xmrig | b375c8249a7230442cffbeaed81164df6a3b47706f4bae59fcb884ca64513aab

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27/04/2024, 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
Size

1.0MB
MD5

02dc0734d9ce0b5f90f5d74ad6a5c552
SHA1

6abfe8d7de423eb89c1f78e8132f14e10dd3248a
SHA256

b375c8249a7230442cffbeaed81164df6a3b47706f4bae59fcb884ca64513aab
SHA512

f25ac38a801d57416ca64aef53fde5612f10fc54bd934ed93e3fa261b4c1a9c467fdb0166c033b09fbb47c4a19c35eef6b1607b1be417c3bf9fb469f01ef8f82
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XCejaXH0:knw9oUUEEDlGUrMa0

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/1824-13-0x00007FF7C2620000-0x00007FF7C2A11000-memory.dmp	xmrig
behavioral2/memory/2116-392-0x00007FF62F180000-0x00007FF62F571000-memory.dmp	xmrig
behavioral2/memory/4076-399-0x00007FF72C7C0000-0x00007FF72CBB1000-memory.dmp	xmrig
behavioral2/memory/2560-400-0x00007FF6A00B0000-0x00007FF6A04A1000-memory.dmp	xmrig
behavioral2/memory/3616-398-0x00007FF71B3B0000-0x00007FF71B7A1000-memory.dmp	xmrig
behavioral2/memory/364-417-0x00007FF72BAF0000-0x00007FF72BEE1000-memory.dmp	xmrig
behavioral2/memory/4852-422-0x00007FF7396D0000-0x00007FF739AC1000-memory.dmp	xmrig
behavioral2/memory/4360-425-0x00007FF771CF0000-0x00007FF7720E1000-memory.dmp	xmrig
behavioral2/memory/1088-416-0x00007FF66BB10000-0x00007FF66BF01000-memory.dmp	xmrig
behavioral2/memory/4644-437-0x00007FF7E81D0000-0x00007FF7E85C1000-memory.dmp	xmrig
behavioral2/memory/2996-442-0x00007FF630870000-0x00007FF630C61000-memory.dmp	xmrig
behavioral2/memory/4920-440-0x00007FF6E1650000-0x00007FF6E1A41000-memory.dmp	xmrig
behavioral2/memory/720-445-0x00007FF70C330000-0x00007FF70C721000-memory.dmp	xmrig
behavioral2/memory/4208-448-0x00007FF7647C0000-0x00007FF764BB1000-memory.dmp	xmrig
behavioral2/memory/1572-446-0x00007FF618FE0000-0x00007FF6193D1000-memory.dmp	xmrig
behavioral2/memory/5048-444-0x00007FF654860000-0x00007FF654C51000-memory.dmp	xmrig
behavioral2/memory/2420-379-0x00007FF73ABE0000-0x00007FF73AFD1000-memory.dmp	xmrig
behavioral2/memory/4448-374-0x00007FF6AECA0000-0x00007FF6AF091000-memory.dmp	xmrig
behavioral2/memory/1824-1987-0x00007FF7C2620000-0x00007FF7C2A11000-memory.dmp	xmrig
behavioral2/memory/4416-1994-0x00007FF7BA4B0000-0x00007FF7BA8A1000-memory.dmp	xmrig
behavioral2/memory/2568-1996-0x00007FF719600000-0x00007FF7199F1000-memory.dmp	xmrig
behavioral2/memory/4908-1992-0x00007FF735D30000-0x00007FF736121000-memory.dmp	xmrig
behavioral2/memory/5096-1991-0x00007FF7DB370000-0x00007FF7DB761000-memory.dmp	xmrig
behavioral2/memory/5064-2013-0x00007FF63F160000-0x00007FF63F551000-memory.dmp	xmrig
behavioral2/memory/1184-2012-0x00007FF61AB10000-0x00007FF61AF01000-memory.dmp	xmrig
behavioral2/memory/1824-2032-0x00007FF7C2620000-0x00007FF7C2A11000-memory.dmp	xmrig
behavioral2/memory/2996-2034-0x00007FF630870000-0x00007FF630C61000-memory.dmp	xmrig
behavioral2/memory/5096-2036-0x00007FF7DB370000-0x00007FF7DB761000-memory.dmp	xmrig
behavioral2/memory/4448-2038-0x00007FF6AECA0000-0x00007FF6AF091000-memory.dmp	xmrig
behavioral2/memory/5048-2044-0x00007FF654860000-0x00007FF654C51000-memory.dmp	xmrig
behavioral2/memory/720-2048-0x00007FF70C330000-0x00007FF70C721000-memory.dmp	xmrig
behavioral2/memory/4908-2046-0x00007FF735D30000-0x00007FF736121000-memory.dmp	xmrig
behavioral2/memory/2420-2050-0x00007FF73ABE0000-0x00007FF73AFD1000-memory.dmp	xmrig
behavioral2/memory/3616-2062-0x00007FF71B3B0000-0x00007FF71B7A1000-memory.dmp	xmrig
behavioral2/memory/364-2066-0x00007FF72BAF0000-0x00007FF72BEE1000-memory.dmp	xmrig
behavioral2/memory/2560-2072-0x00007FF6A00B0000-0x00007FF6A04A1000-memory.dmp	xmrig
behavioral2/memory/4852-2074-0x00007FF7396D0000-0x00007FF739AC1000-memory.dmp	xmrig
behavioral2/memory/4360-2071-0x00007FF771CF0000-0x00007FF7720E1000-memory.dmp	xmrig
behavioral2/memory/1088-2068-0x00007FF66BB10000-0x00007FF66BF01000-memory.dmp	xmrig
behavioral2/memory/4076-2064-0x00007FF72C7C0000-0x00007FF72CBB1000-memory.dmp	xmrig
behavioral2/memory/4208-2060-0x00007FF7647C0000-0x00007FF764BB1000-memory.dmp	xmrig
behavioral2/memory/4416-2058-0x00007FF7BA4B0000-0x00007FF7BA8A1000-memory.dmp	xmrig
behavioral2/memory/2116-2056-0x00007FF62F180000-0x00007FF62F571000-memory.dmp	xmrig
behavioral2/memory/5064-2052-0x00007FF63F160000-0x00007FF63F551000-memory.dmp	xmrig
behavioral2/memory/1572-2054-0x00007FF618FE0000-0x00007FF6193D1000-memory.dmp	xmrig
behavioral2/memory/4920-2077-0x00007FF6E1650000-0x00007FF6E1A41000-memory.dmp	xmrig
behavioral2/memory/4644-2082-0x00007FF7E81D0000-0x00007FF7E85C1000-memory.dmp	xmrig
behavioral2/memory/2568-2042-0x00007FF719600000-0x00007FF7199F1000-memory.dmp	xmrig
behavioral2/memory/1184-2040-0x00007FF61AB10000-0x00007FF61AF01000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1824	yydhGbq.exe
2996	eOjaewn.exe
5096	lWWbvgX.exe
5048	wsPNvKd.exe
4908	VponPAk.exe
1184	XGpKCPR.exe
720	gQKoyel.exe
4416	DvbtTqx.exe
5064	WjTjvzO.exe
2568	ddNMOYO.exe
4448	RFtUmfE.exe
2420	mLkPBdV.exe
2116	AWlhNlP.exe
3616	InOAxMj.exe
1572	djelQQc.exe
4208	ZEdsNBS.exe
4076	zmExrbM.exe
2560	HRRygSO.exe
1088	FITqKpu.exe
364	yHoNoKm.exe
4852	XDhjJSI.exe
4360	sSYDxVb.exe
4644	cwtPbpy.exe
4920	PEbjtFk.exe
2948	WKHIDUY.exe
1624	BdsDWnw.exe
4624	ffhOOtr.exe
4464	fyPCnyd.exe
3476	kHBoEgo.exe
2924	wPbaUpi.exe
1792	SFMeAMu.exe
3400	qRsKbaJ.exe
528	sRoAGRQ.exe
2044	KKtKHxb.exe
3412	UnUXMUK.exe
3432	YEOMbgj.exe
4588	EyXJlTL.exe
2300	hGzSvwC.exe
4728	dViHSwg.exe
4868	rqShsoz.exe
3632	YrbVXwH.exe
4468	qoLxvgg.exe
1900	YsjXhpn.exe
940	woeDAVU.exe
3560	YDLvfDE.exe
4488	pNNpaha.exe
1104	UKHQqLR.exe
4652	RWlMNrJ.exe
1156	PMyBxkO.exe
3928	yYPQeqP.exe
3788	VAxVpIc.exe
4272	YjUyQsI.exe
4824	oRCiTOk.exe
60	swpwmIL.exe
1796	ryvRHVt.exe
2076	CGhuHGH.exe
1380	UxxmgIo.exe
2872	bjfANPz.exe
2740	nRIkTsL.exe
4340	BCoroSl.exe
4176	LLJdWtb.exe
5012	XyPOsLR.exe
2856	jnwSNut.exe
2392	lguiwpJ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1432-0-0x00007FF628B00000-0x00007FF628EF1000-memory.dmp	upx
behavioral2/files/0x0008000000023427-8.dat	upx
behavioral2/files/0x0006000000023298-6.dat	upx
behavioral2/memory/1824-13-0x00007FF7C2620000-0x00007FF7C2A11000-memory.dmp	upx
behavioral2/files/0x000a0000000233ff-17.dat	upx
behavioral2/memory/4908-53-0x00007FF735D30000-0x00007FF736121000-memory.dmp	upx
behavioral2/memory/5064-59-0x00007FF63F160000-0x00007FF63F551000-memory.dmp	upx
behavioral2/files/0x0007000000023431-80.dat	upx
behavioral2/files/0x0007000000023435-96.dat	upx
behavioral2/files/0x000700000002343a-115.dat	upx
behavioral2/files/0x000700000002343f-140.dat	upx
behavioral2/files/0x0007000000023442-155.dat	upx
behavioral2/memory/2116-392-0x00007FF62F180000-0x00007FF62F571000-memory.dmp	upx
behavioral2/memory/4076-399-0x00007FF72C7C0000-0x00007FF72CBB1000-memory.dmp	upx
behavioral2/memory/2560-400-0x00007FF6A00B0000-0x00007FF6A04A1000-memory.dmp	upx
behavioral2/memory/3616-398-0x00007FF71B3B0000-0x00007FF71B7A1000-memory.dmp	upx
behavioral2/memory/364-417-0x00007FF72BAF0000-0x00007FF72BEE1000-memory.dmp	upx
behavioral2/memory/4852-422-0x00007FF7396D0000-0x00007FF739AC1000-memory.dmp	upx
behavioral2/memory/4360-425-0x00007FF771CF0000-0x00007FF7720E1000-memory.dmp	upx
behavioral2/memory/1088-416-0x00007FF66BB10000-0x00007FF66BF01000-memory.dmp	upx
behavioral2/memory/4644-437-0x00007FF7E81D0000-0x00007FF7E85C1000-memory.dmp	upx
behavioral2/memory/2996-442-0x00007FF630870000-0x00007FF630C61000-memory.dmp	upx
behavioral2/memory/4920-440-0x00007FF6E1650000-0x00007FF6E1A41000-memory.dmp	upx
behavioral2/memory/720-445-0x00007FF70C330000-0x00007FF70C721000-memory.dmp	upx
behavioral2/memory/4208-448-0x00007FF7647C0000-0x00007FF764BB1000-memory.dmp	upx
behavioral2/memory/1572-446-0x00007FF618FE0000-0x00007FF6193D1000-memory.dmp	upx
behavioral2/memory/5048-444-0x00007FF654860000-0x00007FF654C51000-memory.dmp	upx
behavioral2/memory/2420-379-0x00007FF73ABE0000-0x00007FF73AFD1000-memory.dmp	upx
behavioral2/memory/4448-374-0x00007FF6AECA0000-0x00007FF6AF091000-memory.dmp	upx
behavioral2/files/0x0007000000023444-168.dat	upx
behavioral2/files/0x0007000000023443-166.dat	upx
behavioral2/files/0x0007000000023441-153.dat	upx
behavioral2/files/0x0007000000023440-151.dat	upx
behavioral2/files/0x000700000002343e-138.dat	upx
behavioral2/files/0x000700000002343d-136.dat	upx
behavioral2/files/0x000700000002343c-128.dat	upx
behavioral2/files/0x000700000002343b-126.dat	upx
behavioral2/files/0x0007000000023439-113.dat	upx
behavioral2/files/0x0007000000023438-111.dat	upx
behavioral2/files/0x0007000000023437-106.dat	upx
behavioral2/files/0x0007000000023436-101.dat	upx
behavioral2/files/0x0007000000023434-93.dat	upx
behavioral2/files/0x0007000000023433-85.dat	upx
behavioral2/files/0x000700000002342c-84.dat	upx
behavioral2/files/0x000700000002342d-83.dat	upx
behavioral2/files/0x0007000000023432-82.dat	upx
behavioral2/memory/2568-76-0x00007FF719600000-0x00007FF7199F1000-memory.dmp	upx
behavioral2/files/0x0007000000023430-73.dat	upx
behavioral2/files/0x0007000000023428-68.dat	upx
behavioral2/files/0x0007000000023429-66.dat	upx
behavioral2/files/0x000700000002342a-64.dat	upx
behavioral2/files/0x000700000002342b-61.dat	upx
behavioral2/files/0x000700000002342f-60.dat	upx
behavioral2/files/0x000700000002342e-62.dat	upx
behavioral2/memory/4416-56-0x00007FF7BA4B0000-0x00007FF7BA8A1000-memory.dmp	upx
behavioral2/memory/1184-54-0x00007FF61AB10000-0x00007FF61AF01000-memory.dmp	upx
behavioral2/memory/5096-34-0x00007FF7DB370000-0x00007FF7DB761000-memory.dmp	upx
behavioral2/memory/1824-1987-0x00007FF7C2620000-0x00007FF7C2A11000-memory.dmp	upx
behavioral2/memory/4416-1994-0x00007FF7BA4B0000-0x00007FF7BA8A1000-memory.dmp	upx
behavioral2/memory/2568-1996-0x00007FF719600000-0x00007FF7199F1000-memory.dmp	upx
behavioral2/memory/4908-1992-0x00007FF735D30000-0x00007FF736121000-memory.dmp	upx
behavioral2/memory/5096-1991-0x00007FF7DB370000-0x00007FF7DB761000-memory.dmp	upx
behavioral2/memory/5064-2013-0x00007FF63F160000-0x00007FF63F551000-memory.dmp	upx
behavioral2/memory/1184-2012-0x00007FF61AB10000-0x00007FF61AF01000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\kHBoEgo.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\OUCKHoZ.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\SHAOWtG.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\eNpbngy.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\qhoJcAt.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\PMyBxkO.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\TNQrywG.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\WpoPyzk.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\iaUHBYZ.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\KLiOUAx.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\wsPNvKd.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\XXOtuTr.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\DMnuTGo.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\krMmCrl.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\mPzfIuV.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\MCAAfGA.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\LZzeZuJ.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\oVEoRYs.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\ZRVhPcl.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\GENprSP.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\zkdTlYD.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\JzuNxit.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\sjuMAxt.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\WdvYUiw.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\gzsURwe.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\KlWbwLu.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\fFHTjOB.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\OTlFgwU.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\cxpGTkx.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\eAFENgX.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\cbWOQhi.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\gTICIPK.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\YttPcfV.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\SFQNRgE.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\IaYfxJS.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\yHcgnTU.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\eOjaewn.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\itHPnEK.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\OQoDxDE.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\AtygWJA.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\uFRpYyL.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\XyPOsLR.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\ZVTQMui.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\kagvAJb.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\kgYVMBm.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\pNzmUcs.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\fpiRLvR.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\ijmmLXG.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\AoSumGB.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\KeOTdTM.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\NJNjqmz.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\bjfANPz.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\FsFewyk.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\tXnVUoa.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\GqmmQKe.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\wmNABBT.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\EZJlYol.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\LSiWNob.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\UYRCDHa.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\RFtUmfE.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\YsjXhpn.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\LoFPOJK.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\evtlOIN.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
File created	C:\Windows\System32\IJjpXtl.exe	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13008	dwm.exe
Token: SeChangeNotifyPrivilege	13008	dwm.exe
Token: 33	13008	dwm.exe
Token: SeIncBasePriorityPrivilege	13008	dwm.exe
Token: SeShutdownPrivilege	13008	dwm.exe
Token: SeCreatePagefilePrivilege	13008	dwm.exe
Token: SeShutdownPrivilege	13008	dwm.exe
Token: SeCreatePagefilePrivilege	13008	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 1824	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	82
PID 1432 wrote to memory of 1824	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	82
PID 1432 wrote to memory of 2996	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	83
PID 1432 wrote to memory of 2996	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	83
PID 1432 wrote to memory of 5096	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	84
PID 1432 wrote to memory of 5096	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	84
PID 1432 wrote to memory of 5048	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	85
PID 1432 wrote to memory of 5048	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	85
PID 1432 wrote to memory of 4908	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	86
PID 1432 wrote to memory of 4908	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	86
PID 1432 wrote to memory of 1184	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	87
PID 1432 wrote to memory of 1184	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	87
PID 1432 wrote to memory of 720	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	88
PID 1432 wrote to memory of 720	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	88
PID 1432 wrote to memory of 4416	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	89
PID 1432 wrote to memory of 4416	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	89
PID 1432 wrote to memory of 5064	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	90
PID 1432 wrote to memory of 5064	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	90
PID 1432 wrote to memory of 2568	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	91
PID 1432 wrote to memory of 2568	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	91
PID 1432 wrote to memory of 4448	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	92
PID 1432 wrote to memory of 4448	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	92
PID 1432 wrote to memory of 2420	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	93
PID 1432 wrote to memory of 2420	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	93
PID 1432 wrote to memory of 2116	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	94
PID 1432 wrote to memory of 2116	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	94
PID 1432 wrote to memory of 3616	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	95
PID 1432 wrote to memory of 3616	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	95
PID 1432 wrote to memory of 1572	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	96
PID 1432 wrote to memory of 1572	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	96
PID 1432 wrote to memory of 4208	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	97
PID 1432 wrote to memory of 4208	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	97
PID 1432 wrote to memory of 4076	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	98
PID 1432 wrote to memory of 4076	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	98
PID 1432 wrote to memory of 2560	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	100
PID 1432 wrote to memory of 2560	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	100
PID 1432 wrote to memory of 1088	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	101
PID 1432 wrote to memory of 1088	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	101
PID 1432 wrote to memory of 364	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	102
PID 1432 wrote to memory of 364	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	102
PID 1432 wrote to memory of 4852	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	103
PID 1432 wrote to memory of 4852	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	103
PID 1432 wrote to memory of 4360	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	104
PID 1432 wrote to memory of 4360	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	104
PID 1432 wrote to memory of 4644	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	105
PID 1432 wrote to memory of 4644	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	105
PID 1432 wrote to memory of 4920	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	106
PID 1432 wrote to memory of 4920	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	106
PID 1432 wrote to memory of 2948	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	107
PID 1432 wrote to memory of 2948	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	107
PID 1432 wrote to memory of 1624	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	108
PID 1432 wrote to memory of 1624	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	108
PID 1432 wrote to memory of 4624	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	109
PID 1432 wrote to memory of 4624	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	109
PID 1432 wrote to memory of 4464	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	110
PID 1432 wrote to memory of 4464	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	110
PID 1432 wrote to memory of 3476	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	111
PID 1432 wrote to memory of 3476	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	111
PID 1432 wrote to memory of 2924	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	112
PID 1432 wrote to memory of 2924	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	112
PID 1432 wrote to memory of 1792	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	113
PID 1432 wrote to memory of 1792	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	113
PID 1432 wrote to memory of 3400	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	114
PID 1432 wrote to memory of 3400	1432	02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe	114

C:\Users\Admin\AppData\Local\Temp\02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02dc0734d9ce0b5f90f5d74ad6a5c552_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Windows\System32\yydhGbq.exe
  C:\Windows\System32\yydhGbq.exe
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\System32\eOjaewn.exe
  C:\Windows\System32\eOjaewn.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System32\lWWbvgX.exe
  C:\Windows\System32\lWWbvgX.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System32\wsPNvKd.exe
  C:\Windows\System32\wsPNvKd.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System32\VponPAk.exe
  C:\Windows\System32\VponPAk.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System32\XGpKCPR.exe
  C:\Windows\System32\XGpKCPR.exe
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\System32\gQKoyel.exe
  C:\Windows\System32\gQKoyel.exe
  2⤵
  - Executes dropped EXE
  PID:720
- C:\Windows\System32\DvbtTqx.exe
  C:\Windows\System32\DvbtTqx.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System32\WjTjvzO.exe
  C:\Windows\System32\WjTjvzO.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System32\ddNMOYO.exe
  C:\Windows\System32\ddNMOYO.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System32\RFtUmfE.exe
  C:\Windows\System32\RFtUmfE.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\System32\mLkPBdV.exe
  C:\Windows\System32\mLkPBdV.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System32\AWlhNlP.exe
  C:\Windows\System32\AWlhNlP.exe
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\System32\InOAxMj.exe
  C:\Windows\System32\InOAxMj.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System32\djelQQc.exe
  C:\Windows\System32\djelQQc.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System32\ZEdsNBS.exe
  C:\Windows\System32\ZEdsNBS.exe
  2⤵
  - Executes dropped EXE
  PID:4208
- C:\Windows\System32\zmExrbM.exe
  C:\Windows\System32\zmExrbM.exe
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Windows\System32\HRRygSO.exe
  C:\Windows\System32\HRRygSO.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System32\FITqKpu.exe
  C:\Windows\System32\FITqKpu.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System32\yHoNoKm.exe
  C:\Windows\System32\yHoNoKm.exe
  2⤵
  - Executes dropped EXE
  PID:364
- C:\Windows\System32\XDhjJSI.exe
  C:\Windows\System32\XDhjJSI.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System32\sSYDxVb.exe
  C:\Windows\System32\sSYDxVb.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System32\cwtPbpy.exe
  C:\Windows\System32\cwtPbpy.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System32\PEbjtFk.exe
  C:\Windows\System32\PEbjtFk.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System32\WKHIDUY.exe
  C:\Windows\System32\WKHIDUY.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System32\BdsDWnw.exe
  C:\Windows\System32\BdsDWnw.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System32\ffhOOtr.exe
  C:\Windows\System32\ffhOOtr.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System32\fyPCnyd.exe
  C:\Windows\System32\fyPCnyd.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System32\kHBoEgo.exe
  C:\Windows\System32\kHBoEgo.exe
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Windows\System32\wPbaUpi.exe
  C:\Windows\System32\wPbaUpi.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System32\SFMeAMu.exe
  C:\Windows\System32\SFMeAMu.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System32\qRsKbaJ.exe
  C:\Windows\System32\qRsKbaJ.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System32\sRoAGRQ.exe
  C:\Windows\System32\sRoAGRQ.exe
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\System32\KKtKHxb.exe
  C:\Windows\System32\KKtKHxb.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System32\UnUXMUK.exe
  C:\Windows\System32\UnUXMUK.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System32\YEOMbgj.exe
  C:\Windows\System32\YEOMbgj.exe
  2⤵
  - Executes dropped EXE
  PID:3432
- C:\Windows\System32\EyXJlTL.exe
  C:\Windows\System32\EyXJlTL.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System32\hGzSvwC.exe
  C:\Windows\System32\hGzSvwC.exe
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\System32\dViHSwg.exe
  C:\Windows\System32\dViHSwg.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System32\rqShsoz.exe
  C:\Windows\System32\rqShsoz.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System32\YrbVXwH.exe
  C:\Windows\System32\YrbVXwH.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System32\qoLxvgg.exe
  C:\Windows\System32\qoLxvgg.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System32\YsjXhpn.exe
  C:\Windows\System32\YsjXhpn.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System32\woeDAVU.exe
  C:\Windows\System32\woeDAVU.exe
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\System32\YDLvfDE.exe
  C:\Windows\System32\YDLvfDE.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System32\pNNpaha.exe
  C:\Windows\System32\pNNpaha.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System32\UKHQqLR.exe
  C:\Windows\System32\UKHQqLR.exe
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\System32\RWlMNrJ.exe
  C:\Windows\System32\RWlMNrJ.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System32\PMyBxkO.exe
  C:\Windows\System32\PMyBxkO.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System32\yYPQeqP.exe
  C:\Windows\System32\yYPQeqP.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System32\VAxVpIc.exe
  C:\Windows\System32\VAxVpIc.exe
  2⤵
  - Executes dropped EXE
  PID:3788
- C:\Windows\System32\YjUyQsI.exe
  C:\Windows\System32\YjUyQsI.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System32\oRCiTOk.exe
  C:\Windows\System32\oRCiTOk.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System32\swpwmIL.exe
  C:\Windows\System32\swpwmIL.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System32\ryvRHVt.exe
  C:\Windows\System32\ryvRHVt.exe
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\System32\CGhuHGH.exe
  C:\Windows\System32\CGhuHGH.exe
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\System32\UxxmgIo.exe
  C:\Windows\System32\UxxmgIo.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System32\bjfANPz.exe
  C:\Windows\System32\bjfANPz.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System32\nRIkTsL.exe
  C:\Windows\System32\nRIkTsL.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System32\BCoroSl.exe
  C:\Windows\System32\BCoroSl.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System32\LLJdWtb.exe
  C:\Windows\System32\LLJdWtb.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System32\XyPOsLR.exe
  C:\Windows\System32\XyPOsLR.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System32\jnwSNut.exe
  C:\Windows\System32\jnwSNut.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System32\lguiwpJ.exe
  C:\Windows\System32\lguiwpJ.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System32\DizpRut.exe
  C:\Windows\System32\DizpRut.exe
  2⤵
  PID:856
- C:\Windows\System32\ydLruNg.exe
  C:\Windows\System32\ydLruNg.exe
  2⤵
  PID:1512
- C:\Windows\System32\vaVBXXn.exe
  C:\Windows\System32\vaVBXXn.exe
  2⤵
  PID:3144
- C:\Windows\System32\kvuVmMw.exe
  C:\Windows\System32\kvuVmMw.exe
  2⤵
  PID:3376
- C:\Windows\System32\IeEJQxi.exe
  C:\Windows\System32\IeEJQxi.exe
  2⤵
  PID:2456
- C:\Windows\System32\fpiRLvR.exe
  C:\Windows\System32\fpiRLvR.exe
  2⤵
  PID:3888
- C:\Windows\System32\qfnKkZZ.exe
  C:\Windows\System32\qfnKkZZ.exe
  2⤵
  PID:1952
- C:\Windows\System32\oGaRJfM.exe
  C:\Windows\System32\oGaRJfM.exe
  2⤵
  PID:64
- C:\Windows\System32\bHFyjBN.exe
  C:\Windows\System32\bHFyjBN.exe
  2⤵
  PID:2136
- C:\Windows\System32\aKRNWwm.exe
  C:\Windows\System32\aKRNWwm.exe
  2⤵
  PID:380
- C:\Windows\System32\sJQnAqT.exe
  C:\Windows\System32\sJQnAqT.exe
  2⤵
  PID:1440
- C:\Windows\System32\euYfZUJ.exe
  C:\Windows\System32\euYfZUJ.exe
  2⤵
  PID:1592
- C:\Windows\System32\jvnIrNP.exe
  C:\Windows\System32\jvnIrNP.exe
  2⤵
  PID:1752
- C:\Windows\System32\sjuMAxt.exe
  C:\Windows\System32\sjuMAxt.exe
  2⤵
  PID:3660
- C:\Windows\System32\JWezmcG.exe
  C:\Windows\System32\JWezmcG.exe
  2⤵
  PID:3184
- C:\Windows\System32\dJdsAhB.exe
  C:\Windows\System32\dJdsAhB.exe
  2⤵
  PID:4552
- C:\Windows\System32\hGkwtSw.exe
  C:\Windows\System32\hGkwtSw.exe
  2⤵
  PID:2672
- C:\Windows\System32\OUCKHoZ.exe
  C:\Windows\System32\OUCKHoZ.exe
  2⤵
  PID:1520
- C:\Windows\System32\edkMbyj.exe
  C:\Windows\System32\edkMbyj.exe
  2⤵
  PID:3244
- C:\Windows\System32\lMfuhbg.exe
  C:\Windows\System32\lMfuhbg.exe
  2⤵
  PID:4840
- C:\Windows\System32\NLAcbyX.exe
  C:\Windows\System32\NLAcbyX.exe
  2⤵
  PID:1588
- C:\Windows\System32\dfKhbdb.exe
  C:\Windows\System32\dfKhbdb.exe
  2⤵
  PID:1288
- C:\Windows\System32\wjuJDdT.exe
  C:\Windows\System32\wjuJDdT.exe
  2⤵
  PID:4296
- C:\Windows\System32\UKneunF.exe
  C:\Windows\System32\UKneunF.exe
  2⤵
  PID:1748
- C:\Windows\System32\Vusuobd.exe
  C:\Windows\System32\Vusuobd.exe
  2⤵
  PID:4524
- C:\Windows\System32\nfxdRBs.exe
  C:\Windows\System32\nfxdRBs.exe
  2⤵
  PID:2752
- C:\Windows\System32\rnoNouS.exe
  C:\Windows\System32\rnoNouS.exe
  2⤵
  PID:392
- C:\Windows\System32\dRtGtZB.exe
  C:\Windows\System32\dRtGtZB.exe
  2⤵
  PID:4712
- C:\Windows\System32\PfLukEy.exe
  C:\Windows\System32\PfLukEy.exe
  2⤵
  PID:4428
- C:\Windows\System32\ijmmLXG.exe
  C:\Windows\System32\ijmmLXG.exe
  2⤵
  PID:3756
- C:\Windows\System32\YXKHGjA.exe
  C:\Windows\System32\YXKHGjA.exe
  2⤵
  PID:4444
- C:\Windows\System32\ZVTQMui.exe
  C:\Windows\System32\ZVTQMui.exe
  2⤵
  PID:3192
- C:\Windows\System32\uODwLWW.exe
  C:\Windows\System32\uODwLWW.exe
  2⤵
  PID:4364
- C:\Windows\System32\YSsnuBL.exe
  C:\Windows\System32\YSsnuBL.exe
  2⤵
  PID:5056
- C:\Windows\System32\pgeVrNG.exe
  C:\Windows\System32\pgeVrNG.exe
  2⤵
  PID:5144
- C:\Windows\System32\cETfNUp.exe
  C:\Windows\System32\cETfNUp.exe
  2⤵
  PID:5172
- C:\Windows\System32\jkkKjZa.exe
  C:\Windows\System32\jkkKjZa.exe
  2⤵
  PID:5192
- C:\Windows\System32\qVZtXSA.exe
  C:\Windows\System32\qVZtXSA.exe
  2⤵
  PID:5232
- C:\Windows\System32\CqvmoLw.exe
  C:\Windows\System32\CqvmoLw.exe
  2⤵
  PID:5252
- C:\Windows\System32\erwdWYw.exe
  C:\Windows\System32\erwdWYw.exe
  2⤵
  PID:5272
- C:\Windows\System32\oSlJvJj.exe
  C:\Windows\System32\oSlJvJj.exe
  2⤵
  PID:5292
- C:\Windows\System32\XhrJDsK.exe
  C:\Windows\System32\XhrJDsK.exe
  2⤵
  PID:5308
- C:\Windows\System32\LXykdtg.exe
  C:\Windows\System32\LXykdtg.exe
  2⤵
  PID:5328
- C:\Windows\System32\vVVExUg.exe
  C:\Windows\System32\vVVExUg.exe
  2⤵
  PID:5344
- C:\Windows\System32\xRffFuz.exe
  C:\Windows\System32\xRffFuz.exe
  2⤵
  PID:5364
- C:\Windows\System32\IIZvVeh.exe
  C:\Windows\System32\IIZvVeh.exe
  2⤵
  PID:5384
- C:\Windows\System32\JSoyvJJ.exe
  C:\Windows\System32\JSoyvJJ.exe
  2⤵
  PID:5436
- C:\Windows\System32\mvizFAJ.exe
  C:\Windows\System32\mvizFAJ.exe
  2⤵
  PID:5464
- C:\Windows\System32\SNQgSoM.exe
  C:\Windows\System32\SNQgSoM.exe
  2⤵
  PID:5492
- C:\Windows\System32\IkyVULS.exe
  C:\Windows\System32\IkyVULS.exe
  2⤵
  PID:5556
- C:\Windows\System32\sHRAYQJ.exe
  C:\Windows\System32\sHRAYQJ.exe
  2⤵
  PID:5644
- C:\Windows\System32\FsFewyk.exe
  C:\Windows\System32\FsFewyk.exe
  2⤵
  PID:5712
- C:\Windows\System32\zhORezu.exe
  C:\Windows\System32\zhORezu.exe
  2⤵
  PID:5728
- C:\Windows\System32\unWBlml.exe
  C:\Windows\System32\unWBlml.exe
  2⤵
  PID:5748
- C:\Windows\System32\CLiofAS.exe
  C:\Windows\System32\CLiofAS.exe
  2⤵
  PID:5768
- C:\Windows\System32\hqnJrDQ.exe
  C:\Windows\System32\hqnJrDQ.exe
  2⤵
  PID:5808
- C:\Windows\System32\ukSeCHh.exe
  C:\Windows\System32\ukSeCHh.exe
  2⤵
  PID:5840
- C:\Windows\System32\WRRoppQ.exe
  C:\Windows\System32\WRRoppQ.exe
  2⤵
  PID:5860
- C:\Windows\System32\EVJOelY.exe
  C:\Windows\System32\EVJOelY.exe
  2⤵
  PID:5880
- C:\Windows\System32\LoFPOJK.exe
  C:\Windows\System32\LoFPOJK.exe
  2⤵
  PID:5904
- C:\Windows\System32\QxOUutN.exe
  C:\Windows\System32\QxOUutN.exe
  2⤵
  PID:5924
- C:\Windows\System32\kJaDUOB.exe
  C:\Windows\System32\kJaDUOB.exe
  2⤵
  PID:5984
- C:\Windows\System32\tCAKewO.exe
  C:\Windows\System32\tCAKewO.exe
  2⤵
  PID:6020
- C:\Windows\System32\EUDDpBX.exe
  C:\Windows\System32\EUDDpBX.exe
  2⤵
  PID:6040
- C:\Windows\System32\BBMVLoa.exe
  C:\Windows\System32\BBMVLoa.exe
  2⤵
  PID:6076
- C:\Windows\System32\WbspgYs.exe
  C:\Windows\System32\WbspgYs.exe
  2⤵
  PID:6096
- C:\Windows\System32\qUBjFDj.exe
  C:\Windows\System32\qUBjFDj.exe
  2⤵
  PID:6124
- C:\Windows\System32\JnszOrt.exe
  C:\Windows\System32\JnszOrt.exe
  2⤵
  PID:4932
- C:\Windows\System32\zfGlPAj.exe
  C:\Windows\System32\zfGlPAj.exe
  2⤵
  PID:5132
- C:\Windows\System32\hcqDNTW.exe
  C:\Windows\System32\hcqDNTW.exe
  2⤵
  PID:5152
- C:\Windows\System32\RrobLrW.exe
  C:\Windows\System32\RrobLrW.exe
  2⤵
  PID:4328
- C:\Windows\System32\FQSOynl.exe
  C:\Windows\System32\FQSOynl.exe
  2⤵
  PID:4184
- C:\Windows\System32\OAHPfmW.exe
  C:\Windows\System32\OAHPfmW.exe
  2⤵
  PID:5124
- C:\Windows\System32\YHmcfRE.exe
  C:\Windows\System32\YHmcfRE.exe
  2⤵
  PID:3924
- C:\Windows\System32\wQTDdDq.exe
  C:\Windows\System32\wQTDdDq.exe
  2⤵
  PID:5280
- C:\Windows\System32\IyOluul.exe
  C:\Windows\System32\IyOluul.exe
  2⤵
  PID:5380
- C:\Windows\System32\XbfYrbm.exe
  C:\Windows\System32\XbfYrbm.exe
  2⤵
  PID:5316
- C:\Windows\System32\JYOfzLN.exe
  C:\Windows\System32\JYOfzLN.exe
  2⤵
  PID:5448
- C:\Windows\System32\vehQhDp.exe
  C:\Windows\System32\vehQhDp.exe
  2⤵
  PID:5520
- C:\Windows\System32\CxPdJzD.exe
  C:\Windows\System32\CxPdJzD.exe
  2⤵
  PID:5632
- C:\Windows\System32\tkCewQN.exe
  C:\Windows\System32\tkCewQN.exe
  2⤵
  PID:5736
- C:\Windows\System32\CdPrszT.exe
  C:\Windows\System32\CdPrszT.exe
  2⤵
  PID:5788
- C:\Windows\System32\WSbwBwf.exe
  C:\Windows\System32\WSbwBwf.exe
  2⤵
  PID:5868
- C:\Windows\System32\mhZJrjD.exe
  C:\Windows\System32\mhZJrjD.exe
  2⤵
  PID:5900
- C:\Windows\System32\cXEhLoa.exe
  C:\Windows\System32\cXEhLoa.exe
  2⤵
  PID:5960
- C:\Windows\System32\NHExZQF.exe
  C:\Windows\System32\NHExZQF.exe
  2⤵
  PID:4832
- C:\Windows\System32\evtlOIN.exe
  C:\Windows\System32\evtlOIN.exe
  2⤵
  PID:6036
- C:\Windows\System32\JljexLx.exe
  C:\Windows\System32\JljexLx.exe
  2⤵
  PID:6052
- C:\Windows\System32\rDYLVNr.exe
  C:\Windows\System32\rDYLVNr.exe
  2⤵
  PID:4780
- C:\Windows\System32\SFjHWkS.exe
  C:\Windows\System32\SFjHWkS.exe
  2⤵
  PID:1480
- C:\Windows\System32\gbpxAAw.exe
  C:\Windows\System32\gbpxAAw.exe
  2⤵
  PID:5356
- C:\Windows\System32\aGTPXRn.exe
  C:\Windows\System32\aGTPXRn.exe
  2⤵
  PID:5472
- C:\Windows\System32\DMnuTGo.exe
  C:\Windows\System32\DMnuTGo.exe
  2⤵
  PID:5516
- C:\Windows\System32\utJgvmD.exe
  C:\Windows\System32\utJgvmD.exe
  2⤵
  PID:5724
- C:\Windows\System32\jzDqtDb.exe
  C:\Windows\System32\jzDqtDb.exe
  2⤵
  PID:5824
- C:\Windows\System32\hogvHHK.exe
  C:\Windows\System32\hogvHHK.exe
  2⤵
  PID:6092
- C:\Windows\System32\GmuvLWZ.exe
  C:\Windows\System32\GmuvLWZ.exe
  2⤵
  PID:2984
- C:\Windows\System32\yacZUqq.exe
  C:\Windows\System32\yacZUqq.exe
  2⤵
  PID:1284
- C:\Windows\System32\WQwfQZS.exe
  C:\Windows\System32\WQwfQZS.exe
  2⤵
  PID:5412
- C:\Windows\System32\LRjxOII.exe
  C:\Windows\System32\LRjxOII.exe
  2⤵
  PID:5780
- C:\Windows\System32\adFoXEZ.exe
  C:\Windows\System32\adFoXEZ.exe
  2⤵
  PID:4232
- C:\Windows\System32\BGzOPXU.exe
  C:\Windows\System32\BGzOPXU.exe
  2⤵
  PID:6148
- C:\Windows\System32\kNIAvqq.exe
  C:\Windows\System32\kNIAvqq.exe
  2⤵
  PID:6164
- C:\Windows\System32\lXyvurp.exe
  C:\Windows\System32\lXyvurp.exe
  2⤵
  PID:6188
- C:\Windows\System32\WdvYUiw.exe
  C:\Windows\System32\WdvYUiw.exe
  2⤵
  PID:6224
- C:\Windows\System32\FdZBRDO.exe
  C:\Windows\System32\FdZBRDO.exe
  2⤵
  PID:6284
- C:\Windows\System32\nKWbOPY.exe
  C:\Windows\System32\nKWbOPY.exe
  2⤵
  PID:6308
- C:\Windows\System32\oAPbOWE.exe
  C:\Windows\System32\oAPbOWE.exe
  2⤵
  PID:6324
- C:\Windows\System32\nrpYsnu.exe
  C:\Windows\System32\nrpYsnu.exe
  2⤵
  PID:6380
- C:\Windows\System32\IkQrcDK.exe
  C:\Windows\System32\IkQrcDK.exe
  2⤵
  PID:6404
- C:\Windows\System32\cLJSjym.exe
  C:\Windows\System32\cLJSjym.exe
  2⤵
  PID:6452
- C:\Windows\System32\SYgukKA.exe
  C:\Windows\System32\SYgukKA.exe
  2⤵
  PID:6468
- C:\Windows\System32\zcUxPRH.exe
  C:\Windows\System32\zcUxPRH.exe
  2⤵
  PID:6512
- C:\Windows\System32\aAuOYEk.exe
  C:\Windows\System32\aAuOYEk.exe
  2⤵
  PID:6536
- C:\Windows\System32\mteTyOR.exe
  C:\Windows\System32\mteTyOR.exe
  2⤵
  PID:6552
- C:\Windows\System32\TfsMokG.exe
  C:\Windows\System32\TfsMokG.exe
  2⤵
  PID:6572
- C:\Windows\System32\hNTJnNC.exe
  C:\Windows\System32\hNTJnNC.exe
  2⤵
  PID:6596
- C:\Windows\System32\mTxhGHl.exe
  C:\Windows\System32\mTxhGHl.exe
  2⤵
  PID:6628
- C:\Windows\System32\POFeWQd.exe
  C:\Windows\System32\POFeWQd.exe
  2⤵
  PID:6648
- C:\Windows\System32\YiGaBqj.exe
  C:\Windows\System32\YiGaBqj.exe
  2⤵
  PID:6672
- C:\Windows\System32\rImoXRT.exe
  C:\Windows\System32\rImoXRT.exe
  2⤵
  PID:6712
- C:\Windows\System32\YfYAnlR.exe
  C:\Windows\System32\YfYAnlR.exe
  2⤵
  PID:6736
- C:\Windows\System32\hVCIwAM.exe
  C:\Windows\System32\hVCIwAM.exe
  2⤵
  PID:6764
- C:\Windows\System32\GbuGogw.exe
  C:\Windows\System32\GbuGogw.exe
  2⤵
  PID:6784
- C:\Windows\System32\mnJPYeS.exe
  C:\Windows\System32\mnJPYeS.exe
  2⤵
  PID:6824
- C:\Windows\System32\jCDPkvf.exe
  C:\Windows\System32\jCDPkvf.exe
  2⤵
  PID:6872
- C:\Windows\System32\KCmJyFP.exe
  C:\Windows\System32\KCmJyFP.exe
  2⤵
  PID:6892
- C:\Windows\System32\fPEUFQl.exe
  C:\Windows\System32\fPEUFQl.exe
  2⤵
  PID:6916
- C:\Windows\System32\GVBzWDQ.exe
  C:\Windows\System32\GVBzWDQ.exe
  2⤵
  PID:6944
- C:\Windows\System32\tpCQNoX.exe
  C:\Windows\System32\tpCQNoX.exe
  2⤵
  PID:6980
- C:\Windows\System32\MPPGtda.exe
  C:\Windows\System32\MPPGtda.exe
  2⤵
  PID:7000
- C:\Windows\System32\JJaUaFn.exe
  C:\Windows\System32\JJaUaFn.exe
  2⤵
  PID:7036
- C:\Windows\System32\XUccjAQ.exe
  C:\Windows\System32\XUccjAQ.exe
  2⤵
  PID:7052
- C:\Windows\System32\tSxzgCc.exe
  C:\Windows\System32\tSxzgCc.exe
  2⤵
  PID:7088
- C:\Windows\System32\XQPGWCc.exe
  C:\Windows\System32\XQPGWCc.exe
  2⤵
  PID:7120
- C:\Windows\System32\mCAHpkl.exe
  C:\Windows\System32\mCAHpkl.exe
  2⤵
  PID:7140
- C:\Windows\System32\vmkfwfb.exe
  C:\Windows\System32\vmkfwfb.exe
  2⤵
  PID:7164
- C:\Windows\System32\SHAOWtG.exe
  C:\Windows\System32\SHAOWtG.exe
  2⤵
  PID:5168
- C:\Windows\System32\kagvAJb.exe
  C:\Windows\System32\kagvAJb.exe
  2⤵
  PID:6180
- C:\Windows\System32\QAMGMAG.exe
  C:\Windows\System32\QAMGMAG.exe
  2⤵
  PID:6256
- C:\Windows\System32\GTrtqLc.exe
  C:\Windows\System32\GTrtqLc.exe
  2⤵
  PID:6320
- C:\Windows\System32\hHBFZPC.exe
  C:\Windows\System32\hHBFZPC.exe
  2⤵
  PID:6360
- C:\Windows\System32\PQsrDmd.exe
  C:\Windows\System32\PQsrDmd.exe
  2⤵
  PID:5420
- C:\Windows\System32\uiayVSw.exe
  C:\Windows\System32\uiayVSw.exe
  2⤵
  PID:6392
- C:\Windows\System32\cUkXHaD.exe
  C:\Windows\System32\cUkXHaD.exe
  2⤵
  PID:6464
- C:\Windows\System32\mPydzrJ.exe
  C:\Windows\System32\mPydzrJ.exe
  2⤵
  PID:6524
- C:\Windows\System32\bSejmZP.exe
  C:\Windows\System32\bSejmZP.exe
  2⤵
  PID:5852
- C:\Windows\System32\aRiXNbf.exe
  C:\Windows\System32\aRiXNbf.exe
  2⤵
  PID:6584
- C:\Windows\System32\ebCnSbJ.exe
  C:\Windows\System32\ebCnSbJ.exe
  2⤵
  PID:6700
- C:\Windows\System32\aUBNPvP.exe
  C:\Windows\System32\aUBNPvP.exe
  2⤵
  PID:6760
- C:\Windows\System32\ahHwmvc.exe
  C:\Windows\System32\ahHwmvc.exe
  2⤵
  PID:6816
- C:\Windows\System32\iDtLXEM.exe
  C:\Windows\System32\iDtLXEM.exe
  2⤵
  PID:6792
- C:\Windows\System32\nignfjy.exe
  C:\Windows\System32\nignfjy.exe
  2⤵
  PID:6908
- C:\Windows\System32\NKTylAw.exe
  C:\Windows\System32\NKTylAw.exe
  2⤵
  PID:6968
- C:\Windows\System32\FPruiAm.exe
  C:\Windows\System32\FPruiAm.exe
  2⤵
  PID:7104
- C:\Windows\System32\MobENse.exe
  C:\Windows\System32\MobENse.exe
  2⤵
  PID:7152
- C:\Windows\System32\OjUVgWg.exe
  C:\Windows\System32\OjUVgWg.exe
  2⤵
  PID:6156
- C:\Windows\System32\QUOWLrx.exe
  C:\Windows\System32\QUOWLrx.exe
  2⤵
  PID:5264
- C:\Windows\System32\dMzEbpD.exe
  C:\Windows\System32\dMzEbpD.exe
  2⤵
  PID:6420
- C:\Windows\System32\YLGbISd.exe
  C:\Windows\System32\YLGbISd.exe
  2⤵
  PID:6808
- C:\Windows\System32\XnckUih.exe
  C:\Windows\System32\XnckUih.exe
  2⤵
  PID:6884
- C:\Windows\System32\AWAYTxl.exe
  C:\Windows\System32\AWAYTxl.exe
  2⤵
  PID:6940
- C:\Windows\System32\aQgqQxs.exe
  C:\Windows\System32\aQgqQxs.exe
  2⤵
  PID:7068
- C:\Windows\System32\cAOVUst.exe
  C:\Windows\System32\cAOVUst.exe
  2⤵
  PID:6396
- C:\Windows\System32\tRcmZZn.exe
  C:\Windows\System32\tRcmZZn.exe
  2⤵
  PID:4952
- C:\Windows\System32\WULabQE.exe
  C:\Windows\System32\WULabQE.exe
  2⤵
  PID:6936
- C:\Windows\System32\lBfcaAA.exe
  C:\Windows\System32\lBfcaAA.exe
  2⤵
  PID:6864
- C:\Windows\System32\obOYEqt.exe
  C:\Windows\System32\obOYEqt.exe
  2⤵
  PID:7096
- C:\Windows\System32\qnjZYrn.exe
  C:\Windows\System32\qnjZYrn.exe
  2⤵
  PID:7176
- C:\Windows\System32\yJsiOHe.exe
  C:\Windows\System32\yJsiOHe.exe
  2⤵
  PID:7228
- C:\Windows\System32\bgQOaaD.exe
  C:\Windows\System32\bgQOaaD.exe
  2⤵
  PID:7260
- C:\Windows\System32\HBIZTQK.exe
  C:\Windows\System32\HBIZTQK.exe
  2⤵
  PID:7292
- C:\Windows\System32\kppJtuz.exe
  C:\Windows\System32\kppJtuz.exe
  2⤵
  PID:7312
- C:\Windows\System32\TGbqDIn.exe
  C:\Windows\System32\TGbqDIn.exe
  2⤵
  PID:7352
- C:\Windows\System32\VKxQkPI.exe
  C:\Windows\System32\VKxQkPI.exe
  2⤵
  PID:7372
- C:\Windows\System32\GsjVYDT.exe
  C:\Windows\System32\GsjVYDT.exe
  2⤵
  PID:7424
- C:\Windows\System32\XUcpbtA.exe
  C:\Windows\System32\XUcpbtA.exe
  2⤵
  PID:7456
- C:\Windows\System32\ELHYaEO.exe
  C:\Windows\System32\ELHYaEO.exe
  2⤵
  PID:7484
- C:\Windows\System32\RcgUOBY.exe
  C:\Windows\System32\RcgUOBY.exe
  2⤵
  PID:7504
- C:\Windows\System32\zTbhoyF.exe
  C:\Windows\System32\zTbhoyF.exe
  2⤵
  PID:7524
- C:\Windows\System32\zcxlrCy.exe
  C:\Windows\System32\zcxlrCy.exe
  2⤵
  PID:7548
- C:\Windows\System32\dJTgqom.exe
  C:\Windows\System32\dJTgqom.exe
  2⤵
  PID:7600
- C:\Windows\System32\iHzWmih.exe
  C:\Windows\System32\iHzWmih.exe
  2⤵
  PID:7620
- C:\Windows\System32\TqavtKu.exe
  C:\Windows\System32\TqavtKu.exe
  2⤵
  PID:7636
- C:\Windows\System32\WSGFVLW.exe
  C:\Windows\System32\WSGFVLW.exe
  2⤵
  PID:7660
- C:\Windows\System32\PIkZDeM.exe
  C:\Windows\System32\PIkZDeM.exe
  2⤵
  PID:7676
- C:\Windows\System32\eNpbngy.exe
  C:\Windows\System32\eNpbngy.exe
  2⤵
  PID:7704
- C:\Windows\System32\LcOgWfz.exe
  C:\Windows\System32\LcOgWfz.exe
  2⤵
  PID:7724
- C:\Windows\System32\XRIkgou.exe
  C:\Windows\System32\XRIkgou.exe
  2⤵
  PID:7772
- C:\Windows\System32\kgYVMBm.exe
  C:\Windows\System32\kgYVMBm.exe
  2⤵
  PID:7792
- C:\Windows\System32\spAKrtm.exe
  C:\Windows\System32\spAKrtm.exe
  2⤵
  PID:7836
- C:\Windows\System32\furOfjN.exe
  C:\Windows\System32\furOfjN.exe
  2⤵
  PID:7868
- C:\Windows\System32\hDUzhxO.exe
  C:\Windows\System32\hDUzhxO.exe
  2⤵
  PID:7888
- C:\Windows\System32\CmafPSQ.exe
  C:\Windows\System32\CmafPSQ.exe
  2⤵
  PID:7916
- C:\Windows\System32\bxNZTxo.exe
  C:\Windows\System32\bxNZTxo.exe
  2⤵
  PID:7952
- C:\Windows\System32\HtiIuCS.exe
  C:\Windows\System32\HtiIuCS.exe
  2⤵
  PID:7968
- C:\Windows\System32\KgrROlz.exe
  C:\Windows\System32\KgrROlz.exe
  2⤵
  PID:8000
- C:\Windows\System32\rtTiitX.exe
  C:\Windows\System32\rtTiitX.exe
  2⤵
  PID:8036
- C:\Windows\System32\vDekgHH.exe
  C:\Windows\System32\vDekgHH.exe
  2⤵
  PID:8056
- C:\Windows\System32\oYuaeaJ.exe
  C:\Windows\System32\oYuaeaJ.exe
  2⤵
  PID:8104
- C:\Windows\System32\fuUOpHC.exe
  C:\Windows\System32\fuUOpHC.exe
  2⤵
  PID:8144
- C:\Windows\System32\znEWAtH.exe
  C:\Windows\System32\znEWAtH.exe
  2⤵
  PID:8172
- C:\Windows\System32\cdehVxw.exe
  C:\Windows\System32\cdehVxw.exe
  2⤵
  PID:6780
- C:\Windows\System32\FMEJpCs.exe
  C:\Windows\System32\FMEJpCs.exe
  2⤵
  PID:6492
- C:\Windows\System32\yGtuOIB.exe
  C:\Windows\System32\yGtuOIB.exe
  2⤵
  PID:7252
- C:\Windows\System32\SEKRcUo.exe
  C:\Windows\System32\SEKRcUo.exe
  2⤵
  PID:7364
- C:\Windows\System32\pwJtmcC.exe
  C:\Windows\System32\pwJtmcC.exe
  2⤵
  PID:7392
- C:\Windows\System32\zutQyzl.exe
  C:\Windows\System32\zutQyzl.exe
  2⤵
  PID:7432
- C:\Windows\System32\ERlqJwC.exe
  C:\Windows\System32\ERlqJwC.exe
  2⤵
  PID:7496
- C:\Windows\System32\yUufcaK.exe
  C:\Windows\System32\yUufcaK.exe
  2⤵
  PID:7520
- C:\Windows\System32\QKncpqC.exe
  C:\Windows\System32\QKncpqC.exe
  2⤵
  PID:7580
- C:\Windows\System32\vuLfHmw.exe
  C:\Windows\System32\vuLfHmw.exe
  2⤵
  PID:7684
- C:\Windows\System32\ACNiqYu.exe
  C:\Windows\System32\ACNiqYu.exe
  2⤵
  PID:7668
- C:\Windows\System32\CiESJKi.exe
  C:\Windows\System32\CiESJKi.exe
  2⤵
  PID:7784
- C:\Windows\System32\MVxKmyp.exe
  C:\Windows\System32\MVxKmyp.exe
  2⤵
  PID:7880
- C:\Windows\System32\jcXUOPm.exe
  C:\Windows\System32\jcXUOPm.exe
  2⤵
  PID:7912
- C:\Windows\System32\tXnVUoa.exe
  C:\Windows\System32\tXnVUoa.exe
  2⤵
  PID:7960
- C:\Windows\System32\krMmCrl.exe
  C:\Windows\System32\krMmCrl.exe
  2⤵
  PID:8024
- C:\Windows\System32\CSWHCFq.exe
  C:\Windows\System32\CSWHCFq.exe
  2⤵
  PID:8092
- C:\Windows\System32\cYjvziJ.exe
  C:\Windows\System32\cYjvziJ.exe
  2⤵
  PID:8168
- C:\Windows\System32\qHqyjIk.exe
  C:\Windows\System32\qHqyjIk.exe
  2⤵
  PID:8188
- C:\Windows\System32\IJjpXtl.exe
  C:\Windows\System32\IJjpXtl.exe
  2⤵
  PID:7336
- C:\Windows\System32\RrKROUc.exe
  C:\Windows\System32\RrKROUc.exe
  2⤵
  PID:6344
- C:\Windows\System32\oGtLTLP.exe
  C:\Windows\System32\oGtLTLP.exe
  2⤵
  PID:7720
- C:\Windows\System32\XFRkdOL.exe
  C:\Windows\System32\XFRkdOL.exe
  2⤵
  PID:7932
- C:\Windows\System32\aFXXdGy.exe
  C:\Windows\System32\aFXXdGy.exe
  2⤵
  PID:8032
- C:\Windows\System32\XshSVwB.exe
  C:\Windows\System32\XshSVwB.exe
  2⤵
  PID:8152
- C:\Windows\System32\fwMNanz.exe
  C:\Windows\System32\fwMNanz.exe
  2⤵
  PID:7340
- C:\Windows\System32\VyoRNYI.exe
  C:\Windows\System32\VyoRNYI.exe
  2⤵
  PID:7652
- C:\Windows\System32\xcnUXcK.exe
  C:\Windows\System32\xcnUXcK.exe
  2⤵
  PID:7964
- C:\Windows\System32\IHhgVFU.exe
  C:\Windows\System32\IHhgVFU.exe
  2⤵
  PID:7416
- C:\Windows\System32\ASDrsgs.exe
  C:\Windows\System32\ASDrsgs.exe
  2⤵
  PID:8196
- C:\Windows\System32\lSPhdwa.exe
  C:\Windows\System32\lSPhdwa.exe
  2⤵
  PID:8232
- C:\Windows\System32\oVEoRYs.exe
  C:\Windows\System32\oVEoRYs.exe
  2⤵
  PID:8260
- C:\Windows\System32\vLiJsfd.exe
  C:\Windows\System32\vLiJsfd.exe
  2⤵
  PID:8280
- C:\Windows\System32\cIEKxKx.exe
  C:\Windows\System32\cIEKxKx.exe
  2⤵
  PID:8300
- C:\Windows\System32\CvRyhJM.exe
  C:\Windows\System32\CvRyhJM.exe
  2⤵
  PID:8320
- C:\Windows\System32\TNQrywG.exe
  C:\Windows\System32\TNQrywG.exe
  2⤵
  PID:8364
- C:\Windows\System32\oKIFlHE.exe
  C:\Windows\System32\oKIFlHE.exe
  2⤵
  PID:8388
- C:\Windows\System32\rfAOfZt.exe
  C:\Windows\System32\rfAOfZt.exe
  2⤵
  PID:8404
- C:\Windows\System32\kGCjwIR.exe
  C:\Windows\System32\kGCjwIR.exe
  2⤵
  PID:8420
- C:\Windows\System32\uydKSZC.exe
  C:\Windows\System32\uydKSZC.exe
  2⤵
  PID:8448
- C:\Windows\System32\QJjtjKP.exe
  C:\Windows\System32\QJjtjKP.exe
  2⤵
  PID:8480
- C:\Windows\System32\eJNpwfB.exe
  C:\Windows\System32\eJNpwfB.exe
  2⤵
  PID:8500
- C:\Windows\System32\ezcukkx.exe
  C:\Windows\System32\ezcukkx.exe
  2⤵
  PID:8524
- C:\Windows\System32\CMBdyBY.exe
  C:\Windows\System32\CMBdyBY.exe
  2⤵
  PID:8540
- C:\Windows\System32\saNpiJJ.exe
  C:\Windows\System32\saNpiJJ.exe
  2⤵
  PID:8608
- C:\Windows\System32\DJgQEck.exe
  C:\Windows\System32\DJgQEck.exe
  2⤵
  PID:8660
- C:\Windows\System32\HREhygX.exe
  C:\Windows\System32\HREhygX.exe
  2⤵
  PID:8712
- C:\Windows\System32\WAxPhty.exe
  C:\Windows\System32\WAxPhty.exe
  2⤵
  PID:8728
- C:\Windows\System32\zXgrAns.exe
  C:\Windows\System32\zXgrAns.exe
  2⤵
  PID:8756
- C:\Windows\System32\XXtsgdA.exe
  C:\Windows\System32\XXtsgdA.exe
  2⤵
  PID:8776
- C:\Windows\System32\hyZASlS.exe
  C:\Windows\System32\hyZASlS.exe
  2⤵
  PID:8804
- C:\Windows\System32\XAxiQuW.exe
  C:\Windows\System32\XAxiQuW.exe
  2⤵
  PID:8828
- C:\Windows\System32\RUhOYVy.exe
  C:\Windows\System32\RUhOYVy.exe
  2⤵
  PID:8844
- C:\Windows\System32\mxuNvBt.exe
  C:\Windows\System32\mxuNvBt.exe
  2⤵
  PID:8868
- C:\Windows\System32\GqmmQKe.exe
  C:\Windows\System32\GqmmQKe.exe
  2⤵
  PID:8884
- C:\Windows\System32\mbPOQdG.exe
  C:\Windows\System32\mbPOQdG.exe
  2⤵
  PID:8912
- C:\Windows\System32\eLdVsWl.exe
  C:\Windows\System32\eLdVsWl.exe
  2⤵
  PID:8960
- C:\Windows\System32\jSaXWPC.exe
  C:\Windows\System32\jSaXWPC.exe
  2⤵
  PID:9016
- C:\Windows\System32\JYceDxi.exe
  C:\Windows\System32\JYceDxi.exe
  2⤵
  PID:9048
- C:\Windows\System32\XCkMYfc.exe
  C:\Windows\System32\XCkMYfc.exe
  2⤵
  PID:9072
- C:\Windows\System32\VcgITVr.exe
  C:\Windows\System32\VcgITVr.exe
  2⤵
  PID:9104
- C:\Windows\System32\ddicNfv.exe
  C:\Windows\System32\ddicNfv.exe
  2⤵
  PID:9124
- C:\Windows\System32\EcPHxoe.exe
  C:\Windows\System32\EcPHxoe.exe
  2⤵
  PID:9148
- C:\Windows\System32\pnUtUcc.exe
  C:\Windows\System32\pnUtUcc.exe
  2⤵
  PID:9176
- C:\Windows\System32\kWcTYLn.exe
  C:\Windows\System32\kWcTYLn.exe
  2⤵
  PID:9196
- C:\Windows\System32\WpoPyzk.exe
  C:\Windows\System32\WpoPyzk.exe
  2⤵
  PID:9212
- C:\Windows\System32\RaQYRzx.exe
  C:\Windows\System32\RaQYRzx.exe
  2⤵
  PID:8228
- C:\Windows\System32\CGLsMYn.exe
  C:\Windows\System32\CGLsMYn.exe
  2⤵
  PID:8272
- C:\Windows\System32\WNqGJCs.exe
  C:\Windows\System32\WNqGJCs.exe
  2⤵
  PID:8296
- C:\Windows\System32\PpevKyc.exe
  C:\Windows\System32\PpevKyc.exe
  2⤵
  PID:8400
- C:\Windows\System32\DMSYwyu.exe
  C:\Windows\System32\DMSYwyu.exe
  2⤵
  PID:8476
- C:\Windows\System32\qFqabSW.exe
  C:\Windows\System32\qFqabSW.exe
  2⤵
  PID:8508
- C:\Windows\System32\lWlRyGv.exe
  C:\Windows\System32\lWlRyGv.exe
  2⤵
  PID:8560
- C:\Windows\System32\PkCDFFf.exe
  C:\Windows\System32\PkCDFFf.exe
  2⤵
  PID:8764
- C:\Windows\System32\rdkddzC.exe
  C:\Windows\System32\rdkddzC.exe
  2⤵
  PID:8768
- C:\Windows\System32\UOPjMEb.exe
  C:\Windows\System32\UOPjMEb.exe
  2⤵
  PID:8920
- C:\Windows\System32\lmaSWYi.exe
  C:\Windows\System32\lmaSWYi.exe
  2⤵
  PID:8864
- C:\Windows\System32\pNzmUcs.exe
  C:\Windows\System32\pNzmUcs.exe
  2⤵
  PID:8860
- C:\Windows\System32\FFtWGFz.exe
  C:\Windows\System32\FFtWGFz.exe
  2⤵
  PID:9100
- C:\Windows\System32\DklelCN.exe
  C:\Windows\System32\DklelCN.exe
  2⤵
  PID:9132
- C:\Windows\System32\cZSxZEG.exe
  C:\Windows\System32\cZSxZEG.exe
  2⤵
  PID:9168
- C:\Windows\System32\zOFBOEO.exe
  C:\Windows\System32\zOFBOEO.exe
  2⤵
  PID:9204
- C:\Windows\System32\iKhPwff.exe
  C:\Windows\System32\iKhPwff.exe
  2⤵
  PID:8276
- C:\Windows\System32\WAesPmN.exe
  C:\Windows\System32\WAesPmN.exe
  2⤵
  PID:8456
- C:\Windows\System32\zIhkJyb.exe
  C:\Windows\System32\zIhkJyb.exe
  2⤵
  PID:8616
- C:\Windows\System32\PtWXMVU.exe
  C:\Windows\System32\PtWXMVU.exe
  2⤵
  PID:8704
- C:\Windows\System32\ChNeqRJ.exe
  C:\Windows\System32\ChNeqRJ.exe
  2⤵
  PID:8940
- C:\Windows\System32\MQqLoEf.exe
  C:\Windows\System32\MQqLoEf.exe
  2⤵
  PID:8968
- C:\Windows\System32\UUTSIIi.exe
  C:\Windows\System32\UUTSIIi.exe
  2⤵
  PID:9060
- C:\Windows\System32\suhaxmd.exe
  C:\Windows\System32\suhaxmd.exe
  2⤵
  PID:8584
- C:\Windows\System32\whxADEY.exe
  C:\Windows\System32\whxADEY.exe
  2⤵
  PID:8548
- C:\Windows\System32\SeOloNd.exe
  C:\Windows\System32\SeOloNd.exe
  2⤵
  PID:9224
- C:\Windows\System32\pvPZsGR.exe
  C:\Windows\System32\pvPZsGR.exe
  2⤵
  PID:9248
- C:\Windows\System32\XVGWSju.exe
  C:\Windows\System32\XVGWSju.exe
  2⤵
  PID:9308
- C:\Windows\System32\RuJoGAe.exe
  C:\Windows\System32\RuJoGAe.exe
  2⤵
  PID:9328
- C:\Windows\System32\iFhahse.exe
  C:\Windows\System32\iFhahse.exe
  2⤵
  PID:9352
- C:\Windows\System32\gshRgti.exe
  C:\Windows\System32\gshRgti.exe
  2⤵
  PID:9376
- C:\Windows\System32\HQcZCft.exe
  C:\Windows\System32\HQcZCft.exe
  2⤵
  PID:9392
- C:\Windows\System32\IQWZWLc.exe
  C:\Windows\System32\IQWZWLc.exe
  2⤵
  PID:9416
- C:\Windows\System32\iaUHBYZ.exe
  C:\Windows\System32\iaUHBYZ.exe
  2⤵
  PID:9452
- C:\Windows\System32\qACddDV.exe
  C:\Windows\System32\qACddDV.exe
  2⤵
  PID:9540
- C:\Windows\System32\UPRzbIC.exe
  C:\Windows\System32\UPRzbIC.exe
  2⤵
  PID:9568
- C:\Windows\System32\sioYFUk.exe
  C:\Windows\System32\sioYFUk.exe
  2⤵
  PID:9592
- C:\Windows\System32\EZJlYol.exe
  C:\Windows\System32\EZJlYol.exe
  2⤵
  PID:9616
- C:\Windows\System32\jrYaAYs.exe
  C:\Windows\System32\jrYaAYs.exe
  2⤵
  PID:9636
- C:\Windows\System32\rcCAIYW.exe
  C:\Windows\System32\rcCAIYW.exe
  2⤵
  PID:9652
- C:\Windows\System32\YmhQInn.exe
  C:\Windows\System32\YmhQInn.exe
  2⤵
  PID:9668
- C:\Windows\System32\xppsHND.exe
  C:\Windows\System32\xppsHND.exe
  2⤵
  PID:9684
- C:\Windows\System32\jedKCDH.exe
  C:\Windows\System32\jedKCDH.exe
  2⤵
  PID:9704
- C:\Windows\System32\KkKfpXV.exe
  C:\Windows\System32\KkKfpXV.exe
  2⤵
  PID:9760
- C:\Windows\System32\uuhvUpB.exe
  C:\Windows\System32\uuhvUpB.exe
  2⤵
  PID:9788
- C:\Windows\System32\FlkRRqk.exe
  C:\Windows\System32\FlkRRqk.exe
  2⤵
  PID:9820
- C:\Windows\System32\wSJvkGV.exe
  C:\Windows\System32\wSJvkGV.exe
  2⤵
  PID:9836
- C:\Windows\System32\pErDLTN.exe
  C:\Windows\System32\pErDLTN.exe
  2⤵
  PID:9944
- C:\Windows\System32\rfGOyDo.exe
  C:\Windows\System32\rfGOyDo.exe
  2⤵
  PID:9988
- C:\Windows\System32\BxMSATz.exe
  C:\Windows\System32\BxMSATz.exe
  2⤵
  PID:10004
- C:\Windows\System32\wmNABBT.exe
  C:\Windows\System32\wmNABBT.exe
  2⤵
  PID:10032
- C:\Windows\System32\mDHcpYL.exe
  C:\Windows\System32\mDHcpYL.exe
  2⤵
  PID:10052
- C:\Windows\System32\VjsIrjT.exe
  C:\Windows\System32\VjsIrjT.exe
  2⤵
  PID:10080
- C:\Windows\System32\GjkyPWi.exe
  C:\Windows\System32\GjkyPWi.exe
  2⤵
  PID:10124
- C:\Windows\System32\Rstuatx.exe
  C:\Windows\System32\Rstuatx.exe
  2⤵
  PID:10176
- C:\Windows\System32\iNlAeYQ.exe
  C:\Windows\System32\iNlAeYQ.exe
  2⤵
  PID:10208
- C:\Windows\System32\pshsjJg.exe
  C:\Windows\System32\pshsjJg.exe
  2⤵
  PID:10224
- C:\Windows\System32\CwkEjJp.exe
  C:\Windows\System32\CwkEjJp.exe
  2⤵
  PID:9080
- C:\Windows\System32\RPVDfuc.exe
  C:\Windows\System32\RPVDfuc.exe
  2⤵
  PID:9140
- C:\Windows\System32\LWWgeht.exe
  C:\Windows\System32\LWWgeht.exe
  2⤵
  PID:9268
- C:\Windows\System32\cIlvevf.exe
  C:\Windows\System32\cIlvevf.exe
  2⤵
  PID:9324
- C:\Windows\System32\LSiWNob.exe
  C:\Windows\System32\LSiWNob.exe
  2⤵
  PID:9348
- C:\Windows\System32\BosFdWi.exe
  C:\Windows\System32\BosFdWi.exe
  2⤵
  PID:9424
- C:\Windows\System32\AcDgMoF.exe
  C:\Windows\System32\AcDgMoF.exe
  2⤵
  PID:9368
- C:\Windows\System32\ppEnBzI.exe
  C:\Windows\System32\ppEnBzI.exe
  2⤵
  PID:9552
- C:\Windows\System32\YKLxfMI.exe
  C:\Windows\System32\YKLxfMI.exe
  2⤵
  PID:9664
- C:\Windows\System32\kIKtHwT.exe
  C:\Windows\System32\kIKtHwT.exe
  2⤵
  PID:9744
- C:\Windows\System32\UYRCDHa.exe
  C:\Windows\System32\UYRCDHa.exe
  2⤵
  PID:9796
- C:\Windows\System32\vAZQYTA.exe
  C:\Windows\System32\vAZQYTA.exe
  2⤵
  PID:9808
- C:\Windows\System32\TWxRkrF.exe
  C:\Windows\System32\TWxRkrF.exe
  2⤵
  PID:9832
- C:\Windows\System32\yZwfJPA.exe
  C:\Windows\System32\yZwfJPA.exe
  2⤵
  PID:9860
- C:\Windows\System32\lBpALwq.exe
  C:\Windows\System32\lBpALwq.exe
  2⤵
  PID:9884
- C:\Windows\System32\JfRtJvG.exe
  C:\Windows\System32\JfRtJvG.exe
  2⤵
  PID:10012
- C:\Windows\System32\AoSumGB.exe
  C:\Windows\System32\AoSumGB.exe
  2⤵
  PID:10020
- C:\Windows\System32\vJSZCWJ.exe
  C:\Windows\System32\vJSZCWJ.exe
  2⤵
  PID:10092
- C:\Windows\System32\aWQhLiI.exe
  C:\Windows\System32\aWQhLiI.exe
  2⤵
  PID:10132
- C:\Windows\System32\rJGZsWh.exe
  C:\Windows\System32\rJGZsWh.exe
  2⤵
  PID:8592
- C:\Windows\System32\uUQKicI.exe
  C:\Windows\System32\uUQKicI.exe
  2⤵
  PID:9388
- C:\Windows\System32\hjMcKBg.exe
  C:\Windows\System32\hjMcKBg.exe
  2⤵
  PID:9504
- C:\Windows\System32\ApzFgaE.exe
  C:\Windows\System32\ApzFgaE.exe
  2⤵
  PID:9680
- C:\Windows\System32\ZRVhPcl.exe
  C:\Windows\System32\ZRVhPcl.exe
  2⤵
  PID:9912
- C:\Windows\System32\GENprSP.exe
  C:\Windows\System32\GENprSP.exe
  2⤵
  PID:9940
- C:\Windows\System32\baOWAUi.exe
  C:\Windows\System32\baOWAUi.exe
  2⤵
  PID:10072
- C:\Windows\System32\zXnFbNc.exe
  C:\Windows\System32\zXnFbNc.exe
  2⤵
  PID:10188
- C:\Windows\System32\enQkjod.exe
  C:\Windows\System32\enQkjod.exe
  2⤵
  PID:9232
- C:\Windows\System32\neCMuMO.exe
  C:\Windows\System32\neCMuMO.exe
  2⤵
  PID:9632
- C:\Windows\System32\ZrGHqdu.exe
  C:\Windows\System32\ZrGHqdu.exe
  2⤵
  PID:9800
- C:\Windows\System32\TixDXlF.exe
  C:\Windows\System32\TixDXlF.exe
  2⤵
  PID:9976
- C:\Windows\System32\wVjoDuE.exe
  C:\Windows\System32\wVjoDuE.exe
  2⤵
  PID:9716
- C:\Windows\System32\qhoJcAt.exe
  C:\Windows\System32\qhoJcAt.exe
  2⤵
  PID:9776
- C:\Windows\System32\gAAOnvX.exe
  C:\Windows\System32\gAAOnvX.exe
  2⤵
  PID:10268
- C:\Windows\System32\LYhWGEU.exe
  C:\Windows\System32\LYhWGEU.exe
  2⤵
  PID:10320
- C:\Windows\System32\AoHJbvc.exe
  C:\Windows\System32\AoHJbvc.exe
  2⤵
  PID:10360
- C:\Windows\System32\hYndQoH.exe
  C:\Windows\System32\hYndQoH.exe
  2⤵
  PID:10388
- C:\Windows\System32\QuGyuFX.exe
  C:\Windows\System32\QuGyuFX.exe
  2⤵
  PID:10404
- C:\Windows\System32\QFWbUXD.exe
  C:\Windows\System32\QFWbUXD.exe
  2⤵
  PID:10424
- C:\Windows\System32\OQtsyyj.exe
  C:\Windows\System32\OQtsyyj.exe
  2⤵
  PID:10444
- C:\Windows\System32\fNEOsTe.exe
  C:\Windows\System32\fNEOsTe.exe
  2⤵
  PID:10464
- C:\Windows\System32\NcQoyfi.exe
  C:\Windows\System32\NcQoyfi.exe
  2⤵
  PID:10508
- C:\Windows\System32\VCkAOxa.exe
  C:\Windows\System32\VCkAOxa.exe
  2⤵
  PID:10528
- C:\Windows\System32\VDtQXCg.exe
  C:\Windows\System32\VDtQXCg.exe
  2⤵
  PID:10584
- C:\Windows\System32\OTlFgwU.exe
  C:\Windows\System32\OTlFgwU.exe
  2⤵
  PID:10600
- C:\Windows\System32\uMZIWQh.exe
  C:\Windows\System32\uMZIWQh.exe
  2⤵
  PID:10628
- C:\Windows\System32\BGWBAQc.exe
  C:\Windows\System32\BGWBAQc.exe
  2⤵
  PID:10644
- C:\Windows\System32\ntCaqcM.exe
  C:\Windows\System32\ntCaqcM.exe
  2⤵
  PID:10676
- C:\Windows\System32\CnFzTcQ.exe
  C:\Windows\System32\CnFzTcQ.exe
  2⤵
  PID:10692
- C:\Windows\System32\xvoGrxn.exe
  C:\Windows\System32\xvoGrxn.exe
  2⤵
  PID:10712
- C:\Windows\System32\KLiOUAx.exe
  C:\Windows\System32\KLiOUAx.exe
  2⤵
  PID:10748
- C:\Windows\System32\AtygWJA.exe
  C:\Windows\System32\AtygWJA.exe
  2⤵
  PID:10784
- C:\Windows\System32\YFfNAkh.exe
  C:\Windows\System32\YFfNAkh.exe
  2⤵
  PID:10804
- C:\Windows\System32\yQPoigG.exe
  C:\Windows\System32\yQPoigG.exe
  2⤵
  PID:10820
- C:\Windows\System32\YiQxNVL.exe
  C:\Windows\System32\YiQxNVL.exe
  2⤵
  PID:10860
- C:\Windows\System32\lAtsYqC.exe
  C:\Windows\System32\lAtsYqC.exe
  2⤵
  PID:10908
- C:\Windows\System32\kcScVAJ.exe
  C:\Windows\System32\kcScVAJ.exe
  2⤵
  PID:10940
- C:\Windows\System32\BRgxmlF.exe
  C:\Windows\System32\BRgxmlF.exe
  2⤵
  PID:10964
- C:\Windows\System32\GhtfmIN.exe
  C:\Windows\System32\GhtfmIN.exe
  2⤵
  PID:10980
- C:\Windows\System32\fexhKwa.exe
  C:\Windows\System32\fexhKwa.exe
  2⤵
  PID:11000
- C:\Windows\System32\GwfPjtZ.exe
  C:\Windows\System32\GwfPjtZ.exe
  2⤵
  PID:11040
- C:\Windows\System32\QVvLDls.exe
  C:\Windows\System32\QVvLDls.exe
  2⤵
  PID:11056
- C:\Windows\System32\itHPnEK.exe
  C:\Windows\System32\itHPnEK.exe
  2⤵
  PID:11084
- C:\Windows\System32\pTUmoso.exe
  C:\Windows\System32\pTUmoso.exe
  2⤵
  PID:11100
- C:\Windows\System32\OQoDxDE.exe
  C:\Windows\System32\OQoDxDE.exe
  2⤵
  PID:11124
- C:\Windows\System32\XXOtuTr.exe
  C:\Windows\System32\XXOtuTr.exe
  2⤵
  PID:11192
- C:\Windows\System32\gzsURwe.exe
  C:\Windows\System32\gzsURwe.exe
  2⤵
  PID:11216
- C:\Windows\System32\edXRHXF.exe
  C:\Windows\System32\edXRHXF.exe
  2⤵
  PID:11252
- C:\Windows\System32\utFrhdV.exe
  C:\Windows\System32\utFrhdV.exe
  2⤵
  PID:9492
- C:\Windows\System32\hFesIzA.exe
  C:\Windows\System32\hFesIzA.exe
  2⤵
  PID:10260
- C:\Windows\System32\UcdHZJT.exe
  C:\Windows\System32\UcdHZJT.exe
  2⤵
  PID:10340
- C:\Windows\System32\FfZmQlX.exe
  C:\Windows\System32\FfZmQlX.exe
  2⤵
  PID:10396
- C:\Windows\System32\orSBSjJ.exe
  C:\Windows\System32\orSBSjJ.exe
  2⤵
  PID:10416
- C:\Windows\System32\NJNjqmz.exe
  C:\Windows\System32\NJNjqmz.exe
  2⤵
  PID:10500
- C:\Windows\System32\FHEqnQY.exe
  C:\Windows\System32\FHEqnQY.exe
  2⤵
  PID:10624
- C:\Windows\System32\mGMXvfm.exe
  C:\Windows\System32\mGMXvfm.exe
  2⤵
  PID:10684
- C:\Windows\System32\fqEtACz.exe
  C:\Windows\System32\fqEtACz.exe
  2⤵
  PID:10728
- C:\Windows\System32\XgsBiSZ.exe
  C:\Windows\System32\XgsBiSZ.exe
  2⤵
  PID:10760
- C:\Windows\System32\tHahqmr.exe
  C:\Windows\System32\tHahqmr.exe
  2⤵
  PID:10836
- C:\Windows\System32\MSzCIlI.exe
  C:\Windows\System32\MSzCIlI.exe
  2⤵
  PID:10896
- C:\Windows\System32\CXrvFMw.exe
  C:\Windows\System32\CXrvFMw.exe
  2⤵
  PID:10932
- C:\Windows\System32\cxpGTkx.exe
  C:\Windows\System32\cxpGTkx.exe
  2⤵
  PID:11008
- C:\Windows\System32\UnSgdqE.exe
  C:\Windows\System32\UnSgdqE.exe
  2⤵
  PID:10992
- C:\Windows\System32\bOigOKk.exe
  C:\Windows\System32\bOigOKk.exe
  2⤵
  PID:11108
- C:\Windows\System32\hYMIqne.exe
  C:\Windows\System32\hYMIqne.exe
  2⤵
  PID:11092
- C:\Windows\System32\KlWbwLu.exe
  C:\Windows\System32\KlWbwLu.exe
  2⤵
  PID:11212
- C:\Windows\System32\rCQkbsH.exe
  C:\Windows\System32\rCQkbsH.exe
  2⤵
  PID:9364
- C:\Windows\System32\mDXLdab.exe
  C:\Windows\System32\mDXLdab.exe
  2⤵
  PID:10332
- C:\Windows\System32\BCbdkLi.exe
  C:\Windows\System32\BCbdkLi.exe
  2⤵
  PID:10472
- C:\Windows\System32\ByrTfpP.exe
  C:\Windows\System32\ByrTfpP.exe
  2⤵
  PID:10596
- C:\Windows\System32\zQhTcaX.exe
  C:\Windows\System32\zQhTcaX.exe
  2⤵
  PID:10828
- C:\Windows\System32\kLKHFfC.exe
  C:\Windows\System32\kLKHFfC.exe
  2⤵
  PID:10924
- C:\Windows\System32\BUoFqCx.exe
  C:\Windows\System32\BUoFqCx.exe
  2⤵
  PID:11096
- C:\Windows\System32\bSLliYN.exe
  C:\Windows\System32\bSLliYN.exe
  2⤵
  PID:11168
- C:\Windows\System32\ZfFuBPi.exe
  C:\Windows\System32\ZfFuBPi.exe
  2⤵
  PID:10592
- C:\Windows\System32\EUTtNlW.exe
  C:\Windows\System32\EUTtNlW.exe
  2⤵
  PID:10976
- C:\Windows\System32\beBLNQm.exe
  C:\Windows\System32\beBLNQm.exe
  2⤵
  PID:11272
- C:\Windows\System32\tPLxHYC.exe
  C:\Windows\System32\tPLxHYC.exe
  2⤵
  PID:11320
- C:\Windows\System32\LChacCQ.exe
  C:\Windows\System32\LChacCQ.exe
  2⤵
  PID:11344
- C:\Windows\System32\xQYZojW.exe
  C:\Windows\System32\xQYZojW.exe
  2⤵
  PID:11408
- C:\Windows\System32\nvLRVXn.exe
  C:\Windows\System32\nvLRVXn.exe
  2⤵
  PID:11428
- C:\Windows\System32\hSAbCfu.exe
  C:\Windows\System32\hSAbCfu.exe
  2⤵
  PID:11448
- C:\Windows\System32\wVMYVoJ.exe
  C:\Windows\System32\wVMYVoJ.exe
  2⤵
  PID:11472
- C:\Windows\System32\YttPcfV.exe
  C:\Windows\System32\YttPcfV.exe
  2⤵
  PID:11496
- C:\Windows\System32\GVTHAPU.exe
  C:\Windows\System32\GVTHAPU.exe
  2⤵
  PID:11512
- C:\Windows\System32\nNMNkGd.exe
  C:\Windows\System32\nNMNkGd.exe
  2⤵
  PID:11548
- C:\Windows\System32\KIcabAZ.exe
  C:\Windows\System32\KIcabAZ.exe
  2⤵
  PID:11564
- C:\Windows\System32\JKBiUxJ.exe
  C:\Windows\System32\JKBiUxJ.exe
  2⤵
  PID:11624
- C:\Windows\System32\VdbNDWB.exe
  C:\Windows\System32\VdbNDWB.exe
  2⤵
  PID:11652
- C:\Windows\System32\eMkDiGo.exe
  C:\Windows\System32\eMkDiGo.exe
  2⤵
  PID:11676
- C:\Windows\System32\eAFENgX.exe
  C:\Windows\System32\eAFENgX.exe
  2⤵
  PID:11696
- C:\Windows\System32\KXhtFLk.exe
  C:\Windows\System32\KXhtFLk.exe
  2⤵
  PID:11728
- C:\Windows\System32\loIIAAx.exe
  C:\Windows\System32\loIIAAx.exe
  2⤵
  PID:11772
- C:\Windows\System32\onLZXmj.exe
  C:\Windows\System32\onLZXmj.exe
  2⤵
  PID:11792
- C:\Windows\System32\dFeNUXJ.exe
  C:\Windows\System32\dFeNUXJ.exe
  2⤵
  PID:11820
- C:\Windows\System32\DhuEQqr.exe
  C:\Windows\System32\DhuEQqr.exe
  2⤵
  PID:11840
- C:\Windows\System32\AEwYwQk.exe
  C:\Windows\System32\AEwYwQk.exe
  2⤵
  PID:11856
- C:\Windows\System32\vaiWhbV.exe
  C:\Windows\System32\vaiWhbV.exe
  2⤵
  PID:11892
- C:\Windows\System32\uFRpYyL.exe
  C:\Windows\System32\uFRpYyL.exe
  2⤵
  PID:11944
- C:\Windows\System32\zkdTlYD.exe
  C:\Windows\System32\zkdTlYD.exe
  2⤵
  PID:11972
- C:\Windows\System32\SFQNRgE.exe
  C:\Windows\System32\SFQNRgE.exe
  2⤵
  PID:12000
- C:\Windows\System32\NuqdTIY.exe
  C:\Windows\System32\NuqdTIY.exe
  2⤵
  PID:12024
- C:\Windows\System32\mugQQSK.exe
  C:\Windows\System32\mugQQSK.exe
  2⤵
  PID:12044
- C:\Windows\System32\iqgciUh.exe
  C:\Windows\System32\iqgciUh.exe
  2⤵
  PID:12068
- C:\Windows\System32\bQTlzWv.exe
  C:\Windows\System32\bQTlzWv.exe
  2⤵
  PID:12100
- C:\Windows\System32\MRyFijH.exe
  C:\Windows\System32\MRyFijH.exe
  2⤵
  PID:12120
- C:\Windows\System32\MXQuLcK.exe
  C:\Windows\System32\MXQuLcK.exe
  2⤵
  PID:12140
- C:\Windows\System32\NewFjEA.exe
  C:\Windows\System32\NewFjEA.exe
  2⤵
  PID:12168
- C:\Windows\System32\VGWNckP.exe
  C:\Windows\System32\VGWNckP.exe
  2⤵
  PID:12188
- C:\Windows\System32\DcNVpXS.exe
  C:\Windows\System32\DcNVpXS.exe
  2⤵
  PID:12208
- C:\Windows\System32\effFjhi.exe
  C:\Windows\System32\effFjhi.exe
  2⤵
  PID:12256
- C:\Windows\System32\mznDIuM.exe
  C:\Windows\System32\mznDIuM.exe
  2⤵
  PID:12272
- C:\Windows\System32\ccBlzlf.exe
  C:\Windows\System32\ccBlzlf.exe
  2⤵
  PID:10796
- C:\Windows\System32\CugQdZl.exe
  C:\Windows\System32\CugQdZl.exe
  2⤵
  PID:11300
- C:\Windows\System32\LWWhvJp.exe
  C:\Windows\System32\LWWhvJp.exe
  2⤵
  PID:11328
- C:\Windows\System32\atXCFVY.exe
  C:\Windows\System32\atXCFVY.exe
  2⤵
  PID:11440
- C:\Windows\System32\qOxUSCo.exe
  C:\Windows\System32\qOxUSCo.exe
  2⤵
  PID:11436
- C:\Windows\System32\MHLLujl.exe
  C:\Windows\System32\MHLLujl.exe
  2⤵
  PID:11420
- C:\Windows\System32\iREGxIJ.exe
  C:\Windows\System32\iREGxIJ.exe
  2⤵
  PID:11660
- C:\Windows\System32\bOBBuES.exe
  C:\Windows\System32\bOBBuES.exe
  2⤵
  PID:11768
- C:\Windows\System32\cOQKpzo.exe
  C:\Windows\System32\cOQKpzo.exe
  2⤵
  PID:11848
- C:\Windows\System32\RqlAFSk.exe
  C:\Windows\System32\RqlAFSk.exe
  2⤵
  PID:11876
- C:\Windows\System32\auTUgYl.exe
  C:\Windows\System32\auTUgYl.exe
  2⤵
  PID:11920
- C:\Windows\System32\bDWvFtS.exe
  C:\Windows\System32\bDWvFtS.exe
  2⤵
  PID:11952
- C:\Windows\System32\usbYUZQ.exe
  C:\Windows\System32\usbYUZQ.exe
  2⤵
  PID:12036
- C:\Windows\System32\TXHCTxm.exe
  C:\Windows\System32\TXHCTxm.exe
  2⤵
  PID:12088
- C:\Windows\System32\qLGstYv.exe
  C:\Windows\System32\qLGstYv.exe
  2⤵
  PID:12148
- C:\Windows\System32\eNJMYqV.exe
  C:\Windows\System32\eNJMYqV.exe
  2⤵
  PID:12180
- C:\Windows\System32\oLWyrEL.exe
  C:\Windows\System32\oLWyrEL.exe
  2⤵
  PID:11280
- C:\Windows\System32\UHSrtnr.exe
  C:\Windows\System32\UHSrtnr.exe
  2⤵
  PID:11380
- C:\Windows\System32\wUEVKVb.exe
  C:\Windows\System32\wUEVKVb.exe
  2⤵
  PID:5060
- C:\Windows\System32\uxhaweT.exe
  C:\Windows\System32\uxhaweT.exe
  2⤵
  PID:11648
- C:\Windows\System32\uJkLUKh.exe
  C:\Windows\System32\uJkLUKh.exe
  2⤵
  PID:11760
- C:\Windows\System32\xAveaCt.exe
  C:\Windows\System32\xAveaCt.exe
  2⤵
  PID:11852
- C:\Windows\System32\DOFmoxK.exe
  C:\Windows\System32\DOFmoxK.exe
  2⤵
  PID:12012
- C:\Windows\System32\ZAwuWJY.exe
  C:\Windows\System32\ZAwuWJY.exe
  2⤵
  PID:12084
- C:\Windows\System32\MGyPIVD.exe
  C:\Windows\System32\MGyPIVD.exe
  2⤵
  PID:12232
- C:\Windows\System32\Uskvkxj.exe
  C:\Windows\System32\Uskvkxj.exe
  2⤵
  PID:12264
- C:\Windows\System32\wOTPQBc.exe
  C:\Windows\System32\wOTPQBc.exe
  2⤵
  PID:11560
- C:\Windows\System32\MDfKauv.exe
  C:\Windows\System32\MDfKauv.exe
  2⤵
  PID:11984
- C:\Windows\System32\PohMung.exe
  C:\Windows\System32\PohMung.exe
  2⤵
  PID:11864
- C:\Windows\System32\pXCXKQK.exe
  C:\Windows\System32\pXCXKQK.exe
  2⤵
  PID:12320
- C:\Windows\System32\KcTXRGY.exe
  C:\Windows\System32\KcTXRGY.exe
  2⤵
  PID:12348
- C:\Windows\System32\IaYfxJS.exe
  C:\Windows\System32\IaYfxJS.exe
  2⤵
  PID:12380
- C:\Windows\System32\xJPRgDm.exe
  C:\Windows\System32\xJPRgDm.exe
  2⤵
  PID:12400
- C:\Windows\System32\JzuNxit.exe
  C:\Windows\System32\JzuNxit.exe
  2⤵
  PID:12428
- C:\Windows\System32\BNNbjMI.exe
  C:\Windows\System32\BNNbjMI.exe
  2⤵
  PID:12444
- C:\Windows\System32\aIBfcBu.exe
  C:\Windows\System32\aIBfcBu.exe
  2⤵
  PID:12488
- C:\Windows\System32\bTRPjxU.exe
  C:\Windows\System32\bTRPjxU.exe
  2⤵
  PID:12508
- C:\Windows\System32\zwAhBBF.exe
  C:\Windows\System32\zwAhBBF.exe
  2⤵
  PID:12540
- C:\Windows\System32\bmNtOxH.exe
  C:\Windows\System32\bmNtOxH.exe
  2⤵
  PID:12564
- C:\Windows\System32\bWEfKbn.exe
  C:\Windows\System32\bWEfKbn.exe
  2⤵
  PID:12584
- C:\Windows\System32\cbWOQhi.exe
  C:\Windows\System32\cbWOQhi.exe
  2⤵
  PID:12604
- C:\Windows\System32\pRTeURL.exe
  C:\Windows\System32\pRTeURL.exe
  2⤵
  PID:12624
- C:\Windows\System32\ZpgnFgM.exe
  C:\Windows\System32\ZpgnFgM.exe
  2⤵
  PID:12640
- C:\Windows\System32\lQgkcrz.exe
  C:\Windows\System32\lQgkcrz.exe
  2⤵
  PID:12668
- C:\Windows\System32\KeOTdTM.exe
  C:\Windows\System32\KeOTdTM.exe
  2⤵
  PID:12740
- C:\Windows\System32\CIZefvw.exe
  C:\Windows\System32\CIZefvw.exe
  2⤵
  PID:12760
- C:\Windows\System32\dzwlTob.exe
  C:\Windows\System32\dzwlTob.exe
  2⤵
  PID:12780
- C:\Windows\System32\ozMuTBV.exe
  C:\Windows\System32\ozMuTBV.exe
  2⤵
  PID:12824
- C:\Windows\System32\PkOYvqT.exe
  C:\Windows\System32\PkOYvqT.exe
  2⤵
  PID:12844
- C:\Windows\System32\NIuUPkj.exe
  C:\Windows\System32\NIuUPkj.exe
  2⤵
  PID:12884
- C:\Windows\System32\yHcgnTU.exe
  C:\Windows\System32\yHcgnTU.exe
  2⤵
  PID:12908
- C:\Windows\System32\tUqyTWb.exe
  C:\Windows\System32\tUqyTWb.exe
  2⤵
  PID:12932
- C:\Windows\System32\JTMVSfN.exe
  C:\Windows\System32\JTMVSfN.exe
  2⤵
  PID:12968
- C:\Windows\System32\CEcEwTE.exe
  C:\Windows\System32\CEcEwTE.exe
  2⤵
  PID:12996
- C:\Windows\System32\azcBUyi.exe
  C:\Windows\System32\azcBUyi.exe
  2⤵
  PID:13016
- C:\Windows\System32\EUTJJcZ.exe
  C:\Windows\System32\EUTJJcZ.exe
  2⤵
  PID:13032
- C:\Windows\System32\krYTcAN.exe
  C:\Windows\System32\krYTcAN.exe
  2⤵
  PID:13072
- C:\Windows\System32\jBSjDTE.exe
  C:\Windows\System32\jBSjDTE.exe
  2⤵
  PID:13120
- C:\Windows\System32\lvgHEIm.exe
  C:\Windows\System32\lvgHEIm.exe
  2⤵
  PID:13144
- C:\Windows\System32\pJtZNav.exe
  C:\Windows\System32\pJtZNav.exe
  2⤵
  PID:13164
- C:\Windows\System32\lxIZndE.exe
  C:\Windows\System32\lxIZndE.exe
  2⤵
  PID:13184
- C:\Windows\System32\NQgcdDH.exe
  C:\Windows\System32\NQgcdDH.exe
  2⤵
  PID:13220
- C:\Windows\System32\APHaSAR.exe
  C:\Windows\System32\APHaSAR.exe
  2⤵
  PID:13256
- C:\Windows\System32\YwrOGdQ.exe
  C:\Windows\System32\YwrOGdQ.exe
  2⤵
  PID:13296
- C:\Windows\System32\WaWDMmg.exe
  C:\Windows\System32\WaWDMmg.exe
  2⤵
  PID:11936
- C:\Windows\System32\HSrYBBV.exe
  C:\Windows\System32\HSrYBBV.exe
  2⤵
  PID:12392
- C:\Windows\System32\jKPKNlW.exe
  C:\Windows\System32\jKPKNlW.exe
  2⤵
  PID:12436
- C:\Windows\System32\mPzfIuV.exe
  C:\Windows\System32\mPzfIuV.exe
  2⤵
  PID:12464
- C:\Windows\System32\SPSpJJY.exe
  C:\Windows\System32\SPSpJJY.exe
  2⤵
  PID:12548
- C:\Windows\System32\QHwCNHz.exe
  C:\Windows\System32\QHwCNHz.exe
  2⤵
  PID:12576

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AWlhNlP.exe

Filesize
1.1MB

MD5
5e6db43be3f92fb003a94157732f90c0

SHA1
1073d30402b2335a038b94eed2829e2bcadf5cd9

SHA256
7a0c76e9831b26528cd9a558ec105d58aabcc26fd3a7124a9b9c2e9a7607cd8e

SHA512
d4d9049e5ad5961ee08c25e45d81571e0687a9e788425d234fb64de870b253a93c2be92e1e1b97019ba1270331d72338302e5da70415ae242e44e05abc13aa78

Download Submit
C:\Windows\System32\BdsDWnw.exe

Filesize
1.1MB

MD5
691ca4c689b15b6ba38223a3f879eb7c

SHA1
3ea674027aa1a5864694c399725e1f0176a1d8aa

SHA256
525c3eabd08d3e694dde431472857a4b0941f4f2ef28d672643c9ba8b846fff2

SHA512
6214f6d12a573397ac61dfe0666cb17df0592b31f028876dedb891f4ca6ee5c7f811b68787339b0db7a9a5714fc3fda58bea7df88422a3f5912b7310e6285c50

Download Submit
C:\Windows\System32\DvbtTqx.exe

Filesize
1.1MB

MD5
185ec57109cb27c3b3ed10c02c4e6d02

SHA1
d5188d3b239db2e58d89121c5a55c73ccff83d7e

SHA256
4a452876621d13e09fa97e0c3fdfac98f6831040d687804c67a6739595e4ecc0

SHA512
2aed4ca8754306a9cf7693e82b8d937fea85c79a4f700bc108e97d05b179b686a2df1cb95c444e39b961fae87e8fde6228691f7140a6471afd40f22a9ddce6dd

Download Submit
C:\Windows\System32\FITqKpu.exe

Filesize
1.1MB

MD5
a2b302832eca1ec42b0efee7c4c69c66

SHA1
1806b190838051da14e61d4b6bd2f7beda92c084

SHA256
29e558ebc7e62a77db2fe0fea049417ddd74f18f07694f624a45b778ec204731

SHA512
c416789f8cbc76cbb317781f9552202b82ce794f2f061b63b7ea718ee1c3c1ccd153f0b0feae94af03c7f0b9948c92acc00650d23cc6ea7d8d8628b1a377d6d1

Download Submit
C:\Windows\System32\HRRygSO.exe

Filesize
1.1MB

MD5
7eeafadc269058c775b51f03ccf3948a

SHA1
92a975c4c43ebfee1dbe5023276ce99ca433d46a

SHA256
252b7707bfc709cf636851b0bc65bac6d5e837a4113d81e7bbbe44b1420159f9

SHA512
1a7ffe865d92448a78f90f18b68a0e5c6b710c7de77f6f8be74d8cfb9f11cf0a998adac11ba54ecb7c5e0d61887ce65356bedd1a3c2a9dbd9ce5436ec85fc5e9

Download Submit
C:\Windows\System32\InOAxMj.exe

Filesize
1.1MB

MD5
f8ffa72bce3a2c2beb810725159fb204

SHA1
81e5f1c0218b8c8fd793cf3452b827d7a66aa3b0

SHA256
7e76efdcd64c8cd7e335df7dc8c384505d33cc5679dd95c29ff2b9fbf59a1b67

SHA512
ef3618b9aa30fed3ab11a285bccd1252fc9e7aac2accc7c12e97c484ef9bfc0340c168e0e5c32b63601dcb5b79b0d6080a04f191b3a3a989747291d5b96d76a1

Download Submit
C:\Windows\System32\PEbjtFk.exe

Filesize
1.1MB

MD5
b289117219b9d094993c197cf76f10fc

SHA1
b80aa09b33d1821137c1fdf67ef9f3e00989e27a

SHA256
7f7ce7cca53478db24b43eceb6034cf59d916ab80e02d43823d747bd2e91cdcc

SHA512
295ff033710cbda519a3425aa5c8ede756b20ae6e2cc870c58edabe041d25d847c23bbebfab0663dc4d98e6e7ee0f82ae96dbcf3fdbc419a737d72579838cc61

Download Submit
C:\Windows\System32\RFtUmfE.exe

Filesize
1.1MB

MD5
b9f3b006ce89afbc659463d839cbf420

SHA1
e5d61c11f6f3766d056438e35702fb5c24e56cb7

SHA256
cd890e9ebf4b0a340b7e4e1d104fa747587cafbe123cedaf8cde9745b188c735

SHA512
95743f1061813670f82bd7423f8a3f0793d61c969fb9c91de53668959c143b5ceef367eec069c78970889cea37dc439da84dae279741a4def531ec6dff42fef7

Download Submit
C:\Windows\System32\SFMeAMu.exe

Filesize
1.1MB

MD5
6aa637f0ef931d24fdff15adc2e616ec

SHA1
c87aeaeda6aa9de70d1437d44c66373a8e5e8b16

SHA256
ea7eea29d46758b290ff70d7cbfb9d9b4e3876a6796f22f88cc6186f6b9e36ac

SHA512
e22beb8da9d31b5b7d44fadb1b80e11560c6403bb5fc29d630dfb68ad42ddcebd80b311c57e27e6828df3997fb29fafbe2f0e0b0f282d48a10d6cf6a6e41f673

Download Submit
C:\Windows\System32\VponPAk.exe

Filesize
1.1MB

MD5
4686034c09fd61fa1ef174c98b0a10c0

SHA1
dea5156f0dc5f3319df5d81aace41f9025bef605

SHA256
5cabb8c8d3f12bfa7881372df859fb04a01bfd8d3d3a517f2132275c55ef7177

SHA512
ba7bcedc7dd2bb1fcae510199c6facca6b2d722314d302c0e3e95af000c969b5c160713b1431a96c19d8a0509fcea04199ca7bed577a059bae7912cd232812c5

Download Submit
C:\Windows\System32\WKHIDUY.exe

Filesize
1.1MB

MD5
250b56b60be057ba92af17e8c2df1c33

SHA1
1d731ec959774fd08bab044131e9f3f3804839db

SHA256
b3f507cdbccc609a41dbd2311b8b35ce496e498ecaa5ee29a6c6c1128736f6a2

SHA512
c984ddaf095b3252eb0f801e377b6f0013cb3e95ff8f705456d506d28c8477c7781282b655895ebc3549e6129928853e41b16169387852a061a2d115ed7a0dd0

Download Submit
C:\Windows\System32\WjTjvzO.exe

Filesize
1.1MB

MD5
835c7fd8eb925d4b130124dd83dbe7a7

SHA1
fd03fee4811a8c824bd4f900a1b55d33dbee3a3a

SHA256
1b8ebcd74a7d3e4e5b5092b9efe06da23ad4b9ada4ac9f28cd018c1cdaf4e0c2

SHA512
56fbac733e934ebc461f3148fc8fd3ac5db07e340be24e4d10ca36e6df5dd8068eba07eb81eb9725ce253ab3b5963e3bc3bf68f3cb71192ab48d886220732d69

Download Submit
C:\Windows\System32\XDhjJSI.exe

Filesize
1.1MB

MD5
b21debc328468ec577ad4b2b278a7983

SHA1
80695cccf365badeb5fb6ff7539d48e1f9da9276

SHA256
cd7d0543f453e5365d4b8c134b29c10c776069941a5524be44b1ef114ee447c7

SHA512
4b28352ae44b8bc080eded1710f7e0038718a1f5fd5ff29fe4358b3bcbc68300dcc060eacd73ba7b9c6bad6923c85d4190258da2944eaa100ee59dc0182d14e3

Download Submit
C:\Windows\System32\XGpKCPR.exe

Filesize
1.1MB

MD5
c1c4fd6ed3eac8d3101f5007a8d3075d

SHA1
312d222a34c6e42e2d9f95aca2cdceb89927ef18

SHA256
c5a2bd9826ba19f07d9c587f07106f3ce6e5dc43a8cdbe3186b0a304de08b25b

SHA512
1296c5d8363a56fe5dd0ae4b1f4a46d77ee0b9c71435f51617b4112a0946c292023e857d77ac601eb1fc19ba702bff640d8174b2142269db32045738740426d0

Download Submit
C:\Windows\System32\ZEdsNBS.exe

Filesize
1.1MB

MD5
1b0f280652add6841d2ad10b712cbfd7

SHA1
c3113630434b87ea9051d02ec5ac06df169e7896

SHA256
40a347b9e9612f0b8c21d4696a27c612fb993cf89a2f79c368b943a554c174a1

SHA512
07c59782f821f098c0c3d3e90af926c9e2154e35bba874d58cf0f7a4237e1c70bcc52b95f2f48c43a1e49a5a52198d7a2b76c52088f8e8b99990ea36a651c7c3

Download Submit
C:\Windows\System32\cwtPbpy.exe

Filesize
1.1MB

MD5
f1865806ea14a5622a30c8c5a2c124b5

SHA1
465a71247fc5fe73857ba442453f59b7c562f629

SHA256
d0d260eef7f11f69f57e899d437e921758792bf37792e3e80a5cc3569c3f46c5

SHA512
2f98409b10275f580a1df61f0b5dbe0eaaaad3907b39d0ab49caab85f652c38dea122fa23cadcb4dac7c1c0f2aea19f167c51df8863ca314948df2503cdf5dd6

Download Submit
C:\Windows\System32\ddNMOYO.exe

Filesize
1.1MB

MD5
70c4651713910383e5fde9e548cb3957

SHA1
0446c13f608987b5ccee78b09428ad6a8e9a70b9

SHA256
1ff1080fef851605b80007187e62fce01886c516f13af4ce9c84db041c9b5650

SHA512
1de1ced77078dacb708eee2a469ad72ae5be5c09955ba652d54a522909bfb8fb03ff4153e8b56e8fa0d3525e6620d8474c367feebded1206425c25c18359f202

Download Submit
C:\Windows\System32\djelQQc.exe

Filesize
1.1MB

MD5
d868c6d814aa9f1f60bb1ea1350caa44

SHA1
781cb06f022f0fe5a5fd7c411d286954d0e42070

SHA256
60be7c8931dc731c93233f0286c076148707110eb94d57deea7ff93369b9c134

SHA512
b4ff52e292be507cc99f551bc438fc8e546566af67c60650965809456ae50ac4641a235f2b72ad721648bc4335fc831f12378c6beed6b94c7afc503815c06826

Download Submit
C:\Windows\System32\eOjaewn.exe

Filesize
1.0MB

MD5
792032289d5f3c54a22135aba454ceee

SHA1
5cea44504d30e2e608e1d70e16c0e601fa1186dc

SHA256
ccf1ac91ca91c6675149532c0ac6c5e89b33a0e6182766513c9816013bf2e8d1

SHA512
4a154dd1c468b94bf8c9fb146e1b05f459bc78edbc67e8dfad565e55ffa6f44268a9dd0e2e770d41d34d5e58f58a7e6d239345ee99c04fe4504385f2d442e37b

Download Submit
C:\Windows\System32\ffhOOtr.exe

Filesize
1.1MB

MD5
756c17e2872db3f9a36b6cd0b3d321c6

SHA1
d4de5b707b6becc27052ca69589d3009ea0721ab

SHA256
f168e72c05850acf3fb7f526577a4f5a2c58e1fd3a7aa7370421b7365a5734c3

SHA512
68df5da5f7e917492e253b9688c431d955d763b3d2ef11e61dcb0747b27c11f9d1c2d5ee47a908c093df78d52e37725c2d690c205ee9357f79d48919a33b70f5

Download Submit
C:\Windows\System32\fyPCnyd.exe

Filesize
1.1MB

MD5
779539c6a6fb19027d5a1bc90f3ff4cb

SHA1
b9f4e158d7cbd2f3de5bc1c9a9cb50fca1531f7b

SHA256
9f35a06795f8400265fc1f747f4fca23244cde2de749066757b94247453c8d39

SHA512
f2d2ab73eb0bf6d6b413c83f152b0a8ee89e7c2c497af694ffbae20c0f72c13d040d9a0ad5084f23dcfdffd4dffee197050ee1bfbcc4999c38045b563aaa32e0

Download Submit
C:\Windows\System32\gQKoyel.exe

Filesize
1.1MB

MD5
846b528195f4ec67fc8404c73b93cfa2

SHA1
4b924c41bf8b93feb75070ca2d03cb25aee80823

SHA256
f8b76f730504f7477130557c7cb687044a20fb0ddfd46f93bd67fe29d0d69e4f

SHA512
de662f5d3692a6cc9b9c9933d029c5485e9eb86a651f0db1d73c5d40cddb9867b7c7384a3124e17ec6049a99e66ba5376e8a393513757365c937de24a29fb03b

Download Submit
C:\Windows\System32\kHBoEgo.exe

Filesize
1.1MB

MD5
64aa4b5d9d97120862455790b979172d

SHA1
744389f8e27c321ca4dd68d67a904eac836e7c1e

SHA256
2666fc77877bba025b1467d09bc3cea0f037d8370574786c3c84d63411c4ae8a

SHA512
dc08ec5085297fd54570c323ffed0d759547aa05744ca8beef4dfad76144b59378c4fa9285e676f6a52cff48e3fe09ab31dd28e05a9e4d3decd63a35bc9674be

Download Submit
C:\Windows\System32\lWWbvgX.exe

Filesize
1.0MB

MD5
2f79184c1dfc5cd1c95165a73f022613

SHA1
760b6e74f7e6fbddb51496f30051a45dc33e35b1

SHA256
e38a824597bc3afcc8bc0900f49f3a042bb0c407ff397d6e6e879ce2354e958e

SHA512
5b888e83e23a4fcd5041a47994b3e99b297c7cacdbf4cc50ef98f7a07c6d6708f7cc14e8cb8599ccc3f800feab4f720cd35adc51602adfefda6f3e5fd04df21e

Download Submit
C:\Windows\System32\mLkPBdV.exe

Filesize
1.1MB

MD5
031e8e518a736b9d537ca01856736d03

SHA1
e271046e33fd3c6ee24ed43460e2607ad67457ba

SHA256
6fe722e7484dcc6e085b8f2a3c50faf061d74c94aa3520238572e2e2162f9e0d

SHA512
030cb03fb32e8cde66c62362d96564f301f9a1a017038a8bae71c04334512021870fdb68c5e2fc14bd3d32ed5b4dfcea05589727859027776050018b75b566f5

Download Submit
C:\Windows\System32\qRsKbaJ.exe

Filesize
1.1MB

MD5
c38763ceeade3e3a8e368ea9c8538e73

SHA1
55f3f9bf9305f79c28ff0a4d7cce19041989eafb

SHA256
9c6fabe1c4ddcf10877d4fcec50f6b25a4ed11af4d543af18cd76db089f6c1e5

SHA512
ad62a60a8bd922d79390f4fa40aaf6fb462eb5e211d3d0d05ee60b54272505ef840775feb3ae7fb6cf5c6dba768bb7dca2842b71a76ce91526bcb765ccbd7555

Download Submit
C:\Windows\System32\sSYDxVb.exe

Filesize
1.1MB

MD5
4da077a3b06e195966fe9068a88f6d63

SHA1
98eea37c7c90964fda1b4a66673b3573beb2f5fb

SHA256
487eb57462aebe646ba7fa78c267a33745d6b842950452648e2218611466780b

SHA512
ea1fe9f4e3998bb742da1a62e367014c721d5f3f4ec0b7d4549312b157fce977fcaace8c97e6823863aa2b20d8a68554f4563760dd140b674d0a94a842d9ddec

Download Submit
C:\Windows\System32\wPbaUpi.exe

Filesize
1.1MB

MD5
a8a469848974f89f22547d372f937665

SHA1
888aed9a11984e974c00f9c4c1b73ba09d001e1d

SHA256
373ea4a3e0e18d74c691cf19a5338b48bc0c81d37b397cfaff4948ba2212b7c9

SHA512
0e85e542004b08ad6de064129e076299fd1ba9821aa09f5a5ee55884a3ddfd4980d4d02ce5bfb4d14da7c637a01730771a22075200860c0ca1a240fbb036e521

Download Submit
C:\Windows\System32\wsPNvKd.exe

Filesize
1.0MB

MD5
c2acc0bc2eaaa5ad9b2220b72aea4214

SHA1
595b5248e51af764e4391bffe7fb3e4c8f81c83e

SHA256
a0f1374911bf7949e8b086c444e466562427a1c361a2f7e05f5624be66bf3a53

SHA512
9674d30781c76991973b0e9696caa1df186d233a5bc56bd27f98c70f1d25de0b0cd0d3bc5df1d9c853f456fb183b19a40e5905600b8fdd52adc2f57eb259daa8

Download Submit
C:\Windows\System32\yHoNoKm.exe

Filesize
1.1MB

MD5
f97c66c94cc550e2a19e674a8ee7409b

SHA1
fc0cb548f127b650f72d374acee389408af7427d

SHA256
e449ac4c7a57d3a7b25219d6ec051713a6fa8cedb4eec298cec45086b900d76a

SHA512
7af8035bdeafd4603f5a4ee84976f79d2b0d0acbc514e50063132f016aa32a5235d2c78a5a1ada7db1f8d77c7acbfba5320ae357a7ff3fb69a45daf7bdfebb01

Download Submit
C:\Windows\System32\yydhGbq.exe

Filesize
1.0MB

MD5
9861ccbeb21ccc8b7644536b0f9a4f95

SHA1
c18d2a2f965f3932628c4158deba33d37e6beceb

SHA256
5a4af7d9188ea52365dc4ce41dc6b8bbea775922e33ef2ff83beffb9ca96bd5c

SHA512
a47bd87edc85805d2efef5af69917a7024c2f23277d7dc0334397cedfec95754ac766dddf48f290387dc0f986506dd277307a7591d53254ff84e5fb9e6a70b3f

Download Submit
C:\Windows\System32\zmExrbM.exe

Filesize
1.1MB

MD5
7ab433a93f540a3880e845c4ba29d808

SHA1
2a94159cd045cc8df27ce0b7fec55a8d554afb39

SHA256
d8feefe6b49b8ab30b1715daeeb98d485e3c188c9e7a3fe8d2c08aaeb5328740

SHA512
9686bf70dfd56eecf5210713ade0f20fa005aa9eb6463cd9420e9fe0ebd990a33c682a286a41a91127272bb396cfd71c8ab39eb5678b94152179bc8f28aab864

Download Submit
memory/364-2066-0x00007FF72BAF0000-0x00007FF72BEE1000-memory.dmp

Filesize
3.9MB

Download
memory/364-417-0x00007FF72BAF0000-0x00007FF72BEE1000-memory.dmp

Filesize
3.9MB

Download
memory/720-445-0x00007FF70C330000-0x00007FF70C721000-memory.dmp

Filesize
3.9MB

Download
memory/720-2048-0x00007FF70C330000-0x00007FF70C721000-memory.dmp

Filesize
3.9MB

Download
memory/1088-416-0x00007FF66BB10000-0x00007FF66BF01000-memory.dmp

Filesize
3.9MB

Download
memory/1088-2068-0x00007FF66BB10000-0x00007FF66BF01000-memory.dmp

Filesize
3.9MB

Download
memory/1184-2012-0x00007FF61AB10000-0x00007FF61AF01000-memory.dmp

Filesize
3.9MB

Download
memory/1184-2040-0x00007FF61AB10000-0x00007FF61AF01000-memory.dmp

Filesize
3.9MB

Download
memory/1184-54-0x00007FF61AB10000-0x00007FF61AF01000-memory.dmp

Filesize
3.9MB

Download
memory/1432-0-0x00007FF628B00000-0x00007FF628EF1000-memory.dmp

Filesize
3.9MB

Download
memory/1432-1-0x000001BF23900000-0x000001BF23910000-memory.dmp

Filesize
64KB

Download
memory/1572-446-0x00007FF618FE0000-0x00007FF6193D1000-memory.dmp

Filesize
3.9MB

Download
memory/1572-2054-0x00007FF618FE0000-0x00007FF6193D1000-memory.dmp

Filesize
3.9MB

Download
memory/1824-2032-0x00007FF7C2620000-0x00007FF7C2A11000-memory.dmp

Filesize
3.9MB

Download
memory/1824-1987-0x00007FF7C2620000-0x00007FF7C2A11000-memory.dmp

Filesize
3.9MB

Download
memory/1824-13-0x00007FF7C2620000-0x00007FF7C2A11000-memory.dmp

Filesize
3.9MB

Download
memory/2116-2056-0x00007FF62F180000-0x00007FF62F571000-memory.dmp

Filesize
3.9MB

Download
memory/2116-392-0x00007FF62F180000-0x00007FF62F571000-memory.dmp

Filesize
3.9MB

Download
memory/2420-379-0x00007FF73ABE0000-0x00007FF73AFD1000-memory.dmp

Filesize
3.9MB

Download
memory/2420-2050-0x00007FF73ABE0000-0x00007FF73AFD1000-memory.dmp

Filesize
3.9MB

Download
memory/2560-2072-0x00007FF6A00B0000-0x00007FF6A04A1000-memory.dmp

Filesize
3.9MB

Download
memory/2560-400-0x00007FF6A00B0000-0x00007FF6A04A1000-memory.dmp

Filesize
3.9MB

Download
memory/2568-76-0x00007FF719600000-0x00007FF7199F1000-memory.dmp

Filesize
3.9MB

Download
memory/2568-2042-0x00007FF719600000-0x00007FF7199F1000-memory.dmp

Filesize
3.9MB

Download
memory/2568-1996-0x00007FF719600000-0x00007FF7199F1000-memory.dmp

Filesize
3.9MB

Download
memory/2996-2034-0x00007FF630870000-0x00007FF630C61000-memory.dmp

Filesize
3.9MB

Download
memory/2996-442-0x00007FF630870000-0x00007FF630C61000-memory.dmp

Filesize
3.9MB

Download
memory/3616-398-0x00007FF71B3B0000-0x00007FF71B7A1000-memory.dmp

Filesize
3.9MB

Download
memory/3616-2062-0x00007FF71B3B0000-0x00007FF71B7A1000-memory.dmp

Filesize
3.9MB

Download
memory/4076-2064-0x00007FF72C7C0000-0x00007FF72CBB1000-memory.dmp

Filesize
3.9MB

Download
memory/4076-399-0x00007FF72C7C0000-0x00007FF72CBB1000-memory.dmp

Filesize
3.9MB

Download
memory/4208-448-0x00007FF7647C0000-0x00007FF764BB1000-memory.dmp

Filesize
3.9MB

Download
memory/4208-2060-0x00007FF7647C0000-0x00007FF764BB1000-memory.dmp

Filesize
3.9MB

Download
memory/4360-2071-0x00007FF771CF0000-0x00007FF7720E1000-memory.dmp

Filesize
3.9MB

Download
memory/4360-425-0x00007FF771CF0000-0x00007FF7720E1000-memory.dmp

Filesize
3.9MB

Download
memory/4416-56-0x00007FF7BA4B0000-0x00007FF7BA8A1000-memory.dmp

Filesize
3.9MB

Download
memory/4416-1994-0x00007FF7BA4B0000-0x00007FF7BA8A1000-memory.dmp

Filesize
3.9MB

Download
memory/4416-2058-0x00007FF7BA4B0000-0x00007FF7BA8A1000-memory.dmp

Filesize
3.9MB

Download
memory/4448-2038-0x00007FF6AECA0000-0x00007FF6AF091000-memory.dmp

Filesize
3.9MB

Download
memory/4448-374-0x00007FF6AECA0000-0x00007FF6AF091000-memory.dmp

Filesize
3.9MB

Download
memory/4644-437-0x00007FF7E81D0000-0x00007FF7E85C1000-memory.dmp

Filesize
3.9MB

Download
memory/4644-2082-0x00007FF7E81D0000-0x00007FF7E85C1000-memory.dmp

Filesize
3.9MB

Download
memory/4852-2074-0x00007FF7396D0000-0x00007FF739AC1000-memory.dmp

Filesize
3.9MB

Download
memory/4852-422-0x00007FF7396D0000-0x00007FF739AC1000-memory.dmp

Filesize
3.9MB

Download
memory/4908-2046-0x00007FF735D30000-0x00007FF736121000-memory.dmp

Filesize
3.9MB

Download
memory/4908-1992-0x00007FF735D30000-0x00007FF736121000-memory.dmp

Filesize
3.9MB

Download
memory/4908-53-0x00007FF735D30000-0x00007FF736121000-memory.dmp

Filesize
3.9MB

Download
memory/4920-440-0x00007FF6E1650000-0x00007FF6E1A41000-memory.dmp

Filesize
3.9MB

Download
memory/4920-2077-0x00007FF6E1650000-0x00007FF6E1A41000-memory.dmp

Filesize
3.9MB

Download
memory/5048-2044-0x00007FF654860000-0x00007FF654C51000-memory.dmp

Filesize
3.9MB

Download
memory/5048-444-0x00007FF654860000-0x00007FF654C51000-memory.dmp

Filesize
3.9MB

Download
memory/5064-2052-0x00007FF63F160000-0x00007FF63F551000-memory.dmp

Filesize
3.9MB

Download
memory/5064-2013-0x00007FF63F160000-0x00007FF63F551000-memory.dmp

Filesize
3.9MB

Download
memory/5064-59-0x00007FF63F160000-0x00007FF63F551000-memory.dmp

Filesize
3.9MB

Download
memory/5096-2036-0x00007FF7DB370000-0x00007FF7DB761000-memory.dmp

Filesize
3.9MB

Download
memory/5096-34-0x00007FF7DB370000-0x00007FF7DB761000-memory.dmp

Filesize
3.9MB

Download
memory/5096-1991-0x00007FF7DB370000-0x00007FF7DB761000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads