xmrig | 6372e71c3a6ae9430c605d4068a23a1969a32a89787dfa9a8fa10a6c98056224

Analysis

max time kernel
97s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
Size

1.3MB
MD5

016879d83620823cfed09056e2d5298d
SHA1

274b18949a2029d97ca2ef35a0ed6ade3505a11a
SHA256

6372e71c3a6ae9430c605d4068a23a1969a32a89787dfa9a8fa10a6c98056224
SHA512

6cd45984007ac149567593d4fe877e6de78cdad387afd2e5a213afbda893c0af795801130907add35560a6ac4579182fea9d9098abf2377f8bb6f4594595bccd
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIO6zRIhRmuSOeR:knw9oUUEEDlGUh+hN8

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2792-384-0x00007FF62B150000-0x00007FF62B541000-memory.dmp	xmrig
behavioral2/memory/1892-385-0x00007FF6F9260000-0x00007FF6F9651000-memory.dmp	xmrig
behavioral2/memory/2640-386-0x00007FF7199B0000-0x00007FF719DA1000-memory.dmp	xmrig
behavioral2/memory/5064-388-0x00007FF6AADE0000-0x00007FF6AB1D1000-memory.dmp	xmrig
behavioral2/memory/1076-389-0x00007FF61EF60000-0x00007FF61F351000-memory.dmp	xmrig
behavioral2/memory/3720-387-0x00007FF6C2770000-0x00007FF6C2B61000-memory.dmp	xmrig
behavioral2/memory/1092-394-0x00007FF70F640000-0x00007FF70FA31000-memory.dmp	xmrig
behavioral2/memory/3976-413-0x00007FF6F93A0000-0x00007FF6F9791000-memory.dmp	xmrig
behavioral2/memory/4592-397-0x00007FF7843F0000-0x00007FF7847E1000-memory.dmp	xmrig
behavioral2/memory/4440-404-0x00007FF6AA090000-0x00007FF6AA481000-memory.dmp	xmrig
behavioral2/memory/2396-419-0x00007FF686540000-0x00007FF686931000-memory.dmp	xmrig
behavioral2/memory/3864-426-0x00007FF6BAB40000-0x00007FF6BAF31000-memory.dmp	xmrig
behavioral2/memory/3064-437-0x00007FF7B7CC0000-0x00007FF7B80B1000-memory.dmp	xmrig
behavioral2/memory/4940-423-0x00007FF636BB0000-0x00007FF636FA1000-memory.dmp	xmrig
behavioral2/memory/2104-444-0x00007FF6288E0000-0x00007FF628CD1000-memory.dmp	xmrig
behavioral2/memory/3528-449-0x00007FF6569E0000-0x00007FF656DD1000-memory.dmp	xmrig
behavioral2/memory/1688-457-0x00007FF7D85B0000-0x00007FF7D89A1000-memory.dmp	xmrig
behavioral2/memory/4200-465-0x00007FF7C4730000-0x00007FF7C4B21000-memory.dmp	xmrig
behavioral2/memory/3616-464-0x00007FF7E7AC0000-0x00007FF7E7EB1000-memory.dmp	xmrig
behavioral2/memory/1300-475-0x00007FF7B90D0000-0x00007FF7B94C1000-memory.dmp	xmrig
behavioral2/memory/3276-482-0x00007FF6921A0000-0x00007FF692591000-memory.dmp	xmrig
behavioral2/memory/5104-484-0x00007FF75F370000-0x00007FF75F761000-memory.dmp	xmrig
behavioral2/memory/2792-2028-0x00007FF62B150000-0x00007FF62B541000-memory.dmp	xmrig
behavioral2/memory/4752-2031-0x00007FF6A80A0000-0x00007FF6A8491000-memory.dmp	xmrig
behavioral2/memory/4752-2056-0x00007FF6A80A0000-0x00007FF6A8491000-memory.dmp	xmrig
behavioral2/memory/3276-2060-0x00007FF6921A0000-0x00007FF692591000-memory.dmp	xmrig
behavioral2/memory/3220-2062-0x00007FF7CC110000-0x00007FF7CC501000-memory.dmp	xmrig
behavioral2/memory/2792-2058-0x00007FF62B150000-0x00007FF62B541000-memory.dmp	xmrig
behavioral2/memory/2396-2066-0x00007FF686540000-0x00007FF686931000-memory.dmp	xmrig
behavioral2/memory/5104-2064-0x00007FF75F370000-0x00007FF75F761000-memory.dmp	xmrig
behavioral2/memory/3720-2084-0x00007FF6C2770000-0x00007FF6C2B61000-memory.dmp	xmrig
behavioral2/memory/1092-2082-0x00007FF70F640000-0x00007FF70FA31000-memory.dmp	xmrig
behavioral2/memory/5064-2080-0x00007FF6AADE0000-0x00007FF6AB1D1000-memory.dmp	xmrig
behavioral2/memory/1076-2078-0x00007FF61EF60000-0x00007FF61F351000-memory.dmp	xmrig
behavioral2/memory/4592-2076-0x00007FF7843F0000-0x00007FF7847E1000-memory.dmp	xmrig
behavioral2/memory/4440-2074-0x00007FF6AA090000-0x00007FF6AA481000-memory.dmp	xmrig
behavioral2/memory/2640-2070-0x00007FF7199B0000-0x00007FF719DA1000-memory.dmp	xmrig
behavioral2/memory/1892-2072-0x00007FF6F9260000-0x00007FF6F9651000-memory.dmp	xmrig
behavioral2/memory/3976-2068-0x00007FF6F93A0000-0x00007FF6F9791000-memory.dmp	xmrig
behavioral2/memory/3864-2091-0x00007FF6BAB40000-0x00007FF6BAF31000-memory.dmp	xmrig
behavioral2/memory/3616-2111-0x00007FF7E7AC0000-0x00007FF7E7EB1000-memory.dmp	xmrig
behavioral2/memory/1300-2106-0x00007FF7B90D0000-0x00007FF7B94C1000-memory.dmp	xmrig
behavioral2/memory/2104-2101-0x00007FF6288E0000-0x00007FF628CD1000-memory.dmp	xmrig
behavioral2/memory/3528-2099-0x00007FF6569E0000-0x00007FF656DD1000-memory.dmp	xmrig
behavioral2/memory/1688-2096-0x00007FF7D85B0000-0x00007FF7D89A1000-memory.dmp	xmrig
behavioral2/memory/3064-2089-0x00007FF7B7CC0000-0x00007FF7B80B1000-memory.dmp	xmrig
behavioral2/memory/4200-2109-0x00007FF7C4730000-0x00007FF7C4B21000-memory.dmp	xmrig
behavioral2/memory/4940-2087-0x00007FF636BB0000-0x00007FF636FA1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

Processes:

QBinvvq.exeWJylISI.exeFsQiUqY.exetjnwtCK.exeoenUrEr.exeuJgqOCi.exeATYCZKC.exefaTLrUu.exetfRVhtV.exeoxTQDAf.exejrbPYVn.exeirMCMSs.execxTPcOU.exezIjZRrN.exehdDSITU.exejGJYNen.execwylglQ.exeIiwzqRX.exeouCvIiZ.execgJvcMt.exeuqqmkIS.exeqDPntCP.exeqAKoSgh.exelHiMePC.exeZgSCYDv.exewWuNZlw.exeExTPqps.exeSgOjykB.exeIJXJhCm.exenjUTTbZ.exeMbeQVoo.exePahIpAb.exemQXaaML.exerRJmfwp.exebiewopH.exeWQXBlnW.exepOjSbuL.exevlGrtPb.exeFzYhaWK.exezfqjVff.exeMAjZcgD.exehDvmPUQ.exeyBZWTcR.exeRxAOdno.exeDwhNzHI.exeaBOHhFk.exesReVHOA.exeisyqXew.exeDqWLBWc.exeTLGfCdw.exepmwkKTM.exeRtNBwGV.exejubvGiL.exeMBkMfkc.exeJzfnpIs.exefwwypPe.exeNfrPOkd.exeYDZonlR.exeHtNPqoq.exedPNtHjN.exelIIapUe.exeRtGxhpm.exefGHGfTH.exeugHoRNZ.exe

pid	process
4752	QBinvvq.exe
3220	WJylISI.exe
3276	FsQiUqY.exe
2792	tjnwtCK.exe
5104	oenUrEr.exe
1892	uJgqOCi.exe
2640	ATYCZKC.exe
3720	faTLrUu.exe
5064	tfRVhtV.exe
1076	oxTQDAf.exe
1092	jrbPYVn.exe
4592	irMCMSs.exe
4440	cxTPcOU.exe
3976	zIjZRrN.exe
2396	hdDSITU.exe
4940	jGJYNen.exe
3864	cwylglQ.exe
3064	IiwzqRX.exe
2104	ouCvIiZ.exe
3528	cgJvcMt.exe
1688	uqqmkIS.exe
3616	qDPntCP.exe
4200	qAKoSgh.exe
1300	lHiMePC.exe
1408	ZgSCYDv.exe
5052	wWuNZlw.exe
1828	ExTPqps.exe
3044	SgOjykB.exe
812	IJXJhCm.exe
464	njUTTbZ.exe
1100	MbeQVoo.exe
1344	PahIpAb.exe
1736	mQXaaML.exe
1612	rRJmfwp.exe
4524	biewopH.exe
4068	WQXBlnW.exe
4176	pOjSbuL.exe
4064	vlGrtPb.exe
3048	FzYhaWK.exe
448	zfqjVff.exe
452	MAjZcgD.exe
2336	hDvmPUQ.exe
3532	yBZWTcR.exe
456	RxAOdno.exe
1144	DwhNzHI.exe
1572	aBOHhFk.exe
224	sReVHOA.exe
3692	isyqXew.exe
1356	DqWLBWc.exe
1700	TLGfCdw.exe
4324	pmwkKTM.exe
1148	RtNBwGV.exe
3176	jubvGiL.exe
3188	MBkMfkc.exe
704	JzfnpIs.exe
1732	fwwypPe.exe
1972	NfrPOkd.exe
4620	YDZonlR.exe
4604	HtNPqoq.exe
4936	dPNtHjN.exe
2064	lIIapUe.exe
1256	RtGxhpm.exe
2900	fGHGfTH.exe
3328	ugHoRNZ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4460-0-0x00007FF79FF20000-0x00007FF7A0311000-memory.dmp	upx
C:\Windows\System32\WJylISI.exe	upx
C:\Windows\System32\QBinvvq.exe	upx
C:\Windows\System32\FsQiUqY.exe	upx
behavioral2/memory/3220-24-0x00007FF7CC110000-0x00007FF7CC501000-memory.dmp	upx
C:\Windows\System32\oenUrEr.exe	upx
C:\Windows\System32\faTLrUu.exe	upx
C:\Windows\System32\tfRVhtV.exe	upx
C:\Windows\System32\irMCMSs.exe	upx
C:\Windows\System32\hdDSITU.exe	upx
C:\Windows\System32\cwylglQ.exe	upx
C:\Windows\System32\ouCvIiZ.exe	upx
C:\Windows\System32\qDPntCP.exe	upx
C:\Windows\System32\lHiMePC.exe	upx
C:\Windows\System32\wWuNZlw.exe	upx
C:\Windows\System32\SgOjykB.exe	upx
C:\Windows\System32\PahIpAb.exe	upx
C:\Windows\System32\MbeQVoo.exe	upx
behavioral2/memory/2792-384-0x00007FF62B150000-0x00007FF62B541000-memory.dmp	upx
C:\Windows\System32\njUTTbZ.exe	upx
C:\Windows\System32\IJXJhCm.exe	upx
C:\Windows\System32\ExTPqps.exe	upx
C:\Windows\System32\ZgSCYDv.exe	upx
C:\Windows\System32\qAKoSgh.exe	upx
C:\Windows\System32\uqqmkIS.exe	upx
C:\Windows\System32\cgJvcMt.exe	upx
C:\Windows\System32\IiwzqRX.exe	upx
C:\Windows\System32\jGJYNen.exe	upx
C:\Windows\System32\zIjZRrN.exe	upx
C:\Windows\System32\cxTPcOU.exe	upx
C:\Windows\System32\jrbPYVn.exe	upx
C:\Windows\System32\oxTQDAf.exe	upx
C:\Windows\System32\ATYCZKC.exe	upx
C:\Windows\System32\uJgqOCi.exe	upx
C:\Windows\System32\tjnwtCK.exe	upx
behavioral2/memory/4752-15-0x00007FF6A80A0000-0x00007FF6A8491000-memory.dmp	upx
behavioral2/memory/1892-385-0x00007FF6F9260000-0x00007FF6F9651000-memory.dmp	upx
behavioral2/memory/2640-386-0x00007FF7199B0000-0x00007FF719DA1000-memory.dmp	upx
behavioral2/memory/5064-388-0x00007FF6AADE0000-0x00007FF6AB1D1000-memory.dmp	upx
behavioral2/memory/1076-389-0x00007FF61EF60000-0x00007FF61F351000-memory.dmp	upx
behavioral2/memory/3720-387-0x00007FF6C2770000-0x00007FF6C2B61000-memory.dmp	upx
behavioral2/memory/1092-394-0x00007FF70F640000-0x00007FF70FA31000-memory.dmp	upx
behavioral2/memory/3976-413-0x00007FF6F93A0000-0x00007FF6F9791000-memory.dmp	upx
behavioral2/memory/4592-397-0x00007FF7843F0000-0x00007FF7847E1000-memory.dmp	upx
behavioral2/memory/4440-404-0x00007FF6AA090000-0x00007FF6AA481000-memory.dmp	upx
behavioral2/memory/2396-419-0x00007FF686540000-0x00007FF686931000-memory.dmp	upx
behavioral2/memory/3864-426-0x00007FF6BAB40000-0x00007FF6BAF31000-memory.dmp	upx
behavioral2/memory/3064-437-0x00007FF7B7CC0000-0x00007FF7B80B1000-memory.dmp	upx
behavioral2/memory/4940-423-0x00007FF636BB0000-0x00007FF636FA1000-memory.dmp	upx
behavioral2/memory/2104-444-0x00007FF6288E0000-0x00007FF628CD1000-memory.dmp	upx
behavioral2/memory/3528-449-0x00007FF6569E0000-0x00007FF656DD1000-memory.dmp	upx
behavioral2/memory/1688-457-0x00007FF7D85B0000-0x00007FF7D89A1000-memory.dmp	upx
behavioral2/memory/4200-465-0x00007FF7C4730000-0x00007FF7C4B21000-memory.dmp	upx
behavioral2/memory/3616-464-0x00007FF7E7AC0000-0x00007FF7E7EB1000-memory.dmp	upx
behavioral2/memory/1300-475-0x00007FF7B90D0000-0x00007FF7B94C1000-memory.dmp	upx
behavioral2/memory/3276-482-0x00007FF6921A0000-0x00007FF692591000-memory.dmp	upx
behavioral2/memory/5104-484-0x00007FF75F370000-0x00007FF75F761000-memory.dmp	upx
behavioral2/memory/2792-2028-0x00007FF62B150000-0x00007FF62B541000-memory.dmp	upx
behavioral2/memory/4752-2031-0x00007FF6A80A0000-0x00007FF6A8491000-memory.dmp	upx
behavioral2/memory/4752-2056-0x00007FF6A80A0000-0x00007FF6A8491000-memory.dmp	upx
behavioral2/memory/3276-2060-0x00007FF6921A0000-0x00007FF692591000-memory.dmp	upx
behavioral2/memory/3220-2062-0x00007FF7CC110000-0x00007FF7CC501000-memory.dmp	upx
behavioral2/memory/2792-2058-0x00007FF62B150000-0x00007FF62B541000-memory.dmp	upx
behavioral2/memory/2396-2066-0x00007FF686540000-0x00007FF686931000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

Processes:

016879d83620823cfed09056e2d5298d_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\System32\vkKrzpI.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\DleQLnx.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\VLnMyTl.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\MuSozTi.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\jLpeHhi.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\MdOfSni.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\lcugaut.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\hdDSITU.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\hDvmPUQ.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\kCdbgvC.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\fUWAaUF.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\nAqvNMQ.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\FLMAdrD.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\ZIHcgtT.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\jNIdYGk.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\wrvNHcX.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\cxTPcOU.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\TLGfCdw.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\SPYpVMr.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\QEDppjf.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\bENDXXu.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\LMCMMbf.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\MxXHPva.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\DURTpVm.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\XxVbxwF.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\GLPthyR.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\fwasBlc.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\fvKqhoX.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\LZgrymS.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\czQkIBB.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\qAGHOss.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\nBmVNIZ.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\Vjtdlvq.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\MdtYVyy.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\xRewlLz.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\AbYAcuU.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\xGqsJgJ.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\uWBbRdE.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\YZPlguF.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\lrHKIDn.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\hkciJWl.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\JiBQOdM.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\OFQEMPE.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\PBBSWrS.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\fimxKsC.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\EbAPwrK.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\KBZLrdF.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\PxSDVTa.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\HNzYVUy.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\JBfAbnq.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\WZOLRRl.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\sReVHOA.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\sjEMSGW.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\prKxTTs.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\tYjKXXN.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\ecdFYzR.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\pHJGDOj.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\qarDVIS.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\aJEbFVg.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\lMQBATL.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\PlpLXHp.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\uPljtdv.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\CGKRplL.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
File created	C:\Windows\System32\zbeTwVw.exe	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

dwm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

dwm.exe

description	pid	process
Token: SeCreateGlobalPrivilege	4996	dwm.exe
Token: SeChangeNotifyPrivilege	4996	dwm.exe
Token: 33	4996	dwm.exe
Token: SeIncBasePriorityPrivilege	4996	dwm.exe
Token: SeShutdownPrivilege	4996	dwm.exe
Token: SeCreatePagefilePrivilege	4996	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

016879d83620823cfed09056e2d5298d_JaffaCakes118.exe

description	pid	process	target process
PID 4460 wrote to memory of 4752	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	QBinvvq.exe
PID 4460 wrote to memory of 4752	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	QBinvvq.exe
PID 4460 wrote to memory of 3220	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	WJylISI.exe
PID 4460 wrote to memory of 3220	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	WJylISI.exe
PID 4460 wrote to memory of 3276	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	FsQiUqY.exe
PID 4460 wrote to memory of 3276	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	FsQiUqY.exe
PID 4460 wrote to memory of 2792	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	tjnwtCK.exe
PID 4460 wrote to memory of 2792	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	tjnwtCK.exe
PID 4460 wrote to memory of 5104	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	oenUrEr.exe
PID 4460 wrote to memory of 5104	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	oenUrEr.exe
PID 4460 wrote to memory of 1892	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	uJgqOCi.exe
PID 4460 wrote to memory of 1892	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	uJgqOCi.exe
PID 4460 wrote to memory of 2640	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	ATYCZKC.exe
PID 4460 wrote to memory of 2640	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	ATYCZKC.exe
PID 4460 wrote to memory of 3720	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	faTLrUu.exe
PID 4460 wrote to memory of 3720	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	faTLrUu.exe
PID 4460 wrote to memory of 5064	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	tfRVhtV.exe
PID 4460 wrote to memory of 5064	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	tfRVhtV.exe
PID 4460 wrote to memory of 1076	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	oxTQDAf.exe
PID 4460 wrote to memory of 1076	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	oxTQDAf.exe
PID 4460 wrote to memory of 1092	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	jrbPYVn.exe
PID 4460 wrote to memory of 1092	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	jrbPYVn.exe
PID 4460 wrote to memory of 4592	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	irMCMSs.exe
PID 4460 wrote to memory of 4592	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	irMCMSs.exe
PID 4460 wrote to memory of 4440	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	cxTPcOU.exe
PID 4460 wrote to memory of 4440	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	cxTPcOU.exe
PID 4460 wrote to memory of 3976	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	zIjZRrN.exe
PID 4460 wrote to memory of 3976	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	zIjZRrN.exe
PID 4460 wrote to memory of 2396	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	hdDSITU.exe
PID 4460 wrote to memory of 2396	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	hdDSITU.exe
PID 4460 wrote to memory of 4940	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	jGJYNen.exe
PID 4460 wrote to memory of 4940	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	jGJYNen.exe
PID 4460 wrote to memory of 3864	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	cwylglQ.exe
PID 4460 wrote to memory of 3864	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	cwylglQ.exe
PID 4460 wrote to memory of 3064	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	IiwzqRX.exe
PID 4460 wrote to memory of 3064	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	IiwzqRX.exe
PID 4460 wrote to memory of 2104	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	ouCvIiZ.exe
PID 4460 wrote to memory of 2104	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	ouCvIiZ.exe
PID 4460 wrote to memory of 3528	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	cgJvcMt.exe
PID 4460 wrote to memory of 3528	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	cgJvcMt.exe
PID 4460 wrote to memory of 1688	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	uqqmkIS.exe
PID 4460 wrote to memory of 1688	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	uqqmkIS.exe
PID 4460 wrote to memory of 3616	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	qDPntCP.exe
PID 4460 wrote to memory of 3616	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	qDPntCP.exe
PID 4460 wrote to memory of 4200	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	qAKoSgh.exe
PID 4460 wrote to memory of 4200	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	qAKoSgh.exe
PID 4460 wrote to memory of 1300	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	lHiMePC.exe
PID 4460 wrote to memory of 1300	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	lHiMePC.exe
PID 4460 wrote to memory of 1408	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	ZgSCYDv.exe
PID 4460 wrote to memory of 1408	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	ZgSCYDv.exe
PID 4460 wrote to memory of 5052	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	wWuNZlw.exe
PID 4460 wrote to memory of 5052	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	wWuNZlw.exe
PID 4460 wrote to memory of 1828	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	ExTPqps.exe
PID 4460 wrote to memory of 1828	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	ExTPqps.exe
PID 4460 wrote to memory of 3044	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	SgOjykB.exe
PID 4460 wrote to memory of 3044	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	SgOjykB.exe
PID 4460 wrote to memory of 812	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	IJXJhCm.exe
PID 4460 wrote to memory of 812	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	IJXJhCm.exe
PID 4460 wrote to memory of 464	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	njUTTbZ.exe
PID 4460 wrote to memory of 464	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	njUTTbZ.exe
PID 4460 wrote to memory of 1100	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	MbeQVoo.exe
PID 4460 wrote to memory of 1100	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	MbeQVoo.exe
PID 4460 wrote to memory of 1344	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	PahIpAb.exe
PID 4460 wrote to memory of 1344	4460	016879d83620823cfed09056e2d5298d_JaffaCakes118.exe	PahIpAb.exe

C:\Users\Admin\AppData\Local\Temp\016879d83620823cfed09056e2d5298d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\016879d83620823cfed09056e2d5298d_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\System32\QBinvvq.exe
C:\Windows\System32\QBinvvq.exe
2⤵
- Executes dropped EXE
PID:4752

C:\Windows\System32\WJylISI.exe
C:\Windows\System32\WJylISI.exe
2⤵
- Executes dropped EXE
PID:3220

C:\Windows\System32\FsQiUqY.exe
C:\Windows\System32\FsQiUqY.exe
2⤵
- Executes dropped EXE
PID:3276

C:\Windows\System32\tjnwtCK.exe
C:\Windows\System32\tjnwtCK.exe
2⤵
- Executes dropped EXE
PID:2792

C:\Windows\System32\oenUrEr.exe
C:\Windows\System32\oenUrEr.exe
2⤵
- Executes dropped EXE
PID:5104

C:\Windows\System32\uJgqOCi.exe
C:\Windows\System32\uJgqOCi.exe
2⤵
- Executes dropped EXE
PID:1892

C:\Windows\System32\ATYCZKC.exe
C:\Windows\System32\ATYCZKC.exe
2⤵
- Executes dropped EXE
PID:2640

C:\Windows\System32\faTLrUu.exe
C:\Windows\System32\faTLrUu.exe
2⤵
- Executes dropped EXE
PID:3720

C:\Windows\System32\tfRVhtV.exe
C:\Windows\System32\tfRVhtV.exe
2⤵
- Executes dropped EXE
PID:5064

C:\Windows\System32\oxTQDAf.exe
C:\Windows\System32\oxTQDAf.exe
2⤵
- Executes dropped EXE
PID:1076

C:\Windows\System32\jrbPYVn.exe
C:\Windows\System32\jrbPYVn.exe
2⤵
- Executes dropped EXE
PID:1092

C:\Windows\System32\irMCMSs.exe
C:\Windows\System32\irMCMSs.exe
2⤵
- Executes dropped EXE
PID:4592

C:\Windows\System32\cxTPcOU.exe
C:\Windows\System32\cxTPcOU.exe
2⤵
- Executes dropped EXE
PID:4440

C:\Windows\System32\zIjZRrN.exe
C:\Windows\System32\zIjZRrN.exe
2⤵
- Executes dropped EXE
PID:3976

C:\Windows\System32\hdDSITU.exe
C:\Windows\System32\hdDSITU.exe
2⤵
- Executes dropped EXE
PID:2396

C:\Windows\System32\jGJYNen.exe
C:\Windows\System32\jGJYNen.exe
2⤵
- Executes dropped EXE
PID:4940

C:\Windows\System32\cwylglQ.exe
C:\Windows\System32\cwylglQ.exe
2⤵
- Executes dropped EXE
PID:3864

C:\Windows\System32\IiwzqRX.exe
C:\Windows\System32\IiwzqRX.exe
2⤵
- Executes dropped EXE
PID:3064

C:\Windows\System32\ouCvIiZ.exe
C:\Windows\System32\ouCvIiZ.exe
2⤵
- Executes dropped EXE
PID:2104

C:\Windows\System32\cgJvcMt.exe
C:\Windows\System32\cgJvcMt.exe
2⤵
- Executes dropped EXE
PID:3528

C:\Windows\System32\uqqmkIS.exe
C:\Windows\System32\uqqmkIS.exe
2⤵
- Executes dropped EXE
PID:1688

C:\Windows\System32\qDPntCP.exe
C:\Windows\System32\qDPntCP.exe
2⤵
- Executes dropped EXE
PID:3616

C:\Windows\System32\qAKoSgh.exe
C:\Windows\System32\qAKoSgh.exe
2⤵
- Executes dropped EXE
PID:4200

C:\Windows\System32\lHiMePC.exe
C:\Windows\System32\lHiMePC.exe
2⤵
- Executes dropped EXE
PID:1300

C:\Windows\System32\ZgSCYDv.exe
C:\Windows\System32\ZgSCYDv.exe
2⤵
- Executes dropped EXE
PID:1408

C:\Windows\System32\wWuNZlw.exe
C:\Windows\System32\wWuNZlw.exe
2⤵
- Executes dropped EXE
PID:5052

C:\Windows\System32\ExTPqps.exe
C:\Windows\System32\ExTPqps.exe
2⤵
- Executes dropped EXE
PID:1828

C:\Windows\System32\SgOjykB.exe
C:\Windows\System32\SgOjykB.exe
2⤵
- Executes dropped EXE
PID:3044

C:\Windows\System32\IJXJhCm.exe
C:\Windows\System32\IJXJhCm.exe
2⤵
- Executes dropped EXE
PID:812

C:\Windows\System32\njUTTbZ.exe
C:\Windows\System32\njUTTbZ.exe
2⤵
- Executes dropped EXE
PID:464

C:\Windows\System32\MbeQVoo.exe
C:\Windows\System32\MbeQVoo.exe
2⤵
- Executes dropped EXE
PID:1100

C:\Windows\System32\PahIpAb.exe
C:\Windows\System32\PahIpAb.exe
2⤵
- Executes dropped EXE
PID:1344

C:\Windows\System32\mQXaaML.exe
C:\Windows\System32\mQXaaML.exe
2⤵
- Executes dropped EXE
PID:1736

C:\Windows\System32\rRJmfwp.exe
C:\Windows\System32\rRJmfwp.exe
2⤵
- Executes dropped EXE
PID:1612

C:\Windows\System32\biewopH.exe
C:\Windows\System32\biewopH.exe
2⤵
- Executes dropped EXE
PID:4524

C:\Windows\System32\WQXBlnW.exe
C:\Windows\System32\WQXBlnW.exe
2⤵
- Executes dropped EXE
PID:4068

C:\Windows\System32\pOjSbuL.exe
C:\Windows\System32\pOjSbuL.exe
2⤵
- Executes dropped EXE
PID:4176

C:\Windows\System32\vlGrtPb.exe
C:\Windows\System32\vlGrtPb.exe
2⤵
- Executes dropped EXE
PID:4064

C:\Windows\System32\FzYhaWK.exe
C:\Windows\System32\FzYhaWK.exe
2⤵
- Executes dropped EXE
PID:3048

C:\Windows\System32\zfqjVff.exe
C:\Windows\System32\zfqjVff.exe
2⤵
- Executes dropped EXE
PID:448

C:\Windows\System32\MAjZcgD.exe
C:\Windows\System32\MAjZcgD.exe
2⤵
- Executes dropped EXE
PID:452

C:\Windows\System32\hDvmPUQ.exe
C:\Windows\System32\hDvmPUQ.exe
2⤵
- Executes dropped EXE
PID:2336

C:\Windows\System32\yBZWTcR.exe
C:\Windows\System32\yBZWTcR.exe
2⤵
- Executes dropped EXE
PID:3532

C:\Windows\System32\RxAOdno.exe
C:\Windows\System32\RxAOdno.exe
2⤵
- Executes dropped EXE
PID:456

C:\Windows\System32\DwhNzHI.exe
C:\Windows\System32\DwhNzHI.exe
2⤵
- Executes dropped EXE
PID:1144

C:\Windows\System32\aBOHhFk.exe
C:\Windows\System32\aBOHhFk.exe
2⤵
- Executes dropped EXE
PID:1572

C:\Windows\System32\sReVHOA.exe
C:\Windows\System32\sReVHOA.exe
2⤵
- Executes dropped EXE
PID:224

C:\Windows\System32\isyqXew.exe
C:\Windows\System32\isyqXew.exe
2⤵
- Executes dropped EXE
PID:3692

C:\Windows\System32\DqWLBWc.exe
C:\Windows\System32\DqWLBWc.exe
2⤵
- Executes dropped EXE
PID:1356

C:\Windows\System32\TLGfCdw.exe
C:\Windows\System32\TLGfCdw.exe
2⤵
- Executes dropped EXE
PID:1700

C:\Windows\System32\pmwkKTM.exe
C:\Windows\System32\pmwkKTM.exe
2⤵
- Executes dropped EXE
PID:4324

C:\Windows\System32\RtNBwGV.exe
C:\Windows\System32\RtNBwGV.exe
2⤵
- Executes dropped EXE
PID:1148

C:\Windows\System32\jubvGiL.exe
C:\Windows\System32\jubvGiL.exe
2⤵
- Executes dropped EXE
PID:3176

C:\Windows\System32\MBkMfkc.exe
C:\Windows\System32\MBkMfkc.exe
2⤵
- Executes dropped EXE
PID:3188

C:\Windows\System32\JzfnpIs.exe
C:\Windows\System32\JzfnpIs.exe
2⤵
- Executes dropped EXE
PID:704

C:\Windows\System32\fwwypPe.exe
C:\Windows\System32\fwwypPe.exe
2⤵
- Executes dropped EXE
PID:1732

C:\Windows\System32\NfrPOkd.exe
C:\Windows\System32\NfrPOkd.exe
2⤵
- Executes dropped EXE
PID:1972

C:\Windows\System32\YDZonlR.exe
C:\Windows\System32\YDZonlR.exe
2⤵
- Executes dropped EXE
PID:4620

C:\Windows\System32\HtNPqoq.exe
C:\Windows\System32\HtNPqoq.exe
2⤵
- Executes dropped EXE
PID:4604

C:\Windows\System32\dPNtHjN.exe
C:\Windows\System32\dPNtHjN.exe
2⤵
- Executes dropped EXE
PID:4936

C:\Windows\System32\lIIapUe.exe
C:\Windows\System32\lIIapUe.exe
2⤵
- Executes dropped EXE
PID:2064

C:\Windows\System32\RtGxhpm.exe
C:\Windows\System32\RtGxhpm.exe
2⤵
- Executes dropped EXE
PID:1256

C:\Windows\System32\fGHGfTH.exe
C:\Windows\System32\fGHGfTH.exe
2⤵
- Executes dropped EXE
PID:2900

C:\Windows\System32\ugHoRNZ.exe
C:\Windows\System32\ugHoRNZ.exe
2⤵
- Executes dropped EXE
PID:3328

C:\Windows\System32\yOSATbr.exe
C:\Windows\System32\yOSATbr.exe
2⤵
PID:2024

C:\Windows\System32\rHLBMHz.exe
C:\Windows\System32\rHLBMHz.exe
2⤵
PID:3576

C:\Windows\System32\MxXHPva.exe
C:\Windows\System32\MxXHPva.exe
2⤵
PID:3980

C:\Windows\System32\cQpSnxB.exe
C:\Windows\System32\cQpSnxB.exe
2⤵
PID:1488

C:\Windows\System32\KbOmJbn.exe
C:\Windows\System32\KbOmJbn.exe
2⤵
PID:1560

C:\Windows\System32\ibqrjGP.exe
C:\Windows\System32\ibqrjGP.exe
2⤵
PID:3120

C:\Windows\System32\VNlIpaF.exe
C:\Windows\System32\VNlIpaF.exe
2⤵
PID:2160

C:\Windows\System32\ogWuYZv.exe
C:\Windows\System32\ogWuYZv.exe
2⤵
PID:624

C:\Windows\System32\yxYCdRi.exe
C:\Windows\System32\yxYCdRi.exe
2⤵
PID:2476

C:\Windows\System32\pzjXHNm.exe
C:\Windows\System32\pzjXHNm.exe
2⤵
PID:2340

C:\Windows\System32\DvGacSe.exe
C:\Windows\System32\DvGacSe.exe
2⤵
PID:4636

C:\Windows\System32\kWScwYz.exe
C:\Windows\System32\kWScwYz.exe
2⤵
PID:540

C:\Windows\System32\QgjaxbY.exe
C:\Windows\System32\QgjaxbY.exe
2⤵
PID:2300

C:\Windows\System32\gjWqdtc.exe
C:\Windows\System32\gjWqdtc.exe
2⤵
PID:1636

C:\Windows\System32\KLJySQd.exe
C:\Windows\System32\KLJySQd.exe
2⤵
PID:60

C:\Windows\System32\bkTXksK.exe
C:\Windows\System32\bkTXksK.exe
2⤵
PID:1452

C:\Windows\System32\eRqqvsB.exe
C:\Windows\System32\eRqqvsB.exe
2⤵
PID:2068

C:\Windows\System32\zzWiXTs.exe
C:\Windows\System32\zzWiXTs.exe
2⤵
PID:2556

C:\Windows\System32\DEHtFKC.exe
C:\Windows\System32\DEHtFKC.exe
2⤵
PID:4216

C:\Windows\System32\WPRYIAy.exe
C:\Windows\System32\WPRYIAy.exe
2⤵
PID:1140

C:\Windows\System32\DgBSgeS.exe
C:\Windows\System32\DgBSgeS.exe
2⤵
PID:3056

C:\Windows\System32\NBhJJFh.exe
C:\Windows\System32\NBhJJFh.exe
2⤵
PID:536

C:\Windows\System32\qbQbGHi.exe
C:\Windows\System32\qbQbGHi.exe
2⤵
PID:2696

C:\Windows\System32\YYtdHcH.exe
C:\Windows\System32\YYtdHcH.exe
2⤵
PID:1956

C:\Windows\System32\GAZslqh.exe
C:\Windows\System32\GAZslqh.exe
2⤵
PID:2432

C:\Windows\System32\JkDcSEZ.exe
C:\Windows\System32\JkDcSEZ.exe
2⤵
PID:3612

C:\Windows\System32\lYHLWId.exe
C:\Windows\System32\lYHLWId.exe
2⤵
PID:5148

C:\Windows\System32\HfVyTOd.exe
C:\Windows\System32\HfVyTOd.exe
2⤵
PID:5176

C:\Windows\System32\jKSrCMr.exe
C:\Windows\System32\jKSrCMr.exe
2⤵
PID:5204

C:\Windows\System32\UIphkMC.exe
C:\Windows\System32\UIphkMC.exe
2⤵
PID:5228

C:\Windows\System32\rhLczjN.exe
C:\Windows\System32\rhLczjN.exe
2⤵
PID:5260

C:\Windows\System32\OqedzGm.exe
C:\Windows\System32\OqedzGm.exe
2⤵
PID:5288

C:\Windows\System32\MvkJWsz.exe
C:\Windows\System32\MvkJWsz.exe
2⤵
PID:5316

C:\Windows\System32\wPRithd.exe
C:\Windows\System32\wPRithd.exe
2⤵
PID:5340

C:\Windows\System32\yWbgpep.exe
C:\Windows\System32\yWbgpep.exe
2⤵
PID:5372

C:\Windows\System32\vMieUFP.exe
C:\Windows\System32\vMieUFP.exe
2⤵
PID:5400

C:\Windows\System32\hkciJWl.exe
C:\Windows\System32\hkciJWl.exe
2⤵
PID:5424

C:\Windows\System32\KleHHKz.exe
C:\Windows\System32\KleHHKz.exe
2⤵
PID:5456

C:\Windows\System32\DREwJqP.exe
C:\Windows\System32\DREwJqP.exe
2⤵
PID:5484

C:\Windows\System32\AUEdYUE.exe
C:\Windows\System32\AUEdYUE.exe
2⤵
PID:5508

C:\Windows\System32\STdCycE.exe
C:\Windows\System32\STdCycE.exe
2⤵
PID:5540

C:\Windows\System32\EiIvqDV.exe
C:\Windows\System32\EiIvqDV.exe
2⤵
PID:5616

C:\Windows\System32\BiNzCgy.exe
C:\Windows\System32\BiNzCgy.exe
2⤵
PID:5652

C:\Windows\System32\MoukkyQ.exe
C:\Windows\System32\MoukkyQ.exe
2⤵
PID:5676

C:\Windows\System32\fBPwuEI.exe
C:\Windows\System32\fBPwuEI.exe
2⤵
PID:5704

C:\Windows\System32\ZhCAAIs.exe
C:\Windows\System32\ZhCAAIs.exe
2⤵
PID:5720

C:\Windows\System32\cBZPmZf.exe
C:\Windows\System32\cBZPmZf.exe
2⤵
PID:5740

C:\Windows\System32\UIwHNyt.exe
C:\Windows\System32\UIwHNyt.exe
2⤵
PID:5780

C:\Windows\System32\MJXetAk.exe
C:\Windows\System32\MJXetAk.exe
2⤵
PID:5796

C:\Windows\System32\DfnlELl.exe
C:\Windows\System32\DfnlELl.exe
2⤵
PID:5824

C:\Windows\System32\xDkZFLh.exe
C:\Windows\System32\xDkZFLh.exe
2⤵
PID:5880

C:\Windows\System32\HeioQxd.exe
C:\Windows\System32\HeioQxd.exe
2⤵
PID:5928

C:\Windows\System32\WpTAGil.exe
C:\Windows\System32\WpTAGil.exe
2⤵
PID:5976

C:\Windows\System32\yOAQsdc.exe
C:\Windows\System32\yOAQsdc.exe
2⤵
PID:5992

C:\Windows\System32\uStnXtl.exe
C:\Windows\System32\uStnXtl.exe
2⤵
PID:6016

C:\Windows\System32\vkKrzpI.exe
C:\Windows\System32\vkKrzpI.exe
2⤵
PID:6056

C:\Windows\System32\fvKqhoX.exe
C:\Windows\System32\fvKqhoX.exe
2⤵
PID:6092

C:\Windows\System32\LZbkyeE.exe
C:\Windows\System32\LZbkyeE.exe
2⤵
PID:6124

C:\Windows\System32\GKWcOdh.exe
C:\Windows\System32\GKWcOdh.exe
2⤵
PID:2308

C:\Windows\System32\sjEMSGW.exe
C:\Windows\System32\sjEMSGW.exe
2⤵
PID:384

C:\Windows\System32\oUqczyC.exe
C:\Windows\System32\oUqczyC.exe
2⤵
PID:1072

C:\Windows\System32\MVajQUg.exe
C:\Windows\System32\MVajQUg.exe
2⤵
PID:2984

C:\Windows\System32\CGKRplL.exe
C:\Windows\System32\CGKRplL.exe
2⤵
PID:4060

C:\Windows\System32\LZgrymS.exe
C:\Windows\System32\LZgrymS.exe
2⤵
PID:4476

C:\Windows\System32\DbSKEOC.exe
C:\Windows\System32\DbSKEOC.exe
2⤵
PID:5248

C:\Windows\System32\vAessja.exe
C:\Windows\System32\vAessja.exe
2⤵
PID:5280

C:\Windows\System32\TtjzmdE.exe
C:\Windows\System32\TtjzmdE.exe
2⤵
PID:2804

C:\Windows\System32\cCKZXrB.exe
C:\Windows\System32\cCKZXrB.exe
2⤵
PID:5332

C:\Windows\System32\CiwOWpH.exe
C:\Windows\System32\CiwOWpH.exe
2⤵
PID:5388

C:\Windows\System32\FSIiBQu.exe
C:\Windows\System32\FSIiBQu.exe
2⤵
PID:4416

C:\Windows\System32\xbxjyPK.exe
C:\Windows\System32\xbxjyPK.exe
2⤵
PID:5464

C:\Windows\System32\ZIHcgtT.exe
C:\Windows\System32\ZIHcgtT.exe
2⤵
PID:4172

C:\Windows\System32\NsqfeCn.exe
C:\Windows\System32\NsqfeCn.exe
2⤵
PID:5516

C:\Windows\System32\eDFBZKE.exe
C:\Windows\System32\eDFBZKE.exe
2⤵
PID:1268

C:\Windows\System32\shmlmwA.exe
C:\Windows\System32\shmlmwA.exe
2⤵
PID:3456

C:\Windows\System32\gAcDphk.exe
C:\Windows\System32\gAcDphk.exe
2⤵
PID:5688

C:\Windows\System32\ocnwBIf.exe
C:\Windows\System32\ocnwBIf.exe
2⤵
PID:5852

C:\Windows\System32\Ayubadx.exe
C:\Windows\System32\Ayubadx.exe
2⤵
PID:5804

C:\Windows\System32\WFuzZjb.exe
C:\Windows\System32\WFuzZjb.exe
2⤵
PID:5948

C:\Windows\System32\oxmmOSZ.exe
C:\Windows\System32\oxmmOSZ.exe
2⤵
PID:6032

C:\Windows\System32\JiBQOdM.exe
C:\Windows\System32\JiBQOdM.exe
2⤵
PID:6064

C:\Windows\System32\TnNkWIo.exe
C:\Windows\System32\TnNkWIo.exe
2⤵
PID:5756

C:\Windows\System32\UAaatTC.exe
C:\Windows\System32\UAaatTC.exe
2⤵
PID:5896

C:\Windows\System32\kSIKxuJ.exe
C:\Windows\System32\kSIKxuJ.exe
2⤵
PID:112

C:\Windows\System32\QNusYkW.exe
C:\Windows\System32\QNusYkW.exe
2⤵
PID:4508

C:\Windows\System32\DMLkmlV.exe
C:\Windows\System32\DMLkmlV.exe
2⤵
PID:1392

C:\Windows\System32\xiNwrdp.exe
C:\Windows\System32\xiNwrdp.exe
2⤵
PID:5380

C:\Windows\System32\wOiCayw.exe
C:\Windows\System32\wOiCayw.exe
2⤵
PID:5304

C:\Windows\System32\hcRLWfY.exe
C:\Windows\System32\hcRLWfY.exe
2⤵
PID:5504

C:\Windows\System32\CruWUnB.exe
C:\Windows\System32\CruWUnB.exe
2⤵
PID:4136

C:\Windows\System32\COxldvZ.exe
C:\Windows\System32\COxldvZ.exe
2⤵
PID:4672

C:\Windows\System32\HHPOIxD.exe
C:\Windows\System32\HHPOIxD.exe
2⤵
PID:5156

C:\Windows\System32\eNfwFqr.exe
C:\Windows\System32\eNfwFqr.exe
2⤵
PID:3756

C:\Windows\System32\wYZzRIo.exe
C:\Windows\System32\wYZzRIo.exe
2⤵
PID:5788

C:\Windows\System32\ReoZyAQ.exe
C:\Windows\System32\ReoZyAQ.exe
2⤵
PID:6004

C:\Windows\System32\dZMpbgZ.exe
C:\Windows\System32\dZMpbgZ.exe
2⤵
PID:6104

C:\Windows\System32\gyqWHul.exe
C:\Windows\System32\gyqWHul.exe
2⤵
PID:6112

C:\Windows\System32\lrelWuc.exe
C:\Windows\System32\lrelWuc.exe
2⤵
PID:5276

C:\Windows\System32\hlqglcj.exe
C:\Windows\System32\hlqglcj.exe
2⤵
PID:5692

C:\Windows\System32\rvdYkyq.exe
C:\Windows\System32\rvdYkyq.exe
2⤵
PID:2956

C:\Windows\System32\XhGgxiz.exe
C:\Windows\System32\XhGgxiz.exe
2⤵
PID:5912

C:\Windows\System32\tqFkBAJ.exe
C:\Windows\System32\tqFkBAJ.exe
2⤵
PID:3488

C:\Windows\System32\czQkIBB.exe
C:\Windows\System32\czQkIBB.exe
2⤵
PID:5832

C:\Windows\System32\NETrVcI.exe
C:\Windows\System32\NETrVcI.exe
2⤵
PID:6000

C:\Windows\System32\XizhifD.exe
C:\Windows\System32\XizhifD.exe
2⤵
PID:6156

C:\Windows\System32\jnijjOp.exe
C:\Windows\System32\jnijjOp.exe
2⤵
PID:6172

C:\Windows\System32\gNuIozm.exe
C:\Windows\System32\gNuIozm.exe
2⤵
PID:6188

C:\Windows\System32\RbLLQcF.exe
C:\Windows\System32\RbLLQcF.exe
2⤵
PID:6208

C:\Windows\System32\PxfSPxb.exe
C:\Windows\System32\PxfSPxb.exe
2⤵
PID:6252

C:\Windows\System32\OgtyUZa.exe
C:\Windows\System32\OgtyUZa.exe
2⤵
PID:6268

C:\Windows\System32\vlQndHo.exe
C:\Windows\System32\vlQndHo.exe
2⤵
PID:6300

C:\Windows\System32\nNsvqCe.exe
C:\Windows\System32\nNsvqCe.exe
2⤵
PID:6328

C:\Windows\System32\DURTpVm.exe
C:\Windows\System32\DURTpVm.exe
2⤵
PID:6348

C:\Windows\System32\zCVDBkl.exe
C:\Windows\System32\zCVDBkl.exe
2⤵
PID:6364

C:\Windows\System32\KCVGOUq.exe
C:\Windows\System32\KCVGOUq.exe
2⤵
PID:6392

C:\Windows\System32\cETEVvO.exe
C:\Windows\System32\cETEVvO.exe
2⤵
PID:6440

C:\Windows\System32\OPZLVXr.exe
C:\Windows\System32\OPZLVXr.exe
2⤵
PID:6460

C:\Windows\System32\TvHtVBv.exe
C:\Windows\System32\TvHtVBv.exe
2⤵
PID:6476

C:\Windows\System32\DleQLnx.exe
C:\Windows\System32\DleQLnx.exe
2⤵
PID:6492

C:\Windows\System32\QGiXMax.exe
C:\Windows\System32\QGiXMax.exe
2⤵
PID:6516

C:\Windows\System32\vbBqoWz.exe
C:\Windows\System32\vbBqoWz.exe
2⤵
PID:6532

C:\Windows\System32\zOTsMny.exe
C:\Windows\System32\zOTsMny.exe
2⤵
PID:6560

C:\Windows\System32\FEhQEOz.exe
C:\Windows\System32\FEhQEOz.exe
2⤵
PID:6648

C:\Windows\System32\FnadxrU.exe
C:\Windows\System32\FnadxrU.exe
2⤵
PID:6680

C:\Windows\System32\kuCEcwi.exe
C:\Windows\System32\kuCEcwi.exe
2⤵
PID:6720

C:\Windows\System32\RBWCPwr.exe
C:\Windows\System32\RBWCPwr.exe
2⤵
PID:6744

C:\Windows\System32\POBJEdw.exe
C:\Windows\System32\POBJEdw.exe
2⤵
PID:6772

C:\Windows\System32\cRfhCmv.exe
C:\Windows\System32\cRfhCmv.exe
2⤵
PID:6788

C:\Windows\System32\fINNlzD.exe
C:\Windows\System32\fINNlzD.exe
2⤵
PID:6812

C:\Windows\System32\NfmbKot.exe
C:\Windows\System32\NfmbKot.exe
2⤵
PID:6828

C:\Windows\System32\qWZaiTZ.exe
C:\Windows\System32\qWZaiTZ.exe
2⤵
PID:6852

C:\Windows\System32\cLzOffK.exe
C:\Windows\System32\cLzOffK.exe
2⤵
PID:6892

C:\Windows\System32\pLzulvu.exe
C:\Windows\System32\pLzulvu.exe
2⤵
PID:6936

C:\Windows\System32\WVRavwT.exe
C:\Windows\System32\WVRavwT.exe
2⤵
PID:6988

C:\Windows\System32\LxxzzTR.exe
C:\Windows\System32\LxxzzTR.exe
2⤵
PID:7004

C:\Windows\System32\unZBahz.exe
C:\Windows\System32\unZBahz.exe
2⤵
PID:7024

C:\Windows\System32\PPYakOD.exe
C:\Windows\System32\PPYakOD.exe
2⤵
PID:7040

C:\Windows\System32\cNMfGbi.exe
C:\Windows\System32\cNMfGbi.exe
2⤵
PID:7072

C:\Windows\System32\tJpnzlK.exe
C:\Windows\System32\tJpnzlK.exe
2⤵
PID:7092

C:\Windows\System32\XbVKnvW.exe
C:\Windows\System32\XbVKnvW.exe
2⤵
PID:7116

C:\Windows\System32\cfqFsVO.exe
C:\Windows\System32\cfqFsVO.exe
2⤵
PID:6148

C:\Windows\System32\nOFigUM.exe
C:\Windows\System32\nOFigUM.exe
2⤵
PID:6260

C:\Windows\System32\sKvNFYH.exe
C:\Windows\System32\sKvNFYH.exe
2⤵
PID:6292

C:\Windows\System32\qAGHOss.exe
C:\Windows\System32\qAGHOss.exe
2⤵
PID:6340

C:\Windows\System32\crszjwV.exe
C:\Windows\System32\crszjwV.exe
2⤵
PID:6404

C:\Windows\System32\YwOxsan.exe
C:\Windows\System32\YwOxsan.exe
2⤵
PID:6472

C:\Windows\System32\UmyysHf.exe
C:\Windows\System32\UmyysHf.exe
2⤵
PID:6604

C:\Windows\System32\IiDYSjd.exe
C:\Windows\System32\IiDYSjd.exe
2⤵
PID:6488

C:\Windows\System32\CMwemKZ.exe
C:\Windows\System32\CMwemKZ.exe
2⤵
PID:6484

C:\Windows\System32\vXIIgYS.exe
C:\Windows\System32\vXIIgYS.exe
2⤵
PID:6704

C:\Windows\System32\nBmVNIZ.exe
C:\Windows\System32\nBmVNIZ.exe
2⤵
PID:6752

C:\Windows\System32\tTACcjp.exe
C:\Windows\System32\tTACcjp.exe
2⤵
PID:6808

C:\Windows\System32\OAvXAGl.exe
C:\Windows\System32\OAvXAGl.exe
2⤵
PID:6964

C:\Windows\System32\sJDPGiJ.exe
C:\Windows\System32\sJDPGiJ.exe
2⤵
PID:6996

C:\Windows\System32\PlpLXHp.exe
C:\Windows\System32\PlpLXHp.exe
2⤵
PID:7064

C:\Windows\System32\ublsKni.exe
C:\Windows\System32\ublsKni.exe
2⤵
PID:7156

C:\Windows\System32\mCSkbcP.exe
C:\Windows\System32\mCSkbcP.exe
2⤵
PID:6284

C:\Windows\System32\KBZLrdF.exe
C:\Windows\System32\KBZLrdF.exe
2⤵
PID:6316

C:\Windows\System32\ucFQdIg.exe
C:\Windows\System32\ucFQdIg.exe
2⤵
PID:6452

C:\Windows\System32\UxEROWA.exe
C:\Windows\System32\UxEROWA.exe
2⤵
PID:6528

C:\Windows\System32\fRHrhNU.exe
C:\Windows\System32\fRHrhNU.exe
2⤵
PID:6740

C:\Windows\System32\PxSDVTa.exe
C:\Windows\System32\PxSDVTa.exe
2⤵
PID:6796

C:\Windows\System32\dhvHvKM.exe
C:\Windows\System32\dhvHvKM.exe
2⤵
PID:6840

C:\Windows\System32\CvgHYha.exe
C:\Windows\System32\CvgHYha.exe
2⤵
PID:7056

C:\Windows\System32\prKxTTs.exe
C:\Windows\System32\prKxTTs.exe
2⤵
PID:6376

C:\Windows\System32\ObEuErx.exe
C:\Windows\System32\ObEuErx.exe
2⤵
PID:6432

C:\Windows\System32\jNIdYGk.exe
C:\Windows\System32\jNIdYGk.exe
2⤵
PID:6804

C:\Windows\System32\PZwPwls.exe
C:\Windows\System32\PZwPwls.exe
2⤵
PID:7060

C:\Windows\System32\CZFUyYv.exe
C:\Windows\System32\CZFUyYv.exe
2⤵
PID:6664

C:\Windows\System32\DKiuoRB.exe
C:\Windows\System32\DKiuoRB.exe
2⤵
PID:7180

C:\Windows\System32\kCdbgvC.exe
C:\Windows\System32\kCdbgvC.exe
2⤵
PID:7240

C:\Windows\System32\OFQEMPE.exe
C:\Windows\System32\OFQEMPE.exe
2⤵
PID:7272

C:\Windows\System32\YvornGO.exe
C:\Windows\System32\YvornGO.exe
2⤵
PID:7292

C:\Windows\System32\WwQpcBW.exe
C:\Windows\System32\WwQpcBW.exe
2⤵
PID:7312

C:\Windows\System32\xRewlLz.exe
C:\Windows\System32\xRewlLz.exe
2⤵
PID:7344

C:\Windows\System32\PBBSWrS.exe
C:\Windows\System32\PBBSWrS.exe
2⤵
PID:7372

C:\Windows\System32\Vjtdlvq.exe
C:\Windows\System32\Vjtdlvq.exe
2⤵
PID:7392

C:\Windows\System32\AbYAcuU.exe
C:\Windows\System32\AbYAcuU.exe
2⤵
PID:7440

C:\Windows\System32\TTIVKpW.exe
C:\Windows\System32\TTIVKpW.exe
2⤵
PID:7504

C:\Windows\System32\fpUmyOh.exe
C:\Windows\System32\fpUmyOh.exe
2⤵
PID:7532

C:\Windows\System32\SnUWufI.exe
C:\Windows\System32\SnUWufI.exe
2⤵
PID:7552

C:\Windows\System32\fQywfXn.exe
C:\Windows\System32\fQywfXn.exe
2⤵
PID:7576

C:\Windows\System32\uUbPPDO.exe
C:\Windows\System32\uUbPPDO.exe
2⤵
PID:7600

C:\Windows\System32\luriPoa.exe
C:\Windows\System32\luriPoa.exe
2⤵
PID:7616

C:\Windows\System32\WnwjYHF.exe
C:\Windows\System32\WnwjYHF.exe
2⤵
PID:7664

C:\Windows\System32\XYJvlkT.exe
C:\Windows\System32\XYJvlkT.exe
2⤵
PID:7692

C:\Windows\System32\xRJwRIV.exe
C:\Windows\System32\xRJwRIV.exe
2⤵
PID:7712

C:\Windows\System32\JbQrJeN.exe
C:\Windows\System32\JbQrJeN.exe
2⤵
PID:7736

C:\Windows\System32\IOEsvmW.exe
C:\Windows\System32\IOEsvmW.exe
2⤵
PID:7756

C:\Windows\System32\MyiLQjg.exe
C:\Windows\System32\MyiLQjg.exe
2⤵
PID:7780

C:\Windows\System32\zaXGTQn.exe
C:\Windows\System32\zaXGTQn.exe
2⤵
PID:7836

C:\Windows\System32\WmsmEGv.exe
C:\Windows\System32\WmsmEGv.exe
2⤵
PID:7868

C:\Windows\System32\JJnxjVx.exe
C:\Windows\System32\JJnxjVx.exe
2⤵
PID:7896

C:\Windows\System32\LRocLJP.exe
C:\Windows\System32\LRocLJP.exe
2⤵
PID:7912

C:\Windows\System32\XikZCVy.exe
C:\Windows\System32\XikZCVy.exe
2⤵
PID:7944

C:\Windows\System32\uBwQLhi.exe
C:\Windows\System32\uBwQLhi.exe
2⤵
PID:7960

C:\Windows\System32\eHjhfWN.exe
C:\Windows\System32\eHjhfWN.exe
2⤵
PID:7980

C:\Windows\System32\jsmnuzZ.exe
C:\Windows\System32\jsmnuzZ.exe
2⤵
PID:8004

C:\Windows\System32\gEhNRVG.exe
C:\Windows\System32\gEhNRVG.exe
2⤵
PID:8028

C:\Windows\System32\xrVhPOf.exe
C:\Windows\System32\xrVhPOf.exe
2⤵
PID:8084

C:\Windows\System32\weeiakM.exe
C:\Windows\System32\weeiakM.exe
2⤵
PID:8104

C:\Windows\System32\KFFolAU.exe
C:\Windows\System32\KFFolAU.exe
2⤵
PID:8128

C:\Windows\System32\szdcTzg.exe
C:\Windows\System32\szdcTzg.exe
2⤵
PID:8148

C:\Windows\System32\xGqsJgJ.exe
C:\Windows\System32\xGqsJgJ.exe
2⤵
PID:8164

C:\Windows\System32\ioGqVjp.exe
C:\Windows\System32\ioGqVjp.exe
2⤵
PID:8188

C:\Windows\System32\oubBfIA.exe
C:\Windows\System32\oubBfIA.exe
2⤵
PID:6672

C:\Windows\System32\REXgSDw.exe
C:\Windows\System32\REXgSDw.exe
2⤵
PID:7224

C:\Windows\System32\MdtYVyy.exe
C:\Windows\System32\MdtYVyy.exe
2⤵
PID:7288

C:\Windows\System32\dcnkQpc.exe
C:\Windows\System32\dcnkQpc.exe
2⤵
PID:7340

C:\Windows\System32\NIsCxYL.exe
C:\Windows\System32\NIsCxYL.exe
2⤵
PID:7400

C:\Windows\System32\SPYpVMr.exe
C:\Windows\System32\SPYpVMr.exe
2⤵
PID:7460

C:\Windows\System32\WVyEzJu.exe
C:\Windows\System32\WVyEzJu.exe
2⤵
PID:7512

C:\Windows\System32\JxceCZM.exe
C:\Windows\System32\JxceCZM.exe
2⤵
PID:7548

C:\Windows\System32\eaJdKlF.exe
C:\Windows\System32\eaJdKlF.exe
2⤵
PID:7680

C:\Windows\System32\Aofwniz.exe
C:\Windows\System32\Aofwniz.exe
2⤵
PID:7768

C:\Windows\System32\DTldhJW.exe
C:\Windows\System32\DTldhJW.exe
2⤵
PID:7804

C:\Windows\System32\OUCkOID.exe
C:\Windows\System32\OUCkOID.exe
2⤵
PID:7852

C:\Windows\System32\TAtoiWs.exe
C:\Windows\System32\TAtoiWs.exe
2⤵
PID:7956

C:\Windows\System32\yjmXnid.exe
C:\Windows\System32\yjmXnid.exe
2⤵
PID:6612

C:\Windows\System32\jHzmwPE.exe
C:\Windows\System32\jHzmwPE.exe
2⤵
PID:8180

C:\Windows\System32\aWDXUub.exe
C:\Windows\System32\aWDXUub.exe
2⤵
PID:7300

C:\Windows\System32\bdRkBBm.exe
C:\Windows\System32\bdRkBBm.exe
2⤵
PID:7360

C:\Windows\System32\OmBQUtd.exe
C:\Windows\System32\OmBQUtd.exe
2⤵
PID:7752

C:\Windows\System32\VkCnQJG.exe
C:\Windows\System32\VkCnQJG.exe
2⤵
PID:7748

C:\Windows\System32\tYjKXXN.exe
C:\Windows\System32\tYjKXXN.exe
2⤵
PID:8056

C:\Windows\System32\JKmErEk.exe
C:\Windows\System32\JKmErEk.exe
2⤵
PID:7904

C:\Windows\System32\ecdFYzR.exe
C:\Windows\System32\ecdFYzR.exe
2⤵
PID:7952

C:\Windows\System32\HGbTACh.exe
C:\Windows\System32\HGbTACh.exe
2⤵
PID:7256

C:\Windows\System32\ETHhtjx.exe
C:\Windows\System32\ETHhtjx.exe
2⤵
PID:7476

C:\Windows\System32\dwvObEq.exe
C:\Windows\System32\dwvObEq.exe
2⤵
PID:8144

C:\Windows\System32\FMIPglR.exe
C:\Windows\System32\FMIPglR.exe
2⤵
PID:7336

C:\Windows\System32\utXDPhP.exe
C:\Windows\System32\utXDPhP.exe
2⤵
PID:8208

C:\Windows\System32\YQSJCfN.exe
C:\Windows\System32\YQSJCfN.exe
2⤵
PID:8232

C:\Windows\System32\svgMmlc.exe
C:\Windows\System32\svgMmlc.exe
2⤵
PID:8248

C:\Windows\System32\stuibOR.exe
C:\Windows\System32\stuibOR.exe
2⤵
PID:8288

C:\Windows\System32\wolaEtt.exe
C:\Windows\System32\wolaEtt.exe
2⤵
PID:8336

C:\Windows\System32\pTTPJrQ.exe
C:\Windows\System32\pTTPJrQ.exe
2⤵
PID:8360

C:\Windows\System32\lcuKYav.exe
C:\Windows\System32\lcuKYav.exe
2⤵
PID:8384

C:\Windows\System32\xBdqehr.exe
C:\Windows\System32\xBdqehr.exe
2⤵
PID:8400

C:\Windows\System32\sIwpIrH.exe
C:\Windows\System32\sIwpIrH.exe
2⤵
PID:8428

C:\Windows\System32\xSaYTTf.exe
C:\Windows\System32\xSaYTTf.exe
2⤵
PID:8444

C:\Windows\System32\GpdPyFH.exe
C:\Windows\System32\GpdPyFH.exe
2⤵
PID:8504

C:\Windows\System32\luNosax.exe
C:\Windows\System32\luNosax.exe
2⤵
PID:8532

C:\Windows\System32\tHcooQx.exe
C:\Windows\System32\tHcooQx.exe
2⤵
PID:8556

C:\Windows\System32\TtFxSgs.exe
C:\Windows\System32\TtFxSgs.exe
2⤵
PID:8572

C:\Windows\System32\tNZfRXQ.exe
C:\Windows\System32\tNZfRXQ.exe
2⤵
PID:8596

C:\Windows\System32\kMPaTGY.exe
C:\Windows\System32\kMPaTGY.exe
2⤵
PID:8624

C:\Windows\System32\XMepteq.exe
C:\Windows\System32\XMepteq.exe
2⤵
PID:8668

C:\Windows\System32\jbaAhFU.exe
C:\Windows\System32\jbaAhFU.exe
2⤵
PID:8684

C:\Windows\System32\sFsNkyx.exe
C:\Windows\System32\sFsNkyx.exe
2⤵
PID:8708

C:\Windows\System32\RkvulaC.exe
C:\Windows\System32\RkvulaC.exe
2⤵
PID:8728

C:\Windows\System32\jnSauHH.exe
C:\Windows\System32\jnSauHH.exe
2⤵
PID:8768

C:\Windows\System32\MZvnhJR.exe
C:\Windows\System32\MZvnhJR.exe
2⤵
PID:8816

C:\Windows\System32\qbZoEwf.exe
C:\Windows\System32\qbZoEwf.exe
2⤵
PID:8848

C:\Windows\System32\KiaorMX.exe
C:\Windows\System32\KiaorMX.exe
2⤵
PID:8864

C:\Windows\System32\FuXOdfX.exe
C:\Windows\System32\FuXOdfX.exe
2⤵
PID:8880

C:\Windows\System32\DSquNOE.exe
C:\Windows\System32\DSquNOE.exe
2⤵
PID:8900

C:\Windows\System32\KYERqfp.exe
C:\Windows\System32\KYERqfp.exe
2⤵
PID:8964

C:\Windows\System32\vIhqkmb.exe
C:\Windows\System32\vIhqkmb.exe
2⤵
PID:8988

C:\Windows\System32\OrwCEdH.exe
C:\Windows\System32\OrwCEdH.exe
2⤵
PID:9008

C:\Windows\System32\rIdvkcv.exe
C:\Windows\System32\rIdvkcv.exe
2⤵
PID:9032

C:\Windows\System32\VLnMyTl.exe
C:\Windows\System32\VLnMyTl.exe
2⤵
PID:9056

C:\Windows\System32\PyYHsqc.exe
C:\Windows\System32\PyYHsqc.exe
2⤵
PID:9084

C:\Windows\System32\MuSozTi.exe
C:\Windows\System32\MuSozTi.exe
2⤵
PID:9104

C:\Windows\System32\HNzYVUy.exe
C:\Windows\System32\HNzYVUy.exe
2⤵
PID:9120

C:\Windows\System32\NHzbPOx.exe
C:\Windows\System32\NHzbPOx.exe
2⤵
PID:9144

C:\Windows\System32\eHGcpNF.exe
C:\Windows\System32\eHGcpNF.exe
2⤵
PID:9168

C:\Windows\System32\JlOWYSv.exe
C:\Windows\System32\JlOWYSv.exe
2⤵
PID:9200

C:\Windows\System32\nfvVkkn.exe
C:\Windows\System32\nfvVkkn.exe
2⤵
PID:8156

C:\Windows\System32\UhZeWym.exe
C:\Windows\System32\UhZeWym.exe
2⤵
PID:8268

C:\Windows\System32\wrvNHcX.exe
C:\Windows\System32\wrvNHcX.exe
2⤵
PID:8312

C:\Windows\System32\LZAMvhI.exe
C:\Windows\System32\LZAMvhI.exe
2⤵
PID:8344

C:\Windows\System32\JltdCVs.exe
C:\Windows\System32\JltdCVs.exe
2⤵
PID:8516

C:\Windows\System32\PuclQPa.exe
C:\Windows\System32\PuclQPa.exe
2⤵
PID:8592

C:\Windows\System32\ghTnhFK.exe
C:\Windows\System32\ghTnhFK.exe
2⤵
PID:8652

C:\Windows\System32\AJQFFCu.exe
C:\Windows\System32\AJQFFCu.exe
2⤵
PID:8656

C:\Windows\System32\AwCmeEC.exe
C:\Windows\System32\AwCmeEC.exe
2⤵
PID:8740

C:\Windows\System32\XxVbxwF.exe
C:\Windows\System32\XxVbxwF.exe
2⤵
PID:8928

C:\Windows\System32\LQTkaxW.exe
C:\Windows\System32\LQTkaxW.exe
2⤵
PID:8912

C:\Windows\System32\RMqHUGa.exe
C:\Windows\System32\RMqHUGa.exe
2⤵
PID:8984

C:\Windows\System32\ZIkrNLn.exe
C:\Windows\System32\ZIkrNLn.exe
2⤵
PID:9020

C:\Windows\System32\uWBbRdE.exe
C:\Windows\System32\uWBbRdE.exe
2⤵
PID:9076

C:\Windows\System32\wzxvmSQ.exe
C:\Windows\System32\wzxvmSQ.exe
2⤵
PID:9164

C:\Windows\System32\PzoJHOK.exe
C:\Windows\System32\PzoJHOK.exe
2⤵
PID:9044

C:\Windows\System32\jLpeHhi.exe
C:\Windows\System32\jLpeHhi.exe
2⤵
PID:9136

C:\Windows\System32\HWMOBfq.exe
C:\Windows\System32\HWMOBfq.exe
2⤵
PID:8468

C:\Windows\System32\IFNktJl.exe
C:\Windows\System32\IFNktJl.exe
2⤵
PID:8636

C:\Windows\System32\WlpFEfA.exe
C:\Windows\System32\WlpFEfA.exe
2⤵
PID:8356

C:\Windows\System32\ugfyCTv.exe
C:\Windows\System32\ugfyCTv.exe
2⤵
PID:8716

C:\Windows\System32\gAtMcZu.exe
C:\Windows\System32\gAtMcZu.exe
2⤵
PID:9228

C:\Windows\System32\TBxyvFV.exe
C:\Windows\System32\TBxyvFV.exe
2⤵
PID:9256

C:\Windows\System32\DOhZGCQ.exe
C:\Windows\System32\DOhZGCQ.exe
2⤵
PID:9272

C:\Windows\System32\TCaxBMB.exe
C:\Windows\System32\TCaxBMB.exe
2⤵
PID:9304

C:\Windows\System32\XBFOvcR.exe
C:\Windows\System32\XBFOvcR.exe
2⤵
PID:9328

C:\Windows\System32\iyrWRqE.exe
C:\Windows\System32\iyrWRqE.exe
2⤵
PID:9344

C:\Windows\System32\JXvyoqy.exe
C:\Windows\System32\JXvyoqy.exe
2⤵
PID:9404

C:\Windows\System32\cnrHnME.exe
C:\Windows\System32\cnrHnME.exe
2⤵
PID:9468

C:\Windows\System32\CiPKYQH.exe
C:\Windows\System32\CiPKYQH.exe
2⤵
PID:9492

C:\Windows\System32\tmcfVyU.exe
C:\Windows\System32\tmcfVyU.exe
2⤵
PID:9508

C:\Windows\System32\OzZcpJX.exe
C:\Windows\System32\OzZcpJX.exe
2⤵
PID:9552

C:\Windows\System32\UNjeClW.exe
C:\Windows\System32\UNjeClW.exe
2⤵
PID:9576

C:\Windows\System32\aHIriie.exe
C:\Windows\System32\aHIriie.exe
2⤵
PID:9596

C:\Windows\System32\YZPlguF.exe
C:\Windows\System32\YZPlguF.exe
2⤵
PID:9616

C:\Windows\System32\tYpyNwO.exe
C:\Windows\System32\tYpyNwO.exe
2⤵
PID:9636

C:\Windows\System32\IaqEdqu.exe
C:\Windows\System32\IaqEdqu.exe
2⤵
PID:9688

C:\Windows\System32\saozqnq.exe
C:\Windows\System32\saozqnq.exe
2⤵
PID:9708

C:\Windows\System32\XnvamLh.exe
C:\Windows\System32\XnvamLh.exe
2⤵
PID:9768

C:\Windows\System32\SdwQTAw.exe
C:\Windows\System32\SdwQTAw.exe
2⤵
PID:9808

C:\Windows\System32\wlfORxB.exe
C:\Windows\System32\wlfORxB.exe
2⤵
PID:9836

C:\Windows\System32\CmbkpRI.exe
C:\Windows\System32\CmbkpRI.exe
2⤵
PID:9856

C:\Windows\System32\EXjWVnR.exe
C:\Windows\System32\EXjWVnR.exe
2⤵
PID:9880

C:\Windows\System32\ldurZvm.exe
C:\Windows\System32\ldurZvm.exe
2⤵
PID:9900

C:\Windows\System32\jPQESSN.exe
C:\Windows\System32\jPQESSN.exe
2⤵
PID:9936

C:\Windows\System32\mAFiSnJ.exe
C:\Windows\System32\mAFiSnJ.exe
2⤵
PID:9956

C:\Windows\System32\HNzrXIX.exe
C:\Windows\System32\HNzrXIX.exe
2⤵
PID:9972

C:\Windows\System32\UrzOorC.exe
C:\Windows\System32\UrzOorC.exe
2⤵
PID:10000

C:\Windows\System32\WxcRGbI.exe
C:\Windows\System32\WxcRGbI.exe
2⤵
PID:10024

C:\Windows\System32\HccTCLz.exe
C:\Windows\System32\HccTCLz.exe
2⤵
PID:10040

C:\Windows\System32\LWjUwLS.exe
C:\Windows\System32\LWjUwLS.exe
2⤵
PID:10096

C:\Windows\System32\QEDppjf.exe
C:\Windows\System32\QEDppjf.exe
2⤵
PID:10140

C:\Windows\System32\WkAVpJi.exe
C:\Windows\System32\WkAVpJi.exe
2⤵
PID:10180

C:\Windows\System32\NRNtpMH.exe
C:\Windows\System32\NRNtpMH.exe
2⤵
PID:10200

C:\Windows\System32\NksbpFT.exe
C:\Windows\System32\NksbpFT.exe
2⤵
PID:10228

C:\Windows\System32\dhUyygh.exe
C:\Windows\System32\dhUyygh.exe
2⤵
PID:9212

C:\Windows\System32\MMJYXru.exe
C:\Windows\System32\MMJYXru.exe
2⤵
PID:8256

C:\Windows\System32\TenYamj.exe
C:\Windows\System32\TenYamj.exe
2⤵
PID:8896

C:\Windows\System32\hUDXkQX.exe
C:\Windows\System32\hUDXkQX.exe
2⤵
PID:9128

C:\Windows\System32\nLlnpUx.exe
C:\Windows\System32\nLlnpUx.exe
2⤵
PID:8676

C:\Windows\System32\lhfKZKf.exe
C:\Windows\System32\lhfKZKf.exe
2⤵
PID:9268

C:\Windows\System32\hkoeMTG.exe
C:\Windows\System32\hkoeMTG.exe
2⤵
PID:9372

C:\Windows\System32\impXuKy.exe
C:\Windows\System32\impXuKy.exe
2⤵
PID:9312

C:\Windows\System32\cIGpEPK.exe
C:\Windows\System32\cIGpEPK.exe
2⤵
PID:9392

C:\Windows\System32\SozETed.exe
C:\Windows\System32\SozETed.exe
2⤵
PID:9476

C:\Windows\System32\LxXERfe.exe
C:\Windows\System32\LxXERfe.exe
2⤵
PID:9608

C:\Windows\System32\jdDChvw.exe
C:\Windows\System32\jdDChvw.exe
2⤵
PID:9648

C:\Windows\System32\OOiLLIW.exe
C:\Windows\System32\OOiLLIW.exe
2⤵
PID:9724

C:\Windows\System32\vffosWF.exe
C:\Windows\System32\vffosWF.exe
2⤵
PID:9796

C:\Windows\System32\WSGclxM.exe
C:\Windows\System32\WSGclxM.exe
2⤵
PID:9876

C:\Windows\System32\OFYYnil.exe
C:\Windows\System32\OFYYnil.exe
2⤵
PID:9968

C:\Windows\System32\DBpgMpL.exe
C:\Windows\System32\DBpgMpL.exe
2⤵
PID:9948

C:\Windows\System32\wNdxIKE.exe
C:\Windows\System32\wNdxIKE.exe
2⤵
PID:10032

C:\Windows\System32\IcVrUhz.exe
C:\Windows\System32\IcVrUhz.exe
2⤵
PID:10080

C:\Windows\System32\kbXNmzn.exe
C:\Windows\System32\kbXNmzn.exe
2⤵
PID:10192

C:\Windows\System32\nXWYycq.exe
C:\Windows\System32\nXWYycq.exe
2⤵
PID:3452

C:\Windows\System32\CsNiVFF.exe
C:\Windows\System32\CsNiVFF.exe
2⤵
PID:8960

C:\Windows\System32\eqbGOxe.exe
C:\Windows\System32\eqbGOxe.exe
2⤵
PID:9300

C:\Windows\System32\cxBygyH.exe
C:\Windows\System32\cxBygyH.exe
2⤵
PID:9288

C:\Windows\System32\pHJGDOj.exe
C:\Windows\System32\pHJGDOj.exe
2⤵
PID:9628

C:\Windows\System32\dzovpvh.exe
C:\Windows\System32\dzovpvh.exe
2⤵
PID:9744

C:\Windows\System32\Bzeiggv.exe
C:\Windows\System32\Bzeiggv.exe
2⤵
PID:9824

C:\Windows\System32\JfZepve.exe
C:\Windows\System32\JfZepve.exe
2⤵
PID:9844

C:\Windows\System32\jACyXCF.exe
C:\Windows\System32\jACyXCF.exe
2⤵
PID:10220

C:\Windows\System32\xDzvJRb.exe
C:\Windows\System32\xDzvJRb.exe
2⤵
PID:8472

C:\Windows\System32\kAlrMrI.exe
C:\Windows\System32\kAlrMrI.exe
2⤵
PID:8648

C:\Windows\System32\hQiOBYJ.exe
C:\Windows\System32\hQiOBYJ.exe
2⤵
PID:9588

C:\Windows\System32\diOnkTO.exe
C:\Windows\System32\diOnkTO.exe
2⤵
PID:9952

C:\Windows\System32\PWPAbRJ.exe
C:\Windows\System32\PWPAbRJ.exe
2⤵
PID:8320

C:\Windows\System32\ganEAaB.exe
C:\Windows\System32\ganEAaB.exe
2⤵
PID:10260

C:\Windows\System32\xheSbqF.exe
C:\Windows\System32\xheSbqF.exe
2⤵
PID:10284

C:\Windows\System32\tfxojTF.exe
C:\Windows\System32\tfxojTF.exe
2⤵
PID:10308

C:\Windows\System32\baYytjp.exe
C:\Windows\System32\baYytjp.exe
2⤵
PID:10336

C:\Windows\System32\MAsCYcO.exe
C:\Windows\System32\MAsCYcO.exe
2⤵
PID:10380

C:\Windows\System32\DOAslqD.exe
C:\Windows\System32\DOAslqD.exe
2⤵
PID:10400

C:\Windows\System32\GzxAfyv.exe
C:\Windows\System32\GzxAfyv.exe
2⤵
PID:10424

C:\Windows\System32\qttoCzI.exe
C:\Windows\System32\qttoCzI.exe
2⤵
PID:10440

C:\Windows\System32\GbKmwrW.exe
C:\Windows\System32\GbKmwrW.exe
2⤵
PID:10460

C:\Windows\System32\pqAtSEg.exe
C:\Windows\System32\pqAtSEg.exe
2⤵
PID:10488

C:\Windows\System32\qarDVIS.exe
C:\Windows\System32\qarDVIS.exe
2⤵
PID:10532

C:\Windows\System32\iFqVXfO.exe
C:\Windows\System32\iFqVXfO.exe
2⤵
PID:10576

C:\Windows\System32\vJddpFo.exe
C:\Windows\System32\vJddpFo.exe
2⤵
PID:10608

C:\Windows\System32\ivHnZgY.exe
C:\Windows\System32\ivHnZgY.exe
2⤵
PID:10636

C:\Windows\System32\BzkFGmX.exe
C:\Windows\System32\BzkFGmX.exe
2⤵
PID:10660

C:\Windows\System32\ibjWSdB.exe
C:\Windows\System32\ibjWSdB.exe
2⤵
PID:10692

C:\Windows\System32\tHhOkhp.exe
C:\Windows\System32\tHhOkhp.exe
2⤵
PID:10712

C:\Windows\System32\LbjAeSr.exe
C:\Windows\System32\LbjAeSr.exe
2⤵
PID:10732

C:\Windows\System32\ovVvxhC.exe
C:\Windows\System32\ovVvxhC.exe
2⤵
PID:10772

C:\Windows\System32\mrdgYwL.exe
C:\Windows\System32\mrdgYwL.exe
2⤵
PID:10788

C:\Windows\System32\IprrrNG.exe
C:\Windows\System32\IprrrNG.exe
2⤵
PID:10816

C:\Windows\System32\ckgUYuo.exe
C:\Windows\System32\ckgUYuo.exe
2⤵
PID:10844

C:\Windows\System32\cTsHOko.exe
C:\Windows\System32\cTsHOko.exe
2⤵
PID:10868

C:\Windows\System32\cYWCpGr.exe
C:\Windows\System32\cYWCpGr.exe
2⤵
PID:10904

C:\Windows\System32\PdzTQoV.exe
C:\Windows\System32\PdzTQoV.exe
2⤵
PID:10932

C:\Windows\System32\zXdQRgl.exe
C:\Windows\System32\zXdQRgl.exe
2⤵
PID:10980

C:\Windows\System32\EAcQPoS.exe
C:\Windows\System32\EAcQPoS.exe
2⤵
PID:10996

C:\Windows\System32\IyRMQbR.exe
C:\Windows\System32\IyRMQbR.exe
2⤵
PID:11020

C:\Windows\System32\RBsIldI.exe
C:\Windows\System32\RBsIldI.exe
2⤵
PID:11040

C:\Windows\System32\jiQaYXT.exe
C:\Windows\System32\jiQaYXT.exe
2⤵
PID:11060

C:\Windows\System32\LLzDEEd.exe
C:\Windows\System32\LLzDEEd.exe
2⤵
PID:11084

C:\Windows\System32\vxysNSg.exe
C:\Windows\System32\vxysNSg.exe
2⤵
PID:11128

C:\Windows\System32\PNisbDa.exe
C:\Windows\System32\PNisbDa.exe
2⤵
PID:11148

C:\Windows\System32\avmEUoI.exe
C:\Windows\System32\avmEUoI.exe
2⤵
PID:11172

C:\Windows\System32\nqKwKZr.exe
C:\Windows\System32\nqKwKZr.exe
2⤵
PID:11220

C:\Windows\System32\dooFluM.exe
C:\Windows\System32\dooFluM.exe
2⤵
PID:11248

C:\Windows\System32\lSdcLtG.exe
C:\Windows\System32\lSdcLtG.exe
2⤵
PID:9928

C:\Windows\System32\WnKRWAf.exe
C:\Windows\System32\WnKRWAf.exe
2⤵
PID:10268

C:\Windows\System32\lvixImL.exe
C:\Windows\System32\lvixImL.exe
2⤵
PID:10364

C:\Windows\System32\lrHKIDn.exe
C:\Windows\System32\lrHKIDn.exe
2⤵
PID:10416

C:\Windows\System32\MNlnRmr.exe
C:\Windows\System32\MNlnRmr.exe
2⤵
PID:10432

C:\Windows\System32\PzGxPAu.exe
C:\Windows\System32\PzGxPAu.exe
2⤵
PID:10540

C:\Windows\System32\ChJZKyz.exe
C:\Windows\System32\ChJZKyz.exe
2⤵
PID:10592

C:\Windows\System32\gpdATSR.exe
C:\Windows\System32\gpdATSR.exe
2⤵
PID:10624

C:\Windows\System32\BwVlqXy.exe
C:\Windows\System32\BwVlqXy.exe
2⤵
PID:10728

C:\Windows\System32\WoPZcsA.exe
C:\Windows\System32\WoPZcsA.exe
2⤵
PID:10800

C:\Windows\System32\CZjvEuZ.exe
C:\Windows\System32\CZjvEuZ.exe
2⤵
PID:10836

C:\Windows\System32\sAuncFG.exe
C:\Windows\System32\sAuncFG.exe
2⤵
PID:10856

C:\Windows\System32\uPljtdv.exe
C:\Windows\System32\uPljtdv.exe
2⤵
PID:10940

C:\Windows\System32\kXTnWPy.exe
C:\Windows\System32\kXTnWPy.exe
2⤵
PID:11048

C:\Windows\System32\PBLYWGh.exe
C:\Windows\System32\PBLYWGh.exe
2⤵
PID:11076

C:\Windows\System32\exbDpAE.exe
C:\Windows\System32\exbDpAE.exe
2⤵
PID:11112

C:\Windows\System32\fUWAaUF.exe
C:\Windows\System32\fUWAaUF.exe
2⤵
PID:11244

C:\Windows\System32\UZbkQyO.exe
C:\Windows\System32\UZbkQyO.exe
2⤵
PID:11256

C:\Windows\System32\OXSQLlJ.exe
C:\Windows\System32\OXSQLlJ.exe
2⤵
PID:9684

C:\Windows\System32\bxmcOKb.exe
C:\Windows\System32\bxmcOKb.exe
2⤵
PID:10436

C:\Windows\System32\eIpWZCx.exe
C:\Windows\System32\eIpWZCx.exe
2⤵
PID:10556

C:\Windows\System32\AxEhXrM.exe
C:\Windows\System32\AxEhXrM.exe
2⤵
PID:10924

C:\Windows\System32\xtpKZxa.exe
C:\Windows\System32\xtpKZxa.exe
2⤵
PID:11092

C:\Windows\System32\GLPthyR.exe
C:\Windows\System32\GLPthyR.exe
2⤵
PID:11192

C:\Windows\System32\YXKWWAp.exe
C:\Windows\System32\YXKWWAp.exe
2⤵
PID:11260

C:\Windows\System32\DhVFuOp.exe
C:\Windows\System32\DhVFuOp.exe
2⤵
PID:10828

C:\Windows\System32\jqgbXvl.exe
C:\Windows\System32\jqgbXvl.exe
2⤵
PID:10316

C:\Windows\System32\kBpVoyN.exe
C:\Windows\System32\kBpVoyN.exe
2⤵
PID:10760

C:\Windows\System32\QPxfBhr.exe
C:\Windows\System32\QPxfBhr.exe
2⤵
PID:10812

C:\Windows\System32\TnwbBXD.exe
C:\Windows\System32\TnwbBXD.exe
2⤵
PID:11284

C:\Windows\System32\CVAtxof.exe
C:\Windows\System32\CVAtxof.exe
2⤵
PID:11308

C:\Windows\System32\RaESXAs.exe
C:\Windows\System32\RaESXAs.exe
2⤵
PID:11368

C:\Windows\System32\OQDSyDc.exe
C:\Windows\System32\OQDSyDc.exe
2⤵
PID:11384

C:\Windows\System32\tUqMEWV.exe
C:\Windows\System32\tUqMEWV.exe
2⤵
PID:11404

C:\Windows\System32\ZmhpCCA.exe
C:\Windows\System32\ZmhpCCA.exe
2⤵
PID:11424

C:\Windows\System32\qrlGMMB.exe
C:\Windows\System32\qrlGMMB.exe
2⤵
PID:11444

C:\Windows\System32\EzThmbw.exe
C:\Windows\System32\EzThmbw.exe
2⤵
PID:11476

C:\Windows\System32\RyZKwQt.exe
C:\Windows\System32\RyZKwQt.exe
2⤵
PID:11532

C:\Windows\System32\xbfrfNZ.exe
C:\Windows\System32\xbfrfNZ.exe
2⤵
PID:11556

C:\Windows\System32\aFtQrtZ.exe
C:\Windows\System32\aFtQrtZ.exe
2⤵
PID:11572

C:\Windows\System32\rSjiXUe.exe
C:\Windows\System32\rSjiXUe.exe
2⤵
PID:11592

C:\Windows\System32\WNsvQJi.exe
C:\Windows\System32\WNsvQJi.exe
2⤵
PID:11620

C:\Windows\System32\rtrWSuJ.exe
C:\Windows\System32\rtrWSuJ.exe
2⤵
PID:11644

C:\Windows\System32\xLxqCqU.exe
C:\Windows\System32\xLxqCqU.exe
2⤵
PID:11664

C:\Windows\System32\LUSlhQP.exe
C:\Windows\System32\LUSlhQP.exe
2⤵
PID:11688

C:\Windows\System32\VHuHlDe.exe
C:\Windows\System32\VHuHlDe.exe
2⤵
PID:11724

C:\Windows\System32\wcBXCQh.exe
C:\Windows\System32\wcBXCQh.exe
2⤵
PID:11756

C:\Windows\System32\fAexHVn.exe
C:\Windows\System32\fAexHVn.exe
2⤵
PID:11776

C:\Windows\System32\DEPOqfy.exe
C:\Windows\System32\DEPOqfy.exe
2⤵
PID:11800

C:\Windows\System32\ztzMroo.exe
C:\Windows\System32\ztzMroo.exe
2⤵
PID:11852

C:\Windows\System32\jXEFIYD.exe
C:\Windows\System32\jXEFIYD.exe
2⤵
PID:11880

C:\Windows\System32\qBiGjUd.exe
C:\Windows\System32\qBiGjUd.exe
2⤵
PID:11900

C:\Windows\System32\JCpPHEQ.exe
C:\Windows\System32\JCpPHEQ.exe
2⤵
PID:11936

C:\Windows\System32\izSWbvf.exe
C:\Windows\System32\izSWbvf.exe
2⤵
PID:11956

C:\Windows\System32\oqUBsNd.exe
C:\Windows\System32\oqUBsNd.exe
2⤵
PID:11984

C:\Windows\System32\NjvVFmR.exe
C:\Windows\System32\NjvVFmR.exe
2⤵
PID:12012

C:\Windows\System32\insONvZ.exe
C:\Windows\System32\insONvZ.exe
2⤵
PID:12040

C:\Windows\System32\CeOtWVG.exe
C:\Windows\System32\CeOtWVG.exe
2⤵
PID:12076

C:\Windows\System32\sdLiHnr.exe
C:\Windows\System32\sdLiHnr.exe
2⤵
PID:12104

C:\Windows\System32\WZOLRRl.exe
C:\Windows\System32\WZOLRRl.exe
2⤵
PID:12128

C:\Windows\System32\egWhxOb.exe
C:\Windows\System32\egWhxOb.exe
2⤵
PID:12152

C:\Windows\System32\xCoGEfD.exe
C:\Windows\System32\xCoGEfD.exe
2⤵
PID:12168

C:\Windows\System32\sjgBJqV.exe
C:\Windows\System32\sjgBJqV.exe
2⤵
PID:12200

C:\Windows\System32\wzgiFkQ.exe
C:\Windows\System32\wzgiFkQ.exe
2⤵
PID:12232

C:\Windows\System32\WvxehfW.exe
C:\Windows\System32\WvxehfW.exe
2⤵
PID:12284

C:\Windows\System32\OtgjcOP.exe
C:\Windows\System32\OtgjcOP.exe
2⤵
PID:11292

C:\Windows\System32\tjNPhjJ.exe
C:\Windows\System32\tjNPhjJ.exe
2⤵
PID:11340

C:\Windows\System32\VsWnfxQ.exe
C:\Windows\System32\VsWnfxQ.exe
2⤵
PID:11392

C:\Windows\System32\MdOfSni.exe
C:\Windows\System32\MdOfSni.exe
2⤵
PID:11496

C:\Windows\System32\TSBROQO.exe
C:\Windows\System32\TSBROQO.exe
2⤵
PID:11604

C:\Windows\System32\zbeTwVw.exe
C:\Windows\System32\zbeTwVw.exe
2⤵
PID:11600

C:\Windows\System32\fimxKsC.exe
C:\Windows\System32\fimxKsC.exe
2⤵
PID:11680

C:\Windows\System32\gQmmJeA.exe
C:\Windows\System32\gQmmJeA.exe
2⤵
PID:11696

C:\Windows\System32\GtzsERO.exe
C:\Windows\System32\GtzsERO.exe
2⤵
PID:11828

C:\Windows\System32\fJEvwdm.exe
C:\Windows\System32\fJEvwdm.exe
2⤵
PID:11844

C:\Windows\System32\dFUoDsf.exe
C:\Windows\System32\dFUoDsf.exe
2⤵
PID:11980

C:\Windows\System32\smspNqA.exe
C:\Windows\System32\smspNqA.exe
2⤵
PID:12036

C:\Windows\System32\TDCSbNa.exe
C:\Windows\System32\TDCSbNa.exe
2⤵
PID:12124

C:\Windows\System32\fwasBlc.exe
C:\Windows\System32\fwasBlc.exe
2⤵
PID:12112

C:\Windows\System32\thfdiGx.exe
C:\Windows\System32\thfdiGx.exe
2⤵
PID:3464

C:\Windows\System32\EZvZkcD.exe
C:\Windows\System32\EZvZkcD.exe
2⤵
PID:12220

C:\Windows\System32\ZrLWvmY.exe
C:\Windows\System32\ZrLWvmY.exe
2⤵
PID:12264

C:\Windows\System32\mkObQlx.exe
C:\Windows\System32\mkObQlx.exe
2⤵
PID:11396

C:\Windows\System32\ahhIZht.exe
C:\Windows\System32\ahhIZht.exe
2⤵
PID:11452

C:\Windows\System32\RdfTeyO.exe
C:\Windows\System32\RdfTeyO.exe
2⤵
PID:11484

C:\Windows\System32\qoOBhNp.exe
C:\Windows\System32\qoOBhNp.exe
2⤵
PID:11796

C:\Windows\System32\UshxFYX.exe
C:\Windows\System32\UshxFYX.exe
2⤵
PID:11872

C:\Windows\System32\ivaYGEN.exe
C:\Windows\System32\ivaYGEN.exe
2⤵
PID:12004

C:\Windows\System32\lcugaut.exe
C:\Windows\System32\lcugaut.exe
2⤵
PID:12116

C:\Windows\System32\nAqvNMQ.exe
C:\Windows\System32\nAqvNMQ.exe
2⤵
PID:12160

C:\Windows\System32\CmsoCox.exe
C:\Windows\System32\CmsoCox.exe
2⤵
PID:12272

C:\Windows\System32\ZexSUHE.exe
C:\Windows\System32\ZexSUHE.exe
2⤵
PID:11432

C:\Windows\System32\ateLPfP.exe
C:\Windows\System32\ateLPfP.exe
2⤵
PID:3060

C:\Windows\System32\bOyOQfi.exe
C:\Windows\System32\bOyOQfi.exe
2⤵
PID:12300

C:\Windows\System32\rhhtKth.exe
C:\Windows\System32\rhhtKth.exe
2⤵
PID:12324

C:\Windows\System32\ZxUreDk.exe
C:\Windows\System32\ZxUreDk.exe
2⤵
PID:12340

C:\Windows\System32\JBfAbnq.exe
C:\Windows\System32\JBfAbnq.exe
2⤵
PID:12384

C:\Windows\System32\gHFzpez.exe
C:\Windows\System32\gHFzpez.exe
2⤵
PID:12408

C:\Windows\System32\aJEbFVg.exe
C:\Windows\System32\aJEbFVg.exe
2⤵
PID:12432

C:\Windows\System32\mHmSFGa.exe
C:\Windows\System32\mHmSFGa.exe
2⤵
PID:12472

C:\Windows\System32\GMgKJto.exe
C:\Windows\System32\GMgKJto.exe
2⤵
PID:12500

C:\Windows\System32\wHiVYLA.exe
C:\Windows\System32\wHiVYLA.exe
2⤵
PID:12520

C:\Windows\System32\ICdGgOr.exe
C:\Windows\System32\ICdGgOr.exe
2⤵
PID:12556

C:\Windows\System32\FBwHeWk.exe
C:\Windows\System32\FBwHeWk.exe
2⤵
PID:12572

C:\Windows\System32\jCOePOQ.exe
C:\Windows\System32\jCOePOQ.exe
2⤵
PID:12600

C:\Windows\System32\aAgmtrF.exe
C:\Windows\System32\aAgmtrF.exe
2⤵
PID:12628

C:\Windows\System32\jrWOKUo.exe
C:\Windows\System32\jrWOKUo.exe
2⤵
PID:12648

C:\Windows\System32\BmMNEbH.exe
C:\Windows\System32\BmMNEbH.exe
2⤵
PID:12680

C:\Windows\System32\kiDtKgv.exe
C:\Windows\System32\kiDtKgv.exe
2⤵
PID:12724

C:\Windows\System32\hzRiIKf.exe
C:\Windows\System32\hzRiIKf.exe
2⤵
PID:12776

C:\Windows\System32\kCymjew.exe
C:\Windows\System32\kCymjew.exe
2⤵
PID:12796

C:\Windows\System32\TkTzisl.exe
C:\Windows\System32\TkTzisl.exe
2⤵
PID:12836

C:\Windows\System32\aOFhQVu.exe
C:\Windows\System32\aOFhQVu.exe
2⤵
PID:12852

C:\Windows\System32\iMIGhKY.exe
C:\Windows\System32\iMIGhKY.exe
2⤵
PID:12868

C:\Windows\System32\oUEUUtn.exe
C:\Windows\System32\oUEUUtn.exe
2⤵
PID:12888

C:\Windows\System32\lMQBATL.exe
C:\Windows\System32\lMQBATL.exe
2⤵
PID:12924

C:\Windows\System32\urPSixR.exe
C:\Windows\System32\urPSixR.exe
2⤵
PID:12972

C:\Windows\System32\rgeslEW.exe
C:\Windows\System32\rgeslEW.exe
2⤵
PID:12992

C:\Windows\System32\BKJiwSs.exe
C:\Windows\System32\BKJiwSs.exe
2⤵
PID:13008

C:\Windows\System32\ZJYDafz.exe
C:\Windows\System32\ZJYDafz.exe
2⤵
PID:13028

C:\Windows\System32\juirjJa.exe
C:\Windows\System32\juirjJa.exe
2⤵
PID:13052

C:\Windows\System32\NgdfboS.exe
C:\Windows\System32\NgdfboS.exe
2⤵
PID:13116

C:\Windows\System32\jHBlHvX.exe
C:\Windows\System32\jHBlHvX.exe
2⤵
PID:13136

C:\Windows\System32\hfGytce.exe
C:\Windows\System32\hfGytce.exe
2⤵
PID:13160

C:\Windows\System32\bENDXXu.exe
C:\Windows\System32\bENDXXu.exe
2⤵
PID:13176

C:\Windows\System32\jNKNurI.exe
C:\Windows\System32\jNKNurI.exe
2⤵
PID:13200

C:\Windows\System32\CiYxzbz.exe
C:\Windows\System32\CiYxzbz.exe
2⤵
PID:13244

C:\Windows\System32\aDvIHNV.exe
C:\Windows\System32\aDvIHNV.exe
2⤵
PID:13276

C:\Windows\System32\semadtG.exe
C:\Windows\System32\semadtG.exe
2⤵
PID:13304

C:\Windows\System32\PuUgsFH.exe
C:\Windows\System32\PuUgsFH.exe
2⤵
PID:11812

C:\Windows\System32\oekimGl.exe
C:\Windows\System32\oekimGl.exe
2⤵
PID:11588

C:\Windows\System32\ZUGrxrd.exe
C:\Windows\System32\ZUGrxrd.exe
2⤵
PID:12332

C:\Windows\System32\WOHZEWm.exe
C:\Windows\System32\WOHZEWm.exe
2⤵
PID:12428

C:\Windows\System32\ZpTKmeP.exe
C:\Windows\System32\ZpTKmeP.exe
2⤵
PID:12548

C:\Windows\System32\YfQLQYo.exe
C:\Windows\System32\YfQLQYo.exe
2⤵
PID:12644

C:\Windows\System32\aMjPfEs.exe
C:\Windows\System32\aMjPfEs.exe
2⤵
PID:12636

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4996

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\ATYCZKC.exe
Filesize
1.3MB

MD5
6858a0692f2c30f2e1287d52eab762ff

SHA1
4e2fd450d3a37e552898aa66b157d6b021df9db3

SHA256
f5dbea6444ea75cb79f70d7287c357c150544c3f2de1592277ea23d9f7508932

SHA512
ff5f96e5fdb74dcb35a1d0d7e2936bc9236470a186c910469255b1ec6e06c9355fd0247fa1e5de27a4172a3c0c5d6cb4f5c91d4e4dfb9656c7adce10090e7f42

Download Submit
C:\Windows\System32\ExTPqps.exe
Filesize
1.3MB

MD5
a0482440b663e51c151b15913a8c7a67

SHA1
fb64f33e8d51e3c49180c8ac4a240cfedea06d44

SHA256
2f14369bda6ad91e3ac9bab35f0c106ef8f829f9efda265b79ec6b2369d665d5

SHA512
5875580b80e19415e42510e90f87f93d4ca9ddc8fe987201c885e7bc890504fe61bab03ad0cbb0f57cce858b1f03d30bfab15d0f2cfe04375917175f582ccb76

Download Submit
C:\Windows\System32\FsQiUqY.exe
Filesize
1.3MB

MD5
26b3b8a74d85e2e32d4da6a17c31c124

SHA1
1110c101aae4ba7466051696d3643f35784bb2eb

SHA256
3f2f0dab95f5033191a9a2fdaa2d7cc0b7b83d65043fc0bbd2b86d7383bc606c

SHA512
624d2f1b480dd2a75b881f8638c973b4ecab20ef90074800ccd71587732e265890cb6b1c6569b3c23535aab809d49cba9468d1510c6a8011969d80960bd50eec

Download Submit
C:\Windows\System32\IJXJhCm.exe
Filesize
1.3MB

MD5
cf7af09ef1d98fccd75a3ba8846438c1

SHA1
cb844d75e670b349f02fc59e002e460eb01aa6dd

SHA256
9d058f63560425c63673b5821382ca9a814cfca3b184246ee0101cbde7c0d4d1

SHA512
7761432e1254b98f37c018cfc126fb2f85a8903061ee41275f0c8d6e400e6b0c4b4205f32c8f535265570e71f27d17420ef676bdcdd3d0c22487aa6bf07f0fdf

Download Submit
C:\Windows\System32\IiwzqRX.exe
Filesize
1.3MB

MD5
4ca22a01abeaf0aa1eade1897cea0207

SHA1
657ebd94980546ddf5416d47293f8d8cf2808698

SHA256
44fd363bee2e36cef78b7282810cb184236c2f419e28f3e47a5aacad8546e714

SHA512
97146a31d05eb72cb9173f5e8a39b4f65464dcde560a5dc931b72d5151769ed969b2c3f332f5045197474222c94414d79fb508415eed7db627f00df21b5d3a6b

Download Submit
C:\Windows\System32\MbeQVoo.exe
Filesize
1.3MB

MD5
bf4d704ca9b3a347af13710a70e3bf20

SHA1
5e95655c3ca32a3af0293d5c6568c2212ccb116a

SHA256
c60e60a2850ee51ec65dc00fe5d6f0bba3af98c33a879dc006f4f44715360f61

SHA512
35d199db80bba458a106e8c4825b14b1b56c03b3150f5ed3b92ffe406273569feb4f8e8a0d516209140a744dd89ead5cc8d225d11f26d61efbb1cb59f3c906df

Download Submit
C:\Windows\System32\PahIpAb.exe
Filesize
1.3MB

MD5
b35cd12dab04ad22842c67636a5ddebc

SHA1
702a6b8c4ed99b4a2ca141098241b637e1f06644

SHA256
b5f966fa9f54244d56d225274e5f9aef793894a7142004d74205302822e6c95c

SHA512
2f797be28006dce5b6392f950d1f496a7ed4f25e6be3b0b47f7f012ae395909ac2a20495128d0a61406f8b63bd2bc2d7ef5c5f75e374d454668e70c5a419a8e5

Download Submit
C:\Windows\System32\QBinvvq.exe
Filesize
1.3MB

MD5
7797fcc3d6d80f4a0c8b9ef5600c1992

SHA1
73f568ee7d5801c021608e8cce369fe6c374b6d3

SHA256
4e3408e8518a0d8cf5c3dd1e7f9e167a06646453a5466bf792c73fbbdb200083

SHA512
7616dcf8cce6dbdacf187e634c94dd96064b6b6938045aeeb3b7f4c7bc6ee1ae534c9f4ba58a5f20b12a2039d89d56b9831414ccab457ae35a03fe08c083fc79

Download Submit
C:\Windows\System32\SgOjykB.exe
Filesize
1.3MB

MD5
bcdef405d26d4fa1c83416f556e97e23

SHA1
dd33985aae02cdba4e0677ac5276d07921072cd2

SHA256
e5b615a11d813d6b564784047d433d6ad202b95628f5798087427ea86a5b4a3f

SHA512
02e16577b316524e9ed352977c81f2511930018533891cab02c620d04fefbc25d2b6297b631adfc7fad06e81a3bfe7f09aede414bc3b62d792aac0fa9424ab58

Download Submit
C:\Windows\System32\WJylISI.exe
Filesize
1.3MB

MD5
4cf3b4f0ab97287045aa66d0373eed12

SHA1
271add5ffb196137a4ad28420554c8507fa7b9d7

SHA256
4182d7fdedc004b4a26174501152691aaf76da21c331be8194e3724b7931e687

SHA512
d4f0635a9e549bd46f406274a9a3f285bb11e301e03ca9fc7c5fc784b6753f166c31f9610c9e150dd37e9ff14cc8c47191377bbe164f9217043578037954e70d

Download Submit
C:\Windows\System32\ZgSCYDv.exe
Filesize
1.3MB

MD5
dfb523b208839f8605bdfcb8beceaf17

SHA1
7f6fefc811072bd6eac29636ec0f5305843612fc

SHA256
4b46e8bfa833e0eb77e9c0f4677b47b1b8c3e3e745103f82411eef765e4f3d4d

SHA512
4292b2481ad3a7412eebd4e1c5a1fcde9a7c24bd2ecff68f9733bc6b1f70c6aac997368ad4945e5f358a36cfe72ce5a3b6e63d375e6750893b79a9973e09b2fc

Download Submit
C:\Windows\System32\cgJvcMt.exe
Filesize
1.3MB

MD5
8677050be97907b7e661037895877ffa

SHA1
216dc3b015c6706f28307e69d24b355e99160f90

SHA256
6c8d60630e9563c044636212edb31c9a8be07de4890d45a52d04f3c563e27401

SHA512
543d5c941478e39b9d58c30d83422a25fee01632ff723cff77cd682114368033b18f7c955ece1d33d129531b728ea766d4e08253f6f93ba44dc87800b3af7921

Download Submit
C:\Windows\System32\cwylglQ.exe
Filesize
1.3MB

MD5
46473aceb015cd4dbe226c4f0d2e1e55

SHA1
96c4c8abc81bcfd4c319e4d2443038435f707aeb

SHA256
12d5b4772bbc6677fff93b42286f5d76ac95c8a6f3324d78218f93bc7d219418

SHA512
35088c5c8b6f5601e7af04b14bd5273397b7c35863b4e0bdfb4706eced261d142affa8dc244dc04fd5ff95a794b88daa82c4da3e54f5bb45ab6549187a939891

Download Submit
C:\Windows\System32\cxTPcOU.exe
Filesize
1.3MB

MD5
0339afbdc5e0836a6f1ad9217564170e

SHA1
bf09aff160f8d2b540434b68c81349a411fad3e6

SHA256
8511fb3be509ff2f1c927c8f1b13f8bb69482ae031a175235c5c0eb896d302cf

SHA512
ac13f4c72092cb870b0a8427fe91f6ff693443a3694fb64bfa2be50d9bdd403fb5723784b53913382d7dcbe063d547def0a3559a22dcad7ea1b0948444c3f915

Download Submit
C:\Windows\System32\faTLrUu.exe
Filesize
1.3MB

MD5
923fd15286aeac5dba5431290b22e059

SHA1
ab5d35192083f80fb7c53dca0e03bb748dcf92e9

SHA256
0a32de78407478f1d944bc7cec3c64c6360365ba0592aecce238edc6cba4dec0

SHA512
8178f73640d5add50efb1d7c2b17c278a18fe24282d28abe013d22789348da27495032d3bbc9cf71e27edbf24faf8486bb9b76677d18d34c12cb6c1d8dfdac76

Download Submit
C:\Windows\System32\hdDSITU.exe
Filesize
1.3MB

MD5
e8dabf85a5c6dd2c910fce0fd159733f

SHA1
46b1c9c9ba873469d28688d2d782c85427919006

SHA256
7aac65e17d7cccea6a99a78c34f317e4eef8ef5cc8fdcc9d11a5f41fce96970f

SHA512
853344381f2206236cf4b1d695b61597ce9f6b6c439779064aba7d89d48c522d4e27dac9f1c77ea29c659405307737d20f26862f786053c52127ffba9a8ea47f

Download Submit
C:\Windows\System32\irMCMSs.exe
Filesize
1.3MB

MD5
f805c324d3b431079efd4e218243d16e

SHA1
8b5da4a8db0a6e58a8b7ce6e02218f2da597bf67

SHA256
3d64d6c008890386761b7e374ea8c7b78636489aa56948e118880c36e509cf6a

SHA512
b14c3ebf9d11ca578b5d5961eb651d49118d49b78512e8e68e887f8c51d0b4a0d17ad81d878ede5d5444b80638751f7fa8fd3030803bc79f7891ac321f0f8a42

Download Submit
C:\Windows\System32\jGJYNen.exe
Filesize
1.3MB

MD5
72651a3f0cf732f3f94733d741b2e559

SHA1
b4c920aabb4ce7a560af2dc86b0cadff70e026ab

SHA256
0d5d941a12c27b02bc45b47a578f25bd87de07d51abcf53e149312ec4f777688

SHA512
72f8a84f23929d92ef2f54932b8d2351915ad625f9715b9359004303a6e0264de9a1fb6089ec82d3776a6800e53ecf212a6187c258d81b5f3fdf489a5b30c504

Download Submit
C:\Windows\System32\jrbPYVn.exe
Filesize
1.3MB

MD5
f77a4770dd1d35684985045410d0fcc8

SHA1
e1fffcb9c554f0e9e5e62d378715d23fabee306b

SHA256
6ec9aabd6cdc13d39f93c782028a5cbb4a182e69b04846021b62dc692edc3903

SHA512
3136c8a1062fcaaa658ba6343da8f61553452bd9d8e60f2061b52fce445dab89830a02038de58b311142d716e72ebfd912700316e2018387ceb404d171f3232c

Download Submit
C:\Windows\System32\lHiMePC.exe
Filesize
1.3MB

MD5
df91173ef403e27e4fadd9652fe0617a

SHA1
6c0192f235abd24e0e7335e70e00347dd3a25442

SHA256
fa4e5459ee743e5fa8f38c52500b76e0423bcfcd95c8cf16b174499b61188429

SHA512
338780d5597055230c49a79863c8dcba447c281e598a86f5d74d9d939b8825d73cf833744a2869f599993f32695e69cc4a3ba3bc0b62876dd6e2335420b795a2

Download Submit
C:\Windows\System32\njUTTbZ.exe
Filesize
1.3MB

MD5
5f629b899a80fa6d5118da0d3545e1bd

SHA1
1b45ae5dc511266710a38a9986981e8be7c97b09

SHA256
f0713d1f296128500a5988303ef682ecd2919c473e6117f3ab712117d91e4ca1

SHA512
6460c83d25b7b632e5d257fe2c2a9dc6cefe64bcf0ac083bcf93f5367b7f84eec01e30da93c818ca307d9eb7fe683fd136189f4724d70feb555ce8014fb8d747

Download Submit
C:\Windows\System32\oenUrEr.exe
Filesize
1.3MB

MD5
35b6fb950d31b8d6264426814a56ce96

SHA1
d8c194eaa7bc50f85016bdebfeea36147d1baf07

SHA256
9c4a49b16fb4eb1f4a71346f5c527b348de6f16a7f8df0b04bc4d820fa21e33c

SHA512
1acc170b8b0fabf49dad3c147927b60d192dfbbe8ae437f6072639f9a859912689f833636c1dffc61d1aded9988b8bd4670d4f06344ac74dc6e39a2ec98a80ca

Download Submit
C:\Windows\System32\ouCvIiZ.exe
Filesize
1.3MB

MD5
6416cefea42559f47890c8eac0bca306

SHA1
3022a7b3b019bfe664b5b2ee1766477786a9eeac

SHA256
9b03beb813d6fb1b729392d6bf7f9eb14d117a4ee7edfb655f1e01dfd681b192

SHA512
01695be6377c8ecfc5ff4716ad8e57f5a9475459a3350a609a86a4e2641ab96309174cab16b549c8704ad10cf819b7a8301bfdc4bd51e108ce35ba829ba014ea

Download Submit
C:\Windows\System32\oxTQDAf.exe
Filesize
1.3MB

MD5
e9a5c13d970f83071a7f672fb5fab756

SHA1
6deb4b4b3372964131c5b9edfa3847cc2ab40009

SHA256
8f1ebf8de391f3df8dc5fab06018be698891ebc9baf0b664b0a60b261bbd50d2

SHA512
c562d02eeb9252ec090584d9f2e2ff285f4162a58e9f23671405ad716cc6623bfaaa283a3d21cb3b0500e4974faa05385c70cc8dad4c640269e39956ed54b3c6

Download Submit
C:\Windows\System32\qAKoSgh.exe
Filesize
1.3MB

MD5
24366cbc63c270a9baa6e8d38775262a

SHA1
4bf590cdb59fca02dcc84cdb1216b4cc3421b1a9

SHA256
18e30cf76871c5654069c70c8bfe207edcddc74759638cd72f3eadc423b92db4

SHA512
2b8b18c6c48bdc88beecd7cc92f92095e46b1643f09b2047cf9cddd102b7bdf7414dd2932a1d80c65a24661ba2daada596ba17ca0223629ca43e65de9eb1d3c9

Download Submit
C:\Windows\System32\qDPntCP.exe
Filesize
1.3MB

MD5
46684d5dea0c1836f5e811bd531d66db

SHA1
8abfaa961aeab235aeb97320fe651fe303fc0e8c

SHA256
141e017a80139be75e309a8f49a37df34a562012a299effc30c45899a49595a3

SHA512
8454e507352d5d3336c72f4fbacf4990dd97c68ca2f1f7ac98ba9f2b9d096e3b1f90e42ba563b3f2cb0ed87935207dd3ec900f6b21d2fa1fdb39aff4f906f659

Download Submit
C:\Windows\System32\tfRVhtV.exe
Filesize
1.3MB

MD5
6013f77333e21cb56ae1a0bf1e45a462

SHA1
0584686ee84ba1b1dc83baf58573fe16f937b32a

SHA256
cfbf95acd989b1e185d5a06dc7fb31028766c915181b6eece86632846dd2ecfc

SHA512
dd1dd3f73b839ba27987285065476073f79bd8c1bb2d614cde72d4f88fdd4f733dbdd1d8a8ce8001c3cb66bf14ea30bb59d2182279b02ad9ea0c286d7eb3d722

Download Submit
C:\Windows\System32\tjnwtCK.exe
Filesize
1.3MB

MD5
9419f61cedd9fc0797b8441d4b06ecf0

SHA1
0022fd95b71ede0a90542f6779014c7be852f074

SHA256
fd7dad52ee7e13345faca02b813987a99b699f7419b6216ab57410ac97177797

SHA512
bcf5ff905c9b5c443aa47a55feab06e511986e8f24504071562b4093130b014bdde337f968467242519b7b7299d21e63eae32dfcace2256b7a1c663f97925ecf

Download Submit
C:\Windows\System32\uJgqOCi.exe
Filesize
1.3MB

MD5
9e4652cd26158def8521e5e5f95026b3

SHA1
b5b798a45cefb2b813b591beffcdf7b965530db1

SHA256
bd52a27efb98174ee12ce69251529114f552a463b48d6696562c67e171112364

SHA512
6c11bad932649596e5ced47699c46cbe3f2ca93d3d3d5e8109156c4610c84d697c0669d1acf8668a9be3eb55b487efe3d1ebddf54269e50d31abe837657832c6

Download Submit
C:\Windows\System32\uqqmkIS.exe
Filesize
1.3MB

MD5
bb90455f927fc4420d7fa4cba0693a5a

SHA1
db6090258ad1b2329be6e7c2d2dc79bb825ec99a

SHA256
529f2d80e442a30ec2ea9a4478531987268a6e86740ef888a43f539aec5809e5

SHA512
bb24672416b91116eb636765f2663f1650e99b0f29d341114a988396aea18db522e066d430d841413382943cf4d9571d05281f83628793a5c05ce803c5a93e4a

Download Submit
C:\Windows\System32\wWuNZlw.exe
Filesize
1.3MB

MD5
1606cd5319f629a2e7e28bfe9c823d2a

SHA1
0003dd8ef196b9d004b701d323dc8874aab89655

SHA256
a4503be6d791ecac4087d3af8ded9fd8b0811526f4e12382cf64037690bfc816

SHA512
d12a902dcdaf09104df25a3383ba45290c1bd7fa9c4c0850a20d7d170de900c9541cc9f10441e5ab33f0d83328b3832ca0025cae3dab3edbefd0055e52482d97

Download Submit
C:\Windows\System32\zIjZRrN.exe
Filesize
1.3MB

MD5
b329ddcfbdc46cc525d667a6b369e020

SHA1
c3ff323df9160cbc13df7ee7ade9485a743a5584

SHA256
a8140b286b3b55846da15ec6778abfe514348c21cbd112fe194f7150bfabbc9f

SHA512
4c265f2abdbc2c1c1fe46866f666d71e868682b8eef37a82967f453582061321e1683b47a60aa5b041d278bbfbd7943c48aef9deba75170b5514d7dbd1768f9c

Download Submit
memory/1076-389-0x00007FF61EF60000-0x00007FF61F351000-memory.dmp

Filesize
3.9MB

Download
memory/1076-2078-0x00007FF61EF60000-0x00007FF61F351000-memory.dmp

Filesize
3.9MB

Download
memory/1092-2082-0x00007FF70F640000-0x00007FF70FA31000-memory.dmp

Filesize
3.9MB

Download
memory/1092-394-0x00007FF70F640000-0x00007FF70FA31000-memory.dmp

Filesize
3.9MB

Download
memory/1300-2106-0x00007FF7B90D0000-0x00007FF7B94C1000-memory.dmp

Filesize
3.9MB

Download
memory/1300-475-0x00007FF7B90D0000-0x00007FF7B94C1000-memory.dmp

Filesize
3.9MB

Download
memory/1688-2096-0x00007FF7D85B0000-0x00007FF7D89A1000-memory.dmp

Filesize
3.9MB

Download
memory/1688-457-0x00007FF7D85B0000-0x00007FF7D89A1000-memory.dmp

Filesize
3.9MB

Download
memory/1892-385-0x00007FF6F9260000-0x00007FF6F9651000-memory.dmp

Filesize
3.9MB

Download
memory/1892-2072-0x00007FF6F9260000-0x00007FF6F9651000-memory.dmp

Filesize
3.9MB

Download
memory/2104-2101-0x00007FF6288E0000-0x00007FF628CD1000-memory.dmp

Filesize
3.9MB

Download
memory/2104-444-0x00007FF6288E0000-0x00007FF628CD1000-memory.dmp

Filesize
3.9MB

Download
memory/2396-2066-0x00007FF686540000-0x00007FF686931000-memory.dmp

Filesize
3.9MB

Download
memory/2396-419-0x00007FF686540000-0x00007FF686931000-memory.dmp

Filesize
3.9MB

Download
memory/2640-2070-0x00007FF7199B0000-0x00007FF719DA1000-memory.dmp

Filesize
3.9MB

Download
memory/2640-386-0x00007FF7199B0000-0x00007FF719DA1000-memory.dmp

Filesize
3.9MB

Download
memory/2792-2058-0x00007FF62B150000-0x00007FF62B541000-memory.dmp

Filesize
3.9MB

Download
memory/2792-384-0x00007FF62B150000-0x00007FF62B541000-memory.dmp

Filesize
3.9MB

Download
memory/2792-2028-0x00007FF62B150000-0x00007FF62B541000-memory.dmp

Filesize
3.9MB

Download
memory/3064-437-0x00007FF7B7CC0000-0x00007FF7B80B1000-memory.dmp

Filesize
3.9MB

Download
memory/3064-2089-0x00007FF7B7CC0000-0x00007FF7B80B1000-memory.dmp

Filesize
3.9MB

Download
memory/3220-24-0x00007FF7CC110000-0x00007FF7CC501000-memory.dmp

Filesize
3.9MB

Download
memory/3220-2062-0x00007FF7CC110000-0x00007FF7CC501000-memory.dmp

Filesize
3.9MB

Download
memory/3276-2060-0x00007FF6921A0000-0x00007FF692591000-memory.dmp

Filesize
3.9MB

Download
memory/3276-482-0x00007FF6921A0000-0x00007FF692591000-memory.dmp

Filesize
3.9MB

Download
memory/3528-449-0x00007FF6569E0000-0x00007FF656DD1000-memory.dmp

Filesize
3.9MB

Download
memory/3528-2099-0x00007FF6569E0000-0x00007FF656DD1000-memory.dmp

Filesize
3.9MB

Download
memory/3616-464-0x00007FF7E7AC0000-0x00007FF7E7EB1000-memory.dmp

Filesize
3.9MB

Download
memory/3616-2111-0x00007FF7E7AC0000-0x00007FF7E7EB1000-memory.dmp

Filesize
3.9MB

Download
memory/3720-2084-0x00007FF6C2770000-0x00007FF6C2B61000-memory.dmp

Filesize
3.9MB

Download
memory/3720-387-0x00007FF6C2770000-0x00007FF6C2B61000-memory.dmp

Filesize
3.9MB

Download
memory/3864-426-0x00007FF6BAB40000-0x00007FF6BAF31000-memory.dmp

Filesize
3.9MB

Download
memory/3864-2091-0x00007FF6BAB40000-0x00007FF6BAF31000-memory.dmp

Filesize
3.9MB

Download
memory/3976-413-0x00007FF6F93A0000-0x00007FF6F9791000-memory.dmp

Filesize
3.9MB

Download
memory/3976-2068-0x00007FF6F93A0000-0x00007FF6F9791000-memory.dmp

Filesize
3.9MB

Download
memory/4200-465-0x00007FF7C4730000-0x00007FF7C4B21000-memory.dmp

Filesize
3.9MB

Download
memory/4200-2109-0x00007FF7C4730000-0x00007FF7C4B21000-memory.dmp

Filesize
3.9MB

Download
memory/4440-404-0x00007FF6AA090000-0x00007FF6AA481000-memory.dmp

Filesize
3.9MB

Download
memory/4440-2074-0x00007FF6AA090000-0x00007FF6AA481000-memory.dmp

Filesize
3.9MB

Download
memory/4460-0-0x00007FF79FF20000-0x00007FF7A0311000-memory.dmp

Filesize
3.9MB

Download
memory/4460-1-0x0000023A9FA90000-0x0000023A9FAA0000-memory.dmp

Filesize
64KB

Download
memory/4592-2076-0x00007FF7843F0000-0x00007FF7847E1000-memory.dmp

Filesize
3.9MB

Download
memory/4592-397-0x00007FF7843F0000-0x00007FF7847E1000-memory.dmp

Filesize
3.9MB

Download
memory/4752-15-0x00007FF6A80A0000-0x00007FF6A8491000-memory.dmp

Filesize
3.9MB

Download
memory/4752-2056-0x00007FF6A80A0000-0x00007FF6A8491000-memory.dmp

Filesize
3.9MB

Download
memory/4752-2031-0x00007FF6A80A0000-0x00007FF6A8491000-memory.dmp

Filesize
3.9MB

Download
memory/4940-423-0x00007FF636BB0000-0x00007FF636FA1000-memory.dmp

Filesize
3.9MB

Download
memory/4940-2087-0x00007FF636BB0000-0x00007FF636FA1000-memory.dmp

Filesize
3.9MB

Download
memory/5064-388-0x00007FF6AADE0000-0x00007FF6AB1D1000-memory.dmp

Filesize
3.9MB

Download
memory/5064-2080-0x00007FF6AADE0000-0x00007FF6AB1D1000-memory.dmp

Filesize
3.9MB

Download
memory/5104-484-0x00007FF75F370000-0x00007FF75F761000-memory.dmp

Filesize
3.9MB

Download
memory/5104-2064-0x00007FF75F370000-0x00007FF75F761000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads