xmrig | 6ba64f51308a181c818fe25330175be72bedfce436c69f7b36960dfdf4d4f85e

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2024, 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
Size

1.3MB
MD5

004468715ee7f5409b6fabba2527b229
SHA1

903381d2adc2fb700c8061fbde2bdb1e078d1720
SHA256

6ba64f51308a181c818fe25330175be72bedfce436c69f7b36960dfdf4d4f85e
SHA512

c40e06a1e3b65dce72a2681c3769b131aea338a7cebf17fdbc1f9c59df0f52ec18bbbde652718bb43c552f8c91c33104bbfcf21f68e0cff446848d520e8743d1
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIO6zRIhRmuSOn0cF:knw9oUUEEDlGUh+hNnF

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 54 IoCs

miner

resource	yara_rule
behavioral2/memory/2964-11-0x00007FF6A5C90000-0x00007FF6A6081000-memory.dmp	xmrig
behavioral2/memory/2420-17-0x00007FF7E7CE0000-0x00007FF7E80D1000-memory.dmp	xmrig
behavioral2/memory/1988-77-0x00007FF61DE90000-0x00007FF61E281000-memory.dmp	xmrig
behavioral2/memory/2832-122-0x00007FF757C70000-0x00007FF758061000-memory.dmp	xmrig
behavioral2/memory/848-131-0x00007FF62C6E0000-0x00007FF62CAD1000-memory.dmp	xmrig
behavioral2/memory/2964-144-0x00007FF6A5C90000-0x00007FF6A6081000-memory.dmp	xmrig
behavioral2/memory/2996-202-0x00007FF633A70000-0x00007FF633E61000-memory.dmp	xmrig
behavioral2/memory/1664-207-0x00007FF6550A0000-0x00007FF655491000-memory.dmp	xmrig
behavioral2/memory/1600-210-0x00007FF76AF90000-0x00007FF76B381000-memory.dmp	xmrig
behavioral2/memory/4312-215-0x00007FF65AD80000-0x00007FF65B171000-memory.dmp	xmrig
behavioral2/memory/3724-220-0x00007FF67B480000-0x00007FF67B871000-memory.dmp	xmrig
behavioral2/memory/2472-230-0x00007FF7D4750000-0x00007FF7D4B41000-memory.dmp	xmrig
behavioral2/memory/4976-235-0x00007FF6B0130000-0x00007FF6B0521000-memory.dmp	xmrig
behavioral2/memory/4064-241-0x00007FF6FBFD0000-0x00007FF6FC3C1000-memory.dmp	xmrig
behavioral2/memory/2788-246-0x00007FF600420000-0x00007FF600811000-memory.dmp	xmrig
behavioral2/memory/3868-251-0x00007FF6949D0000-0x00007FF694DC1000-memory.dmp	xmrig
behavioral2/memory/3732-254-0x00007FF7E1C40000-0x00007FF7E2031000-memory.dmp	xmrig
behavioral2/memory/4132-256-0x00007FF65D380000-0x00007FF65D771000-memory.dmp	xmrig
behavioral2/memory/2236-259-0x00007FF621D70000-0x00007FF622161000-memory.dmp	xmrig
behavioral2/memory/3192-258-0x00007FF601040000-0x00007FF601431000-memory.dmp	xmrig
behavioral2/memory/3056-249-0x00007FF792560000-0x00007FF792951000-memory.dmp	xmrig
behavioral2/memory/3212-267-0x00007FF6C70C0000-0x00007FF6C74B1000-memory.dmp	xmrig
behavioral2/memory/5060-271-0x00007FF600CC0000-0x00007FF6010B1000-memory.dmp	xmrig
behavioral2/memory/4036-269-0x00007FF7F45A0000-0x00007FF7F4991000-memory.dmp	xmrig
behavioral2/memory/1456-244-0x00007FF758460000-0x00007FF758851000-memory.dmp	xmrig
behavioral2/memory/4028-227-0x00007FF7815D0000-0x00007FF7819C1000-memory.dmp	xmrig
behavioral2/memory/2508-225-0x00007FF662540000-0x00007FF662931000-memory.dmp	xmrig
behavioral2/memory/4416-222-0x00007FF6E4CA0000-0x00007FF6E5091000-memory.dmp	xmrig
behavioral2/memory/2436-217-0x00007FF77B380000-0x00007FF77B771000-memory.dmp	xmrig
behavioral2/memory/3028-212-0x00007FF752130000-0x00007FF752521000-memory.dmp	xmrig
behavioral2/memory/4780-205-0x00007FF6CA610000-0x00007FF6CAA01000-memory.dmp	xmrig
behavioral2/memory/2616-200-0x00007FF7BFC10000-0x00007FF7C0001000-memory.dmp	xmrig
behavioral2/memory/2660-197-0x00007FF7508F0000-0x00007FF750CE1000-memory.dmp	xmrig
behavioral2/memory/3068-195-0x00007FF7399D0000-0x00007FF739DC1000-memory.dmp	xmrig
behavioral2/memory/4524-191-0x00007FF720750000-0x00007FF720B41000-memory.dmp	xmrig
behavioral2/memory/968-189-0x00007FF7CE400000-0x00007FF7CE7F1000-memory.dmp	xmrig
behavioral2/memory/3208-184-0x00007FF668E30000-0x00007FF669221000-memory.dmp	xmrig
behavioral2/memory/2420-174-0x00007FF7E7CE0000-0x00007FF7E80D1000-memory.dmp	xmrig
behavioral2/memory/3320-148-0x00007FF699BC0000-0x00007FF699FB1000-memory.dmp	xmrig
behavioral2/memory/2664-145-0x00007FF7760D0000-0x00007FF7764C1000-memory.dmp	xmrig
behavioral2/memory/4736-142-0x00007FF6AC370000-0x00007FF6AC761000-memory.dmp	xmrig
behavioral2/memory/732-137-0x00007FF6CC610000-0x00007FF6CCA01000-memory.dmp	xmrig
behavioral2/memory/4712-134-0x00007FF71AC70000-0x00007FF71B061000-memory.dmp	xmrig
behavioral2/memory/3320-277-0x00007FF699BC0000-0x00007FF699FB1000-memory.dmp	xmrig
behavioral2/memory/716-128-0x00007FF79F550000-0x00007FF79F941000-memory.dmp	xmrig
behavioral2/memory/4900-124-0x00007FF61AA60000-0x00007FF61AE51000-memory.dmp	xmrig
behavioral2/memory/2536-292-0x00007FF6D82D0000-0x00007FF6D86C1000-memory.dmp	xmrig
behavioral2/memory/5108-106-0x00007FF74D610000-0x00007FF74DA01000-memory.dmp	xmrig
behavioral2/memory/2636-103-0x00007FF6C70C0000-0x00007FF6C74B1000-memory.dmp	xmrig
behavioral2/memory/1176-99-0x00007FF7435F0000-0x00007FF7439E1000-memory.dmp	xmrig
behavioral2/memory/3296-94-0x00007FF607DB0000-0x00007FF6081A1000-memory.dmp	xmrig
behavioral2/memory/2788-69-0x00007FF600420000-0x00007FF600811000-memory.dmp	xmrig
behavioral2/memory/4976-38-0x00007FF6B0130000-0x00007FF6B0521000-memory.dmp	xmrig
behavioral2/memory/4780-23-0x00007FF6CA610000-0x00007FF6CAA01000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2964	obZsvPc.exe
2420	jxjhgkq.exe
4780	JaJMHFa.exe
2436	wVuTdNn.exe
4028	vcvbBAw.exe
4976	QnaKJCV.exe
4064	iDHQays.exe
3296	OYbjodX.exe
1456	BNTUEMp.exe
2788	lFWWUWh.exe
1988	ZfaTzWO.exe
1176	DddfEXL.exe
2636	VOhnIlL.exe
5108	NbOBPSN.exe
716	LpmDiYr.exe
2236	YCopCTK.exe
4132	xhcYXXy.exe
2832	nDAxHpQ.exe
4900	ByhpOYB.exe
848	obtlhtC.exe
4712	RPWqpwz.exe
4736	wnUBQfS.exe
2664	TUIZTBK.exe
3320	ecBXhff.exe
2996	ypwaGCH.exe
3208	QYyJjgy.exe
968	DQxOwtm.exe
4524	JscGuAs.exe
3068	kpSxMFE.exe
2660	ANUHYcq.exe
2616	VnRHUaL.exe
1664	sPOuJwg.exe
1600	fJraUOO.exe
3028	sBWWEcH.exe
4312	lbdElUJ.exe
3724	RnCHyxB.exe
4416	uzEBcQo.exe
2508	XZEMrgA.exe
2472	uNoeHYc.exe
2324	gWlGjsQ.exe
3712	teZlkzi.exe
3056	yjCHoMU.exe
3868	BPKRfSu.exe
3732	nThPdVE.exe
3192	NIXfKkA.exe
3212	CIqFpeq.exe
4036	Ndynsfe.exe
5060	tHYMVLf.exe
2580	flgllaT.exe
2536	OqRjjxC.exe
3236	HbHEZwH.exe
2176	ChEcMCG.exe
2548	DwMynzo.exe
4128	XCXhjBD.exe
2032	FgGWgjy.exe
4488	nqWXVCH.exe
5084	RoZcMGR.exe
2264	mHsAPvv.exe
4040	xVzNshO.exe
4692	lnXiFIP.exe
2440	ByrzWQr.exe
4800	PUclDYE.exe
4356	mdbdHsL.exe
3704	ATavSFu.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/732-0-0x00007FF6CC610000-0x00007FF6CCA01000-memory.dmp	upx
behavioral2/files/0x00080000000233fb-6.dat	upx
behavioral2/files/0x00070000000233ff-10.dat	upx
behavioral2/memory/2964-11-0x00007FF6A5C90000-0x00007FF6A6081000-memory.dmp	upx
behavioral2/memory/2420-17-0x00007FF7E7CE0000-0x00007FF7E80D1000-memory.dmp	upx
behavioral2/files/0x0007000000023402-24.dat	upx
behavioral2/files/0x0007000000023403-31.dat	upx
behavioral2/files/0x0007000000023407-54.dat	upx
behavioral2/files/0x0007000000023408-55.dat	upx
behavioral2/files/0x0007000000023409-59.dat	upx
behavioral2/memory/1988-77-0x00007FF61DE90000-0x00007FF61E281000-memory.dmp	upx
behavioral2/files/0x000700000002340c-83.dat	upx
behavioral2/files/0x0007000000023410-104.dat	upx
behavioral2/files/0x000700000002340d-107.dat	upx
behavioral2/memory/2832-122-0x00007FF757C70000-0x00007FF758061000-memory.dmp	upx
behavioral2/files/0x0007000000023413-132.dat	upx
behavioral2/memory/848-131-0x00007FF62C6E0000-0x00007FF62CAD1000-memory.dmp	upx
behavioral2/files/0x0007000000023412-135.dat	upx
behavioral2/memory/2964-144-0x00007FF6A5C90000-0x00007FF6A6081000-memory.dmp	upx
behavioral2/files/0x0007000000023414-146.dat	upx
behavioral2/files/0x0007000000023415-167.dat	upx
behavioral2/files/0x0007000000023418-178.dat	upx
behavioral2/files/0x000700000002341c-192.dat	upx
behavioral2/memory/2996-202-0x00007FF633A70000-0x00007FF633E61000-memory.dmp	upx
behavioral2/memory/1664-207-0x00007FF6550A0000-0x00007FF655491000-memory.dmp	upx
behavioral2/memory/1600-210-0x00007FF76AF90000-0x00007FF76B381000-memory.dmp	upx
behavioral2/memory/4312-215-0x00007FF65AD80000-0x00007FF65B171000-memory.dmp	upx
behavioral2/memory/3724-220-0x00007FF67B480000-0x00007FF67B871000-memory.dmp	upx
behavioral2/memory/2472-230-0x00007FF7D4750000-0x00007FF7D4B41000-memory.dmp	upx
behavioral2/memory/4976-235-0x00007FF6B0130000-0x00007FF6B0521000-memory.dmp	upx
behavioral2/memory/4064-241-0x00007FF6FBFD0000-0x00007FF6FC3C1000-memory.dmp	upx
behavioral2/memory/2788-246-0x00007FF600420000-0x00007FF600811000-memory.dmp	upx
behavioral2/memory/3868-251-0x00007FF6949D0000-0x00007FF694DC1000-memory.dmp	upx
behavioral2/memory/3732-254-0x00007FF7E1C40000-0x00007FF7E2031000-memory.dmp	upx
behavioral2/memory/4132-256-0x00007FF65D380000-0x00007FF65D771000-memory.dmp	upx
behavioral2/memory/2236-259-0x00007FF621D70000-0x00007FF622161000-memory.dmp	upx
behavioral2/memory/3192-258-0x00007FF601040000-0x00007FF601431000-memory.dmp	upx
behavioral2/memory/3056-249-0x00007FF792560000-0x00007FF792951000-memory.dmp	upx
behavioral2/memory/3212-267-0x00007FF6C70C0000-0x00007FF6C74B1000-memory.dmp	upx
behavioral2/memory/5060-271-0x00007FF600CC0000-0x00007FF6010B1000-memory.dmp	upx
behavioral2/memory/4036-269-0x00007FF7F45A0000-0x00007FF7F4991000-memory.dmp	upx
behavioral2/memory/2580-276-0x00007FF738F30000-0x00007FF739321000-memory.dmp	upx
behavioral2/memory/1456-244-0x00007FF758460000-0x00007FF758851000-memory.dmp	upx
behavioral2/memory/3712-239-0x00007FF751830000-0x00007FF751C21000-memory.dmp	upx
behavioral2/memory/2324-232-0x00007FF6510F0000-0x00007FF6514E1000-memory.dmp	upx
behavioral2/memory/4028-227-0x00007FF7815D0000-0x00007FF7819C1000-memory.dmp	upx
behavioral2/memory/2508-225-0x00007FF662540000-0x00007FF662931000-memory.dmp	upx
behavioral2/memory/4416-222-0x00007FF6E4CA0000-0x00007FF6E5091000-memory.dmp	upx
behavioral2/memory/2436-217-0x00007FF77B380000-0x00007FF77B771000-memory.dmp	upx
behavioral2/memory/3028-212-0x00007FF752130000-0x00007FF752521000-memory.dmp	upx
behavioral2/memory/4780-205-0x00007FF6CA610000-0x00007FF6CAA01000-memory.dmp	upx
behavioral2/memory/2616-200-0x00007FF7BFC10000-0x00007FF7C0001000-memory.dmp	upx
behavioral2/memory/2660-197-0x00007FF7508F0000-0x00007FF750CE1000-memory.dmp	upx
behavioral2/memory/3068-195-0x00007FF7399D0000-0x00007FF739DC1000-memory.dmp	upx
behavioral2/memory/4524-191-0x00007FF720750000-0x00007FF720B41000-memory.dmp	upx
behavioral2/memory/968-189-0x00007FF7CE400000-0x00007FF7CE7F1000-memory.dmp	upx
behavioral2/files/0x000700000002341b-185.dat	upx
behavioral2/memory/3208-184-0x00007FF668E30000-0x00007FF669221000-memory.dmp	upx
behavioral2/files/0x000700000002341a-181.dat	upx
behavioral2/files/0x0007000000023419-175.dat	upx
behavioral2/memory/2420-174-0x00007FF7E7CE0000-0x00007FF7E80D1000-memory.dmp	upx
behavioral2/files/0x0007000000023417-171.dat	upx
behavioral2/files/0x0007000000023416-169.dat	upx
behavioral2/memory/3320-148-0x00007FF699BC0000-0x00007FF699FB1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\lcderci.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\CxgVNXs.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\THfpBxB.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\wVuTdNn.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\ovtdpdw.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\JVnMVdG.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\qEAzDUx.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\wrfTqdd.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\NvFthKN.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\rVwlNZm.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\clbyvhu.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\daJDbvx.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\eILjNPY.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\JsGPDwA.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\GUZoSOh.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\QZHksMI.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\sSZdpcT.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\nTLUqYn.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\RoZcMGR.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\BNlYonJ.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\uFdnGgV.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\LcdJBcO.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\flgllaT.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\EEaoann.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\GBMLcjM.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\ydfIAAi.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\TfIOMUt.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\gpLSlFf.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\HCbvREa.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\yjCHoMU.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\zoFJHAB.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\LBKblan.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\XWqocaQ.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\XViLPOd.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\UaSJRHM.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\OqkKQTM.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\VITNobO.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\oLpeXRY.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\CJXjxcp.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\yivtCXE.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\tWQwGAm.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\NIXfKkA.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\sPOuJwg.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\cUKOQjT.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\cZkWaoi.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\TUIZTBK.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\JnFMGuK.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\vNQTYuz.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\hasBuNc.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\AilsVdD.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\TgdaysT.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\oppIepo.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\nkCVlQE.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\ZWkJOqb.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\ZxtHGoG.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\qJxdgvR.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\zuqWjHm.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\GbmPrQC.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\AdygbMO.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\FwIZFNR.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\pFGRhSi.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\UrgQZoK.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\Cebbyuu.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
File created	C:\Windows\System32\uIwnepI.exe	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	2928	dwm.exe
Token: SeChangeNotifyPrivilege	2928	dwm.exe
Token: 33	2928	dwm.exe
Token: SeIncBasePriorityPrivilege	2928	dwm.exe
Token: SeShutdownPrivilege	2928	dwm.exe
Token: SeCreatePagefilePrivilege	2928	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 732 wrote to memory of 2964	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	86
PID 732 wrote to memory of 2964	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	86
PID 732 wrote to memory of 2420	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	87
PID 732 wrote to memory of 2420	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	87
PID 732 wrote to memory of 4780	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	88
PID 732 wrote to memory of 4780	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	88
PID 732 wrote to memory of 4028	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	89
PID 732 wrote to memory of 4028	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	89
PID 732 wrote to memory of 2436	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	90
PID 732 wrote to memory of 2436	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	90
PID 732 wrote to memory of 4976	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	91
PID 732 wrote to memory of 4976	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	91
PID 732 wrote to memory of 4064	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	92
PID 732 wrote to memory of 4064	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	92
PID 732 wrote to memory of 1988	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	93
PID 732 wrote to memory of 1988	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	93
PID 732 wrote to memory of 3296	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	94
PID 732 wrote to memory of 3296	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	94
PID 732 wrote to memory of 1456	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	95
PID 732 wrote to memory of 1456	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	95
PID 732 wrote to memory of 2788	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	96
PID 732 wrote to memory of 2788	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	96
PID 732 wrote to memory of 1176	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	99
PID 732 wrote to memory of 1176	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	99
PID 732 wrote to memory of 2636	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	101
PID 732 wrote to memory of 2636	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	101
PID 732 wrote to memory of 5108	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	102
PID 732 wrote to memory of 5108	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	102
PID 732 wrote to memory of 716	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	103
PID 732 wrote to memory of 716	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	103
PID 732 wrote to memory of 2236	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	104
PID 732 wrote to memory of 2236	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	104
PID 732 wrote to memory of 4132	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	105
PID 732 wrote to memory of 4132	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	105
PID 732 wrote to memory of 2832	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	106
PID 732 wrote to memory of 2832	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	106
PID 732 wrote to memory of 4900	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	107
PID 732 wrote to memory of 4900	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	107
PID 732 wrote to memory of 848	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	108
PID 732 wrote to memory of 848	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	108
PID 732 wrote to memory of 4712	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	109
PID 732 wrote to memory of 4712	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	109
PID 732 wrote to memory of 4736	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	110
PID 732 wrote to memory of 4736	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	110
PID 732 wrote to memory of 2664	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	111
PID 732 wrote to memory of 2664	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	111
PID 732 wrote to memory of 3320	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	112
PID 732 wrote to memory of 3320	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	112
PID 732 wrote to memory of 2996	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	113
PID 732 wrote to memory of 2996	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	113
PID 732 wrote to memory of 3208	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	114
PID 732 wrote to memory of 3208	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	114
PID 732 wrote to memory of 968	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	115
PID 732 wrote to memory of 968	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	115
PID 732 wrote to memory of 4524	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	116
PID 732 wrote to memory of 4524	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	116
PID 732 wrote to memory of 3068	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	117
PID 732 wrote to memory of 3068	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	117
PID 732 wrote to memory of 2660	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	118
PID 732 wrote to memory of 2660	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	118
PID 732 wrote to memory of 2616	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	119
PID 732 wrote to memory of 2616	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	119
PID 732 wrote to memory of 1664	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	120
PID 732 wrote to memory of 1664	732	004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe	120

C:\Users\Admin\AppData\Local\Temp\004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\004468715ee7f5409b6fabba2527b229_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:732
- C:\Windows\System32\obZsvPc.exe
  C:\Windows\System32\obZsvPc.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System32\jxjhgkq.exe
  C:\Windows\System32\jxjhgkq.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System32\JaJMHFa.exe
  C:\Windows\System32\JaJMHFa.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System32\vcvbBAw.exe
  C:\Windows\System32\vcvbBAw.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System32\wVuTdNn.exe
  C:\Windows\System32\wVuTdNn.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System32\QnaKJCV.exe
  C:\Windows\System32\QnaKJCV.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System32\iDHQays.exe
  C:\Windows\System32\iDHQays.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System32\ZfaTzWO.exe
  C:\Windows\System32\ZfaTzWO.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System32\OYbjodX.exe
  C:\Windows\System32\OYbjodX.exe
  2⤵
  - Executes dropped EXE
  PID:3296
- C:\Windows\System32\BNTUEMp.exe
  C:\Windows\System32\BNTUEMp.exe
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Windows\System32\lFWWUWh.exe
  C:\Windows\System32\lFWWUWh.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System32\DddfEXL.exe
  C:\Windows\System32\DddfEXL.exe
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\System32\VOhnIlL.exe
  C:\Windows\System32\VOhnIlL.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System32\NbOBPSN.exe
  C:\Windows\System32\NbOBPSN.exe
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\System32\LpmDiYr.exe
  C:\Windows\System32\LpmDiYr.exe
  2⤵
  - Executes dropped EXE
  PID:716
- C:\Windows\System32\YCopCTK.exe
  C:\Windows\System32\YCopCTK.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System32\xhcYXXy.exe
  C:\Windows\System32\xhcYXXy.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System32\nDAxHpQ.exe
  C:\Windows\System32\nDAxHpQ.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System32\ByhpOYB.exe
  C:\Windows\System32\ByhpOYB.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System32\obtlhtC.exe
  C:\Windows\System32\obtlhtC.exe
  2⤵
  - Executes dropped EXE
  PID:848
- C:\Windows\System32\RPWqpwz.exe
  C:\Windows\System32\RPWqpwz.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\System32\wnUBQfS.exe
  C:\Windows\System32\wnUBQfS.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System32\TUIZTBK.exe
  C:\Windows\System32\TUIZTBK.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System32\ecBXhff.exe
  C:\Windows\System32\ecBXhff.exe
  2⤵
  - Executes dropped EXE
  PID:3320
- C:\Windows\System32\ypwaGCH.exe
  C:\Windows\System32\ypwaGCH.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System32\QYyJjgy.exe
  C:\Windows\System32\QYyJjgy.exe
  2⤵
  - Executes dropped EXE
  PID:3208
- C:\Windows\System32\DQxOwtm.exe
  C:\Windows\System32\DQxOwtm.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System32\JscGuAs.exe
  C:\Windows\System32\JscGuAs.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System32\kpSxMFE.exe
  C:\Windows\System32\kpSxMFE.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System32\ANUHYcq.exe
  C:\Windows\System32\ANUHYcq.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System32\VnRHUaL.exe
  C:\Windows\System32\VnRHUaL.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System32\sPOuJwg.exe
  C:\Windows\System32\sPOuJwg.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System32\fJraUOO.exe
  C:\Windows\System32\fJraUOO.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System32\sBWWEcH.exe
  C:\Windows\System32\sBWWEcH.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System32\lbdElUJ.exe
  C:\Windows\System32\lbdElUJ.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\System32\RnCHyxB.exe
  C:\Windows\System32\RnCHyxB.exe
  2⤵
  - Executes dropped EXE
  PID:3724
- C:\Windows\System32\uzEBcQo.exe
  C:\Windows\System32\uzEBcQo.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System32\XZEMrgA.exe
  C:\Windows\System32\XZEMrgA.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System32\uNoeHYc.exe
  C:\Windows\System32\uNoeHYc.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System32\gWlGjsQ.exe
  C:\Windows\System32\gWlGjsQ.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System32\teZlkzi.exe
  C:\Windows\System32\teZlkzi.exe
  2⤵
  - Executes dropped EXE
  PID:3712
- C:\Windows\System32\yjCHoMU.exe
  C:\Windows\System32\yjCHoMU.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System32\BPKRfSu.exe
  C:\Windows\System32\BPKRfSu.exe
  2⤵
  - Executes dropped EXE
  PID:3868
- C:\Windows\System32\nThPdVE.exe
  C:\Windows\System32\nThPdVE.exe
  2⤵
  - Executes dropped EXE
  PID:3732
- C:\Windows\System32\NIXfKkA.exe
  C:\Windows\System32\NIXfKkA.exe
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Windows\System32\CIqFpeq.exe
  C:\Windows\System32\CIqFpeq.exe
  2⤵
  - Executes dropped EXE
  PID:3212
- C:\Windows\System32\Ndynsfe.exe
  C:\Windows\System32\Ndynsfe.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System32\tHYMVLf.exe
  C:\Windows\System32\tHYMVLf.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System32\flgllaT.exe
  C:\Windows\System32\flgllaT.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System32\OqRjjxC.exe
  C:\Windows\System32\OqRjjxC.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System32\HbHEZwH.exe
  C:\Windows\System32\HbHEZwH.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Windows\System32\ChEcMCG.exe
  C:\Windows\System32\ChEcMCG.exe
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\System32\DwMynzo.exe
  C:\Windows\System32\DwMynzo.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System32\XCXhjBD.exe
  C:\Windows\System32\XCXhjBD.exe
  2⤵
  - Executes dropped EXE
  PID:4128
- C:\Windows\System32\FgGWgjy.exe
  C:\Windows\System32\FgGWgjy.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System32\nqWXVCH.exe
  C:\Windows\System32\nqWXVCH.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System32\RoZcMGR.exe
  C:\Windows\System32\RoZcMGR.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System32\mHsAPvv.exe
  C:\Windows\System32\mHsAPvv.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System32\xVzNshO.exe
  C:\Windows\System32\xVzNshO.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System32\lnXiFIP.exe
  C:\Windows\System32\lnXiFIP.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System32\ByrzWQr.exe
  C:\Windows\System32\ByrzWQr.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System32\PUclDYE.exe
  C:\Windows\System32\PUclDYE.exe
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Windows\System32\mdbdHsL.exe
  C:\Windows\System32\mdbdHsL.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System32\ATavSFu.exe
  C:\Windows\System32\ATavSFu.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System32\pFGRhSi.exe
  C:\Windows\System32\pFGRhSi.exe
  2⤵
  PID:2992
- C:\Windows\System32\mQXPgGV.exe
  C:\Windows\System32\mQXPgGV.exe
  2⤵
  PID:2520
- C:\Windows\System32\pkCgQNe.exe
  C:\Windows\System32\pkCgQNe.exe
  2⤵
  PID:3144
- C:\Windows\System32\uUzlGJC.exe
  C:\Windows\System32\uUzlGJC.exe
  2⤵
  PID:4660
- C:\Windows\System32\cUKOQjT.exe
  C:\Windows\System32\cUKOQjT.exe
  2⤵
  PID:3312
- C:\Windows\System32\KzaLNVc.exe
  C:\Windows\System32\KzaLNVc.exe
  2⤵
  PID:2056
- C:\Windows\System32\oLpeXRY.exe
  C:\Windows\System32\oLpeXRY.exe
  2⤵
  PID:396
- C:\Windows\System32\Cebbyuu.exe
  C:\Windows\System32\Cebbyuu.exe
  2⤵
  PID:728
- C:\Windows\System32\cTtoVKj.exe
  C:\Windows\System32\cTtoVKj.exe
  2⤵
  PID:1780
- C:\Windows\System32\wFscOmm.exe
  C:\Windows\System32\wFscOmm.exe
  2⤵
  PID:668
- C:\Windows\System32\JsGPDwA.exe
  C:\Windows\System32\JsGPDwA.exe
  2⤵
  PID:988
- C:\Windows\System32\VZkrdxU.exe
  C:\Windows\System32\VZkrdxU.exe
  2⤵
  PID:5128
- C:\Windows\System32\BqbPRBm.exe
  C:\Windows\System32\BqbPRBm.exe
  2⤵
  PID:5144
- C:\Windows\System32\XCjnVvC.exe
  C:\Windows\System32\XCjnVvC.exe
  2⤵
  PID:5260
- C:\Windows\System32\oIoSgHz.exe
  C:\Windows\System32\oIoSgHz.exe
  2⤵
  PID:5288
- C:\Windows\System32\kYqkyDX.exe
  C:\Windows\System32\kYqkyDX.exe
  2⤵
  PID:5316
- C:\Windows\System32\fIvomOO.exe
  C:\Windows\System32\fIvomOO.exe
  2⤵
  PID:5396
- C:\Windows\System32\fWeXtGN.exe
  C:\Windows\System32\fWeXtGN.exe
  2⤵
  PID:5428
- C:\Windows\System32\YmhoyBW.exe
  C:\Windows\System32\YmhoyBW.exe
  2⤵
  PID:5444
- C:\Windows\System32\GjCPRVs.exe
  C:\Windows\System32\GjCPRVs.exe
  2⤵
  PID:5464
- C:\Windows\System32\SOceBId.exe
  C:\Windows\System32\SOceBId.exe
  2⤵
  PID:5508
- C:\Windows\System32\nUNYpjg.exe
  C:\Windows\System32\nUNYpjg.exe
  2⤵
  PID:5528
- C:\Windows\System32\urxCShd.exe
  C:\Windows\System32\urxCShd.exe
  2⤵
  PID:5544
- C:\Windows\System32\JnoTNqd.exe
  C:\Windows\System32\JnoTNqd.exe
  2⤵
  PID:5564
- C:\Windows\System32\SvByVcH.exe
  C:\Windows\System32\SvByVcH.exe
  2⤵
  PID:5584
- C:\Windows\System32\MtGOHKy.exe
  C:\Windows\System32\MtGOHKy.exe
  2⤵
  PID:5648
- C:\Windows\System32\JVcJawp.exe
  C:\Windows\System32\JVcJawp.exe
  2⤵
  PID:5672
- C:\Windows\System32\pIjFmoZ.exe
  C:\Windows\System32\pIjFmoZ.exe
  2⤵
  PID:5720
- C:\Windows\System32\BdMfbci.exe
  C:\Windows\System32\BdMfbci.exe
  2⤵
  PID:5748
- C:\Windows\System32\wXbUBSq.exe
  C:\Windows\System32\wXbUBSq.exe
  2⤵
  PID:5764
- C:\Windows\System32\GUZoSOh.exe
  C:\Windows\System32\GUZoSOh.exe
  2⤵
  PID:5780
- C:\Windows\System32\kdCJCaM.exe
  C:\Windows\System32\kdCJCaM.exe
  2⤵
  PID:5800
- C:\Windows\System32\DtuuSgj.exe
  C:\Windows\System32\DtuuSgj.exe
  2⤵
  PID:5816
- C:\Windows\System32\AWsAhOt.exe
  C:\Windows\System32\AWsAhOt.exe
  2⤵
  PID:5832
- C:\Windows\System32\dtsnTIc.exe
  C:\Windows\System32\dtsnTIc.exe
  2⤵
  PID:5852
- C:\Windows\System32\EiJPTJR.exe
  C:\Windows\System32\EiJPTJR.exe
  2⤵
  PID:5872
- C:\Windows\System32\lcderci.exe
  C:\Windows\System32\lcderci.exe
  2⤵
  PID:5888
- C:\Windows\System32\BepnnqG.exe
  C:\Windows\System32\BepnnqG.exe
  2⤵
  PID:5904
- C:\Windows\System32\MZKJKJF.exe
  C:\Windows\System32\MZKJKJF.exe
  2⤵
  PID:5924
- C:\Windows\System32\mclJXDs.exe
  C:\Windows\System32\mclJXDs.exe
  2⤵
  PID:5956
- C:\Windows\System32\clbyvhu.exe
  C:\Windows\System32\clbyvhu.exe
  2⤵
  PID:6020
- C:\Windows\System32\LcdJBcO.exe
  C:\Windows\System32\LcdJBcO.exe
  2⤵
  PID:6124
- C:\Windows\System32\EEaoann.exe
  C:\Windows\System32\EEaoann.exe
  2⤵
  PID:3684
- C:\Windows\System32\PvEDNNG.exe
  C:\Windows\System32\PvEDNNG.exe
  2⤵
  PID:2988
- C:\Windows\System32\hLhDRMO.exe
  C:\Windows\System32\hLhDRMO.exe
  2⤵
  PID:3948
- C:\Windows\System32\OLObewH.exe
  C:\Windows\System32\OLObewH.exe
  2⤵
  PID:3084
- C:\Windows\System32\RutRilt.exe
  C:\Windows\System32\RutRilt.exe
  2⤵
  PID:5220
- C:\Windows\System32\QufplVe.exe
  C:\Windows\System32\QufplVe.exe
  2⤵
  PID:5232
- C:\Windows\System32\kDNnZwK.exe
  C:\Windows\System32\kDNnZwK.exe
  2⤵
  PID:5344
- C:\Windows\System32\boiJaLX.exe
  C:\Windows\System32\boiJaLX.exe
  2⤵
  PID:4080
- C:\Windows\System32\yfrFGJs.exe
  C:\Windows\System32\yfrFGJs.exe
  2⤵
  PID:5380
- C:\Windows\System32\UYqhwlH.exe
  C:\Windows\System32\UYqhwlH.exe
  2⤵
  PID:1884
- C:\Windows\System32\yISHKJQ.exe
  C:\Windows\System32\yISHKJQ.exe
  2⤵
  PID:5440
- C:\Windows\System32\FmeSVfo.exe
  C:\Windows\System32\FmeSVfo.exe
  2⤵
  PID:5404
- C:\Windows\System32\ZfzspZX.exe
  C:\Windows\System32\ZfzspZX.exe
  2⤵
  PID:5456
- C:\Windows\System32\qEAzDUx.exe
  C:\Windows\System32\qEAzDUx.exe
  2⤵
  PID:4340
- C:\Windows\System32\aaCUuJh.exe
  C:\Windows\System32\aaCUuJh.exe
  2⤵
  PID:5664
- C:\Windows\System32\daJDbvx.exe
  C:\Windows\System32\daJDbvx.exe
  2⤵
  PID:4508
- C:\Windows\System32\mfbNVKD.exe
  C:\Windows\System32\mfbNVKD.exe
  2⤵
  PID:2224
- C:\Windows\System32\WTReLJF.exe
  C:\Windows\System32\WTReLJF.exe
  2⤵
  PID:5760
- C:\Windows\System32\TKDUrzc.exe
  C:\Windows\System32\TKDUrzc.exe
  2⤵
  PID:3472
- C:\Windows\System32\NfvriqZ.exe
  C:\Windows\System32\NfvriqZ.exe
  2⤵
  PID:5828
- C:\Windows\System32\WoYFGTJ.exe
  C:\Windows\System32\WoYFGTJ.exe
  2⤵
  PID:5912
- C:\Windows\System32\HNfDmBf.exe
  C:\Windows\System32\HNfDmBf.exe
  2⤵
  PID:1220
- C:\Windows\System32\RXbonTd.exe
  C:\Windows\System32\RXbonTd.exe
  2⤵
  PID:6140
- C:\Windows\System32\KYYAndK.exe
  C:\Windows\System32\KYYAndK.exe
  2⤵
  PID:4348
- C:\Windows\System32\JAweDlZ.exe
  C:\Windows\System32\JAweDlZ.exe
  2⤵
  PID:5312
- C:\Windows\System32\NwUnoIm.exe
  C:\Windows\System32\NwUnoIm.exe
  2⤵
  PID:1816
- C:\Windows\System32\ZWkJOqb.exe
  C:\Windows\System32\ZWkJOqb.exe
  2⤵
  PID:1960
- C:\Windows\System32\MSRUmmm.exe
  C:\Windows\System32\MSRUmmm.exe
  2⤵
  PID:3796
- C:\Windows\System32\IvjxEHG.exe
  C:\Windows\System32\IvjxEHG.exe
  2⤵
  PID:5756
- C:\Windows\System32\IHCujlJ.exe
  C:\Windows\System32\IHCujlJ.exe
  2⤵
  PID:5808
- C:\Windows\System32\pdEVvFo.exe
  C:\Windows\System32\pdEVvFo.exe
  2⤵
  PID:5716
- C:\Windows\System32\njPvmoK.exe
  C:\Windows\System32\njPvmoK.exe
  2⤵
  PID:5896
- C:\Windows\System32\CuzHpzH.exe
  C:\Windows\System32\CuzHpzH.exe
  2⤵
  PID:5916
- C:\Windows\System32\CaUQfqr.exe
  C:\Windows\System32\CaUQfqr.exe
  2⤵
  PID:2396
- C:\Windows\System32\uIwnepI.exe
  C:\Windows\System32\uIwnepI.exe
  2⤵
  PID:5328
- C:\Windows\System32\JhfyIhY.exe
  C:\Windows\System32\JhfyIhY.exe
  2⤵
  PID:5596
- C:\Windows\System32\DzmSGRt.exe
  C:\Windows\System32\DzmSGRt.exe
  2⤵
  PID:5460
- C:\Windows\System32\BMfOZDY.exe
  C:\Windows\System32\BMfOZDY.exe
  2⤵
  PID:996
- C:\Windows\System32\nkCVlQE.exe
  C:\Windows\System32\nkCVlQE.exe
  2⤵
  PID:6136
- C:\Windows\System32\gDZhSUN.exe
  C:\Windows\System32\gDZhSUN.exe
  2⤵
  PID:5844
- C:\Windows\System32\rVwlNZm.exe
  C:\Windows\System32\rVwlNZm.exe
  2⤵
  PID:1976
- C:\Windows\System32\fjumOXg.exe
  C:\Windows\System32\fjumOXg.exe
  2⤵
  PID:5732
- C:\Windows\System32\vzTwgpf.exe
  C:\Windows\System32\vzTwgpf.exe
  2⤵
  PID:5884
- C:\Windows\System32\pauQrtc.exe
  C:\Windows\System32\pauQrtc.exe
  2⤵
  PID:6164
- C:\Windows\System32\kySwxkX.exe
  C:\Windows\System32\kySwxkX.exe
  2⤵
  PID:6184
- C:\Windows\System32\kNuncED.exe
  C:\Windows\System32\kNuncED.exe
  2⤵
  PID:6220
- C:\Windows\System32\URrXdxj.exe
  C:\Windows\System32\URrXdxj.exe
  2⤵
  PID:6240
- C:\Windows\System32\ZxtHGoG.exe
  C:\Windows\System32\ZxtHGoG.exe
  2⤵
  PID:6256
- C:\Windows\System32\cdZDeaw.exe
  C:\Windows\System32\cdZDeaw.exe
  2⤵
  PID:6280
- C:\Windows\System32\wodNivj.exe
  C:\Windows\System32\wodNivj.exe
  2⤵
  PID:6296
- C:\Windows\System32\zkGTlTP.exe
  C:\Windows\System32\zkGTlTP.exe
  2⤵
  PID:6412
- C:\Windows\System32\PSCnKSE.exe
  C:\Windows\System32\PSCnKSE.exe
  2⤵
  PID:6464
- C:\Windows\System32\SxpXyga.exe
  C:\Windows\System32\SxpXyga.exe
  2⤵
  PID:6500
- C:\Windows\System32\FVIQhpD.exe
  C:\Windows\System32\FVIQhpD.exe
  2⤵
  PID:6520
- C:\Windows\System32\GBkTxEZ.exe
  C:\Windows\System32\GBkTxEZ.exe
  2⤵
  PID:6536
- C:\Windows\System32\oZkkeVO.exe
  C:\Windows\System32\oZkkeVO.exe
  2⤵
  PID:6552
- C:\Windows\System32\BABBznT.exe
  C:\Windows\System32\BABBznT.exe
  2⤵
  PID:6568
- C:\Windows\System32\pkHponI.exe
  C:\Windows\System32\pkHponI.exe
  2⤵
  PID:6588
- C:\Windows\System32\MSzXBgQ.exe
  C:\Windows\System32\MSzXBgQ.exe
  2⤵
  PID:6640
- C:\Windows\System32\irWvwKG.exe
  C:\Windows\System32\irWvwKG.exe
  2⤵
  PID:6708
- C:\Windows\System32\CxgVNXs.exe
  C:\Windows\System32\CxgVNXs.exe
  2⤵
  PID:6728
- C:\Windows\System32\tEvQCDv.exe
  C:\Windows\System32\tEvQCDv.exe
  2⤵
  PID:6748
- C:\Windows\System32\moqkHJd.exe
  C:\Windows\System32\moqkHJd.exe
  2⤵
  PID:6768
- C:\Windows\System32\ovYhVvQ.exe
  C:\Windows\System32\ovYhVvQ.exe
  2⤵
  PID:6784
- C:\Windows\System32\nuxaroo.exe
  C:\Windows\System32\nuxaroo.exe
  2⤵
  PID:6804
- C:\Windows\System32\JQIxlTl.exe
  C:\Windows\System32\JQIxlTl.exe
  2⤵
  PID:6824
- C:\Windows\System32\ugoWXcJ.exe
  C:\Windows\System32\ugoWXcJ.exe
  2⤵
  PID:6840
- C:\Windows\System32\xqygLzD.exe
  C:\Windows\System32\xqygLzD.exe
  2⤵
  PID:6900
- C:\Windows\System32\jXFrpGp.exe
  C:\Windows\System32\jXFrpGp.exe
  2⤵
  PID:6944
- C:\Windows\System32\PjRNaQN.exe
  C:\Windows\System32\PjRNaQN.exe
  2⤵
  PID:6984
- C:\Windows\System32\wRpXMBy.exe
  C:\Windows\System32\wRpXMBy.exe
  2⤵
  PID:7024
- C:\Windows\System32\YLomshn.exe
  C:\Windows\System32\YLomshn.exe
  2⤵
  PID:7052
- C:\Windows\System32\iVcCemD.exe
  C:\Windows\System32\iVcCemD.exe
  2⤵
  PID:7068
- C:\Windows\System32\caISNyV.exe
  C:\Windows\System32\caISNyV.exe
  2⤵
  PID:7088
- C:\Windows\System32\BSCngDA.exe
  C:\Windows\System32\BSCngDA.exe
  2⤵
  PID:7116
- C:\Windows\System32\vJBhXsb.exe
  C:\Windows\System32\vJBhXsb.exe
  2⤵
  PID:7132
- C:\Windows\System32\wrfTqdd.exe
  C:\Windows\System32\wrfTqdd.exe
  2⤵
  PID:1796
- C:\Windows\System32\KpEGjGX.exe
  C:\Windows\System32\KpEGjGX.exe
  2⤵
  PID:5932
- C:\Windows\System32\VITNobO.exe
  C:\Windows\System32\VITNobO.exe
  2⤵
  PID:2184
- C:\Windows\System32\JTYSpTz.exe
  C:\Windows\System32\JTYSpTz.exe
  2⤵
  PID:6176
- C:\Windows\System32\EjxNNWs.exe
  C:\Windows\System32\EjxNNWs.exe
  2⤵
  PID:6272
- C:\Windows\System32\qLgfuVY.exe
  C:\Windows\System32\qLgfuVY.exe
  2⤵
  PID:6248
- C:\Windows\System32\JnFMGuK.exe
  C:\Windows\System32\JnFMGuK.exe
  2⤵
  PID:6304
- C:\Windows\System32\thWzBzo.exe
  C:\Windows\System32\thWzBzo.exe
  2⤵
  PID:6456
- C:\Windows\System32\lsWmOUc.exe
  C:\Windows\System32\lsWmOUc.exe
  2⤵
  PID:6532
- C:\Windows\System32\bOpjYRn.exe
  C:\Windows\System32\bOpjYRn.exe
  2⤵
  PID:6616
- C:\Windows\System32\HFTYXSW.exe
  C:\Windows\System32\HFTYXSW.exe
  2⤵
  PID:6580
- C:\Windows\System32\ayWslfw.exe
  C:\Windows\System32\ayWslfw.exe
  2⤵
  PID:6528
- C:\Windows\System32\uXLEMws.exe
  C:\Windows\System32\uXLEMws.exe
  2⤵
  PID:6660
- C:\Windows\System32\GNLDCeH.exe
  C:\Windows\System32\GNLDCeH.exe
  2⤵
  PID:6724
- C:\Windows\System32\bRHfjMW.exe
  C:\Windows\System32\bRHfjMW.exe
  2⤵
  PID:6800
- C:\Windows\System32\cGkTHyR.exe
  C:\Windows\System32\cGkTHyR.exe
  2⤵
  PID:7108
- C:\Windows\System32\OoIJVGC.exe
  C:\Windows\System32\OoIJVGC.exe
  2⤵
  PID:7128
- C:\Windows\System32\zSHUDRw.exe
  C:\Windows\System32\zSHUDRw.exe
  2⤵
  PID:616
- C:\Windows\System32\wkpIxeH.exe
  C:\Windows\System32\wkpIxeH.exe
  2⤵
  PID:3272
- C:\Windows\System32\mAwJSmx.exe
  C:\Windows\System32\mAwJSmx.exe
  2⤵
  PID:5632
- C:\Windows\System32\POyTVpd.exe
  C:\Windows\System32\POyTVpd.exe
  2⤵
  PID:6308
- C:\Windows\System32\unfKeBc.exe
  C:\Windows\System32\unfKeBc.exe
  2⤵
  PID:6596
- C:\Windows\System32\vAudgpv.exe
  C:\Windows\System32\vAudgpv.exe
  2⤵
  PID:6396
- C:\Windows\System32\BFuPQmc.exe
  C:\Windows\System32\BFuPQmc.exe
  2⤵
  PID:6612
- C:\Windows\System32\NyzoZdZ.exe
  C:\Windows\System32\NyzoZdZ.exe
  2⤵
  PID:6648
- C:\Windows\System32\fnFkqTh.exe
  C:\Windows\System32\fnFkqTh.exe
  2⤵
  PID:5020
- C:\Windows\System32\aRkfqnA.exe
  C:\Windows\System32\aRkfqnA.exe
  2⤵
  PID:6764
- C:\Windows\System32\GiWWNqu.exe
  C:\Windows\System32\GiWWNqu.exe
  2⤵
  PID:6512
- C:\Windows\System32\nCgBCGp.exe
  C:\Windows\System32\nCgBCGp.exe
  2⤵
  PID:6736
- C:\Windows\System32\PkWSPfS.exe
  C:\Windows\System32\PkWSPfS.exe
  2⤵
  PID:7188
- C:\Windows\System32\ZCgWmxI.exe
  C:\Windows\System32\ZCgWmxI.exe
  2⤵
  PID:7212
- C:\Windows\System32\yzPZVhJ.exe
  C:\Windows\System32\yzPZVhJ.exe
  2⤵
  PID:7264
- C:\Windows\System32\otOspqq.exe
  C:\Windows\System32\otOspqq.exe
  2⤵
  PID:7312
- C:\Windows\System32\EwNJSDV.exe
  C:\Windows\System32\EwNJSDV.exe
  2⤵
  PID:7336
- C:\Windows\System32\BvPNyXW.exe
  C:\Windows\System32\BvPNyXW.exe
  2⤵
  PID:7352
- C:\Windows\System32\bvQHYKt.exe
  C:\Windows\System32\bvQHYKt.exe
  2⤵
  PID:7372
- C:\Windows\System32\MKHQKpi.exe
  C:\Windows\System32\MKHQKpi.exe
  2⤵
  PID:7388
- C:\Windows\System32\tETrzHP.exe
  C:\Windows\System32\tETrzHP.exe
  2⤵
  PID:7408
- C:\Windows\System32\lVHGqCw.exe
  C:\Windows\System32\lVHGqCw.exe
  2⤵
  PID:7480
- C:\Windows\System32\FAlvUEn.exe
  C:\Windows\System32\FAlvUEn.exe
  2⤵
  PID:7516
- C:\Windows\System32\AzEWqQI.exe
  C:\Windows\System32\AzEWqQI.exe
  2⤵
  PID:7572
- C:\Windows\System32\DbbVnnZ.exe
  C:\Windows\System32\DbbVnnZ.exe
  2⤵
  PID:7592
- C:\Windows\System32\vRKqILN.exe
  C:\Windows\System32\vRKqILN.exe
  2⤵
  PID:7620
- C:\Windows\System32\RnloRwT.exe
  C:\Windows\System32\RnloRwT.exe
  2⤵
  PID:7664
- C:\Windows\System32\aNTSufu.exe
  C:\Windows\System32\aNTSufu.exe
  2⤵
  PID:7692
- C:\Windows\System32\CfdXnkI.exe
  C:\Windows\System32\CfdXnkI.exe
  2⤵
  PID:7708
- C:\Windows\System32\cPQqBht.exe
  C:\Windows\System32\cPQqBht.exe
  2⤵
  PID:7728
- C:\Windows\System32\FFTYWNI.exe
  C:\Windows\System32\FFTYWNI.exe
  2⤵
  PID:7744
- C:\Windows\System32\eWpOhII.exe
  C:\Windows\System32\eWpOhII.exe
  2⤵
  PID:7764
- C:\Windows\System32\kCWtXmN.exe
  C:\Windows\System32\kCWtXmN.exe
  2⤵
  PID:7780
- C:\Windows\System32\bvbLYEY.exe
  C:\Windows\System32\bvbLYEY.exe
  2⤵
  PID:7812
- C:\Windows\System32\qJxdgvR.exe
  C:\Windows\System32\qJxdgvR.exe
  2⤵
  PID:7876
- C:\Windows\System32\XDUHPMk.exe
  C:\Windows\System32\XDUHPMk.exe
  2⤵
  PID:7896
- C:\Windows\System32\CFiImDb.exe
  C:\Windows\System32\CFiImDb.exe
  2⤵
  PID:7916
- C:\Windows\System32\YztYvcv.exe
  C:\Windows\System32\YztYvcv.exe
  2⤵
  PID:7956
- C:\Windows\System32\KNhlxVL.exe
  C:\Windows\System32\KNhlxVL.exe
  2⤵
  PID:7988
- C:\Windows\System32\oUcXotk.exe
  C:\Windows\System32\oUcXotk.exe
  2⤵
  PID:8008
- C:\Windows\System32\fvvQDGD.exe
  C:\Windows\System32\fvvQDGD.exe
  2⤵
  PID:8048
- C:\Windows\System32\uvprdUc.exe
  C:\Windows\System32\uvprdUc.exe
  2⤵
  PID:8112
- C:\Windows\System32\CZvzJSk.exe
  C:\Windows\System32\CZvzJSk.exe
  2⤵
  PID:8128
- C:\Windows\System32\yYradLz.exe
  C:\Windows\System32\yYradLz.exe
  2⤵
  PID:8168
- C:\Windows\System32\zVmdLpC.exe
  C:\Windows\System32\zVmdLpC.exe
  2⤵
  PID:7060
- C:\Windows\System32\ZqsCRuH.exe
  C:\Windows\System32\ZqsCRuH.exe
  2⤵
  PID:7076
- C:\Windows\System32\DNwkKYH.exe
  C:\Windows\System32\DNwkKYH.exe
  2⤵
  PID:6156
- C:\Windows\System32\SSjnYzt.exe
  C:\Windows\System32\SSjnYzt.exe
  2⤵
  PID:6848
- C:\Windows\System32\qvywelx.exe
  C:\Windows\System32\qvywelx.exe
  2⤵
  PID:7292
- C:\Windows\System32\jNsUvji.exe
  C:\Windows\System32\jNsUvji.exe
  2⤵
  PID:7428
- C:\Windows\System32\xCZzzzQ.exe
  C:\Windows\System32\xCZzzzQ.exe
  2⤵
  PID:7384
- C:\Windows\System32\GBMLcjM.exe
  C:\Windows\System32\GBMLcjM.exe
  2⤵
  PID:7468
- C:\Windows\System32\JmNlZuN.exe
  C:\Windows\System32\JmNlZuN.exe
  2⤵
  PID:7568
- C:\Windows\System32\AzUyoKi.exe
  C:\Windows\System32\AzUyoKi.exe
  2⤵
  PID:7640
- C:\Windows\System32\EHgDtXU.exe
  C:\Windows\System32\EHgDtXU.exe
  2⤵
  PID:7776
- C:\Windows\System32\PDSMOUp.exe
  C:\Windows\System32\PDSMOUp.exe
  2⤵
  PID:7756
- C:\Windows\System32\DyBulWA.exe
  C:\Windows\System32\DyBulWA.exe
  2⤵
  PID:7852
- C:\Windows\System32\fDDxybJ.exe
  C:\Windows\System32\fDDxybJ.exe
  2⤵
  PID:7864
- C:\Windows\System32\jjqnJSZ.exe
  C:\Windows\System32\jjqnJSZ.exe
  2⤵
  PID:7924
- C:\Windows\System32\zjgxctS.exe
  C:\Windows\System32\zjgxctS.exe
  2⤵
  PID:8020
- C:\Windows\System32\xaDIopO.exe
  C:\Windows\System32\xaDIopO.exe
  2⤵
  PID:6928
- C:\Windows\System32\pbhAyyR.exe
  C:\Windows\System32\pbhAyyR.exe
  2⤵
  PID:8152
- C:\Windows\System32\CJXjxcp.exe
  C:\Windows\System32\CJXjxcp.exe
  2⤵
  PID:6208
- C:\Windows\System32\cwxSnof.exe
  C:\Windows\System32\cwxSnof.exe
  2⤵
  PID:7196
- C:\Windows\System32\PHBBOYv.exe
  C:\Windows\System32\PHBBOYv.exe
  2⤵
  PID:7236
- C:\Windows\System32\ivzwAlU.exe
  C:\Windows\System32\ivzwAlU.exe
  2⤵
  PID:7400
- C:\Windows\System32\HiayPAN.exe
  C:\Windows\System32\HiayPAN.exe
  2⤵
  PID:7504
- C:\Windows\System32\GcXtJkz.exe
  C:\Windows\System32\GcXtJkz.exe
  2⤵
  PID:7836
- C:\Windows\System32\APmaCae.exe
  C:\Windows\System32\APmaCae.exe
  2⤵
  PID:7888
- C:\Windows\System32\FmFjGhY.exe
  C:\Windows\System32\FmFjGhY.exe
  2⤵
  PID:8164
- C:\Windows\System32\UMehMkp.exe
  C:\Windows\System32\UMehMkp.exe
  2⤵
  PID:7588
- C:\Windows\System32\VBoCZWK.exe
  C:\Windows\System32\VBoCZWK.exe
  2⤵
  PID:8180
- C:\Windows\System32\xEgIVYZ.exe
  C:\Windows\System32\xEgIVYZ.exe
  2⤵
  PID:7912
- C:\Windows\System32\LlCnHxN.exe
  C:\Windows\System32\LlCnHxN.exe
  2⤵
  PID:7996
- C:\Windows\System32\szAxXHm.exe
  C:\Windows\System32\szAxXHm.exe
  2⤵
  PID:8212
- C:\Windows\System32\PRxtywg.exe
  C:\Windows\System32\PRxtywg.exe
  2⤵
  PID:8256
- C:\Windows\System32\BhJzNlp.exe
  C:\Windows\System32\BhJzNlp.exe
  2⤵
  PID:8276
- C:\Windows\System32\LPiriFx.exe
  C:\Windows\System32\LPiriFx.exe
  2⤵
  PID:8300
- C:\Windows\System32\phoHQrQ.exe
  C:\Windows\System32\phoHQrQ.exe
  2⤵
  PID:8320
- C:\Windows\System32\PBKNxFL.exe
  C:\Windows\System32\PBKNxFL.exe
  2⤵
  PID:8356
- C:\Windows\System32\heVLmJC.exe
  C:\Windows\System32\heVLmJC.exe
  2⤵
  PID:8388
- C:\Windows\System32\Alckbgy.exe
  C:\Windows\System32\Alckbgy.exe
  2⤵
  PID:8420
- C:\Windows\System32\aHeCRYM.exe
  C:\Windows\System32\aHeCRYM.exe
  2⤵
  PID:8452
- C:\Windows\System32\QZHksMI.exe
  C:\Windows\System32\QZHksMI.exe
  2⤵
  PID:8476
- C:\Windows\System32\NvFthKN.exe
  C:\Windows\System32\NvFthKN.exe
  2⤵
  PID:8496
- C:\Windows\System32\pTFxJth.exe
  C:\Windows\System32\pTFxJth.exe
  2⤵
  PID:8520
- C:\Windows\System32\imHUuwQ.exe
  C:\Windows\System32\imHUuwQ.exe
  2⤵
  PID:8536
- C:\Windows\System32\iwKHzbP.exe
  C:\Windows\System32\iwKHzbP.exe
  2⤵
  PID:8568
- C:\Windows\System32\qvoBTtD.exe
  C:\Windows\System32\qvoBTtD.exe
  2⤵
  PID:8608
- C:\Windows\System32\nWMBgXC.exe
  C:\Windows\System32\nWMBgXC.exe
  2⤵
  PID:8640
- C:\Windows\System32\qKESazc.exe
  C:\Windows\System32\qKESazc.exe
  2⤵
  PID:8676
- C:\Windows\System32\ERnfHAE.exe
  C:\Windows\System32\ERnfHAE.exe
  2⤵
  PID:8704
- C:\Windows\System32\hpmjqel.exe
  C:\Windows\System32\hpmjqel.exe
  2⤵
  PID:8724
- C:\Windows\System32\luKNrpG.exe
  C:\Windows\System32\luKNrpG.exe
  2⤵
  PID:8748
- C:\Windows\System32\fLPzMyo.exe
  C:\Windows\System32\fLPzMyo.exe
  2⤵
  PID:8772
- C:\Windows\System32\YeSwFvq.exe
  C:\Windows\System32\YeSwFvq.exe
  2⤵
  PID:8808
- C:\Windows\System32\sGnSPCA.exe
  C:\Windows\System32\sGnSPCA.exe
  2⤵
  PID:8836
- C:\Windows\System32\mSZrGIC.exe
  C:\Windows\System32\mSZrGIC.exe
  2⤵
  PID:8876
- C:\Windows\System32\hkYgBEW.exe
  C:\Windows\System32\hkYgBEW.exe
  2⤵
  PID:8900
- C:\Windows\System32\vKanqRw.exe
  C:\Windows\System32\vKanqRw.exe
  2⤵
  PID:8916
- C:\Windows\System32\NeNYEBK.exe
  C:\Windows\System32\NeNYEBK.exe
  2⤵
  PID:8944
- C:\Windows\System32\DprCxsQ.exe
  C:\Windows\System32\DprCxsQ.exe
  2⤵
  PID:8964
- C:\Windows\System32\SVMHgQi.exe
  C:\Windows\System32\SVMHgQi.exe
  2⤵
  PID:8980
- C:\Windows\System32\INWoEmQ.exe
  C:\Windows\System32\INWoEmQ.exe
  2⤵
  PID:8996
- C:\Windows\System32\cZkWaoi.exe
  C:\Windows\System32\cZkWaoi.exe
  2⤵
  PID:9016
- C:\Windows\System32\mOBZmUI.exe
  C:\Windows\System32\mOBZmUI.exe
  2⤵
  PID:9056
- C:\Windows\System32\UJFuMcX.exe
  C:\Windows\System32\UJFuMcX.exe
  2⤵
  PID:9116
- C:\Windows\System32\jiXhmkS.exe
  C:\Windows\System32\jiXhmkS.exe
  2⤵
  PID:9136
- C:\Windows\System32\hTTVpWo.exe
  C:\Windows\System32\hTTVpWo.exe
  2⤵
  PID:9172
- C:\Windows\System32\ydfIAAi.exe
  C:\Windows\System32\ydfIAAi.exe
  2⤵
  PID:9192
- C:\Windows\System32\tQGlZFR.exe
  C:\Windows\System32\tQGlZFR.exe
  2⤵
  PID:9212
- C:\Windows\System32\mCvVXru.exe
  C:\Windows\System32\mCvVXru.exe
  2⤵
  PID:8196
- C:\Windows\System32\bIGenoK.exe
  C:\Windows\System32\bIGenoK.exe
  2⤵
  PID:8328
- C:\Windows\System32\cAksKxq.exe
  C:\Windows\System32\cAksKxq.exe
  2⤵
  PID:8368
- C:\Windows\System32\iPnMKLB.exe
  C:\Windows\System32\iPnMKLB.exe
  2⤵
  PID:8468
- C:\Windows\System32\sSZdpcT.exe
  C:\Windows\System32\sSZdpcT.exe
  2⤵
  PID:8464
- C:\Windows\System32\earEBqf.exe
  C:\Windows\System32\earEBqf.exe
  2⤵
  PID:8656
- C:\Windows\System32\MRlBgJj.exe
  C:\Windows\System32\MRlBgJj.exe
  2⤵
  PID:4676
- C:\Windows\System32\uWKByIJ.exe
  C:\Windows\System32\uWKByIJ.exe
  2⤵
  PID:8716
- C:\Windows\System32\AqrzvRT.exe
  C:\Windows\System32\AqrzvRT.exe
  2⤵
  PID:8804
- C:\Windows\System32\gzTQJKE.exe
  C:\Windows\System32\gzTQJKE.exe
  2⤵
  PID:8856
- C:\Windows\System32\XViLPOd.exe
  C:\Windows\System32\XViLPOd.exe
  2⤵
  PID:8928
- C:\Windows\System32\ltsBcJd.exe
  C:\Windows\System32\ltsBcJd.exe
  2⤵
  PID:8932
- C:\Windows\System32\BKDsbVY.exe
  C:\Windows\System32\BKDsbVY.exe
  2⤵
  PID:9036
- C:\Windows\System32\zuqWjHm.exe
  C:\Windows\System32\zuqWjHm.exe
  2⤵
  PID:9076
- C:\Windows\System32\kbrgIJw.exe
  C:\Windows\System32\kbrgIJw.exe
  2⤵
  PID:9144
- C:\Windows\System32\wlpccHD.exe
  C:\Windows\System32\wlpccHD.exe
  2⤵
  PID:9132
- C:\Windows\System32\ExeJige.exe
  C:\Windows\System32\ExeJige.exe
  2⤵
  PID:9200
- C:\Windows\System32\jOdVPUR.exe
  C:\Windows\System32\jOdVPUR.exe
  2⤵
  PID:8312
- C:\Windows\System32\aSwFcTK.exe
  C:\Windows\System32\aSwFcTK.exe
  2⤵
  PID:8668
- C:\Windows\System32\AXxeIOj.exe
  C:\Windows\System32\AXxeIOj.exe
  2⤵
  PID:8696
- C:\Windows\System32\wcRrPrp.exe
  C:\Windows\System32\wcRrPrp.exe
  2⤵
  PID:8884
- C:\Windows\System32\ZlMSOGW.exe
  C:\Windows\System32\ZlMSOGW.exe
  2⤵
  PID:9152
- C:\Windows\System32\IneUeOe.exe
  C:\Windows\System32\IneUeOe.exe
  2⤵
  PID:8204
- C:\Windows\System32\NwtwdRo.exe
  C:\Windows\System32\NwtwdRo.exe
  2⤵
  PID:8528
- C:\Windows\System32\UYApVOV.exe
  C:\Windows\System32\UYApVOV.exe
  2⤵
  PID:8824
- C:\Windows\System32\IWqkYIt.exe
  C:\Windows\System32\IWqkYIt.exe
  2⤵
  PID:8484
- C:\Windows\System32\nxfTAxD.exe
  C:\Windows\System32\nxfTAxD.exe
  2⤵
  PID:9220
- C:\Windows\System32\PipgQFB.exe
  C:\Windows\System32\PipgQFB.exe
  2⤵
  PID:9244
- C:\Windows\System32\EOFMYJX.exe
  C:\Windows\System32\EOFMYJX.exe
  2⤵
  PID:9264
- C:\Windows\System32\iBgivFe.exe
  C:\Windows\System32\iBgivFe.exe
  2⤵
  PID:9320
- C:\Windows\System32\KnzjYyq.exe
  C:\Windows\System32\KnzjYyq.exe
  2⤵
  PID:9340
- C:\Windows\System32\TfIOMUt.exe
  C:\Windows\System32\TfIOMUt.exe
  2⤵
  PID:9356
- C:\Windows\System32\xVmfmGB.exe
  C:\Windows\System32\xVmfmGB.exe
  2⤵
  PID:9404
- C:\Windows\System32\CGTYRww.exe
  C:\Windows\System32\CGTYRww.exe
  2⤵
  PID:9444
- C:\Windows\System32\vXIoNbr.exe
  C:\Windows\System32\vXIoNbr.exe
  2⤵
  PID:9484
- C:\Windows\System32\NxpkcCj.exe
  C:\Windows\System32\NxpkcCj.exe
  2⤵
  PID:9504
- C:\Windows\System32\JblLMvi.exe
  C:\Windows\System32\JblLMvi.exe
  2⤵
  PID:9520
- C:\Windows\System32\IkSJbbA.exe
  C:\Windows\System32\IkSJbbA.exe
  2⤵
  PID:9544
- C:\Windows\System32\FAsaOtx.exe
  C:\Windows\System32\FAsaOtx.exe
  2⤵
  PID:9564
- C:\Windows\System32\QVxyhin.exe
  C:\Windows\System32\QVxyhin.exe
  2⤵
  PID:9580
- C:\Windows\System32\BNlYonJ.exe
  C:\Windows\System32\BNlYonJ.exe
  2⤵
  PID:9600
- C:\Windows\System32\VpPRmsp.exe
  C:\Windows\System32\VpPRmsp.exe
  2⤵
  PID:9616
- C:\Windows\System32\mqRuFtt.exe
  C:\Windows\System32\mqRuFtt.exe
  2⤵
  PID:9636
- C:\Windows\System32\wYFgmSp.exe
  C:\Windows\System32\wYFgmSp.exe
  2⤵
  PID:9652
- C:\Windows\System32\yOBiLwC.exe
  C:\Windows\System32\yOBiLwC.exe
  2⤵
  PID:9672
- C:\Windows\System32\eILjNPY.exe
  C:\Windows\System32\eILjNPY.exe
  2⤵
  PID:9688
- C:\Windows\System32\ubByhKz.exe
  C:\Windows\System32\ubByhKz.exe
  2⤵
  PID:9708
- C:\Windows\System32\oxfyHAh.exe
  C:\Windows\System32\oxfyHAh.exe
  2⤵
  PID:9796
- C:\Windows\System32\GbmPrQC.exe
  C:\Windows\System32\GbmPrQC.exe
  2⤵
  PID:9836
- C:\Windows\System32\YAGxSuS.exe
  C:\Windows\System32\YAGxSuS.exe
  2⤵
  PID:9856
- C:\Windows\System32\ExadEel.exe
  C:\Windows\System32\ExadEel.exe
  2⤵
  PID:9872
- C:\Windows\System32\wyJetcH.exe
  C:\Windows\System32\wyJetcH.exe
  2⤵
  PID:9896
- C:\Windows\System32\dLteviv.exe
  C:\Windows\System32\dLteviv.exe
  2⤵
  PID:9940
- C:\Windows\System32\LrbxqFG.exe
  C:\Windows\System32\LrbxqFG.exe
  2⤵
  PID:9960
- C:\Windows\System32\uADODNd.exe
  C:\Windows\System32\uADODNd.exe
  2⤵
  PID:10024
- C:\Windows\System32\VYDCHWW.exe
  C:\Windows\System32\VYDCHWW.exe
  2⤵
  PID:10096
- C:\Windows\System32\OPAeMVq.exe
  C:\Windows\System32\OPAeMVq.exe
  2⤵
  PID:10112
- C:\Windows\System32\ppeHjLL.exe
  C:\Windows\System32\ppeHjLL.exe
  2⤵
  PID:10136
- C:\Windows\System32\WgEQMrW.exe
  C:\Windows\System32\WgEQMrW.exe
  2⤵
  PID:10156
- C:\Windows\System32\zUUNayf.exe
  C:\Windows\System32\zUUNayf.exe
  2⤵
  PID:10180
- C:\Windows\System32\UHxsadl.exe
  C:\Windows\System32\UHxsadl.exe
  2⤵
  PID:10196
- C:\Windows\System32\tmoWwtf.exe
  C:\Windows\System32\tmoWwtf.exe
  2⤵
  PID:10232
- C:\Windows\System32\fVoKWDY.exe
  C:\Windows\System32\fVoKWDY.exe
  2⤵
  PID:8988
- C:\Windows\System32\OIwrlco.exe
  C:\Windows\System32\OIwrlco.exe
  2⤵
  PID:2232
- C:\Windows\System32\tdbXbGK.exe
  C:\Windows\System32\tdbXbGK.exe
  2⤵
  PID:9348
- C:\Windows\System32\tLvyYXH.exe
  C:\Windows\System32\tLvyYXH.exe
  2⤵
  PID:9384
- C:\Windows\System32\kewkPdV.exe
  C:\Windows\System32\kewkPdV.exe
  2⤵
  PID:9464
- C:\Windows\System32\bSnsJjO.exe
  C:\Windows\System32\bSnsJjO.exe
  2⤵
  PID:9492
- C:\Windows\System32\gpLSlFf.exe
  C:\Windows\System32\gpLSlFf.exe
  2⤵
  PID:9512
- C:\Windows\System32\yPocyEf.exe
  C:\Windows\System32\yPocyEf.exe
  2⤵
  PID:4316
- C:\Windows\System32\YFXiLAf.exe
  C:\Windows\System32\YFXiLAf.exe
  2⤵
  PID:9608
- C:\Windows\System32\SkbbjbR.exe
  C:\Windows\System32\SkbbjbR.exe
  2⤵
  PID:9592
- C:\Windows\System32\DmTLlYf.exe
  C:\Windows\System32\DmTLlYf.exe
  2⤵
  PID:9824
- C:\Windows\System32\BuLZvfT.exe
  C:\Windows\System32\BuLZvfT.exe
  2⤵
  PID:9884
- C:\Windows\System32\ZQtqQcf.exe
  C:\Windows\System32\ZQtqQcf.exe
  2⤵
  PID:9928
- C:\Windows\System32\HCbvREa.exe
  C:\Windows\System32\HCbvREa.exe
  2⤵
  PID:9968
- C:\Windows\System32\wmMgsNV.exe
  C:\Windows\System32\wmMgsNV.exe
  2⤵
  PID:3916
- C:\Windows\System32\QPhNvrI.exe
  C:\Windows\System32\QPhNvrI.exe
  2⤵
  PID:10108
- C:\Windows\System32\Hlgvpka.exe
  C:\Windows\System32\Hlgvpka.exe
  2⤵
  PID:10144
- C:\Windows\System32\vVHqbtn.exe
  C:\Windows\System32\vVHqbtn.exe
  2⤵
  PID:9272
- C:\Windows\System32\qleJeuD.exe
  C:\Windows\System32\qleJeuD.exe
  2⤵
  PID:9428
- C:\Windows\System32\kMmMvcD.exe
  C:\Windows\System32\kMmMvcD.exe
  2⤵
  PID:9556
- C:\Windows\System32\heRXguq.exe
  C:\Windows\System32\heRXguq.exe
  2⤵
  PID:9540
- C:\Windows\System32\FtfmHJS.exe
  C:\Windows\System32\FtfmHJS.exe
  2⤵
  PID:9588
- C:\Windows\System32\QOBvjGi.exe
  C:\Windows\System32\QOBvjGi.exe
  2⤵
  PID:9868
- C:\Windows\System32\QmWYWXT.exe
  C:\Windows\System32\QmWYWXT.exe
  2⤵
  PID:10052
- C:\Windows\System32\rNZYUOr.exe
  C:\Windows\System32\rNZYUOr.exe
  2⤵
  PID:9684
- C:\Windows\System32\lffAToB.exe
  C:\Windows\System32\lffAToB.exe
  2⤵
  PID:9376
- C:\Windows\System32\yswGmoZ.exe
  C:\Windows\System32\yswGmoZ.exe
  2⤵
  PID:4964
- C:\Windows\System32\bvdDJZM.exe
  C:\Windows\System32\bvdDJZM.exe
  2⤵
  PID:10132
- C:\Windows\System32\ymgMCPY.exe
  C:\Windows\System32\ymgMCPY.exe
  2⤵
  PID:10224
- C:\Windows\System32\WDCSLkw.exe
  C:\Windows\System32\WDCSLkw.exe
  2⤵
  PID:4184
- C:\Windows\System32\eBpRJSm.exe
  C:\Windows\System32\eBpRJSm.exe
  2⤵
  PID:9988
- C:\Windows\System32\yivtCXE.exe
  C:\Windows\System32\yivtCXE.exe
  2⤵
  PID:4352
- C:\Windows\System32\aEsWxrm.exe
  C:\Windows\System32\aEsWxrm.exe
  2⤵
  PID:10248
- C:\Windows\System32\vNQTYuz.exe
  C:\Windows\System32\vNQTYuz.exe
  2⤵
  PID:10268
- C:\Windows\System32\lEByEqp.exe
  C:\Windows\System32\lEByEqp.exe
  2⤵
  PID:10364
- C:\Windows\System32\kAHIrXE.exe
  C:\Windows\System32\kAHIrXE.exe
  2⤵
  PID:10432
- C:\Windows\System32\TlQRHcP.exe
  C:\Windows\System32\TlQRHcP.exe
  2⤵
  PID:10448
- C:\Windows\System32\hheiple.exe
  C:\Windows\System32\hheiple.exe
  2⤵
  PID:10464
- C:\Windows\System32\XjAOLKP.exe
  C:\Windows\System32\XjAOLKP.exe
  2⤵
  PID:10488
- C:\Windows\System32\pwnqaaV.exe
  C:\Windows\System32\pwnqaaV.exe
  2⤵
  PID:10508
- C:\Windows\System32\xDKfHIl.exe
  C:\Windows\System32\xDKfHIl.exe
  2⤵
  PID:10524
- C:\Windows\System32\WUexxHn.exe
  C:\Windows\System32\WUexxHn.exe
  2⤵
  PID:10544
- C:\Windows\System32\cTyHyyz.exe
  C:\Windows\System32\cTyHyyz.exe
  2⤵
  PID:10564
- C:\Windows\System32\sufbYjO.exe
  C:\Windows\System32\sufbYjO.exe
  2⤵
  PID:10628
- C:\Windows\System32\nyOvGie.exe
  C:\Windows\System32\nyOvGie.exe
  2⤵
  PID:10648
- C:\Windows\System32\THfpBxB.exe
  C:\Windows\System32\THfpBxB.exe
  2⤵
  PID:10716
- C:\Windows\System32\VecRWYX.exe
  C:\Windows\System32\VecRWYX.exe
  2⤵
  PID:10764
- C:\Windows\System32\ajElVmt.exe
  C:\Windows\System32\ajElVmt.exe
  2⤵
  PID:10780
- C:\Windows\System32\gWHLAfj.exe
  C:\Windows\System32\gWHLAfj.exe
  2⤵
  PID:10800
- C:\Windows\System32\jWjXrBP.exe
  C:\Windows\System32\jWjXrBP.exe
  2⤵
  PID:10840
- C:\Windows\System32\OsGPUDf.exe
  C:\Windows\System32\OsGPUDf.exe
  2⤵
  PID:10888
- C:\Windows\System32\xVeczuf.exe
  C:\Windows\System32\xVeczuf.exe
  2⤵
  PID:10904
- C:\Windows\System32\AgGLaDR.exe
  C:\Windows\System32\AgGLaDR.exe
  2⤵
  PID:10920
- C:\Windows\System32\sOTnboT.exe
  C:\Windows\System32\sOTnboT.exe
  2⤵
  PID:10936
- C:\Windows\System32\ybaETru.exe
  C:\Windows\System32\ybaETru.exe
  2⤵
  PID:10952
- C:\Windows\System32\EIJTqrF.exe
  C:\Windows\System32\EIJTqrF.exe
  2⤵
  PID:10972
- C:\Windows\System32\tOpBDBG.exe
  C:\Windows\System32\tOpBDBG.exe
  2⤵
  PID:11052
- C:\Windows\System32\aolTDSL.exe
  C:\Windows\System32\aolTDSL.exe
  2⤵
  PID:11080
- C:\Windows\System32\DgKFVGR.exe
  C:\Windows\System32\DgKFVGR.exe
  2⤵
  PID:11100
- C:\Windows\System32\XWqocaQ.exe
  C:\Windows\System32\XWqocaQ.exe
  2⤵
  PID:11120
- C:\Windows\System32\YzTkrpJ.exe
  C:\Windows\System32\YzTkrpJ.exe
  2⤵
  PID:11136
- C:\Windows\System32\HgQyytu.exe
  C:\Windows\System32\HgQyytu.exe
  2⤵
  PID:11152
- C:\Windows\System32\eJhJcjj.exe
  C:\Windows\System32\eJhJcjj.exe
  2⤵
  PID:11168
- C:\Windows\System32\MVlYbvE.exe
  C:\Windows\System32\MVlYbvE.exe
  2⤵
  PID:11220
- C:\Windows\System32\hMrrKGG.exe
  C:\Windows\System32\hMrrKGG.exe
  2⤵
  PID:9904
- C:\Windows\System32\OwmieqB.exe
  C:\Windows\System32\OwmieqB.exe
  2⤵
  PID:10320
- C:\Windows\System32\OlmmvSy.exe
  C:\Windows\System32\OlmmvSy.exe
  2⤵
  PID:10300
- C:\Windows\System32\fodyGCP.exe
  C:\Windows\System32\fodyGCP.exe
  2⤵
  PID:10404
- C:\Windows\System32\yQbmbbN.exe
  C:\Windows\System32\yQbmbbN.exe
  2⤵
  PID:10604
- C:\Windows\System32\JvlGOQi.exe
  C:\Windows\System32\JvlGOQi.exe
  2⤵
  PID:10640
- C:\Windows\System32\whEWrCe.exe
  C:\Windows\System32\whEWrCe.exe
  2⤵
  PID:10500
- C:\Windows\System32\IzViDkV.exe
  C:\Windows\System32\IzViDkV.exe
  2⤵
  PID:10700
- C:\Windows\System32\dPHqBcf.exe
  C:\Windows\System32\dPHqBcf.exe
  2⤵
  PID:10808
- C:\Windows\System32\tLJHpRa.exe
  C:\Windows\System32\tLJHpRa.exe
  2⤵
  PID:10752
- C:\Windows\System32\QVbpPGh.exe
  C:\Windows\System32\QVbpPGh.exe
  2⤵
  PID:10832
- C:\Windows\System32\vMURMcW.exe
  C:\Windows\System32\vMURMcW.exe
  2⤵
  PID:10860
- C:\Windows\System32\RSUOVAb.exe
  C:\Windows\System32\RSUOVAb.exe
  2⤵
  PID:10980
- C:\Windows\System32\qNMXhDi.exe
  C:\Windows\System32\qNMXhDi.exe
  2⤵
  PID:10896
- C:\Windows\System32\nduSwVj.exe
  C:\Windows\System32\nduSwVj.exe
  2⤵
  PID:11064
- C:\Windows\System32\wYDeUtU.exe
  C:\Windows\System32\wYDeUtU.exe
  2⤵
  PID:11072
- C:\Windows\System32\XRWiQbc.exe
  C:\Windows\System32\XRWiQbc.exe
  2⤵
  PID:11176
- C:\Windows\System32\mtsFjZJ.exe
  C:\Windows\System32\mtsFjZJ.exe
  2⤵
  PID:11160
- C:\Windows\System32\oWupeeh.exe
  C:\Windows\System32\oWupeeh.exe
  2⤵
  PID:11116
- C:\Windows\System32\lfBGlsw.exe
  C:\Windows\System32\lfBGlsw.exe
  2⤵
  PID:11256
- C:\Windows\System32\ztFKxcz.exe
  C:\Windows\System32\ztFKxcz.exe
  2⤵
  PID:4376
- C:\Windows\System32\UaSJRHM.exe
  C:\Windows\System32\UaSJRHM.exe
  2⤵
  PID:3792
- C:\Windows\System32\MSjLeSL.exe
  C:\Windows\System32\MSjLeSL.exe
  2⤵
  PID:10172
- C:\Windows\System32\ivciYDa.exe
  C:\Windows\System32\ivciYDa.exe
  2⤵
  PID:10360
- C:\Windows\System32\fKuvCzj.exe
  C:\Windows\System32\fKuvCzj.exe
  2⤵
  PID:10256
- C:\Windows\System32\ovtdpdw.exe
  C:\Windows\System32\ovtdpdw.exe
  2⤵
  PID:4804
- C:\Windows\System32\qLHbPkU.exe
  C:\Windows\System32\qLHbPkU.exe
  2⤵
  PID:10932
- C:\Windows\System32\oONxYGL.exe
  C:\Windows\System32\oONxYGL.exe
  2⤵
  PID:11088
- C:\Windows\System32\XSNXRLW.exe
  C:\Windows\System32\XSNXRLW.exe
  2⤵
  PID:10420
- C:\Windows\System32\eeKQNCj.exe
  C:\Windows\System32\eeKQNCj.exe
  2⤵
  PID:11036
- C:\Windows\System32\NaEiVkw.exe
  C:\Windows\System32\NaEiVkw.exe
  2⤵
  PID:10724
- C:\Windows\System32\kDdKuws.exe
  C:\Windows\System32\kDdKuws.exe
  2⤵
  PID:10520
- C:\Windows\System32\yQMYNEa.exe
  C:\Windows\System32\yQMYNEa.exe
  2⤵
  PID:11272
- C:\Windows\System32\DDDIVDX.exe
  C:\Windows\System32\DDDIVDX.exe
  2⤵
  PID:11288
- C:\Windows\System32\scUeyPe.exe
  C:\Windows\System32\scUeyPe.exe
  2⤵
  PID:11304
- C:\Windows\System32\ukJnvuV.exe
  C:\Windows\System32\ukJnvuV.exe
  2⤵
  PID:11388
- C:\Windows\System32\nTLUqYn.exe
  C:\Windows\System32\nTLUqYn.exe
  2⤵
  PID:11408
- C:\Windows\System32\ZsoiizM.exe
  C:\Windows\System32\ZsoiizM.exe
  2⤵
  PID:11488
- C:\Windows\System32\tRFvBZA.exe
  C:\Windows\System32\tRFvBZA.exe
  2⤵
  PID:11560
- C:\Windows\System32\AUIUFfb.exe
  C:\Windows\System32\AUIUFfb.exe
  2⤵
  PID:11576
- C:\Windows\System32\uFdnGgV.exe
  C:\Windows\System32\uFdnGgV.exe
  2⤵
  PID:11596
- C:\Windows\System32\KHLmVBR.exe
  C:\Windows\System32\KHLmVBR.exe
  2⤵
  PID:11612
- C:\Windows\System32\gJUXlWA.exe
  C:\Windows\System32\gJUXlWA.exe
  2⤵
  PID:11628
- C:\Windows\System32\tUtRACH.exe
  C:\Windows\System32\tUtRACH.exe
  2⤵
  PID:11652
- C:\Windows\System32\jPTSMtE.exe
  C:\Windows\System32\jPTSMtE.exe
  2⤵
  PID:11672
- C:\Windows\System32\qZDJyIE.exe
  C:\Windows\System32\qZDJyIE.exe
  2⤵
  PID:11700
- C:\Windows\System32\twROLVE.exe
  C:\Windows\System32\twROLVE.exe
  2⤵
  PID:11772
- C:\Windows\System32\ZmQsCzz.exe
  C:\Windows\System32\ZmQsCzz.exe
  2⤵
  PID:11788
- C:\Windows\System32\irxvfwD.exe
  C:\Windows\System32\irxvfwD.exe
  2⤵
  PID:11808
- C:\Windows\System32\hNeJLQQ.exe
  C:\Windows\System32\hNeJLQQ.exe
  2⤵
  PID:11832
- C:\Windows\System32\AdygbMO.exe
  C:\Windows\System32\AdygbMO.exe
  2⤵
  PID:11888
- C:\Windows\System32\TjsKfqh.exe
  C:\Windows\System32\TjsKfqh.exe
  2⤵
  PID:11932
- C:\Windows\System32\XMzjJeQ.exe
  C:\Windows\System32\XMzjJeQ.exe
  2⤵
  PID:11996
- C:\Windows\System32\oTXrwVj.exe
  C:\Windows\System32\oTXrwVj.exe
  2⤵
  PID:12012
- C:\Windows\System32\FwIZFNR.exe
  C:\Windows\System32\FwIZFNR.exe
  2⤵
  PID:12032
- C:\Windows\System32\PaOSBop.exe
  C:\Windows\System32\PaOSBop.exe
  2⤵
  PID:12048
- C:\Windows\System32\mGAIBqv.exe
  C:\Windows\System32\mGAIBqv.exe
  2⤵
  PID:12092
- C:\Windows\System32\SYLJHcG.exe
  C:\Windows\System32\SYLJHcG.exe
  2⤵
  PID:12124
- C:\Windows\System32\jGYBrhC.exe
  C:\Windows\System32\jGYBrhC.exe
  2⤵
  PID:12140
- C:\Windows\System32\pLDbaFp.exe
  C:\Windows\System32\pLDbaFp.exe
  2⤵
  PID:12156
- C:\Windows\System32\UVxNukG.exe
  C:\Windows\System32\UVxNukG.exe
  2⤵
  PID:12176
- C:\Windows\System32\jWjvGns.exe
  C:\Windows\System32\jWjvGns.exe
  2⤵
  PID:12196
- C:\Windows\System32\dBmhpQh.exe
  C:\Windows\System32\dBmhpQh.exe
  2⤵
  PID:12212
- C:\Windows\System32\lUJnHKz.exe
  C:\Windows\System32\lUJnHKz.exe
  2⤵
  PID:12228
- C:\Windows\System32\IVHyCxI.exe
  C:\Windows\System32\IVHyCxI.exe
  2⤵
  PID:12260
- C:\Windows\System32\xsLeHVY.exe
  C:\Windows\System32\xsLeHVY.exe
  2⤵
  PID:12276
- C:\Windows\System32\vxwvLpR.exe
  C:\Windows\System32\vxwvLpR.exe
  2⤵
  PID:10348
- C:\Windows\System32\CvpAodU.exe
  C:\Windows\System32\CvpAodU.exe
  2⤵
  PID:11132
- C:\Windows\System32\izXBhnH.exe
  C:\Windows\System32\izXBhnH.exe
  2⤵
  PID:10776
- C:\Windows\System32\UrgQZoK.exe
  C:\Windows\System32\UrgQZoK.exe
  2⤵
  PID:11416
- C:\Windows\System32\YslRUDh.exe
  C:\Windows\System32\YslRUDh.exe
  2⤵
  PID:11476
- C:\Windows\System32\lDxUNOI.exe
  C:\Windows\System32\lDxUNOI.exe
  2⤵
  PID:11572
- C:\Windows\System32\uvphBgO.exe
  C:\Windows\System32\uvphBgO.exe
  2⤵
  PID:11688
- C:\Windows\System32\CqSYMcc.exe
  C:\Windows\System32\CqSYMcc.exe
  2⤵
  PID:11852
- C:\Windows\System32\kFKrmeY.exe
  C:\Windows\System32\kFKrmeY.exe
  2⤵
  PID:11840
- C:\Windows\System32\WDCorZF.exe
  C:\Windows\System32\WDCorZF.exe
  2⤵
  PID:11896
- C:\Windows\System32\ZVGsnhE.exe
  C:\Windows\System32\ZVGsnhE.exe
  2⤵
  PID:11964
- C:\Windows\System32\OCbHsvZ.exe
  C:\Windows\System32\OCbHsvZ.exe
  2⤵
  PID:12004
- C:\Windows\System32\HCOfjuQ.exe
  C:\Windows\System32\HCOfjuQ.exe
  2⤵
  PID:12192
- C:\Windows\System32\qNRXtRZ.exe
  C:\Windows\System32\qNRXtRZ.exe
  2⤵
  PID:12116
- C:\Windows\System32\QflHKKy.exe
  C:\Windows\System32\QflHKKy.exe
  2⤵
  PID:11180
- C:\Windows\System32\rdBmHjo.exe
  C:\Windows\System32\rdBmHjo.exe
  2⤵
  PID:12244
- C:\Windows\System32\rnmrjsE.exe
  C:\Windows\System32\rnmrjsE.exe
  2⤵
  PID:11504
- C:\Windows\System32\DlaQegV.exe
  C:\Windows\System32\DlaQegV.exe
  2⤵
  PID:11608
- C:\Windows\System32\zgmivUm.exe
  C:\Windows\System32\zgmivUm.exe
  2⤵
  PID:11400
- C:\Windows\System32\ORKapGe.exe
  C:\Windows\System32\ORKapGe.exe
  2⤵
  PID:11844
- C:\Windows\System32\VtaCoJQ.exe
  C:\Windows\System32\VtaCoJQ.exe
  2⤵
  PID:10444
- C:\Windows\System32\zkRaeUX.exe
  C:\Windows\System32\zkRaeUX.exe
  2⤵
  PID:12028
- C:\Windows\System32\IpURSbU.exe
  C:\Windows\System32\IpURSbU.exe
  2⤵
  PID:12088
- C:\Windows\System32\JDDDDoc.exe
  C:\Windows\System32\JDDDDoc.exe
  2⤵
  PID:9660
- C:\Windows\System32\VLfmdjH.exe
  C:\Windows\System32\VLfmdjH.exe
  2⤵
  PID:11588
- C:\Windows\System32\wHDOSfu.exe
  C:\Windows\System32\wHDOSfu.exe
  2⤵
  PID:11828
- C:\Windows\System32\HTJnUyl.exe
  C:\Windows\System32\HTJnUyl.exe
  2⤵
  PID:11348
- C:\Windows\System32\nUDQhwG.exe
  C:\Windows\System32\nUDQhwG.exe
  2⤵
  PID:11508
- C:\Windows\System32\UiUCPVS.exe
  C:\Windows\System32\UiUCPVS.exe
  2⤵
  PID:12292
- C:\Windows\System32\plbIyeK.exe
  C:\Windows\System32\plbIyeK.exe
  2⤵
  PID:12312
- C:\Windows\System32\HqZpolJ.exe
  C:\Windows\System32\HqZpolJ.exe
  2⤵
  PID:12332
- C:\Windows\System32\shiDjNM.exe
  C:\Windows\System32\shiDjNM.exe
  2⤵
  PID:12348
- C:\Windows\System32\SEyPJPh.exe
  C:\Windows\System32\SEyPJPh.exe
  2⤵
  PID:12368
- C:\Windows\System32\hasBuNc.exe
  C:\Windows\System32\hasBuNc.exe
  2⤵
  PID:12384
- C:\Windows\System32\RWqfKRG.exe
  C:\Windows\System32\RWqfKRG.exe
  2⤵
  PID:12448
- C:\Windows\System32\SoIBZOB.exe
  C:\Windows\System32\SoIBZOB.exe
  2⤵
  PID:12468
- C:\Windows\System32\puxraHb.exe
  C:\Windows\System32\puxraHb.exe
  2⤵
  PID:12608
- C:\Windows\System32\dEDvhyB.exe
  C:\Windows\System32\dEDvhyB.exe
  2⤵
  PID:12624

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\ANUHYcq.exe

Filesize
1.3MB

MD5
af8dacf6408e6494765a9283c5088fd4

SHA1
a7ed24b6ffa39f2768378896a8f761216709dc49

SHA256
9fa67d60f8b24c98b3cc43ab4645598658b5532579b74c8810b259023ebc356a

SHA512
1420a91dcda726d8bce5e12c09b8a805878076591e2e5601c32c6a01d64ba8f6cb754a7e545154784260218cc44ebcfb6434f118afaad4af8ef6871448134c70

Download Submit
C:\Windows\System32\BNTUEMp.exe

Filesize
1.3MB

MD5
7342cfed69af1fcdb1ae6142763898aa

SHA1
3238d0f18fc67f18bc8d1bd031b192bdd5b2d2a9

SHA256
fda02db0d4a560d770cf2a163bdf3c3b19e104ce50fa3ef329c43310e05e6efc

SHA512
b03ac660509decb3489b03f121c79a5b53537f738515b3bd23acda12821ae17af990dca1da19540b9908958a11dbd6caca17d05b97d1242efa081c990c066c67

Download Submit
C:\Windows\System32\ByhpOYB.exe

Filesize
1.3MB

MD5
95d4280225d20d18a5fa7feff43add6b

SHA1
734e548ccf03c4fc78fe85bd4ec14028bd13ca3c

SHA256
b34724d2518c113768b91388712ecc59dc3cd793a2bd9c8ce8e256860ab7125f

SHA512
5ba49fa3c4421224794f65bedaf7087827c5c0d68736a631fe90064d205b3a7f73820f8772ef23e024d7dd8aef406e7a741cae5e1088749ab7cd5e26eba5f93f

Download Submit
C:\Windows\System32\DQxOwtm.exe

Filesize
1.3MB

MD5
50ff697f7f557cd01ac522fc49193e68

SHA1
5e0068f75d41fc7b48d88725d06a3123636d692a

SHA256
3b6baa305d852702cf1b631f0d77bf0df79d55f410ef993fde09d73a2416fc94

SHA512
bd9d18abd96435872a804674b9d06d603f045e298265a7b4b74d50f2083bde1eb8be9a0570872064f9ca4c2c1ade43b6ee70f7a334ff201bdf93442f6046e417

Download Submit
C:\Windows\System32\DddfEXL.exe

Filesize
1.3MB

MD5
49e2454650e39c726279a3340bf9c2c1

SHA1
009d68fba111c8ab64a2785be48806663819f52b

SHA256
3803e64a568fd184793f2b9e529a934bd0a8e3af3d14dfcc045acbb4e981841e

SHA512
30f5567c49bb87d8075f575c306eae399fab9f45e7d51ffccb51c5f3afadfc8546f8914c7066640e0b5092640d4e675228219b8e402bb83b59201948d5e4fd9d

Download Submit
C:\Windows\System32\JaJMHFa.exe

Filesize
1.3MB

MD5
87f2053a769224d38a93c57b4db9f5ef

SHA1
c279db223ec795f9867794bd80e177d43bdb9582

SHA256
454f4020382221239c8669c54e614b8ee0ecddbd751852b1c5abd1d068f5cb87

SHA512
9e761c8d4d458e0964d811efa3af9dd5328d98754d61204555a0f90ec2564b5b52634d1f1d4c572a5d4d84c8033a50aa64be7936ef2d41f7505c8b112b8cbdd7

Download Submit
C:\Windows\System32\JscGuAs.exe

Filesize
1.3MB

MD5
a482d308c4736ebdb0d50a3f27ce4588

SHA1
79f40a69d22814c002a8a17eacbfb4f890ca731a

SHA256
7b1ee3f408702c7130242e983510af652e45283af5bef86ee0d6e303d49c2288

SHA512
a50c5335161d112abac399f7e8a1c0ace96e82345e9561ad23c95f1a6505b392f4d825694580de53f8150d5e5c840192a98ea9fadedb1f615e5a858c49054ea6

Download Submit
C:\Windows\System32\LpmDiYr.exe

Filesize
1.3MB

MD5
9f5c789ba93313900985f55501d3eeba

SHA1
b8f4c65f2f9e8afc0c55ba13d0352fb96331632c

SHA256
945eb375dfb0b73492fecc572c60507c28b22c4412d2bb09b78691a57981287d

SHA512
b89605a8c48e4019d3644fe19fcc2627e41e736191aa196cc95ea63a3e20156c052b90185f46a9e360a1171991239c9e0c2390bdb3f820ea79520057ab4ccc9f

Download Submit
C:\Windows\System32\NbOBPSN.exe

Filesize
1.3MB

MD5
5dce057b525f580551ac39648728995e

SHA1
3ca21f4b436ec243aa9ad6f9428e2276d7427fe1

SHA256
42210aab498fd62bac52865d97d0750bbee7468b0ba682e2d254fff96c62df31

SHA512
363212e173f210e5709b972996094a3dd93d6819af37fba647ae3fe74c284f32cb92b31ee94d3b80904d9392f49affc2d16b600b4a8560bfd9ca4b29c8e285a8

Download Submit
C:\Windows\System32\OYbjodX.exe

Filesize
1.3MB

MD5
00193ee7148ca1356a3da471acd19d7e

SHA1
14814aa759becc1037bcd7bc3268495c3954db79

SHA256
df6c00f437c5bf0ed9bdb7f52e28e170685bebc0cc190020aa1878c5b255959b

SHA512
24988b98b5793068c1b82a8487a48db555e17ff010589a969f305b11304abed32f70aef9a32ea3b45cf486695efa4e200124373c8c725a6ae13af279dc12591c

Download Submit
C:\Windows\System32\QYyJjgy.exe

Filesize
1.3MB

MD5
0e6db0507892021662de822a002394e5

SHA1
e15fd256a59f899f6afe7c82cb1364f14528a3ab

SHA256
0ec230112aa6d904c9ae5b13d2a78a6bcd6bb916d17c430d09aa48874ace850c

SHA512
b112dfc15b50bc5d16337ac2bb345f8a6ae04d6f0d8d99f679e24d5642c7e3396b15baf74ddbba81b2f3a33ffb3a6b511f4d88c96fa1aa3fb821625cfc4d62f5

Download Submit
C:\Windows\System32\QnaKJCV.exe

Filesize
1.3MB

MD5
4129f6905e4e89bab45845068f1f0d9c

SHA1
6b115f80907ec13536c104eb29a802b4dd4d2411

SHA256
55f06065b7e25292c8aaa4a0324103dcf94d1408143ce830b3eb5762741831d9

SHA512
e61a043c08a692a037c6514b29d5da43e1ef23d05c5f8ac35ab3d3f5f582b27c81ca24344a141d6690b8791d9f1404d77cdad125372ba6dcb597ca39b124a02d

Download Submit
C:\Windows\System32\RPWqpwz.exe

Filesize
1.3MB

MD5
1de9bf8b54d7de82061e85f70a2076fd

SHA1
0edd14400bee92969b60aacb2abe95e4dd5bbfa8

SHA256
5da7ec663fbd460107ff768085e7cd33a7e678b099a0289cdfe9081b06ebbfdc

SHA512
c0f87a8e8e05e677fb19ed3f9ef77e76d392cb19a6762cc901398d2ed31b0a574806668e597448e3c064ea0fed12f318d4ede557f9d6a97b7ff538b921bea83f

Download Submit
C:\Windows\System32\TUIZTBK.exe

Filesize
1.3MB

MD5
fdc5b061bd3d65086a31a9bf3fd674e4

SHA1
100680e0f077f0385a65feb83f1870b0226b0c5e

SHA256
9435c63522d8bbda595d979acaddb85e103e6238754f497185b93897ff5e8fed

SHA512
f19d9f481c8fe3759b9a8ba5de06a088171d1d8bd4c18796046e07ce5ebfef5386c2702c04b9bed52c8784cd35f057d644404b83b417452f4a9173abf7877501

Download Submit
C:\Windows\System32\VOhnIlL.exe

Filesize
1.3MB

MD5
c253d80f238878879d21e0a26e8136ec

SHA1
f1144e1cf940fd9d04651eaa750cfa122b03b2a2

SHA256
f11f678dc5025654a394e05a9292b4bdfbe197b95692062f0939de860aa67bc5

SHA512
af4e0676af9b331204df554df6ca1074d996512f12a0c8ab4a3bbe726322a09606f103bff45474769c551ff3bfef3fecc09e54e57f9ec20a9be4791f044526a0

Download Submit
C:\Windows\System32\VnRHUaL.exe

Filesize
1.3MB

MD5
2e16181c994b884638288f552054b435

SHA1
0786e743e5d3a469a8e3ad2c1837e40c58c91ac1

SHA256
25e36d7e6d215be149e8ef56b5ce44d482dae97bd42e7028911150623e7d2cd7

SHA512
6cdb89d30825c5f8f8b978b7435fa8b073f7780eb4fe0c2530328de9c091227cdf881765e357891c85c2b6b1906182e718637c7cb92524abbabc44f2a3f65f70

Download Submit
C:\Windows\System32\YCopCTK.exe

Filesize
1.3MB

MD5
cc88d3c3858c7c9c13f00119095983c8

SHA1
cefda237cce7c552080a619622f570547caa92eb

SHA256
a603f95c8e470a72b1570df274387f5cb9b0a361d3c58aff7f59568721690d21

SHA512
5039c8e03889e9232c3c91d1c549a6f38ccd2c3e5d011a8b88d723f5dc7422a9337619f14b3dfe5ae16066773790ab10a0e263d1b0a705a97169b84a4146bb75

Download Submit
C:\Windows\System32\ZfaTzWO.exe

Filesize
1.3MB

MD5
70a997f2c99d4ffaeedb0e4709c2d40b

SHA1
6734e1757f667ec1d78c4835948c4768c315ff0d

SHA256
f0e8584741d1a5729bfa070b182abb0fa222b1924e269361e00dcbcc331cfe13

SHA512
ea63ca7e646b3c4fe934eacc42c146c4e29be30d21ff4e5879db00665af94ef23b17fef5c2c23b022e3bcd1197e7ecc1a453c3642d64f568128622494998f221

Download Submit
C:\Windows\System32\ecBXhff.exe

Filesize
1.3MB

MD5
faa4acc533add426bb50140f4f87c75d

SHA1
8d7c082e2c867d18da29b45d182f9334a77a127c

SHA256
2a5178b64944536ad67d9fb55689d091b608193a006cfbecb5716972634be152

SHA512
17dbfb01a859cfde629bc5fb86569e0a18ecc6c7b9efadcab8c6f3e13655e009250ea6889f5304a7a07b6c735cf6fd853d2010a84304e362011da2e1ce47c773

Download Submit
C:\Windows\System32\iDHQays.exe

Filesize
1.3MB

MD5
0629e32f3cf1b8f5e2f68b3388a67e8a

SHA1
85648356dbdd0089eaf421fc6560453975b1bf36

SHA256
a745fd0df66774891076f30867b778146dae6b04f6f1835ee82c71c4be5a7cb5

SHA512
7c1c86a3c5e99b0e649877d41772213cbca3d1c85ad2be3687c45dda40c783e6b2d2e65c22e743bfcf4970f72be6e85684c9cf8eeee474028538d46878ab0f4e

Download Submit
C:\Windows\System32\jxjhgkq.exe

Filesize
1.3MB

MD5
e6f33daef466d4f8628a80233e3a61d2

SHA1
e22c23177710e68e530ce774f68a7f7671620df3

SHA256
a6588f02022c88ea67f5b0cd76b2d0046c0604ea8de3c4dc8584f8e8dbdf17fe

SHA512
274791e1999c24f22fd8c11155545154dec0025297725bfba91db7667275361b20801629cfb9c09dac587137159e4d8b5034714c9f02f3a0dfcd7cfcea50848c

Download Submit
C:\Windows\System32\kpSxMFE.exe

Filesize
1.3MB

MD5
8bd1a0b4fbb79531eadf0cba9c4aeeba

SHA1
6613acc21cf2abe63c3d0d6277179dd4d2cfebc0

SHA256
0659a1269cce41ef34296ec3a6762965890c1f21baa4760da2613b1358c1940c

SHA512
26e086b9ff4ce5bb08514066ca7a27d45237f474c13e220c7549e419af0f94e1a087fe4e4edd6c6a7a59087588645bbdbc95d123306d92f6c91644605eeed61b

Download Submit
C:\Windows\System32\lFWWUWh.exe

Filesize
1.3MB

MD5
f50127b24715525a19086858b8331253

SHA1
3da4b25daae1b00a1e7fd94fd03f41610287e472

SHA256
c5dcfbc01d1ee289943237cc5b9cde03114488f7d7963dc031f8cb309cbfe769

SHA512
61a4867983c7ca2c6f23609840a78b0b6453df4e5f835c07801db872f661f21cb4bc42ca0068bf1a24bbbcf4d26d2ee7a2c66b4285dcdf07c6b5a1035c5f47bb

Download Submit
C:\Windows\System32\nDAxHpQ.exe

Filesize
1.3MB

MD5
16ef305a41f9e09e96efdd424dc3df6e

SHA1
14178a43ba6f44af960bbdb70530a63ce6b2def7

SHA256
5c1afa52607d2b597be1ee72f84d0d474be33c50c995848a369eaab6d72ced01

SHA512
7f5ea343fb3dbd658d4b747ef241374c57d34706ba564ac35e5b0f60e6edbe007135c0a4268de680b799c7bcd6cac730b37c3908656638e47bc6f28113073dd9

Download Submit
C:\Windows\System32\obZsvPc.exe

Filesize
1.3MB

MD5
dd2430765a33803e304d09b8ef95fc6f

SHA1
4079180a779c4d865fefcdf1e80f1a7f10817eec

SHA256
6c3d91d318cf91252fa38ebb8c051bdc7bb8f61ae47957bcfa458a1a6d95f1fb

SHA512
397a36508e4cbf127185b8af3defca0e2e38ef338feb23baa1ff39fcd289e0103303a5ce8950a8e2c3c3d64f1c2bbf1345defd73d6aa4f83905e23c982d59287

Download Submit
C:\Windows\System32\obtlhtC.exe

Filesize
1.3MB

MD5
f59153686e39c37645d32b00e6846a1b

SHA1
83609270a7121ce3421e7174156ed5b16cac4c0f

SHA256
bc1214b16f03667042aa33a894ca2939ab577effc40e34820a5825aede25a125

SHA512
a2865252e53467393529b307ee30d14d8a7d4ca64e91f272a2f8ace2dbe02b0e039352aa924b799c7ccb5daf0c65ad6c93edaca8998aa10e16ca850c64fdd6d6

Download Submit
C:\Windows\System32\sPOuJwg.exe

Filesize
1.3MB

MD5
c2026e1b148f208ce64ae3fbf52aaecf

SHA1
83b4b0a5f6886edff720d42db5fca1c9150f7915

SHA256
6ca83f3b2b76ffd2bbd12919e835b3924030eab31672b503639d8b7ff77d98f5

SHA512
c95fcd9c61d1bd34e339ab3633210a753fd09dd25f323638fe48892f828e32605989031b1c47604fa19c793c153fd0bbb9b8543118a9aaa29c5396ee09db6a2a

Download Submit
C:\Windows\System32\vcvbBAw.exe

Filesize
1.3MB

MD5
4d400b82c9ed0389171984e5a1bcfa5b

SHA1
b4fc22e305baab73f5280ed60b6f1c0f87761ccd

SHA256
84715301f6554a8a56d9782cf2c26b8efa3dfd6b4aa87f6e4692241048ea6297

SHA512
57085df22a75dced379dc663cf151c4dd72195703465d7e31893661fe0006e90db47069d9cb712958174e65bb6d898fbf217a32e0c83e3d0a188f0e3bfed3098

Download Submit
C:\Windows\System32\wVuTdNn.exe

Filesize
1.3MB

MD5
91e0e5413ff13fcbf7118e70479bfa5d

SHA1
898214e05108cd57a1a99bc6fd3e3d347fd82176

SHA256
3e52e18054f1b85d628af2fb4ef84e8da68b970b5c37ac5964d4c47c511998da

SHA512
9d9687afe85d05d4ecdedc3c215fc1baf06f9a8cf640b156bb7f0fecb8f5b306b63adcb75e4fc85ad46ab7fb5cc85663d9abccc7ce64762d3c26bb730f6d2c7d

Download Submit
C:\Windows\System32\wnUBQfS.exe

Filesize
1.3MB

MD5
7e31179725821440f78702822e50c9d7

SHA1
7e02b0ac983635a42eb42d35270dfb270c551f59

SHA256
e1d2182ab96eac76b8dcd8363c30ea10a3b6b6a791581fe62186154f1fe87d99

SHA512
81a7fdff1cbd7029688970498140ce7490f144b0e3d1583a952208f2248186e321ce72eeb1173f44d43253ecdc30e0ff538971d9ad8d3289d618e5fc3ddd8884

Download Submit
C:\Windows\System32\xhcYXXy.exe

Filesize
1.3MB

MD5
5359b8abc0d6c36e9f8050f8c1171c91

SHA1
670228183b02adb6487b1b299ae34a481480867c

SHA256
a1e5c9c8b15fe772f26c47fdbc385cd197962d6171d138b0428dcc96126231ba

SHA512
770de8bd000a06ef1d20cb2c140c02bf23ee853633a1674c6089b681587d61c875a232c22c687bcb5eec9c46f276eb96136dbbbe764f0ec6811f32a0967500b8

Download Submit
C:\Windows\System32\ypwaGCH.exe

Filesize
1.3MB

MD5
b1878618e452358d11da3f7125bac3fd

SHA1
ea15a9020220abf17cf0199e81814107470419c3

SHA256
9c0fd979396cc95244c9c549c437d89d08b7d6643ffedd80e7d3da7c46545829

SHA512
a729d87eec5e054a11e9e631ee923a6bea47737dd0acff30fb1259b3be60de027a50acfabba05e71346807e141851f46d9e38558e097d1144340886289c549b6

Download Submit
memory/716-128-0x00007FF79F550000-0x00007FF79F941000-memory.dmp

Filesize
3.9MB

Download
memory/732-0-0x00007FF6CC610000-0x00007FF6CCA01000-memory.dmp

Filesize
3.9MB

Download
memory/732-1-0x0000026B18940000-0x0000026B18950000-memory.dmp

Filesize
64KB

Download
memory/732-137-0x00007FF6CC610000-0x00007FF6CCA01000-memory.dmp

Filesize
3.9MB

Download
memory/848-131-0x00007FF62C6E0000-0x00007FF62CAD1000-memory.dmp

Filesize
3.9MB

Download
memory/968-189-0x00007FF7CE400000-0x00007FF7CE7F1000-memory.dmp

Filesize
3.9MB

Download
memory/1176-99-0x00007FF7435F0000-0x00007FF7439E1000-memory.dmp

Filesize
3.9MB

Download
memory/1456-244-0x00007FF758460000-0x00007FF758851000-memory.dmp

Filesize
3.9MB

Download
memory/1456-62-0x00007FF758460000-0x00007FF758851000-memory.dmp

Filesize
3.9MB

Download
memory/1600-210-0x00007FF76AF90000-0x00007FF76B381000-memory.dmp

Filesize
3.9MB

Download
memory/1664-207-0x00007FF6550A0000-0x00007FF655491000-memory.dmp

Filesize
3.9MB

Download
memory/1988-77-0x00007FF61DE90000-0x00007FF61E281000-memory.dmp

Filesize
3.9MB

Download
memory/2236-259-0x00007FF621D70000-0x00007FF622161000-memory.dmp

Filesize
3.9MB

Download
memory/2236-108-0x00007FF621D70000-0x00007FF622161000-memory.dmp

Filesize
3.9MB

Download
memory/2324-232-0x00007FF6510F0000-0x00007FF6514E1000-memory.dmp

Filesize
3.9MB

Download
memory/2420-174-0x00007FF7E7CE0000-0x00007FF7E80D1000-memory.dmp

Filesize
3.9MB

Download
memory/2420-17-0x00007FF7E7CE0000-0x00007FF7E80D1000-memory.dmp

Filesize
3.9MB

Download
memory/2436-26-0x00007FF77B380000-0x00007FF77B771000-memory.dmp

Filesize
3.9MB

Download
memory/2436-217-0x00007FF77B380000-0x00007FF77B771000-memory.dmp

Filesize
3.9MB

Download
memory/2472-230-0x00007FF7D4750000-0x00007FF7D4B41000-memory.dmp

Filesize
3.9MB

Download
memory/2508-225-0x00007FF662540000-0x00007FF662931000-memory.dmp

Filesize
3.9MB

Download
memory/2536-292-0x00007FF6D82D0000-0x00007FF6D86C1000-memory.dmp

Filesize
3.9MB

Download
memory/2580-276-0x00007FF738F30000-0x00007FF739321000-memory.dmp

Filesize
3.9MB

Download
memory/2616-200-0x00007FF7BFC10000-0x00007FF7C0001000-memory.dmp

Filesize
3.9MB

Download
memory/2636-103-0x00007FF6C70C0000-0x00007FF6C74B1000-memory.dmp

Filesize
3.9MB

Download
memory/2660-197-0x00007FF7508F0000-0x00007FF750CE1000-memory.dmp

Filesize
3.9MB

Download
memory/2664-145-0x00007FF7760D0000-0x00007FF7764C1000-memory.dmp

Filesize
3.9MB

Download
memory/2788-69-0x00007FF600420000-0x00007FF600811000-memory.dmp

Filesize
3.9MB

Download
memory/2788-246-0x00007FF600420000-0x00007FF600811000-memory.dmp

Filesize
3.9MB

Download
memory/2832-122-0x00007FF757C70000-0x00007FF758061000-memory.dmp

Filesize
3.9MB

Download
memory/2964-11-0x00007FF6A5C90000-0x00007FF6A6081000-memory.dmp

Filesize
3.9MB

Download
memory/2964-144-0x00007FF6A5C90000-0x00007FF6A6081000-memory.dmp

Filesize
3.9MB

Download
memory/2996-202-0x00007FF633A70000-0x00007FF633E61000-memory.dmp

Filesize
3.9MB

Download
memory/3028-212-0x00007FF752130000-0x00007FF752521000-memory.dmp

Filesize
3.9MB

Download
memory/3056-249-0x00007FF792560000-0x00007FF792951000-memory.dmp

Filesize
3.9MB

Download
memory/3068-195-0x00007FF7399D0000-0x00007FF739DC1000-memory.dmp

Filesize
3.9MB

Download
memory/3192-258-0x00007FF601040000-0x00007FF601431000-memory.dmp

Filesize
3.9MB

Download
memory/3208-184-0x00007FF668E30000-0x00007FF669221000-memory.dmp

Filesize
3.9MB

Download
memory/3212-267-0x00007FF6C70C0000-0x00007FF6C74B1000-memory.dmp

Filesize
3.9MB

Download
memory/3296-94-0x00007FF607DB0000-0x00007FF6081A1000-memory.dmp

Filesize
3.9MB

Download
memory/3320-148-0x00007FF699BC0000-0x00007FF699FB1000-memory.dmp

Filesize
3.9MB

Download
memory/3320-277-0x00007FF699BC0000-0x00007FF699FB1000-memory.dmp

Filesize
3.9MB

Download
memory/3712-239-0x00007FF751830000-0x00007FF751C21000-memory.dmp

Filesize
3.9MB

Download
memory/3724-220-0x00007FF67B480000-0x00007FF67B871000-memory.dmp

Filesize
3.9MB

Download
memory/3732-254-0x00007FF7E1C40000-0x00007FF7E2031000-memory.dmp

Filesize
3.9MB

Download
memory/3868-251-0x00007FF6949D0000-0x00007FF694DC1000-memory.dmp

Filesize
3.9MB

Download
memory/4028-33-0x00007FF7815D0000-0x00007FF7819C1000-memory.dmp

Filesize
3.9MB

Download
memory/4028-227-0x00007FF7815D0000-0x00007FF7819C1000-memory.dmp

Filesize
3.9MB

Download
memory/4036-269-0x00007FF7F45A0000-0x00007FF7F4991000-memory.dmp

Filesize
3.9MB

Download
memory/4064-241-0x00007FF6FBFD0000-0x00007FF6FC3C1000-memory.dmp

Filesize
3.9MB

Download
memory/4064-52-0x00007FF6FBFD0000-0x00007FF6FC3C1000-memory.dmp

Filesize
3.9MB

Download
memory/4132-115-0x00007FF65D380000-0x00007FF65D771000-memory.dmp

Filesize
3.9MB

Download
memory/4132-256-0x00007FF65D380000-0x00007FF65D771000-memory.dmp

Filesize
3.9MB

Download
memory/4312-215-0x00007FF65AD80000-0x00007FF65B171000-memory.dmp

Filesize
3.9MB

Download
memory/4416-222-0x00007FF6E4CA0000-0x00007FF6E5091000-memory.dmp

Filesize
3.9MB

Download
memory/4524-191-0x00007FF720750000-0x00007FF720B41000-memory.dmp

Filesize
3.9MB

Download
memory/4712-134-0x00007FF71AC70000-0x00007FF71B061000-memory.dmp

Filesize
3.9MB

Download
memory/4736-142-0x00007FF6AC370000-0x00007FF6AC761000-memory.dmp

Filesize
3.9MB

Download
memory/4780-205-0x00007FF6CA610000-0x00007FF6CAA01000-memory.dmp

Filesize
3.9MB

Download
memory/4780-23-0x00007FF6CA610000-0x00007FF6CAA01000-memory.dmp

Filesize
3.9MB

Download
memory/4900-124-0x00007FF61AA60000-0x00007FF61AE51000-memory.dmp

Filesize
3.9MB

Download
memory/4976-38-0x00007FF6B0130000-0x00007FF6B0521000-memory.dmp

Filesize
3.9MB

Download
memory/4976-235-0x00007FF6B0130000-0x00007FF6B0521000-memory.dmp

Filesize
3.9MB

Download
memory/5060-271-0x00007FF600CC0000-0x00007FF6010B1000-memory.dmp

Filesize
3.9MB

Download
memory/5108-106-0x00007FF74D610000-0x00007FF74DA01000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads