2⤵
  PID:7828
- C:\Windows\System32\LttwzsU.exe
  C:\Windows\System32\LttwzsU.exe
  2⤵
  PID:7880
- C:\Windows\System32\iDIBfYi.exe
  C:\Windows\System32\iDIBfYi.exe
  2⤵
  PID:7916
- C:\Windows\System32\BVIaGco.exe
  C:\Windows\System32\BVIaGco.exe
  2⤵
  PID:7932
- C:\Windows\System32\RqiBzML.exe
  C:\Windows\System32\RqiBzML.exe
  2⤵
  PID:7952
- C:\Windows\System32\GvwWmJh.exe
  C:\Windows\System32\GvwWmJh.exe
  2⤵
  PID:7968
- C:\Windows\System32\eMRqquL.exe
  C:\Windows\System32\eMRqquL.exe
  2⤵
  PID:7984
- C:\Windows\System32\afYYwjx.exe
  C:\Windows\System32\afYYwjx.exe
  2⤵
  PID:8000
- C:\Windows\System32\vVlULPg.exe
  C:\Windows\System32\vVlULPg.exe
  2⤵
  PID:8044
- C:\Windows\System32\qEPoPle.exe
  C:\Windows\System32\qEPoPle.exe
  2⤵
  PID:8064
- C:\Windows\System32\dQfLfbS.exe
  C:\Windows\System32\dQfLfbS.exe
  2⤵
  PID:8080
- C:\Windows\System32\fFjjFlz.exe
  C:\Windows\System32\fFjjFlz.exe
  2⤵
  PID:8100
- C:\Windows\System32\orNKlHR.exe
  C:\Windows\System32\orNKlHR.exe
  2⤵
  PID:8116
- C:\Windows\System32\mXeziYD.exe
  C:\Windows\System32\mXeziYD.exe
  2⤵
  PID:8136
- C:\Windows\System32\vDDCbfN.exe
  C:\Windows\System32\vDDCbfN.exe
  2⤵
  PID:8152
- C:\Windows\System32\vyJQVjd.exe
  C:\Windows\System32\vyJQVjd.exe
  2⤵
  PID:6484
- C:\Windows\System32\RPsiwTt.exe
  C:\Windows\System32\RPsiwTt.exe
  2⤵
  PID:7428
- C:\Windows\System32\BELHqTK.exe
  C:\Windows\System32\BELHqTK.exe
  2⤵
  PID:7400
- C:\Windows\System32\MCEPjBu.exe
  C:\Windows\System32\MCEPjBu.exe
  2⤵
  PID:7456
- C:\Windows\System32\LRqAZwx.exe
  C:\Windows\System32\LRqAZwx.exe
  2⤵
  PID:7680
- C:\Windows\System32\Zlqesnb.exe
  C:\Windows\System32\Zlqesnb.exe
  2⤵
  PID:7660
- C:\Windows\System32\qqsXnSa.exe
  C:\Windows\System32\qqsXnSa.exe
  2⤵
  PID:7716
- C:\Windows\System32\oxFglxC.exe
  C:\Windows\System32\oxFglxC.exe
  2⤵
  PID:7712
- C:\Windows\System32\roLuATC.exe
  C:\Windows\System32\roLuATC.exe
  2⤵
  PID:7808
- C:\Windows\System32\WYtMFkD.exe
  C:\Windows\System32\WYtMFkD.exe
  2⤵
  PID:7980
- C:\Windows\System32\LjRNosp.exe
  C:\Windows\System32\LjRNosp.exe
  2⤵
  PID:7976
- C:\Windows\System32\BtjFGXL.exe
  C:\Windows\System32\BtjFGXL.exe
  2⤵
  PID:8088
- C:\Windows\System32\CtCYsXl.exe
  C:\Windows\System32\CtCYsXl.exe
  2⤵
  PID:8072
- C:\Windows\System32\pHhwPFX.exe
  C:\Windows\System32\pHhwPFX.exe
  2⤵
  PID:7212
- C:\Windows\System32\BYvXMWy.exe
  C:\Windows\System32\BYvXMWy.exe
  2⤵
  PID:8168
- C:\Windows\System32\WQdmDHl.exe
  C:\Windows\System32\WQdmDHl.exe
  2⤵
  PID:8176
- C:\Windows\System32\wLiHHwQ.exe
  C:\Windows\System32\wLiHHwQ.exe
  2⤵
  PID:7284
- C:\Windows\System32\ncvSODZ.exe
  C:\Windows\System32\ncvSODZ.exe
  2⤵
  PID:7472
- C:\Windows\System32\tSmBFDO.exe
  C:\Windows\System32\tSmBFDO.exe
  2⤵
  PID:7384
- C:\Windows\System32\vknlEVP.exe
  C:\Windows\System32\vknlEVP.exe
  2⤵
  PID:7524
- C:\Windows\System32\XWgCeir.exe
  C:\Windows\System32\XWgCeir.exe
  2⤵
  PID:7648
- C:\Windows\System32\JcvFwuT.exe
  C:\Windows\System32\JcvFwuT.exe
  2⤵
  PID:7520
- C:\Windows\System32\QsGHCaG.exe
  C:\Windows\System32\QsGHCaG.exe
  2⤵
  PID:6728
- C:\Windows\System32\gtNmCLs.exe
  C:\Windows\System32\gtNmCLs.exe
  2⤵
  PID:7280
- C:\Windows\System32\WlKzuae.exe
  C:\Windows\System32\WlKzuae.exe
  2⤵
  PID:8208
- C:\Windows\System32\vjIiMRx.exe
  C:\Windows\System32\vjIiMRx.exe
  2⤵
  PID:8224
- C:\Windows\System32\MWkEvWo.exe
  C:\Windows\System32\MWkEvWo.exe
  2⤵
  PID:8244
- C:\Windows\System32\oGUbQht.exe
  C:\Windows\System32\oGUbQht.exe
  2⤵
  PID:8288
- C:\Windows\System32\EsRuocn.exe
  C:\Windows\System32\EsRuocn.exe
  2⤵
  PID:8308
- C:\Windows\System32\kuShJoI.exe
  C:\Windows\System32\kuShJoI.exe
  2⤵
  PID:8340
- C:\Windows\System32\IdQZAyp.exe
  C:\Windows\System32\IdQZAyp.exe
  2⤵
  PID:8404
- C:\Windows\System32\SMcQIUI.exe
  C:\Windows\System32\SMcQIUI.exe
  2⤵
  PID:8428
- C:\Windows\System32\xLsJGtH.exe
  C:\Windows\System32\xLsJGtH.exe
  2⤵
  PID:8448
- C:\Windows\System32\iRxOAUe.exe
  C:\Windows\System32\iRxOAUe.exe
  2⤵
  PID:8464
- C:\Windows\System32\NuUKBpM.exe
  C:\Windows\System32\NuUKBpM.exe
  2⤵
  PID:8480
- C:\Windows\System32\sQNMcCD.exe
  C:\Windows\System32\sQNMcCD.exe
  2⤵
  PID:8520
- C:\Windows\System32\IyMinHz.exe
  C:\Windows\System32\IyMinHz.exe
  2⤵
  PID:8540
- C:\Windows\System32\COqZKLT.exe
  C:\Windows\System32\COqZKLT.exe
  2⤵
  PID:8556
- C:\Windows\System32\QYtsfuX.exe
  C:\Windows\System32\QYtsfuX.exe
  2⤵
  PID:8572
- C:\Windows\System32\ZZFYaSJ.exe
  C:\Windows\System32\ZZFYaSJ.exe
  2⤵
  PID:8656
- C:\Windows\System32\BwAGTSv.exe
  C:\Windows\System32\BwAGTSv.exe
  2⤵
  PID:8676
- C:\Windows\System32\xiNwIPm.exe
  C:\Windows\System32\xiNwIPm.exe
  2⤵
  PID:8712
- C:\Windows\System32\sRVBroo.exe
  C:\Windows\System32\sRVBroo.exe
  2⤵
  PID:8732
- C:\Windows\System32\sYQcTce.exe
  C:\Windows\System32\sYQcTce.exe
  2⤵
  PID:8780
- C:\Windows\System32\NxmzJAE.exe
  C:\Windows\System32\NxmzJAE.exe
  2⤵
  PID:8824
- C:\Windows\System32\BDIUDJK.exe
  C:\Windows\System32\BDIUDJK.exe
  2⤵
  PID:8848
- C:\Windows\System32\lWZpUmz.exe
  C:\Windows\System32\lWZpUmz.exe
  2⤵
  PID:8892
- C:\Windows\System32\jsogACs.exe
  C:\Windows\System32\jsogACs.exe
  2⤵
  PID:8912
- C:\Windows\System32\ypNZLyg.exe
  C:\Windows\System32\ypNZLyg.exe
  2⤵
  PID:8928
- C:\Windows\System32\VdLHmtr.exe
  C:\Windows\System32\VdLHmtr.exe
  2⤵
  PID:8944
- C:\Windows\System32\sKrTSmi.exe
  C:\Windows\System32\sKrTSmi.exe
  2⤵
  PID:8992
- C:\Windows\System32\jsUPhXl.exe
  C:\Windows\System32\jsUPhXl.exe
  2⤵
  PID:9012
- C:\Windows\System32\PlrEVFL.exe
  C:\Windows\System32\PlrEVFL.exe
  2⤵
  PID:9080
- C:\Windows\System32\HDVjxqh.exe
  C:\Windows\System32\HDVjxqh.exe
  2⤵
  PID:9124
- C:\Windows\System32\qHQfiux.exe
  C:\Windows\System32\qHQfiux.exe
  2⤵
  PID:9160
- C:\Windows\System32\RJOjHqN.exe
  C:\Windows\System32\RJOjHqN.exe
  2⤵
  PID:9176
- C:\Windows\System32\VuZlaju.exe
  C:\Windows\System32\VuZlaju.exe
  2⤵
  PID:9192
- C:\Windows\System32\TTyAQVu.exe
  C:\Windows\System32\TTyAQVu.exe
  2⤵
  PID:9212
- C:\Windows\System32\stBmRZp.exe
  C:\Windows\System32\stBmRZp.exe
  2⤵
  PID:7600
- C:\Windows\System32\UWBeNFp.exe
  C:\Windows\System32\UWBeNFp.exe
  2⤵
  PID:8252
- C:\Windows\System32\hgioOgc.exe
  C:\Windows\System32\hgioOgc.exe
  2⤵
  PID:8220
- C:\Windows\System32\MmVBUKV.exe
  C:\Windows\System32\MmVBUKV.exe
  2⤵
  PID:6924
- C:\Windows\System32\ohZHuGy.exe
  C:\Windows\System32\ohZHuGy.exe
  2⤵
  PID:8416
- C:\Windows\System32\FUjSDVw.exe
  C:\Windows\System32\FUjSDVw.exe
  2⤵
  PID:8552
- C:\Windows\System32\nVzDAVo.exe
  C:\Windows\System32\nVzDAVo.exe
  2⤵
  PID:8536
- C:\Windows\System32\DPIcSxY.exe
  C:\Windows\System32\DPIcSxY.exe
  2⤵
  PID:8500
- C:\Windows\System32\hqaFSiv.exe
  C:\Windows\System32\hqaFSiv.exe
  2⤵
  PID:8568
- C:\Windows\System32\ytnIhWT.exe
  C:\Windows\System32\ytnIhWT.exe
  2⤵
  PID:8724
- C:\Windows\System32\kDvoynt.exe
  C:\Windows\System32\kDvoynt.exe
  2⤵
  PID:8740
- C:\Windows\System32\kqEFjqs.exe
  C:\Windows\System32\kqEFjqs.exe
  2⤵
  PID:8808
- C:\Windows\System32\MxUpkOY.exe
  C:\Windows\System32\MxUpkOY.exe
  2⤵
  PID:9028
- C:\Windows\System32\TdtxQpK.exe
  C:\Windows\System32\TdtxQpK.exe
  2⤵
  PID:9020
- C:\Windows\System32\EkMlzBm.exe
  C:\Windows\System32\EkMlzBm.exe
  2⤵
  PID:9132
- C:\Windows\System32\yXrlhzp.exe
  C:\Windows\System32\yXrlhzp.exe
  2⤵
  PID:9136
- C:\Windows\System32\giwGUvQ.exe
  C:\Windows\System32\giwGUvQ.exe
  2⤵
  PID:7908
- C:\Windows\System32\SGykVsw.exe
  C:\Windows\System32\SGykVsw.exe
  2⤵
  PID:7252
- C:\Windows\System32\NAeGzBu.exe
  C:\Windows\System32\NAeGzBu.exe
  2⤵
  PID:8108
- C:\Windows\System32\xNvjNTJ.exe
  C:\Windows\System32\xNvjNTJ.exe
  2⤵
  PID:8396
- C:\Windows\System32\ZdSAaMk.exe
  C:\Windows\System32\ZdSAaMk.exe
  2⤵
  PID:8444
- C:\Windows\System32\allkaad.exe
  C:\Windows\System32\allkaad.exe
  2⤵
  PID:8620
- C:\Windows\System32\FKXQyLJ.exe
  C:\Windows\System32\FKXQyLJ.exe
  2⤵
  PID:8608
- C:\Windows\System32\EYMsahj.exe
  C:\Windows\System32\EYMsahj.exe
  2⤵
  PID:8972
- C:\Windows\System32\BXDTTWZ.exe
  C:\Windows\System32\BXDTTWZ.exe
  2⤵
  PID:8872
- C:\Windows\System32\cuLrzmT.exe
  C:\Windows\System32\cuLrzmT.exe
  2⤵
  PID:9052
- C:\Windows\System32\DuJxroN.exe
  C:\Windows\System32\DuJxroN.exe
  2⤵
  PID:8904
- C:\Windows\System32\nfTvofH.exe
  C:\Windows\System32\nfTvofH.exe
  2⤵
  PID:8196
- C:\Windows\System32\yEtqlst.exe
  C:\Windows\System32\yEtqlst.exe
  2⤵
  PID:8328
- C:\Windows\System32\luFqOsr.exe
  C:\Windows\System32\luFqOsr.exe
  2⤵
  PID:8704
- C:\Windows\System32\zwxzAfi.exe
  C:\Windows\System32\zwxzAfi.exe
  2⤵
  PID:1732
- C:\Windows\System32\shSkEzy.exe
  C:\Windows\System32\shSkEzy.exe
  2⤵
  PID:8936
- C:\Windows\System32\OFSPjKZ.exe
  C:\Windows\System32\OFSPjKZ.exe
  2⤵
  PID:7948
- C:\Windows\System32\sTZstnS.exe
  C:\Windows\System32\sTZstnS.exe
  2⤵
  PID:2216
- C:\Windows\System32\FlYHCBt.exe
  C:\Windows\System32\FlYHCBt.exe
  2⤵
  PID:3104
- C:\Windows\System32\yJMiwUZ.exe
  C:\Windows\System32\yJMiwUZ.exe
  2⤵
  PID:2980
- C:\Windows\System32\hEKhkuR.exe
  C:\Windows\System32\hEKhkuR.exe
  2⤵
  PID:9232
- C:\Windows\System32\xrVAFOx.exe
  C:\Windows\System32\xrVAFOx.exe
  2⤵
  PID:9284
- C:\Windows\System32\egmprCv.exe
  C:\Windows\System32\egmprCv.exe
  2⤵
  PID:9304
- C:\Windows\System32\UiNnnrS.exe
  C:\Windows\System32\UiNnnrS.exe
  2⤵
  PID:9360
- C:\Windows\System32\AsWqcSC.exe
  C:\Windows\System32\AsWqcSC.exe
  2⤵
  PID:9392
- C:\Windows\System32\agIgWxd.exe
  C:\Windows\System32\agIgWxd.exe
  2⤵
  PID:9428
- C:\Windows\System32\kDTnerS.exe
  C:\Windows\System32\kDTnerS.exe
  2⤵
  PID:9448
- C:\Windows\System32\OxtVmYZ.exe
  C:\Windows\System32\OxtVmYZ.exe
  2⤵
  PID:9476
- C:\Windows\System32\cGkzajB.exe
  C:\Windows\System32\cGkzajB.exe
  2⤵
  PID:9524
- C:\Windows\System32\bxIoNIs.exe
  C:\Windows\System32\bxIoNIs.exe
  2⤵
  PID:9544
- C:\Windows\System32\AgsIaFL.exe
  C:\Windows\System32\AgsIaFL.exe
  2⤵
  PID:9600
- C:\Windows\System32\GASnWbM.exe
  C:\Windows\System32\GASnWbM.exe
  2⤵
  PID:9628
- C:\Windows\System32\ZTNgsmR.exe
  C:\Windows\System32\ZTNgsmR.exe
  2⤵
  PID:9648
- C:\Windows\System32\mvMVBNy.exe
  C:\Windows\System32\mvMVBNy.exe
  2⤵
  PID:9668
- C:\Windows\System32\kJKRRVK.exe
  C:\Windows\System32\kJKRRVK.exe
  2⤵
  PID:9684
- C:\Windows\System32\wFliVwP.exe
  C:\Windows\System32\wFliVwP.exe
  2⤵
  PID:9728
- C:\Windows\System32\lVhJWzm.exe
  C:\Windows\System32\lVhJWzm.exe
  2⤵
  PID:9752
- C:\Windows\System32\MYyOhVu.exe
  C:\Windows\System32\MYyOhVu.exe
  2⤵
  PID:9804
- C:\Windows\System32\oWbXTcr.exe
  C:\Windows\System32\oWbXTcr.exe
  2⤵
  PID:9864
- C:\Windows\System32\ByEVqNe.exe
  C:\Windows\System32\ByEVqNe.exe
  2⤵
  PID:9892
- C:\Windows\System32\cfnQsbV.exe
  C:\Windows\System32\cfnQsbV.exe
  2⤵
  PID:9916
- C:\Windows\System32\cIQMwbu.exe
  C:\Windows\System32\cIQMwbu.exe
  2⤵
  PID:9964
- C:\Windows\System32\YcqaxYZ.exe
  C:\Windows\System32\YcqaxYZ.exe
  2⤵
  PID:10004
- C:\Windows\System32\uMpOfyo.exe
  C:\Windows\System32\uMpOfyo.exe
  2⤵
  PID:10020
- C:\Windows\System32\uqVAvUv.exe
  C:\Windows\System32\uqVAvUv.exe
  2⤵
  PID:10036
- C:\Windows\System32\tWelmhw.exe
  C:\Windows\System32\tWelmhw.exe
  2⤵
  PID:10052
- C:\Windows\System32\kFDAMOL.exe
  C:\Windows\System32\kFDAMOL.exe
  2⤵
  PID:10088
- C:\Windows\System32\eEmrPLr.exe
  C:\Windows\System32\eEmrPLr.exe
  2⤵
  PID:10152
- C:\Windows\System32\fvEaWxA.exe
  C:\Windows\System32\fvEaWxA.exe
  2⤵
  PID:10216
- C:\Windows\System32\mabwlzC.exe
  C:\Windows\System32\mabwlzC.exe
  2⤵
  PID:10236

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 4480 -i 4480 -h 608 -j 624 -s 632 -d 9488
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BBSXcPB.exe

Filesize
1.2MB

MD5
d5bbf123b35eee2232010c043375dad9

SHA1
cf09f6d6bf7c7f32f6dc8369c7e7fe380f292168

SHA256
cff3ab11b6c5c22b41e78f38a6f8a93211f6c24752b8d0e6d255aadf0db546f1

SHA512
c2e16ddd75113a80708c52617f7253c754c7f294c1bd9ba2249240ea1ef59d6b8ecdf4dd5346ccfe0808e9d4031c30a55d694a2a22f3eceec020310290b3035f

Download Submit
C:\Windows\System32\EwYRLDQ.exe

Filesize
1.2MB

MD5
06b7d9e6008e2efa20e62c9d6b3c78ad

SHA1
cf9bdffb9720570e200fd9aa1c84db69bc626bef

SHA256
7bcd11e38a05741eca621350de57edf02ffff18722624b12b382c0205a41baf5

SHA512
494c0495103d3474d867f92ef7fae73328f4cb44dbc49b56d1c4d77c806546062aa9cdc4eed790c6403424dab706dc65e6eb5b599e6e29aef8c9f04260aa9476

Download Submit
C:\Windows\System32\GCCYzJc.exe

Filesize
1.2MB

MD5
452c51106b443a028ba8ef7b30bf4fee

SHA1
93b71b5a94a14031af9401eecb899db80eb9e80d

SHA256
f4c226ec066aa1e8df36fa284b1117dba4b8b6c54dc59c4711ec7fe91e26941e

SHA512
c0b5a712a574b39c9178b4ff75ca51905c44bd7f9eb662a8a76a1646c830c143596b66879d495739be3e11bb4728de8bc97da5a4074407ee26c2ba0f5d56562b

Download Submit
C:\Windows\System32\IxMsqbm.exe

Filesize
1.2MB

MD5
4118f3533274301c6f2fda0d7da9a249

SHA1
26916b1ae98be813d79d9353784eb5929652f28c

SHA256
351fb748bc400a22f8774ee4940c5099d0b4b9ceeb4e678fda0ae0b76e5d2829

SHA512
8f6e8641f3b44c6349a81a76854a6cdb3fa38401379eb372ec41db46c100284ce02de39c5f44c54535171e0b075eddfb8523d1bcf8e121fa6d3771d47c3bab4c

Download Submit
C:\Windows\System32\JTmAQsx.exe

Filesize
1.2MB

MD5
f1e34dd0f8cdd0f42c5c46d40e639674

SHA1
935bca67cd75fa7484f488b9863592e50b748a78

SHA256
035c99e63543fa6074aea480a39a68ac132e2773e401f80b114dbfe523b9d423

SHA512
a2a065474deb962887894b9d98fb98dd7e52ef6ccbaf12d634b28a8e1dbf3590bf6f223d457cb835d4122f7a5b8854d5e594324a0f8b6f2a05fb6e27d0dfeeb2

Download Submit
C:\Windows\System32\LenKsRt.exe

Filesize
1.2MB

MD5
771a8c648efd0c9515294fbe9926dbb7

SHA1
39bf57cb22d2a091c349c3a461ea6100141ae904

SHA256
f25ef7581d6124748f9294b6519b5203960db9c61421c81486080b5af604d90f

SHA512
c6d70e046224ee505c0f07b21a0f15b961919b6603c0cdede33f58af15428a823c7ed5f96c53f66f05b6fac71785e121d2cbc026424a2b78c878342e5bc133c8

Download Submit
C:\Windows\System32\LfTbOgB.exe

Filesize
1.2MB

MD5
28838df546aed62cfd861c7e9fe266c1

SHA1
bed57ec7964dc7f85034b0fafc8a5d43d530f0b0

SHA256
d9e3abbef16b4758944eb9374f11e2e91a8737c0c94089aa2965cf3b9bb0a180

SHA512
8f4e7a04ab77d36f222858cca4b3feeb86957821663be893c3e3c84547186735f6c82b86ffd3acf9ddc452c937959a6d162fc3b1ba73775b29d92cad57b88856

Download Submit
C:\Windows\System32\LvDnaSd.exe

Filesize
1.2MB

MD5
a589244cf1b3aea458a1815f74f3f8a6

SHA1
ef8fd22743273e6f091d28680cc76e1f81a330b6

SHA256
daa024c74d71220b5b3008a207031905a64b8a5343c473ff79c79fe45439b8e1

SHA512
43afab4ed2324077d7faa289607c4b943e9c17b25dcc8992aca4518652e45b51c1a30effd82ee3c91d6cfbf850ddd3abbdc7bc9cb4b187dc22f62522783ca3c6

Download Submit
C:\Windows\System32\OJovvoG.exe

Filesize
1.2MB

MD5
6b04cb6bca722b873ff18571e267f0fd

SHA1
400b07bb71132d441e32e4aef555f22bf19e0a85

SHA256
3d3697e1d687f3f6a7fb75bbf17b295dcfbdb29d136d2dc2b45002a94059617a

SHA512
041af82c0e86b2d982884b0eec5b904508cc37e46b63eb0fc9439c16b6e7e7d6a9288c3a162beab9bf22fc4f98b4f69a5b43f3a1e1de25e25f6bad7ca375e917

Download Submit
C:\Windows\System32\PSUiqjX.exe

Filesize
1.2MB

MD5
1d090d8ddaa3db38fb87f6a63531a0a8

SHA1
d8a0ae9033c7f6978619023c851d0d675e09a3f8

SHA256
314b445a14cbd8e177243fa7e8d18f7c61ba4c05e31992309ed57f68e1fb8a7b

SHA512
27708280aaae956dabf2bebabd3dc4fde9b3cef3a0a19454932fde871c112202caa2e0a972eb33981c2af5ceed11dcecb614455a05d3de46120b9c2a1c617d3a

Download Submit
C:\Windows\System32\VgsTNiI.exe

Filesize
1.2MB

MD5
b4c964c46f4529c3e1cdff16d15882d8

SHA1
11cdbe0a8363008aa9badd85cba96a22c0ef71c7

SHA256
2f4056589bbb0a029eae753de58665c50995ca148a5379101000ea459c209ece

SHA512
959de86077bcd14efddc9e04aef3b0c57d03879440db7163953cddc4b7c3fbe9bf9ae9264f828bbc3a4d27b0324cec6417c492aa6120183bb5524c88bb5fd6f8

Download Submit
C:\Windows\System32\WRfbFZE.exe

Filesize
1.2MB

MD5
c698f4d3c9934a1661d3e47dbe6127b3

SHA1
72e6c50595622369bd2f777361113635ff5367a4

SHA256
38ee48c44a237d233d0a6e7a03842306fa9041da1d4bacbaf14de8dbd5ac2269

SHA512
acfeeee933fe8b65db53f6cce102fc03dfb33edf4bc869371cfbdb8a237f2caaaf78d18de2056d853fa8562ca141e237ac978f92166cb060dda3d66fcd5897f3

Download Submit
C:\Windows\System32\YFqjfgu.exe

Filesize
1.2MB

MD5
72ff9accd815b7729ac99a592d3d92d5

SHA1
11ec37bf3446608b26e4420a5118061e27b24c51

SHA256
d5696f3fe9277fd4ac4fe985b136dffbe8a59c4793dbcf62f4616159cdfed5c4

SHA512
535ff61864635331ccff3d3676726fd93dabab5f376ce9242392b6c4b167b9fed2f4d1febf55f27839ff07f82eab5edc914863ad4d8ef019ddf4415d17898b36

Download Submit
C:\Windows\System32\ZARxkfg.exe

Filesize
1.2MB

MD5
1f802b25aaea0e505620c2452ae782fd

SHA1
e9d3bbd463a3f6f4b491053143811d9aac079f5c

SHA256
83ea5565ef8cfb258a04a600bde37908626651972dd1542dec720167e4941e6a

SHA512
d42bfc8b7db999d3312be5c7cc1c25b8d6f9fdd3a90c12cbc52f9a4794ad8e7aea775e27cc62c89084e7132ebec3b5c3494a03d29c7bdc85aa0b3f2eb1b12913

Download Submit
C:\Windows\System32\ZUaxZyR.exe

Filesize
1.2MB

MD5
8c4a940d8be1633c8666088dfcabecab

SHA1
26654d35f58f94352ff7062e67fe6e0b885e8684

SHA256
ecdc07b1d37ed495dab44b4f109a0c2aaeeacdc54ce9c2ccd6c9a239f989a6f0

SHA512
7f6d7b43f2440c763a955a4c83f7706ced4a095b8d1b1c1c25b5e76777eeac955f133d66f8c8d57268520b94cf274908cb76ee964e6c86021071e021a4505794

Download Submit
C:\Windows\System32\ZquVxGD.exe

Filesize
1.2MB

MD5
97b374d7172ab63131c79488f695ef8b

SHA1
d7172994141d0a7bb13fa4c3f9f8e69bf9f4bc76

SHA256
a4a63b7f343e26119ecc1ed84d683e93ca467e18eff6611814f2210a9bb88dfa

SHA512
4c3db8af6ead2247df4a8144c20f0879423c5b09cbaee77cedeb2b08adf7910b24ceaf630862348c59fd2da40e7b61527421464c56b00dc460b8585ac1905676

Download Submit
C:\Windows\System32\bhoyEfK.exe

Filesize
1.2MB

MD5
694baf1effe483599059e19b4b24111b

SHA1
d2fcc25caf1a815624a4c091a5ee8bf168e64561

SHA256
79ac818dcd4ccd41919e0c5ede722fa1022acdc7685bd9cee023ad57e0b9d412

SHA512
d007a0dfa4caad174ba35d62745d24909bf37581a3ef56f1d154f85771e7e1d2c8ce594d22f4055bef88585e3081a7466d85bf1d11307efd54328c72b3a87dff

Download Submit
C:\Windows\System32\dtCfqFX.exe

Filesize
1.2MB

MD5
f47e496a573e6f8023ca53f378d73ded

SHA1
c23f008f84c930e44676ed2077368252bef89549

SHA256
7d0dbbdfc395dc98285061e91ce56d11791137e2430e3a2218e4ed2bdee3e554

SHA512
b09744e51ae048f934d5feb242a7e2e530e3653cfcf163115c8d75370081d0cbb0e590d1a190b1d008a33a96ab8f3d780e048c997ac35148734099b1fa964a29

Download Submit
C:\Windows\System32\eGIZIOS.exe

Filesize
1.2MB

MD5
d90d8d9dd06ccdf7c020cc8b29fc6de6

SHA1
2cd55c55776243ba3b0821633a56d120b27d8422

SHA256
8cb1a1e46281fc4c21c0da8973ac69cf7b127b0c326d055a88bd92e4ee262fdf

SHA512
f98d35a909e8dcdb2da8348d36f9707e043d425041eb72eac40c91b7b4de142b88499ef571103c60c4d57646a5052a1b7bccfd751178548224849f4087cfd3df

Download Submit
C:\Windows\System32\fgBTuIe.exe

Filesize
1.2MB

MD5
7645c14de388193239946287e72a553a

SHA1
3d70c3874ed5bd9ace5fa4bcef6885ca142b30e7

SHA256
b45c139465434b53340ef68fb8d385c5529413bca7a398a78fc0842a87cc37d1

SHA512
4f7218f3d57f9a072431caf8874c958c1e6240213f224fe4cf62c5cde44e32b93fa56d3b4a0bd7fdac006bf4e8286e6fa583b11b72ca52572b0b462fca9fb3a1

Download Submit
C:\Windows\System32\irjwFVm.exe

Filesize
1.2MB

MD5
756310d364de0ce37a3bb4d084779dc7

SHA1
01eee91c222e7730c0181d62f3984aa270c08947

SHA256
1d8ec3eb971fc47bf40e561f16d2b0e35fb1094a6f702d9e96dc3ea413c2f53f

SHA512
ea999ad7f0a69a7d3c9a3328f148d539c5b2fa01af24d0cfe71049008d86646fb883cf3f05e87d9c6eb5eeb5252c0ef79efc72e713c554231d77983e682d95de

Download Submit
C:\Windows\System32\irxdQMU.exe

Filesize
1.2MB

MD5
6d1ee80007caf68e1e24b8f97509dc1b

SHA1
e823625e320642fb3c636e7ba8200d6a5ce6a914

SHA256
66576188046832372dfd0a882b4b43b8cadf4fce9c1ccb3834cb78433fc8643f

SHA512
be6431d36327302cace49c5469d91cbf7246a02c1a2bb464e2b00522ef11e50b68a0206b34c3a4282bf14b494fbe404bcb3338aab3a937e55819e011425c3a2e

Download Submit
C:\Windows\System32\jsxgrTT.exe

Filesize
1.2MB

MD5
f9aaae68512286533e2d24f7e6158d7a

SHA1
ddf3ff28536b8eba6821edc757e083821ca623df

SHA256
ccad6f26ee1df02e94ac0cb61085501bc0ef9372cd20a72336362ff1a5bc19c5

SHA512
f322e95dda88d44482f0275e4e2a6e66605303781875f7ca4bad4479eaf9bf22870cec4cf5b782e695df5ee2ce36b581921e6304550282a9741ef8b3b75b955c

Download Submit
C:\Windows\System32\kSSWnvt.exe

Filesize
1.2MB

MD5
72c6bb4ac48f7d07caccc4fe7cf2e04a

SHA1
0517971f94d5ebfe6c2585041576ad8074d1d785

SHA256
eb5bd2cb5d973d5cc61baed837b128bec13c54eb414137db4f273ccdb16ab499

SHA512
f879e1d4b8e9021708f9e061149dfe1558d8c9bbe2a8171976d26f6723aeb35878b6a88e1e20b0012c15842409e43d7eda7f3050d8644532cabc118e69975b5e

Download Submit
C:\Windows\System32\lXqeQrp.exe

Filesize
1.2MB

MD5
b2efca68ddf0af598c85d8d63c5960ff

SHA1
c6f2ebcb5a6d70a61c1f95099ac3d5f60cabfb13

SHA256
93a991b55344e5b5ac6193b4201fd51489885a5015c512a3055bba1af3695202

SHA512
fd042b9f1f3c8ead3cca126a41996a53f124daf697984da8534cc658a02d1b98e20b1aa6a3a51564924f744999b7bdcb69c3a2279d158c28d36c0665b1bdcdbf

Download Submit
C:\Windows\System32\rlaSWaW.exe

Filesize
1.2MB

MD5
455d70edb7745cb8e832ab080fd0b776

SHA1
b62a3986907adb687a90c3c04e187f1756c2683d

SHA256
fd9b8bbecd8ae8b39e317ada35ffcc5e218e9261792966770847348f8961ea5f

SHA512
a97d2455c9390e34981e01d2156bfcfa55e720d9209556a7fc295956f34c5a5474ca7cb44d9ad5e74bc219c608b3d357742d06637350d28211c9c8adbf87618a

Download Submit
C:\Windows\System32\shPJvBn.exe

Filesize
1.2MB

MD5
086a12f6fab63ab820a4c6e0208d8897

SHA1
94d364b458524b466516e597feba422c7d095504

SHA256
15cd66dc12ed8e09e7e106327d8b8ea200404ffb7de3b7f7481abd6a6a6cfec9

SHA512
6723b4285fe15dc260f3f7cdc2a1b5b9543f6ad25353a8d61f8d2506a95e6128aa85f8ec9afa953b661f7af76dff8f8cc1f3944361ac2c0d94d4006e00fd42df

Download Submit
C:\Windows\System32\vEKmvru.exe

Filesize
1.2MB

MD5
552c9a4898dff4f38af8e8834136efc6

SHA1
b37f24c092905f8609cb95a40a8ca4ba7364e93b

SHA256
5e44ff28194642b1f23e2241a8bb514a782ba86e6e5ab8fbadc30b5d8ad3ed1a

SHA512
3d9de6606f5056d3832b607f86b413365ff283d865094fe679f4b4d376e5c9a94f39d943138713bbaabc8818bd84ec74a23b4a7dac079ab62f93a51ca3a62b1a

Download Submit
C:\Windows\System32\wqLIjON.exe

Filesize
1.2MB

MD5
f01109c722198fa6a7661fffe4a875f3

SHA1
57c686fb70c4e827e2c0f3d7733bff8a1b728442

SHA256
07aa03876b0449eaf878e729836bb7cae58d649f7163fce43f17e8630fcb3d0c

SHA512
7865fd34dd015a5dc1dcd3db52229bc877c91dea1efefb285ecc0b3ffe15a9d237d5e04b4ed2e961fca7c55c5e7b72e1508d94af92d722ceb5def349c4af0358

Download Submit
C:\Windows\System32\yUNlToi.exe

Filesize
1.2MB

MD5
03057db39370006a3ccc6afbc466fb54

SHA1
64b8d25cb51039b632615d5a92f7c70058882d4f

SHA256
937be379d287640ce3cb04594422d8211fb9c535bb930149be17d02c017da325

SHA512
9af90ff76d080b2ec40d3415c236a14dc7e705a0642717ef106217b84af424f47072b2996f0fb82ad7bd89380d618472d1d1e6ae8b0b621166c46d3bcdf0bf3b

Download Submit
C:\Windows\System32\yUorZDz.exe

Filesize
1.2MB

MD5
21e90959a923ab1ed94a4b260eb989c9

SHA1
d656dedafbab45adde67b72c00de5bfd15086462

SHA256
b6999bab6df38957fd835165638d824e02e7f0f79f06ac8c62f2d31572d6baca

SHA512
18da9f5f22c5c391a7f1459a022edd3f731c0f98b59c7d871e09fd83289ff3557c949f5cca66c376cdc5a43dfe52b9403391fdc74bd7daeaa676ad0696b454c8

Download Submit
C:\Windows\System32\zzIlDDk.exe

Filesize
1.2MB

MD5
891a0277984c0fa4bf46050c25894276

SHA1
8811d70f4bbae375b72d110c2090020062efa150

SHA256
7dc961359b149da7a442229c35e88c8b4d3c6892766d4bf434db49377b50667c

SHA512
48f4d44fa7f74ab1fede9d334410125ea24758bd79b4102e29fc7f0d6450e850fb7fad0fdc95aab8d6e4ceb35e4234f05f8d0f549040e848e343235f0fa1e375

Download Submit
memory/60-335-0x00007FF69B330000-0x00007FF69B721000-memory.dmp

Filesize
3.9MB

Download
memory/232-124-0x00007FF795B90000-0x00007FF795F81000-memory.dmp

Filesize
3.9MB

Download
memory/532-100-0x00007FF674A10000-0x00007FF674E01000-memory.dmp

Filesize
3.9MB

Download
memory/544-40-0x00007FF71ADC0000-0x00007FF71B1B1000-memory.dmp

Filesize
3.9MB

Download
memory/628-346-0x00007FF66ABB0000-0x00007FF66AFA1000-memory.dmp

Filesize
3.9MB

Download
memory/672-274-0x00007FF624570000-0x00007FF624961000-memory.dmp

Filesize
3.9MB

Download
memory/732-234-0x00007FF78CCD0000-0x00007FF78D0C1000-memory.dmp

Filesize
3.9MB

Download
memory/1064-87-0x00007FF764980000-0x00007FF764D71000-memory.dmp

Filesize
3.9MB

Download
memory/1112-170-0x00007FF6603A0000-0x00007FF660791000-memory.dmp

Filesize
3.9MB

Download
memory/1112-25-0x00007FF6603A0000-0x00007FF660791000-memory.dmp

Filesize
3.9MB

Download
memory/1124-142-0x00007FF7FA350000-0x00007FF7FA741000-memory.dmp

Filesize
3.9MB

Download
memory/1224-79-0x00007FF76D8B0000-0x00007FF76DCA1000-memory.dmp

Filesize
3.9MB

Download
memory/1244-138-0x00007FF7C8640000-0x00007FF7C8A31000-memory.dmp

Filesize
3.9MB

Download
memory/1300-93-0x00007FF656460000-0x00007FF656851000-memory.dmp

Filesize
3.9MB

Download
memory/1500-172-0x00007FF6C3BB0000-0x00007FF6C3FA1000-memory.dmp

Filesize
3.9MB

Download
memory/1772-113-0x00007FF7F6800000-0x00007FF7F6BF1000-memory.dmp

Filesize
3.9MB

Download
memory/1904-294-0x00007FF6E06F0000-0x00007FF6E0AE1000-memory.dmp

Filesize
3.9MB

Download
memory/2000-175-0x00007FF77FF10000-0x00007FF780301000-memory.dmp

Filesize
3.9MB

Download
memory/2072-258-0x00007FF761B40000-0x00007FF761F31000-memory.dmp

Filesize
3.9MB

Download
memory/2164-315-0x00007FF71EC50000-0x00007FF71F041000-memory.dmp

Filesize
3.9MB

Download
memory/2436-277-0x00007FF701030000-0x00007FF701421000-memory.dmp

Filesize
3.9MB

Download
memory/2560-283-0x00007FF78B470000-0x00007FF78B861000-memory.dmp

Filesize
3.9MB

Download
memory/2632-255-0x00007FF6183E0000-0x00007FF6187D1000-memory.dmp

Filesize
3.9MB

Download
memory/2760-43-0x00007FF6EFEB0000-0x00007FF6F02A1000-memory.dmp

Filesize
3.9MB

Download
memory/2788-60-0x00007FF771BC0000-0x00007FF771FB1000-memory.dmp

Filesize
3.9MB

Download
memory/2964-54-0x00007FF651420000-0x00007FF651811000-memory.dmp

Filesize
3.9MB

Download
memory/2988-307-0x00007FF7E1CA0000-0x00007FF7E2091000-memory.dmp

Filesize
3.9MB

Download
memory/2988-107-0x00007FF7E1CA0000-0x00007FF7E2091000-memory.dmp

Filesize
3.9MB

Download
memory/3060-229-0x00007FF6A0D10000-0x00007FF6A1101000-memory.dmp

Filesize
3.9MB

Download
memory/3080-143-0x00007FF67DF50000-0x00007FF67E341000-memory.dmp

Filesize
3.9MB

Download
memory/3100-333-0x00007FF765790000-0x00007FF765B81000-memory.dmp

Filesize
3.9MB

Download
memory/3128-1-0x000002937A9C0000-0x000002937A9D0000-memory.dmp

Filesize
64KB

Download
memory/3128-160-0x00007FF663D70000-0x00007FF664161000-memory.dmp

Filesize
3.9MB

Download
memory/3128-0-0x00007FF663D70000-0x00007FF664161000-memory.dmp

Filesize
3.9MB

Download
memory/3156-292-0x00007FF7E74D0000-0x00007FF7E78C1000-memory.dmp

Filesize
3.9MB

Download
memory/3260-349-0x00007FF6BB6D0000-0x00007FF6BBAC1000-memory.dmp

Filesize
3.9MB

Download
memory/3264-78-0x00007FF66B690000-0x00007FF66BA81000-memory.dmp

Filesize
3.9MB

Download
memory/3268-144-0x00007FF647E30000-0x00007FF648221000-memory.dmp

Filesize
3.9MB

Download
memory/3444-74-0x00007FF7B3C40000-0x00007FF7B4031000-memory.dmp

Filesize
3.9MB

Download
memory/3552-295-0x00007FF7C3AA0000-0x00007FF7C3E91000-memory.dmp

Filesize
3.9MB

Download
memory/3560-240-0x00007FF730F60000-0x00007FF731351000-memory.dmp

Filesize
3.9MB

Download
memory/3580-289-0x00007FF70A210000-0x00007FF70A601000-memory.dmp

Filesize
3.9MB

Download
memory/3672-247-0x00007FF714240000-0x00007FF714631000-memory.dmp

Filesize
3.9MB

Download
memory/3916-326-0x00007FF6AEEC0000-0x00007FF6AF2B1000-memory.dmp

Filesize
3.9MB

Download
memory/4032-37-0x00007FF7EE2F0000-0x00007FF7EE6E1000-memory.dmp

Filesize
3.9MB

Download
memory/4308-351-0x00007FF6F76E0000-0x00007FF6F7AD1000-memory.dmp

Filesize
3.9MB

Download
memory/4348-251-0x00007FF6ED500000-0x00007FF6ED8F1000-memory.dmp

Filesize
3.9MB

Download
memory/4436-13-0x00007FF693450000-0x00007FF693841000-memory.dmp

Filesize
3.9MB

Download
memory/4436-169-0x00007FF693450000-0x00007FF693841000-memory.dmp

Filesize
3.9MB

Download
memory/4488-128-0x00007FF7724E0000-0x00007FF7728D1000-memory.dmp

Filesize
3.9MB

Download
memory/4624-149-0x00007FF6A7700000-0x00007FF6A7AF1000-memory.dmp

Filesize
3.9MB

Download
memory/4624-30-0x00007FF6A7700000-0x00007FF6A7AF1000-memory.dmp

Filesize
3.9MB

Download
memory/4632-238-0x00007FF656810000-0x00007FF656C01000-memory.dmp

Filesize
3.9MB

Download
memory/4716-268-0x00007FF7EA0B0000-0x00007FF7EA4A1000-memory.dmp

Filesize
3.9MB

Download
memory/4728-261-0x00007FF69E640000-0x00007FF69EA31000-memory.dmp

Filesize
3.9MB

Download
memory/4836-322-0x00007FF72BF90000-0x00007FF72C381000-memory.dmp

Filesize
3.9MB

Download
memory/4840-293-0x00007FF6A2970000-0x00007FF6A2D61000-memory.dmp

Filesize
3.9MB

Download
memory/4860-338-0x00007FF782260000-0x00007FF782651000-memory.dmp

Filesize
3.9MB

Download
memory/4864-71-0x00007FF7F1800000-0x00007FF7F1BF1000-memory.dmp

Filesize
3.9MB

Download
memory/4908-95-0x00007FF756EC0000-0x00007FF7572B1000-memory.dmp

Filesize
3.9MB

Download
memory/4924-178-0x00007FF696950000-0x00007FF696D41000-memory.dmp

Filesize
3.9MB

Download
memory/5016-230-0x00007FF7CBE80000-0x00007FF7CC271000-memory.dmp

Filesize
3.9MB

Download
memory/5048-182-0x00007FF610660000-0x00007FF610A51000-memory.dmp

Filesize
3.9MB

Download
memory/5060-176-0x00007FF700950000-0x00007FF700D41000-memory.dmp

Filesize
3.9MB

Download
memory/5116-186-0x00007FF7DDF30000-0x00007FF7DE321000-memory.dmp

Filesize
3.9MB

Download