xmrig | 6456042e622f1dd3148b3cf555dc010a632ab54b7f2f9b9677b1b264d8501eb5

Analysis

max time kernel
98s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27/04/2024, 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
Size

1.3MB
MD5

0350f614a0d1ca3fe22a3ccadc8920b1
SHA1

78bac9b37aded315ad5ddec7b395b4ff3626f758
SHA256

6456042e622f1dd3148b3cf555dc010a632ab54b7f2f9b9677b1b264d8501eb5
SHA512

2e720d110e0cb813c9c35cd75c432a95931292a8b68ca5ec15af7bcc16fbeb2305ef2f279f62909b96edb3bdf39ef0a9156152983731e1e0f52f26e66ea96cb2
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIO6zRIhRmuSOeF:knw9oUUEEDlGUh+hNM

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/1684-16-0x00007FF7CB790000-0x00007FF7CBB81000-memory.dmp	xmrig
behavioral2/memory/3244-32-0x00007FF6C4FB0000-0x00007FF6C53A1000-memory.dmp	xmrig
behavioral2/memory/1860-427-0x00007FF688FD0000-0x00007FF6893C1000-memory.dmp	xmrig
behavioral2/memory/2184-429-0x00007FF679E90000-0x00007FF67A281000-memory.dmp	xmrig
behavioral2/memory/3012-430-0x00007FF705D60000-0x00007FF706151000-memory.dmp	xmrig
behavioral2/memory/2100-438-0x00007FF796990000-0x00007FF796D81000-memory.dmp	xmrig
behavioral2/memory/4752-439-0x00007FF766F40000-0x00007FF767331000-memory.dmp	xmrig
behavioral2/memory/1076-443-0x00007FF6E9980000-0x00007FF6E9D71000-memory.dmp	xmrig
behavioral2/memory/1512-449-0x00007FF78A4E0000-0x00007FF78A8D1000-memory.dmp	xmrig
behavioral2/memory/2712-451-0x00007FF6708C0000-0x00007FF670CB1000-memory.dmp	xmrig
behavioral2/memory/2332-452-0x00007FF7AEDF0000-0x00007FF7AF1E1000-memory.dmp	xmrig
behavioral2/memory/1548-455-0x00007FF60E2F0000-0x00007FF60E6E1000-memory.dmp	xmrig
behavioral2/memory/2212-460-0x00007FF7F96D0000-0x00007FF7F9AC1000-memory.dmp	xmrig
behavioral2/memory/1968-458-0x00007FF79EA40000-0x00007FF79EE31000-memory.dmp	xmrig
behavioral2/memory/4884-457-0x00007FF792600000-0x00007FF7929F1000-memory.dmp	xmrig
behavioral2/memory/2852-446-0x00007FF7B90C0000-0x00007FF7B94B1000-memory.dmp	xmrig
behavioral2/memory/4168-441-0x00007FF616180000-0x00007FF616571000-memory.dmp	xmrig
behavioral2/memory/1128-59-0x00007FF7999B0000-0x00007FF799DA1000-memory.dmp	xmrig
behavioral2/memory/2136-58-0x00007FF7363B0000-0x00007FF7367A1000-memory.dmp	xmrig
behavioral2/memory/2916-57-0x00007FF616F40000-0x00007FF617331000-memory.dmp	xmrig
behavioral2/memory/4904-54-0x00007FF700890000-0x00007FF700C81000-memory.dmp	xmrig
behavioral2/memory/940-48-0x00007FF729EB0000-0x00007FF72A2A1000-memory.dmp	xmrig
behavioral2/memory/2824-1988-0x00007FF7108A0000-0x00007FF710C91000-memory.dmp	xmrig
behavioral2/memory/1860-1989-0x00007FF688FD0000-0x00007FF6893C1000-memory.dmp	xmrig
behavioral2/memory/1684-2009-0x00007FF7CB790000-0x00007FF7CBB81000-memory.dmp	xmrig
behavioral2/memory/2172-2011-0x00007FF6678C0000-0x00007FF667CB1000-memory.dmp	xmrig
behavioral2/memory/3244-2023-0x00007FF6C4FB0000-0x00007FF6C53A1000-memory.dmp	xmrig
behavioral2/memory/2136-2025-0x00007FF7363B0000-0x00007FF7367A1000-memory.dmp	xmrig
behavioral2/memory/940-2021-0x00007FF729EB0000-0x00007FF72A2A1000-memory.dmp	xmrig
behavioral2/memory/4904-2019-0x00007FF700890000-0x00007FF700C81000-memory.dmp	xmrig
behavioral2/memory/2916-2017-0x00007FF616F40000-0x00007FF617331000-memory.dmp	xmrig
behavioral2/memory/1128-2015-0x00007FF7999B0000-0x00007FF799DA1000-memory.dmp	xmrig
behavioral2/memory/2824-2013-0x00007FF7108A0000-0x00007FF710C91000-memory.dmp	xmrig
behavioral2/memory/1860-2031-0x00007FF688FD0000-0x00007FF6893C1000-memory.dmp	xmrig
behavioral2/memory/2100-2035-0x00007FF796990000-0x00007FF796D81000-memory.dmp	xmrig
behavioral2/memory/2184-2029-0x00007FF679E90000-0x00007FF67A281000-memory.dmp	xmrig
behavioral2/memory/2212-2027-0x00007FF7F96D0000-0x00007FF7F9AC1000-memory.dmp	xmrig
behavioral2/memory/2712-2056-0x00007FF6708C0000-0x00007FF670CB1000-memory.dmp	xmrig
behavioral2/memory/1512-2054-0x00007FF78A4E0000-0x00007FF78A8D1000-memory.dmp	xmrig
behavioral2/memory/2852-2044-0x00007FF7B90C0000-0x00007FF7B94B1000-memory.dmp	xmrig
behavioral2/memory/4168-2042-0x00007FF616180000-0x00007FF616571000-memory.dmp	xmrig
behavioral2/memory/3012-2033-0x00007FF705D60000-0x00007FF706151000-memory.dmp	xmrig
behavioral2/memory/2332-2052-0x00007FF7AEDF0000-0x00007FF7AF1E1000-memory.dmp	xmrig
behavioral2/memory/1548-2050-0x00007FF60E2F0000-0x00007FF60E6E1000-memory.dmp	xmrig
behavioral2/memory/4884-2066-0x00007FF792600000-0x00007FF7929F1000-memory.dmp	xmrig
behavioral2/memory/1968-2048-0x00007FF79EA40000-0x00007FF79EE31000-memory.dmp	xmrig
behavioral2/memory/1076-2040-0x00007FF6E9980000-0x00007FF6E9D71000-memory.dmp	xmrig
behavioral2/memory/4752-2038-0x00007FF766F40000-0x00007FF767331000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2172	kXPuDVr.exe
1684	xFNmXdF.exe
3244	rmlNOgL.exe
940	jVsIOyg.exe
1128	GQgUWZx.exe
2824	ONGfdgL.exe
4904	rNAwEEu.exe
2916	OzLSIfb.exe
2136	UdKiaAn.exe
1860	RfWHCsc.exe
2212	bSyNYJR.exe
2184	KyTdOqS.exe
3012	LIDoiiw.exe
2100	eIERjJX.exe
4752	hTbzaAX.exe
4168	aZBUxbD.exe
1076	zBDeggv.exe
2852	DKrblqW.exe
1512	oFGvpHc.exe
2712	CJAnUOu.exe
2332	yJSCTlC.exe
1548	vnblsfA.exe
4884	RvHJItl.exe
1968	YfdBlAW.exe
4400	LTjBtbL.exe
2624	gwkGAOq.exe
872	dJgEEIO.exe
1660	WdjadfN.exe
1380	wNyGCRt.exe
4268	uTzWeWi.exe
2084	etnESRb.exe
3948	Zpbonwy.exe
3628	TCOouYS.exe
432	xhIvvke.exe
4236	FLJAKqT.exe
4872	oiGJJHk.exe
2940	QKgXHLT.exe
3224	rnasauo.exe
4352	IPPEDLY.exe
3876	ZbsoPCO.exe
4824	MwWzKTC.exe
1144	tyRMzhO.exe
2168	wbLFQJE.exe
4760	OvqqMzq.exe
3092	GrrZlqD.exe
3368	ALgvTsL.exe
1508	CElTWpK.exe
2856	UNbdsNG.exe
2936	EFXxZsy.exe
2132	BjSfxCy.exe
3420	ysHWmfR.exe
5084	gIotSKH.exe
3032	mymaHKb.exe
4104	BhFTrOh.exe
1016	slYrVQb.exe
4608	RnKyvcx.exe
2480	PTOvdjR.exe
2808	FlSyQBq.exe
4284	XMTzSyL.exe
3740	eSxAnWA.exe
656	JhyKEnf.exe
4516	WWRKtJH.exe
4132	EySYJzn.exe
4988	FwORhxA.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3380-0-0x00007FF660750000-0x00007FF660B41000-memory.dmp	upx
behavioral2/files/0x000c000000023b98-6.dat	upx
behavioral2/files/0x000a000000023ba0-8.dat	upx
behavioral2/memory/1684-16-0x00007FF7CB790000-0x00007FF7CBB81000-memory.dmp	upx
behavioral2/files/0x000a000000023ba1-25.dat	upx
behavioral2/files/0x000a000000023ba4-36.dat	upx
behavioral2/files/0x000a000000023ba3-35.dat	upx
behavioral2/files/0x000a000000023ba2-34.dat	upx
behavioral2/memory/3244-32-0x00007FF6C4FB0000-0x00007FF6C53A1000-memory.dmp	upx
behavioral2/files/0x000a000000023b9f-11.dat	upx
behavioral2/memory/2172-9-0x00007FF6678C0000-0x00007FF667CB1000-memory.dmp	upx
behavioral2/memory/2824-50-0x00007FF7108A0000-0x00007FF710C91000-memory.dmp	upx
behavioral2/files/0x000a000000023ba8-65.dat	upx
behavioral2/files/0x000a000000023bac-85.dat	upx
behavioral2/files/0x000a000000023bae-95.dat	upx
behavioral2/files/0x000a000000023bb1-108.dat	upx
behavioral2/files/0x000a000000023bb3-120.dat	upx
behavioral2/files/0x000a000000023bb8-145.dat	upx
behavioral2/memory/1860-427-0x00007FF688FD0000-0x00007FF6893C1000-memory.dmp	upx
behavioral2/memory/2184-429-0x00007FF679E90000-0x00007FF67A281000-memory.dmp	upx
behavioral2/memory/3012-430-0x00007FF705D60000-0x00007FF706151000-memory.dmp	upx
behavioral2/memory/2100-438-0x00007FF796990000-0x00007FF796D81000-memory.dmp	upx
behavioral2/memory/4752-439-0x00007FF766F40000-0x00007FF767331000-memory.dmp	upx
behavioral2/memory/1076-443-0x00007FF6E9980000-0x00007FF6E9D71000-memory.dmp	upx
behavioral2/memory/1512-449-0x00007FF78A4E0000-0x00007FF78A8D1000-memory.dmp	upx
behavioral2/memory/2712-451-0x00007FF6708C0000-0x00007FF670CB1000-memory.dmp	upx
behavioral2/memory/2332-452-0x00007FF7AEDF0000-0x00007FF7AF1E1000-memory.dmp	upx
behavioral2/memory/1548-455-0x00007FF60E2F0000-0x00007FF60E6E1000-memory.dmp	upx
behavioral2/memory/2212-460-0x00007FF7F96D0000-0x00007FF7F9AC1000-memory.dmp	upx
behavioral2/memory/1968-458-0x00007FF79EA40000-0x00007FF79EE31000-memory.dmp	upx
behavioral2/memory/4884-457-0x00007FF792600000-0x00007FF7929F1000-memory.dmp	upx
behavioral2/memory/2852-446-0x00007FF7B90C0000-0x00007FF7B94B1000-memory.dmp	upx
behavioral2/memory/4168-441-0x00007FF616180000-0x00007FF616571000-memory.dmp	upx
behavioral2/files/0x0031000000023bbd-170.dat	upx
behavioral2/files/0x000a000000023bbc-165.dat	upx
behavioral2/files/0x000a000000023bbb-160.dat	upx
behavioral2/files/0x000a000000023bba-155.dat	upx
behavioral2/files/0x000a000000023bb9-150.dat	upx
behavioral2/files/0x000a000000023bb7-140.dat	upx
behavioral2/files/0x000a000000023bb6-136.dat	upx
behavioral2/files/0x000a000000023bb5-130.dat	upx
behavioral2/files/0x000a000000023bb4-125.dat	upx
behavioral2/files/0x000a000000023bb2-115.dat	upx
behavioral2/files/0x000a000000023bb0-105.dat	upx
behavioral2/files/0x000a000000023baf-100.dat	upx
behavioral2/files/0x000a000000023bad-90.dat	upx
behavioral2/files/0x000a000000023bab-80.dat	upx
behavioral2/files/0x000a000000023baa-75.dat	upx
behavioral2/files/0x000a000000023ba9-70.dat	upx
behavioral2/files/0x000a000000023ba7-60.dat	upx
behavioral2/memory/1128-59-0x00007FF7999B0000-0x00007FF799DA1000-memory.dmp	upx
behavioral2/memory/2136-58-0x00007FF7363B0000-0x00007FF7367A1000-memory.dmp	upx
behavioral2/memory/2916-57-0x00007FF616F40000-0x00007FF617331000-memory.dmp	upx
behavioral2/memory/4904-54-0x00007FF700890000-0x00007FF700C81000-memory.dmp	upx
behavioral2/memory/940-48-0x00007FF729EB0000-0x00007FF72A2A1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba6-51.dat	upx
behavioral2/files/0x000a000000023ba5-43.dat	upx
behavioral2/memory/2824-1988-0x00007FF7108A0000-0x00007FF710C91000-memory.dmp	upx
behavioral2/memory/1860-1989-0x00007FF688FD0000-0x00007FF6893C1000-memory.dmp	upx
behavioral2/memory/1684-2009-0x00007FF7CB790000-0x00007FF7CBB81000-memory.dmp	upx
behavioral2/memory/2172-2011-0x00007FF6678C0000-0x00007FF667CB1000-memory.dmp	upx
behavioral2/memory/3244-2023-0x00007FF6C4FB0000-0x00007FF6C53A1000-memory.dmp	upx
behavioral2/memory/2136-2025-0x00007FF7363B0000-0x00007FF7367A1000-memory.dmp	upx
behavioral2/memory/940-2021-0x00007FF729EB0000-0x00007FF72A2A1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\FXTkNyd.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\GEgGTfN.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\hYZRpnt.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\WEcLqSP.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\yuXLzYF.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\aUJwgNP.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\tKmAkUS.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\RvHJItl.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\LIMwbWp.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\idxkmmg.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\tigewwn.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\jVsIOyg.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\IKyGiUs.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\FGoUzWO.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\CDNQtUa.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\cDmWbSl.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\rdekpPM.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\VsWFrfs.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\kRkhvXt.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\uhUVSwU.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\eSxAnWA.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\RCuSLPv.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\BPHbksu.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\CuoSLId.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\hQalFYQ.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\ZkBKvyC.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\BTPXbTk.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\IPPEDLY.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\NDGPqMG.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\hVXfuLq.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\EPARQtC.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\VbaIqTv.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\qhAITkA.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\NhXlSpS.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\RNYDdDB.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\qXeRVKK.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\MwWzKTC.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\dPzOreW.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\spSAxQn.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\TNsLcoF.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\OGfDjLo.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\jvWORFM.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\BXaBOCB.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\sntzMgD.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\gRRdPmF.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\kVMydBI.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\ecQELWS.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\hxxAklS.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\JOqOuUw.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\GBDKcyD.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\PPNUQvD.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\KytsCbg.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\HYzXXVt.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\oiGJJHk.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\XMTzSyL.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\SJgBPPu.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\JbDRISj.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\WZdbdpL.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\wWfOlbg.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\LIDoiiw.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\FWgLvoW.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\OtHxzBT.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\VhprzkY.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
File created	C:\Windows\System32\wPlvofY.exe	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	3116	dwm.exe
Token: SeChangeNotifyPrivilege	3116	dwm.exe
Token: 33	3116	dwm.exe
Token: SeIncBasePriorityPrivilege	3116	dwm.exe
Token: SeShutdownPrivilege	3116	dwm.exe
Token: SeCreatePagefilePrivilege	3116	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 2172	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	85
PID 3380 wrote to memory of 2172	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	85
PID 3380 wrote to memory of 1684	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	86
PID 3380 wrote to memory of 1684	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	86
PID 3380 wrote to memory of 3244	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	87
PID 3380 wrote to memory of 3244	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	87
PID 3380 wrote to memory of 940	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	88
PID 3380 wrote to memory of 940	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	88
PID 3380 wrote to memory of 1128	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	89
PID 3380 wrote to memory of 1128	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	89
PID 3380 wrote to memory of 2824	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	90
PID 3380 wrote to memory of 2824	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	90
PID 3380 wrote to memory of 4904	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	91
PID 3380 wrote to memory of 4904	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	91
PID 3380 wrote to memory of 2916	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	92
PID 3380 wrote to memory of 2916	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	92
PID 3380 wrote to memory of 2136	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	93
PID 3380 wrote to memory of 2136	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	93
PID 3380 wrote to memory of 1860	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	94
PID 3380 wrote to memory of 1860	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	94
PID 3380 wrote to memory of 2212	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	95
PID 3380 wrote to memory of 2212	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	95
PID 3380 wrote to memory of 2184	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	96
PID 3380 wrote to memory of 2184	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	96
PID 3380 wrote to memory of 3012	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	97
PID 3380 wrote to memory of 3012	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	97
PID 3380 wrote to memory of 2100	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	98
PID 3380 wrote to memory of 2100	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	98
PID 3380 wrote to memory of 4752	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	99
PID 3380 wrote to memory of 4752	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	99
PID 3380 wrote to memory of 4168	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	100
PID 3380 wrote to memory of 4168	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	100
PID 3380 wrote to memory of 1076	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	101
PID 3380 wrote to memory of 1076	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	101
PID 3380 wrote to memory of 2852	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	102
PID 3380 wrote to memory of 2852	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	102
PID 3380 wrote to memory of 1512	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	103
PID 3380 wrote to memory of 1512	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	103
PID 3380 wrote to memory of 2712	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	104
PID 3380 wrote to memory of 2712	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	104
PID 3380 wrote to memory of 2332	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	105
PID 3380 wrote to memory of 2332	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	105
PID 3380 wrote to memory of 1548	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	106
PID 3380 wrote to memory of 1548	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	106
PID 3380 wrote to memory of 4884	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	107
PID 3380 wrote to memory of 4884	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	107
PID 3380 wrote to memory of 1968	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	108
PID 3380 wrote to memory of 1968	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	108
PID 3380 wrote to memory of 4400	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	109
PID 3380 wrote to memory of 4400	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	109
PID 3380 wrote to memory of 2624	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	110
PID 3380 wrote to memory of 2624	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	110
PID 3380 wrote to memory of 872	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	111
PID 3380 wrote to memory of 872	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	111
PID 3380 wrote to memory of 1660	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	112
PID 3380 wrote to memory of 1660	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	112
PID 3380 wrote to memory of 1380	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	113
PID 3380 wrote to memory of 1380	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	113
PID 3380 wrote to memory of 4268	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	114
PID 3380 wrote to memory of 4268	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	114
PID 3380 wrote to memory of 2084	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	115
PID 3380 wrote to memory of 2084	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	115
PID 3380 wrote to memory of 3948	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	116
PID 3380 wrote to memory of 3948	3380	0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0350f614a0d1ca3fe22a3ccadc8920b1_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Windows\System32\kXPuDVr.exe
  C:\Windows\System32\kXPuDVr.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System32\xFNmXdF.exe
  C:\Windows\System32\xFNmXdF.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System32\rmlNOgL.exe
  C:\Windows\System32\rmlNOgL.exe
  2⤵
  - Executes dropped EXE
  PID:3244
- C:\Windows\System32\jVsIOyg.exe
  C:\Windows\System32\jVsIOyg.exe
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\System32\GQgUWZx.exe
  C:\Windows\System32\GQgUWZx.exe
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Windows\System32\ONGfdgL.exe
  C:\Windows\System32\ONGfdgL.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System32\rNAwEEu.exe
  C:\Windows\System32\rNAwEEu.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System32\OzLSIfb.exe
  C:\Windows\System32\OzLSIfb.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\System32\UdKiaAn.exe
  C:\Windows\System32\UdKiaAn.exe
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\System32\RfWHCsc.exe
  C:\Windows\System32\RfWHCsc.exe
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\System32\bSyNYJR.exe
  C:\Windows\System32\bSyNYJR.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System32\KyTdOqS.exe
  C:\Windows\System32\KyTdOqS.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System32\LIDoiiw.exe
  C:\Windows\System32\LIDoiiw.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\System32\eIERjJX.exe
  C:\Windows\System32\eIERjJX.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System32\hTbzaAX.exe
  C:\Windows\System32\hTbzaAX.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\System32\aZBUxbD.exe
  C:\Windows\System32\aZBUxbD.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System32\zBDeggv.exe
  C:\Windows\System32\zBDeggv.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System32\DKrblqW.exe
  C:\Windows\System32\DKrblqW.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System32\oFGvpHc.exe
  C:\Windows\System32\oFGvpHc.exe
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\System32\CJAnUOu.exe
  C:\Windows\System32\CJAnUOu.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System32\yJSCTlC.exe
  C:\Windows\System32\yJSCTlC.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System32\vnblsfA.exe
  C:\Windows\System32\vnblsfA.exe
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\System32\RvHJItl.exe
  C:\Windows\System32\RvHJItl.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System32\YfdBlAW.exe
  C:\Windows\System32\YfdBlAW.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System32\LTjBtbL.exe
  C:\Windows\System32\LTjBtbL.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System32\gwkGAOq.exe
  C:\Windows\System32\gwkGAOq.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System32\dJgEEIO.exe
  C:\Windows\System32\dJgEEIO.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System32\WdjadfN.exe
  C:\Windows\System32\WdjadfN.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System32\wNyGCRt.exe
  C:\Windows\System32\wNyGCRt.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System32\uTzWeWi.exe
  C:\Windows\System32\uTzWeWi.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System32\etnESRb.exe
  C:\Windows\System32\etnESRb.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System32\Zpbonwy.exe
  C:\Windows\System32\Zpbonwy.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Windows\System32\TCOouYS.exe
  C:\Windows\System32\TCOouYS.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System32\xhIvvke.exe
  C:\Windows\System32\xhIvvke.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System32\FLJAKqT.exe
  C:\Windows\System32\FLJAKqT.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System32\oiGJJHk.exe
  C:\Windows\System32\oiGJJHk.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System32\QKgXHLT.exe
  C:\Windows\System32\QKgXHLT.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System32\rnasauo.exe
  C:\Windows\System32\rnasauo.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System32\IPPEDLY.exe
  C:\Windows\System32\IPPEDLY.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System32\ZbsoPCO.exe
  C:\Windows\System32\ZbsoPCO.exe
  2⤵
  - Executes dropped EXE
  PID:3876
- C:\Windows\System32\MwWzKTC.exe
  C:\Windows\System32\MwWzKTC.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System32\tyRMzhO.exe
  C:\Windows\System32\tyRMzhO.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\System32\wbLFQJE.exe
  C:\Windows\System32\wbLFQJE.exe
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\System32\OvqqMzq.exe
  C:\Windows\System32\OvqqMzq.exe
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Windows\System32\GrrZlqD.exe
  C:\Windows\System32\GrrZlqD.exe
  2⤵
  - Executes dropped EXE
  PID:3092
- C:\Windows\System32\ALgvTsL.exe
  C:\Windows\System32\ALgvTsL.exe
  2⤵
  - Executes dropped EXE
  PID:3368
- C:\Windows\System32\CElTWpK.exe
  C:\Windows\System32\CElTWpK.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System32\UNbdsNG.exe
  C:\Windows\System32\UNbdsNG.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System32\EFXxZsy.exe
  C:\Windows\System32\EFXxZsy.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System32\BjSfxCy.exe
  C:\Windows\System32\BjSfxCy.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System32\ysHWmfR.exe
  C:\Windows\System32\ysHWmfR.exe
  2⤵
  - Executes dropped EXE
  PID:3420
- C:\Windows\System32\gIotSKH.exe
  C:\Windows\System32\gIotSKH.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System32\mymaHKb.exe
  C:\Windows\System32\mymaHKb.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System32\BhFTrOh.exe
  C:\Windows\System32\BhFTrOh.exe
  2⤵
  - Executes dropped EXE
  PID:4104
- C:\Windows\System32\slYrVQb.exe
  C:\Windows\System32\slYrVQb.exe
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\System32\RnKyvcx.exe
  C:\Windows\System32\RnKyvcx.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System32\PTOvdjR.exe
  C:\Windows\System32\PTOvdjR.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System32\FlSyQBq.exe
  C:\Windows\System32\FlSyQBq.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System32\XMTzSyL.exe
  C:\Windows\System32\XMTzSyL.exe
  2⤵
  - Executes dropped EXE
  PID:4284
- C:\Windows\System32\eSxAnWA.exe
  C:\Windows\System32\eSxAnWA.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System32\JhyKEnf.exe
  C:\Windows\System32\JhyKEnf.exe
  2⤵
  - Executes dropped EXE
  PID:656
- C:\Windows\System32\WWRKtJH.exe
  C:\Windows\System32\WWRKtJH.exe
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Windows\System32\EySYJzn.exe
  C:\Windows\System32\EySYJzn.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System32\FwORhxA.exe
  C:\Windows\System32\FwORhxA.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System32\pMkcnGT.exe
  C:\Windows\System32\pMkcnGT.exe
  2⤵
  PID:3816
- C:\Windows\System32\nEFbkDD.exe
  C:\Windows\System32\nEFbkDD.exe
  2⤵
  PID:2352
- C:\Windows\System32\FEGBrkw.exe
  C:\Windows\System32\FEGBrkw.exe
  2⤵
  PID:2812
- C:\Windows\System32\PKiAeYd.exe
  C:\Windows\System32\PKiAeYd.exe
  2⤵
  PID:4344
- C:\Windows\System32\zABvzwY.exe
  C:\Windows\System32\zABvzwY.exe
  2⤵
  PID:700
- C:\Windows\System32\fbevFju.exe
  C:\Windows\System32\fbevFju.exe
  2⤵
  PID:3028
- C:\Windows\System32\owRMqkq.exe
  C:\Windows\System32\owRMqkq.exe
  2⤵
  PID:5036
- C:\Windows\System32\DcIfUec.exe
  C:\Windows\System32\DcIfUec.exe
  2⤵
  PID:4580
- C:\Windows\System32\trGLkeI.exe
  C:\Windows\System32\trGLkeI.exe
  2⤵
  PID:4376
- C:\Windows\System32\ICEgSjm.exe
  C:\Windows\System32\ICEgSjm.exe
  2⤵
  PID:3904
- C:\Windows\System32\FWgLvoW.exe
  C:\Windows\System32\FWgLvoW.exe
  2⤵
  PID:948
- C:\Windows\System32\txfBOWP.exe
  C:\Windows\System32\txfBOWP.exe
  2⤵
  PID:3636
- C:\Windows\System32\LScJMPm.exe
  C:\Windows\System32\LScJMPm.exe
  2⤵
  PID:3020
- C:\Windows\System32\yqNPCUS.exe
  C:\Windows\System32\yqNPCUS.exe
  2⤵
  PID:1372
- C:\Windows\System32\QZYfvMe.exe
  C:\Windows\System32\QZYfvMe.exe
  2⤵
  PID:5124
- C:\Windows\System32\tGtFIPy.exe
  C:\Windows\System32\tGtFIPy.exe
  2⤵
  PID:5148
- C:\Windows\System32\FGoUzWO.exe
  C:\Windows\System32\FGoUzWO.exe
  2⤵
  PID:5180
- C:\Windows\System32\fVOPgQt.exe
  C:\Windows\System32\fVOPgQt.exe
  2⤵
  PID:5208
- C:\Windows\System32\uMHtNiM.exe
  C:\Windows\System32\uMHtNiM.exe
  2⤵
  PID:5232
- C:\Windows\System32\AvUsAfo.exe
  C:\Windows\System32\AvUsAfo.exe
  2⤵
  PID:5264
- C:\Windows\System32\kUVRUgV.exe
  C:\Windows\System32\kUVRUgV.exe
  2⤵
  PID:5292
- C:\Windows\System32\otMMaaC.exe
  C:\Windows\System32\otMMaaC.exe
  2⤵
  PID:5316
- C:\Windows\System32\PblVqHN.exe
  C:\Windows\System32\PblVqHN.exe
  2⤵
  PID:5348
- C:\Windows\System32\zUZmSAQ.exe
  C:\Windows\System32\zUZmSAQ.exe
  2⤵
  PID:5376
- C:\Windows\System32\SFouOqQ.exe
  C:\Windows\System32\SFouOqQ.exe
  2⤵
  PID:5404
- C:\Windows\System32\PMBcCbW.exe
  C:\Windows\System32\PMBcCbW.exe
  2⤵
  PID:5432
- C:\Windows\System32\DfVSJdt.exe
  C:\Windows\System32\DfVSJdt.exe
  2⤵
  PID:5456
- C:\Windows\System32\PoTmBNe.exe
  C:\Windows\System32\PoTmBNe.exe
  2⤵
  PID:5488
- C:\Windows\System32\DSquMjg.exe
  C:\Windows\System32\DSquMjg.exe
  2⤵
  PID:5516
- C:\Windows\System32\XeOAlOh.exe
  C:\Windows\System32\XeOAlOh.exe
  2⤵
  PID:5540
- C:\Windows\System32\NCUXFBB.exe
  C:\Windows\System32\NCUXFBB.exe
  2⤵
  PID:5572
- C:\Windows\System32\SmxQSAt.exe
  C:\Windows\System32\SmxQSAt.exe
  2⤵
  PID:5600
- C:\Windows\System32\LFBXxUm.exe
  C:\Windows\System32\LFBXxUm.exe
  2⤵
  PID:5624
- C:\Windows\System32\zWMuVlZ.exe
  C:\Windows\System32\zWMuVlZ.exe
  2⤵
  PID:5656
- C:\Windows\System32\qLJxTaB.exe
  C:\Windows\System32\qLJxTaB.exe
  2⤵
  PID:5684
- C:\Windows\System32\yJaiQgs.exe
  C:\Windows\System32\yJaiQgs.exe
  2⤵
  PID:5712
- C:\Windows\System32\yvTmCEg.exe
  C:\Windows\System32\yvTmCEg.exe
  2⤵
  PID:5740
- C:\Windows\System32\CDNQtUa.exe
  C:\Windows\System32\CDNQtUa.exe
  2⤵
  PID:5772
- C:\Windows\System32\yGdhmoB.exe
  C:\Windows\System32\yGdhmoB.exe
  2⤵
  PID:5792
- C:\Windows\System32\QOFrSxw.exe
  C:\Windows\System32\QOFrSxw.exe
  2⤵
  PID:5820
- C:\Windows\System32\KRmWAyV.exe
  C:\Windows\System32\KRmWAyV.exe
  2⤵
  PID:5852
- C:\Windows\System32\WyQAhiT.exe
  C:\Windows\System32\WyQAhiT.exe
  2⤵
  PID:5876
- C:\Windows\System32\jvWORFM.exe
  C:\Windows\System32\jvWORFM.exe
  2⤵
  PID:5908
- C:\Windows\System32\eJqYZAV.exe
  C:\Windows\System32\eJqYZAV.exe
  2⤵
  PID:5936
- C:\Windows\System32\mcvnzrZ.exe
  C:\Windows\System32\mcvnzrZ.exe
  2⤵
  PID:5960
- C:\Windows\System32\MlOGkgQ.exe
  C:\Windows\System32\MlOGkgQ.exe
  2⤵
  PID:5992
- C:\Windows\System32\HPYTnvh.exe
  C:\Windows\System32\HPYTnvh.exe
  2⤵
  PID:6020
- C:\Windows\System32\wnZxdLv.exe
  C:\Windows\System32\wnZxdLv.exe
  2⤵
  PID:6048
- C:\Windows\System32\HYzXXVt.exe
  C:\Windows\System32\HYzXXVt.exe
  2⤵
  PID:6076
- C:\Windows\System32\hxxAklS.exe
  C:\Windows\System32\hxxAklS.exe
  2⤵
  PID:6100
- C:\Windows\System32\nKcAeKe.exe
  C:\Windows\System32\nKcAeKe.exe
  2⤵
  PID:6132
- C:\Windows\System32\JsejmSA.exe
  C:\Windows\System32\JsejmSA.exe
  2⤵
  PID:2304
- C:\Windows\System32\NSOfifQ.exe
  C:\Windows\System32\NSOfifQ.exe
  2⤵
  PID:1784
- C:\Windows\System32\oRUGQYi.exe
  C:\Windows\System32\oRUGQYi.exe
  2⤵
  PID:3944
- C:\Windows\System32\KAzhoiY.exe
  C:\Windows\System32\KAzhoiY.exe
  2⤵
  PID:3936
- C:\Windows\System32\LPtUUAU.exe
  C:\Windows\System32\LPtUUAU.exe
  2⤵
  PID:5140
- C:\Windows\System32\KxTufME.exe
  C:\Windows\System32\KxTufME.exe
  2⤵
  PID:5216
- C:\Windows\System32\JWloXMe.exe
  C:\Windows\System32\JWloXMe.exe
  2⤵
  PID:5312
- C:\Windows\System32\WWalhgx.exe
  C:\Windows\System32\WWalhgx.exe
  2⤵
  PID:5396
- C:\Windows\System32\zOmuElX.exe
  C:\Windows\System32\zOmuElX.exe
  2⤵
  PID:5464
- C:\Windows\System32\PRZQvUH.exe
  C:\Windows\System32\PRZQvUH.exe
  2⤵
  PID:5560
- C:\Windows\System32\TVwKqev.exe
  C:\Windows\System32\TVwKqev.exe
  2⤵
  PID:5620
- C:\Windows\System32\hBuQIOM.exe
  C:\Windows\System32\hBuQIOM.exe
  2⤵
  PID:3892
- C:\Windows\System32\XqhxGDi.exe
  C:\Windows\System32\XqhxGDi.exe
  2⤵
  PID:5728
- C:\Windows\System32\vpWMJxD.exe
  C:\Windows\System32\vpWMJxD.exe
  2⤵
  PID:2148
- C:\Windows\System32\EQZXxEe.exe
  C:\Windows\System32\EQZXxEe.exe
  2⤵
  PID:5808
- C:\Windows\System32\tKmAkUS.exe
  C:\Windows\System32\tKmAkUS.exe
  2⤵
  PID:892
- C:\Windows\System32\kaVpQQp.exe
  C:\Windows\System32\kaVpQQp.exe
  2⤵
  PID:5892
- C:\Windows\System32\uJNusPQ.exe
  C:\Windows\System32\uJNusPQ.exe
  2⤵
  PID:5916
- C:\Windows\System32\MhALKsM.exe
  C:\Windows\System32\MhALKsM.exe
  2⤵
  PID:3600
- C:\Windows\System32\xevECmp.exe
  C:\Windows\System32\xevECmp.exe
  2⤵
  PID:6012
- C:\Windows\System32\VutPLhu.exe
  C:\Windows\System32\VutPLhu.exe
  2⤵
  PID:6028
- C:\Windows\System32\LQuJTiZ.exe
  C:\Windows\System32\LQuJTiZ.exe
  2⤵
  PID:6056
- C:\Windows\System32\aPskteK.exe
  C:\Windows\System32\aPskteK.exe
  2⤵
  PID:6116
- C:\Windows\System32\CvlrOmE.exe
  C:\Windows\System32\CvlrOmE.exe
  2⤵
  PID:1520
- C:\Windows\System32\BofNFFk.exe
  C:\Windows\System32\BofNFFk.exe
  2⤵
  PID:2744
- C:\Windows\System32\aFHMGXA.exe
  C:\Windows\System32\aFHMGXA.exe
  2⤵
  PID:1760
- C:\Windows\System32\iXztsww.exe
  C:\Windows\System32\iXztsww.exe
  2⤵
  PID:1468
- C:\Windows\System32\btWfeIA.exe
  C:\Windows\System32\btWfeIA.exe
  2⤵
  PID:2264
- C:\Windows\System32\SJgBPPu.exe
  C:\Windows\System32\SJgBPPu.exe
  2⤵
  PID:5356
- C:\Windows\System32\zXfvQpU.exe
  C:\Windows\System32\zXfvQpU.exe
  2⤵
  PID:6120
- C:\Windows\System32\iVQGufK.exe
  C:\Windows\System32\iVQGufK.exe
  2⤵
  PID:6064
- C:\Windows\System32\vxUpRcG.exe
  C:\Windows\System32\vxUpRcG.exe
  2⤵
  PID:5980
- C:\Windows\System32\OliiSxw.exe
  C:\Windows\System32\OliiSxw.exe
  2⤵
  PID:5924
- C:\Windows\System32\xVHOBnJ.exe
  C:\Windows\System32\xVHOBnJ.exe
  2⤵
  PID:5840
- C:\Windows\System32\VbaIqTv.exe
  C:\Windows\System32\VbaIqTv.exe
  2⤵
  PID:5720
- C:\Windows\System32\FestpmL.exe
  C:\Windows\System32\FestpmL.exe
  2⤵
  PID:4980
- C:\Windows\System32\IqcauQP.exe
  C:\Windows\System32\IqcauQP.exe
  2⤵
  PID:5532
- C:\Windows\System32\xMxIBgN.exe
  C:\Windows\System32\xMxIBgN.exe
  2⤵
  PID:6148
- C:\Windows\System32\kjCtTfk.exe
  C:\Windows\System32\kjCtTfk.exe
  2⤵
  PID:6172
- C:\Windows\System32\nhlPixK.exe
  C:\Windows\System32\nhlPixK.exe
  2⤵
  PID:6204
- C:\Windows\System32\fkNiPVe.exe
  C:\Windows\System32\fkNiPVe.exe
  2⤵
  PID:6232
- C:\Windows\System32\cSomrEY.exe
  C:\Windows\System32\cSomrEY.exe
  2⤵
  PID:6260
- C:\Windows\System32\cZeSucP.exe
  C:\Windows\System32\cZeSucP.exe
  2⤵
  PID:6284
- C:\Windows\System32\cDmWbSl.exe
  C:\Windows\System32\cDmWbSl.exe
  2⤵
  PID:6320
- C:\Windows\System32\QAqTNYF.exe
  C:\Windows\System32\QAqTNYF.exe
  2⤵
  PID:6344
- C:\Windows\System32\zYifDuV.exe
  C:\Windows\System32\zYifDuV.exe
  2⤵
  PID:6368
- C:\Windows\System32\CZziSTY.exe
  C:\Windows\System32\CZziSTY.exe
  2⤵
  PID:6400
- C:\Windows\System32\llhRIpQ.exe
  C:\Windows\System32\llhRIpQ.exe
  2⤵
  PID:6432
- C:\Windows\System32\YboOxTX.exe
  C:\Windows\System32\YboOxTX.exe
  2⤵
  PID:6452
- C:\Windows\System32\WtxoNJS.exe
  C:\Windows\System32\WtxoNJS.exe
  2⤵
  PID:6480
- C:\Windows\System32\pGFFJfc.exe
  C:\Windows\System32\pGFFJfc.exe
  2⤵
  PID:6508
- C:\Windows\System32\LIMwbWp.exe
  C:\Windows\System32\LIMwbWp.exe
  2⤵
  PID:6552
- C:\Windows\System32\yAdkGIW.exe
  C:\Windows\System32\yAdkGIW.exe
  2⤵
  PID:6580
- C:\Windows\System32\QvyGlnb.exe
  C:\Windows\System32\QvyGlnb.exe
  2⤵
  PID:6596
- C:\Windows\System32\kkeIvfd.exe
  C:\Windows\System32\kkeIvfd.exe
  2⤵
  PID:6612
- C:\Windows\System32\BFcamBE.exe
  C:\Windows\System32\BFcamBE.exe
  2⤵
  PID:6632
- C:\Windows\System32\iMbbxzn.exe
  C:\Windows\System32\iMbbxzn.exe
  2⤵
  PID:6652
- C:\Windows\System32\rdekpPM.exe
  C:\Windows\System32\rdekpPM.exe
  2⤵
  PID:6672
- C:\Windows\System32\MahyfRY.exe
  C:\Windows\System32\MahyfRY.exe
  2⤵
  PID:6720
- C:\Windows\System32\EFlABDX.exe
  C:\Windows\System32\EFlABDX.exe
  2⤵
  PID:6744
- C:\Windows\System32\yXxFKRS.exe
  C:\Windows\System32\yXxFKRS.exe
  2⤵
  PID:6764
- C:\Windows\System32\nDcOgXT.exe
  C:\Windows\System32\nDcOgXT.exe
  2⤵
  PID:6780
- C:\Windows\System32\LMDZCTL.exe
  C:\Windows\System32\LMDZCTL.exe
  2⤵
  PID:6804
- C:\Windows\System32\SOMmmEY.exe
  C:\Windows\System32\SOMmmEY.exe
  2⤵
  PID:6832
- C:\Windows\System32\VsWFrfs.exe
  C:\Windows\System32\VsWFrfs.exe
  2⤵
  PID:6848
- C:\Windows\System32\jQWcRwn.exe
  C:\Windows\System32\jQWcRwn.exe
  2⤵
  PID:6864
- C:\Windows\System32\LJJODsf.exe
  C:\Windows\System32\LJJODsf.exe
  2⤵
  PID:6884
- C:\Windows\System32\FXTkNyd.exe
  C:\Windows\System32\FXTkNyd.exe
  2⤵
  PID:6900
- C:\Windows\System32\TJUNYMP.exe
  C:\Windows\System32\TJUNYMP.exe
  2⤵
  PID:6920
- C:\Windows\System32\xgZOveG.exe
  C:\Windows\System32\xgZOveG.exe
  2⤵
  PID:7068
- C:\Windows\System32\vSbsjmq.exe
  C:\Windows\System32\vSbsjmq.exe
  2⤵
  PID:7088
- C:\Windows\System32\rhwGoqc.exe
  C:\Windows\System32\rhwGoqc.exe
  2⤵
  PID:7104
- C:\Windows\System32\oVgNfmh.exe
  C:\Windows\System32\oVgNfmh.exe
  2⤵
  PID:7124
- C:\Windows\System32\jczgiWf.exe
  C:\Windows\System32\jczgiWf.exe
  2⤵
  PID:7140
- C:\Windows\System32\wblHcof.exe
  C:\Windows\System32\wblHcof.exe
  2⤵
  PID:6408
- C:\Windows\System32\ioabMWx.exe
  C:\Windows\System32\ioabMWx.exe
  2⤵
  PID:6352
- C:\Windows\System32\CxUnnso.exe
  C:\Windows\System32\CxUnnso.exe
  2⤵
  PID:6316
- C:\Windows\System32\tGesiWl.exe
  C:\Windows\System32\tGesiWl.exe
  2⤵
  PID:6276
- C:\Windows\System32\OtHxzBT.exe
  C:\Windows\System32\OtHxzBT.exe
  2⤵
  PID:6224
- C:\Windows\System32\jjNttvO.exe
  C:\Windows\System32\jjNttvO.exe
  2⤵
  PID:6156
- C:\Windows\System32\oiNGoOQ.exe
  C:\Windows\System32\oiNGoOQ.exe
  2⤵
  PID:3656
- C:\Windows\System32\PgMnpxw.exe
  C:\Windows\System32\PgMnpxw.exe
  2⤵
  PID:5704
- C:\Windows\System32\BXaBOCB.exe
  C:\Windows\System32\BXaBOCB.exe
  2⤵
  PID:4480
- C:\Windows\System32\nUCJAJD.exe
  C:\Windows\System32\nUCJAJD.exe
  2⤵
  PID:1848
- C:\Windows\System32\CuoSLId.exe
  C:\Windows\System32\CuoSLId.exe
  2⤵
  PID:5144
- C:\Windows\System32\dZvLFwR.exe
  C:\Windows\System32\dZvLFwR.exe
  2⤵
  PID:904
- C:\Windows\System32\eaYnxoa.exe
  C:\Windows\System32\eaYnxoa.exe
  2⤵
  PID:5252
- C:\Windows\System32\QyoztcQ.exe
  C:\Windows\System32\QyoztcQ.exe
  2⤵
  PID:6564
- C:\Windows\System32\tqdypJH.exe
  C:\Windows\System32\tqdypJH.exe
  2⤵
  PID:6604
- C:\Windows\System32\WlqKoQA.exe
  C:\Windows\System32\WlqKoQA.exe
  2⤵
  PID:6684
- C:\Windows\System32\yRLjgmO.exe
  C:\Windows\System32\yRLjgmO.exe
  2⤵
  PID:6640
- C:\Windows\System32\TyNFfLx.exe
  C:\Windows\System32\TyNFfLx.exe
  2⤵
  PID:6752
- C:\Windows\System32\tZuICfX.exe
  C:\Windows\System32\tZuICfX.exe
  2⤵
  PID:6876
- C:\Windows\System32\dPzOreW.exe
  C:\Windows\System32\dPzOreW.exe
  2⤵
  PID:6776
- C:\Windows\System32\MYpAYVz.exe
  C:\Windows\System32\MYpAYVz.exe
  2⤵
  PID:6944
- C:\Windows\System32\lIkIlig.exe
  C:\Windows\System32\lIkIlig.exe
  2⤵
  PID:6932
- C:\Windows\System32\lLAMvRc.exe
  C:\Windows\System32\lLAMvRc.exe
  2⤵
  PID:7032
- C:\Windows\System32\XvDWLKK.exe
  C:\Windows\System32\XvDWLKK.exe
  2⤵
  PID:7100
- C:\Windows\System32\qsNUsyL.exe
  C:\Windows\System32\qsNUsyL.exe
  2⤵
  PID:6416
- C:\Windows\System32\QoxuLXR.exe
  C:\Windows\System32\QoxuLXR.exe
  2⤵
  PID:5860
- C:\Windows\System32\TfeIfII.exe
  C:\Windows\System32\TfeIfII.exe
  2⤵
  PID:3920
- C:\Windows\System32\LRkWOvE.exe
  C:\Windows\System32\LRkWOvE.exe
  2⤵
  PID:6516
- C:\Windows\System32\jXVohEz.exe
  C:\Windows\System32\jXVohEz.exe
  2⤵
  PID:6736
- C:\Windows\System32\lOhDXMn.exe
  C:\Windows\System32\lOhDXMn.exe
  2⤵
  PID:6772
- C:\Windows\System32\EqMDLGS.exe
  C:\Windows\System32\EqMDLGS.exe
  2⤵
  PID:6700
- C:\Windows\System32\XrinHll.exe
  C:\Windows\System32\XrinHll.exe
  2⤵
  PID:6840
- C:\Windows\System32\xLCBqXQ.exe
  C:\Windows\System32\xLCBqXQ.exe
  2⤵
  PID:7048
- C:\Windows\System32\DfeHfBZ.exe
  C:\Windows\System32\DfeHfBZ.exe
  2⤵
  PID:7076
- C:\Windows\System32\ZUuYQUP.exe
  C:\Windows\System32\ZUuYQUP.exe
  2⤵
  PID:6624
- C:\Windows\System32\TGUzntH.exe
  C:\Windows\System32\TGUzntH.exe
  2⤵
  PID:7160
- C:\Windows\System32\AFNKEYl.exe
  C:\Windows\System32\AFNKEYl.exe
  2⤵
  PID:6384
- C:\Windows\System32\iwEHpUw.exe
  C:\Windows\System32\iwEHpUw.exe
  2⤵
  PID:6468
- C:\Windows\System32\jUikMrW.exe
  C:\Windows\System32\jUikMrW.exe
  2⤵
  PID:7024
- C:\Windows\System32\tZFkwpS.exe
  C:\Windows\System32\tZFkwpS.exe
  2⤵
  PID:7180
- C:\Windows\System32\tqTiskl.exe
  C:\Windows\System32\tqTiskl.exe
  2⤵
  PID:7224
- C:\Windows\System32\lNADGvR.exe
  C:\Windows\System32\lNADGvR.exe
  2⤵
  PID:7264
- C:\Windows\System32\VmQoWCK.exe
  C:\Windows\System32\VmQoWCK.exe
  2⤵
  PID:7288
- C:\Windows\System32\qPYHrJB.exe
  C:\Windows\System32\qPYHrJB.exe
  2⤵
  PID:7304
- C:\Windows\System32\RoQmwvt.exe
  C:\Windows\System32\RoQmwvt.exe
  2⤵
  PID:7336
- C:\Windows\System32\ABBpXNS.exe
  C:\Windows\System32\ABBpXNS.exe
  2⤵
  PID:7376
- C:\Windows\System32\qhBmGwI.exe
  C:\Windows\System32\qhBmGwI.exe
  2⤵
  PID:7392
- C:\Windows\System32\vhEInAg.exe
  C:\Windows\System32\vhEInAg.exe
  2⤵
  PID:7428
- C:\Windows\System32\sntzMgD.exe
  C:\Windows\System32\sntzMgD.exe
  2⤵
  PID:7452
- C:\Windows\System32\ePuddAj.exe
  C:\Windows\System32\ePuddAj.exe
  2⤵
  PID:7468
- C:\Windows\System32\Ogprbep.exe
  C:\Windows\System32\Ogprbep.exe
  2⤵
  PID:7500
- C:\Windows\System32\gFPeuTs.exe
  C:\Windows\System32\gFPeuTs.exe
  2⤵
  PID:7520
- C:\Windows\System32\MZUoBlZ.exe
  C:\Windows\System32\MZUoBlZ.exe
  2⤵
  PID:7544
- C:\Windows\System32\AMoaaeL.exe
  C:\Windows\System32\AMoaaeL.exe
  2⤵
  PID:7564
- C:\Windows\System32\aDLbjZo.exe
  C:\Windows\System32\aDLbjZo.exe
  2⤵
  PID:7584
- C:\Windows\System32\ebErZoe.exe
  C:\Windows\System32\ebErZoe.exe
  2⤵
  PID:7600
- C:\Windows\System32\rQaPlNW.exe
  C:\Windows\System32\rQaPlNW.exe
  2⤵
  PID:7624
- C:\Windows\System32\DSEnsUM.exe
  C:\Windows\System32\DSEnsUM.exe
  2⤵
  PID:7664
- C:\Windows\System32\hQalFYQ.exe
  C:\Windows\System32\hQalFYQ.exe
  2⤵
  PID:7680
- C:\Windows\System32\AJBvFCj.exe
  C:\Windows\System32\AJBvFCj.exe
  2⤵
  PID:7748
- C:\Windows\System32\QaomDYw.exe
  C:\Windows\System32\QaomDYw.exe
  2⤵
  PID:7812
- C:\Windows\System32\qOhpzrU.exe
  C:\Windows\System32\qOhpzrU.exe
  2⤵
  PID:7832
- C:\Windows\System32\hkPpIYS.exe
  C:\Windows\System32\hkPpIYS.exe
  2⤵
  PID:7856
- C:\Windows\System32\KnUXhPl.exe
  C:\Windows\System32\KnUXhPl.exe
  2⤵
  PID:7880
- C:\Windows\System32\ddCsElR.exe
  C:\Windows\System32\ddCsElR.exe
  2⤵
  PID:7896
- C:\Windows\System32\MuAgXow.exe
  C:\Windows\System32\MuAgXow.exe
  2⤵
  PID:7920
- C:\Windows\System32\sxprlaQ.exe
  C:\Windows\System32\sxprlaQ.exe
  2⤵
  PID:7956
- C:\Windows\System32\spSAxQn.exe
  C:\Windows\System32\spSAxQn.exe
  2⤵
  PID:8012
- C:\Windows\System32\TFxJASA.exe
  C:\Windows\System32\TFxJASA.exe
  2⤵
  PID:8032
- C:\Windows\System32\TpYVOVa.exe
  C:\Windows\System32\TpYVOVa.exe
  2⤵
  PID:8056
- C:\Windows\System32\BpyoSRq.exe
  C:\Windows\System32\BpyoSRq.exe
  2⤵
  PID:8080
- C:\Windows\System32\LtHLnIm.exe
  C:\Windows\System32\LtHLnIm.exe
  2⤵
  PID:8104
- C:\Windows\System32\jgCOkKa.exe
  C:\Windows\System32\jgCOkKa.exe
  2⤵
  PID:8124
- C:\Windows\System32\ZFvqRKg.exe
  C:\Windows\System32\ZFvqRKg.exe
  2⤵
  PID:8144
- C:\Windows\System32\sszvmjJ.exe
  C:\Windows\System32\sszvmjJ.exe
  2⤵
  PID:8168
- C:\Windows\System32\bmmCBnQ.exe
  C:\Windows\System32\bmmCBnQ.exe
  2⤵
  PID:8188
- C:\Windows\System32\LeasRWw.exe
  C:\Windows\System32\LeasRWw.exe
  2⤵
  PID:7208
- C:\Windows\System32\NrfQYlg.exe
  C:\Windows\System32\NrfQYlg.exe
  2⤵
  PID:7388
- C:\Windows\System32\xjfYEGq.exe
  C:\Windows\System32\xjfYEGq.exe
  2⤵
  PID:7384
- C:\Windows\System32\xrcjqnV.exe
  C:\Windows\System32\xrcjqnV.exe
  2⤵
  PID:7436
- C:\Windows\System32\uCYeWWu.exe
  C:\Windows\System32\uCYeWWu.exe
  2⤵
  PID:7560
- C:\Windows\System32\yaBCHnN.exe
  C:\Windows\System32\yaBCHnN.exe
  2⤵
  PID:7576
- C:\Windows\System32\uLLBqmZ.exe
  C:\Windows\System32\uLLBqmZ.exe
  2⤵
  PID:7676
- C:\Windows\System32\zrkysBy.exe
  C:\Windows\System32\zrkysBy.exe
  2⤵
  PID:7728
- C:\Windows\System32\vHycvCi.exe
  C:\Windows\System32\vHycvCi.exe
  2⤵
  PID:7828
- C:\Windows\System32\uNXpFoY.exe
  C:\Windows\System32\uNXpFoY.exe
  2⤵
  PID:7868
- C:\Windows\System32\EEMHazP.exe
  C:\Windows\System32\EEMHazP.exe
  2⤵
  PID:7932
- C:\Windows\System32\sfkAkos.exe
  C:\Windows\System32\sfkAkos.exe
  2⤵
  PID:7984
- C:\Windows\System32\UJtqxSK.exe
  C:\Windows\System32\UJtqxSK.exe
  2⤵
  PID:8020
- C:\Windows\System32\rTTbbda.exe
  C:\Windows\System32\rTTbbda.exe
  2⤵
  PID:8048
- C:\Windows\System32\kRkhvXt.exe
  C:\Windows\System32\kRkhvXt.exe
  2⤵
  PID:8136
- C:\Windows\System32\CXIZFPv.exe
  C:\Windows\System32\CXIZFPv.exe
  2⤵
  PID:6592
- C:\Windows\System32\ZEoyLLb.exe
  C:\Windows\System32\ZEoyLLb.exe
  2⤵
  PID:7496
- C:\Windows\System32\JIoGMIS.exe
  C:\Windows\System32\JIoGMIS.exe
  2⤵
  PID:7460
- C:\Windows\System32\FVUBFlY.exe
  C:\Windows\System32\FVUBFlY.exe
  2⤵
  PID:7656
- C:\Windows\System32\AdqMqeP.exe
  C:\Windows\System32\AdqMqeP.exe
  2⤵
  PID:7732
- C:\Windows\System32\qhAITkA.exe
  C:\Windows\System32\qhAITkA.exe
  2⤵
  PID:7824
- C:\Windows\System32\PTGrtNJ.exe
  C:\Windows\System32\PTGrtNJ.exe
  2⤵
  PID:7976
- C:\Windows\System32\DRlMoHZ.exe
  C:\Windows\System32\DRlMoHZ.exe
  2⤵
  PID:7992
- C:\Windows\System32\PwIkgyx.exe
  C:\Windows\System32\PwIkgyx.exe
  2⤵
  PID:7320
- C:\Windows\System32\QrCAdED.exe
  C:\Windows\System32\QrCAdED.exe
  2⤵
  PID:7512
- C:\Windows\System32\hVxVXmR.exe
  C:\Windows\System32\hVxVXmR.exe
  2⤵
  PID:7536
- C:\Windows\System32\KxKGxlr.exe
  C:\Windows\System32\KxKGxlr.exe
  2⤵
  PID:7096
- C:\Windows\System32\lzNngtm.exe
  C:\Windows\System32\lzNngtm.exe
  2⤵
  PID:6548
- C:\Windows\System32\UhFxRTZ.exe
  C:\Windows\System32\UhFxRTZ.exe
  2⤵
  PID:8244
- C:\Windows\System32\vaMzwZw.exe
  C:\Windows\System32\vaMzwZw.exe
  2⤵
  PID:8280
- C:\Windows\System32\HvuyRhL.exe
  C:\Windows\System32\HvuyRhL.exe
  2⤵
  PID:8296
- C:\Windows\System32\AojMIFZ.exe
  C:\Windows\System32\AojMIFZ.exe
  2⤵
  PID:8332
- C:\Windows\System32\ElIqiWh.exe
  C:\Windows\System32\ElIqiWh.exe
  2⤵
  PID:8372
- C:\Windows\System32\SDyaEkN.exe
  C:\Windows\System32\SDyaEkN.exe
  2⤵
  PID:8412
- C:\Windows\System32\OLMiCDo.exe
  C:\Windows\System32\OLMiCDo.exe
  2⤵
  PID:8428
- C:\Windows\System32\xWmKCbK.exe
  C:\Windows\System32\xWmKCbK.exe
  2⤵
  PID:8456
- C:\Windows\System32\YIvBfMx.exe
  C:\Windows\System32\YIvBfMx.exe
  2⤵
  PID:8476
- C:\Windows\System32\bNhnkvH.exe
  C:\Windows\System32\bNhnkvH.exe
  2⤵
  PID:8496
- C:\Windows\System32\ZXwLBnO.exe
  C:\Windows\System32\ZXwLBnO.exe
  2⤵
  PID:8512
- C:\Windows\System32\IKyGiUs.exe
  C:\Windows\System32\IKyGiUs.exe
  2⤵
  PID:8536
- C:\Windows\System32\ObrdTKp.exe
  C:\Windows\System32\ObrdTKp.exe
  2⤵
  PID:8584
- C:\Windows\System32\UrKVGfP.exe
  C:\Windows\System32\UrKVGfP.exe
  2⤵
  PID:8608
- C:\Windows\System32\rylbIOS.exe
  C:\Windows\System32\rylbIOS.exe
  2⤵
  PID:8632
- C:\Windows\System32\wIyVQoT.exe
  C:\Windows\System32\wIyVQoT.exe
  2⤵
  PID:8680
- C:\Windows\System32\eDFcUcZ.exe
  C:\Windows\System32\eDFcUcZ.exe
  2⤵
  PID:8700
- C:\Windows\System32\eICThbP.exe
  C:\Windows\System32\eICThbP.exe
  2⤵
  PID:8720
- C:\Windows\System32\hVXfuLq.exe
  C:\Windows\System32\hVXfuLq.exe
  2⤵
  PID:8736
- C:\Windows\System32\nLRpmPr.exe
  C:\Windows\System32\nLRpmPr.exe
  2⤵
  PID:8760
- C:\Windows\System32\udIHHGS.exe
  C:\Windows\System32\udIHHGS.exe
  2⤵
  PID:8800
- C:\Windows\System32\zZBWypx.exe
  C:\Windows\System32\zZBWypx.exe
  2⤵
  PID:8828
- C:\Windows\System32\uCwpAsK.exe
  C:\Windows\System32\uCwpAsK.exe
  2⤵
  PID:8868
- C:\Windows\System32\GBlFUHo.exe
  C:\Windows\System32\GBlFUHo.exe
  2⤵
  PID:8904
- C:\Windows\System32\qXpFPDX.exe
  C:\Windows\System32\qXpFPDX.exe
  2⤵
  PID:8924
- C:\Windows\System32\VwMVAXH.exe
  C:\Windows\System32\VwMVAXH.exe
  2⤵
  PID:8940
- C:\Windows\System32\DYGzumF.exe
  C:\Windows\System32\DYGzumF.exe
  2⤵
  PID:8968
- C:\Windows\System32\uhUVSwU.exe
  C:\Windows\System32\uhUVSwU.exe
  2⤵
  PID:8988
- C:\Windows\System32\ylGgmOr.exe
  C:\Windows\System32\ylGgmOr.exe
  2⤵
  PID:9008
- C:\Windows\System32\VhprzkY.exe
  C:\Windows\System32\VhprzkY.exe
  2⤵
  PID:9028
- C:\Windows\System32\uAVySBX.exe
  C:\Windows\System32\uAVySBX.exe
  2⤵
  PID:9044
- C:\Windows\System32\EPARQtC.exe
  C:\Windows\System32\EPARQtC.exe
  2⤵
  PID:9068
- C:\Windows\System32\oljRgLB.exe
  C:\Windows\System32\oljRgLB.exe
  2⤵
  PID:9088
- C:\Windows\System32\HCskIZw.exe
  C:\Windows\System32\HCskIZw.exe
  2⤵
  PID:9136
- C:\Windows\System32\FTpjKpG.exe
  C:\Windows\System32\FTpjKpG.exe
  2⤵
  PID:9156
- C:\Windows\System32\FyVFaQC.exe
  C:\Windows\System32\FyVFaQC.exe
  2⤵
  PID:924
- C:\Windows\System32\Hcgwxgz.exe
  C:\Windows\System32\Hcgwxgz.exe
  2⤵
  PID:8252
- C:\Windows\System32\gRRdPmF.exe
  C:\Windows\System32\gRRdPmF.exe
  2⤵
  PID:8360
- C:\Windows\System32\BUPulpA.exe
  C:\Windows\System32\BUPulpA.exe
  2⤵
  PID:8404
- C:\Windows\System32\GjhTVfP.exe
  C:\Windows\System32\GjhTVfP.exe
  2⤵
  PID:8472
- C:\Windows\System32\Sieumvq.exe
  C:\Windows\System32\Sieumvq.exe
  2⤵
  PID:8488
- C:\Windows\System32\CmjNkJV.exe
  C:\Windows\System32\CmjNkJV.exe
  2⤵
  PID:8504
- C:\Windows\System32\JzwdFVY.exe
  C:\Windows\System32\JzwdFVY.exe
  2⤵
  PID:8616
- C:\Windows\System32\KGmCYVS.exe
  C:\Windows\System32\KGmCYVS.exe
  2⤵
  PID:8732
- C:\Windows\System32\oVdXege.exe
  C:\Windows\System32\oVdXege.exe
  2⤵
  PID:8768
- C:\Windows\System32\NbNtZlB.exe
  C:\Windows\System32\NbNtZlB.exe
  2⤵
  PID:8836
- C:\Windows\System32\DNELOat.exe
  C:\Windows\System32\DNELOat.exe
  2⤵
  PID:8816
- C:\Windows\System32\vxvJORQ.exe
  C:\Windows\System32\vxvJORQ.exe
  2⤵
  PID:8936
- C:\Windows\System32\daKPvQk.exe
  C:\Windows\System32\daKPvQk.exe
  2⤵
  PID:9064
- C:\Windows\System32\ylNydeS.exe
  C:\Windows\System32\ylNydeS.exe
  2⤵
  PID:9108
- C:\Windows\System32\UYtUESM.exe
  C:\Windows\System32\UYtUESM.exe
  2⤵
  PID:9056
- C:\Windows\System32\ZghJLWp.exe
  C:\Windows\System32\ZghJLWp.exe
  2⤵
  PID:8288
- C:\Windows\System32\sMVipPg.exe
  C:\Windows\System32\sMVipPg.exe
  2⤵
  PID:8392
- C:\Windows\System32\HLFXdGO.exe
  C:\Windows\System32\HLFXdGO.exe
  2⤵
  PID:8600
- C:\Windows\System32\KXhLZKe.exe
  C:\Windows\System32\KXhLZKe.exe
  2⤵
  PID:8652
- C:\Windows\System32\ziuDtWa.exe
  C:\Windows\System32\ziuDtWa.exe
  2⤵
  PID:8712
- C:\Windows\System32\cOkQfDr.exe
  C:\Windows\System32\cOkQfDr.exe
  2⤵
  PID:8920
- C:\Windows\System32\OnEZdQD.exe
  C:\Windows\System32\OnEZdQD.exe
  2⤵
  PID:7792
- C:\Windows\System32\AEDzPBJ.exe
  C:\Windows\System32\AEDzPBJ.exe
  2⤵
  PID:8688
- C:\Windows\System32\QpkNwBd.exe
  C:\Windows\System32\QpkNwBd.exe
  2⤵
  PID:8860
- C:\Windows\System32\GzzIDgO.exe
  C:\Windows\System32\GzzIDgO.exe
  2⤵
  PID:9164
- C:\Windows\System32\zwWUMFj.exe
  C:\Windows\System32\zwWUMFj.exe
  2⤵
  PID:8788
- C:\Windows\System32\NKrxhFI.exe
  C:\Windows\System32\NKrxhFI.exe
  2⤵
  PID:8276
- C:\Windows\System32\rKAtAJI.exe
  C:\Windows\System32\rKAtAJI.exe
  2⤵
  PID:9224
- C:\Windows\System32\wPlvofY.exe
  C:\Windows\System32\wPlvofY.exe
  2⤵
  PID:9260
- C:\Windows\System32\BPHbksu.exe
  C:\Windows\System32\BPHbksu.exe
  2⤵
  PID:9284
- C:\Windows\System32\HJogFbU.exe
  C:\Windows\System32\HJogFbU.exe
  2⤵
  PID:9328
- C:\Windows\System32\GEgGTfN.exe
  C:\Windows\System32\GEgGTfN.exe
  2⤵
  PID:9368
- C:\Windows\System32\JbDRISj.exe
  C:\Windows\System32\JbDRISj.exe
  2⤵
  PID:9388
- C:\Windows\System32\mZVSRLV.exe
  C:\Windows\System32\mZVSRLV.exe
  2⤵
  PID:9404
- C:\Windows\System32\KQojwzw.exe
  C:\Windows\System32\KQojwzw.exe
  2⤵
  PID:9428
- C:\Windows\System32\hUeeMWw.exe
  C:\Windows\System32\hUeeMWw.exe
  2⤵
  PID:9456
- C:\Windows\System32\BMZHgrG.exe
  C:\Windows\System32\BMZHgrG.exe
  2⤵
  PID:9476
- C:\Windows\System32\NvheIvK.exe
  C:\Windows\System32\NvheIvK.exe
  2⤵
  PID:9512
- C:\Windows\System32\BbSDrns.exe
  C:\Windows\System32\BbSDrns.exe
  2⤵
  PID:9572
- C:\Windows\System32\oEnOlbX.exe
  C:\Windows\System32\oEnOlbX.exe
  2⤵
  PID:9588
- C:\Windows\System32\WjnimTh.exe
  C:\Windows\System32\WjnimTh.exe
  2⤵
  PID:9608
- C:\Windows\System32\iEsKjYl.exe
  C:\Windows\System32\iEsKjYl.exe
  2⤵
  PID:9636
- C:\Windows\System32\MNkTQMc.exe
  C:\Windows\System32\MNkTQMc.exe
  2⤵
  PID:9664
- C:\Windows\System32\AjiFsIl.exe
  C:\Windows\System32\AjiFsIl.exe
  2⤵
  PID:9692
- C:\Windows\System32\uOhKalb.exe
  C:\Windows\System32\uOhKalb.exe
  2⤵
  PID:9728
- C:\Windows\System32\RRRzEkY.exe
  C:\Windows\System32\RRRzEkY.exe
  2⤵
  PID:9756
- C:\Windows\System32\EPkInZq.exe
  C:\Windows\System32\EPkInZq.exe
  2⤵
  PID:9772
- C:\Windows\System32\awbjoWT.exe
  C:\Windows\System32\awbjoWT.exe
  2⤵
  PID:9808
- C:\Windows\System32\OFPPXXO.exe
  C:\Windows\System32\OFPPXXO.exe
  2⤵
  PID:9844
- C:\Windows\System32\WZdbdpL.exe
  C:\Windows\System32\WZdbdpL.exe
  2⤵
  PID:9860
- C:\Windows\System32\vgCRxRx.exe
  C:\Windows\System32\vgCRxRx.exe
  2⤵
  PID:9876
- C:\Windows\System32\QgApwDY.exe
  C:\Windows\System32\QgApwDY.exe
  2⤵
  PID:9904
- C:\Windows\System32\vgpovec.exe
  C:\Windows\System32\vgpovec.exe
  2⤵
  PID:9940
- C:\Windows\System32\TNsLcoF.exe
  C:\Windows\System32\TNsLcoF.exe
  2⤵
  PID:9972
- C:\Windows\System32\hAKBIrv.exe
  C:\Windows\System32\hAKBIrv.exe
  2⤵
  PID:9992
- C:\Windows\System32\QAnXZiA.exe
  C:\Windows\System32\QAnXZiA.exe
  2⤵
  PID:10008
- C:\Windows\System32\jYNysyi.exe
  C:\Windows\System32\jYNysyi.exe
  2⤵
  PID:10032
- C:\Windows\System32\OaGoFVm.exe
  C:\Windows\System32\OaGoFVm.exe
  2⤵
  PID:10060
- C:\Windows\System32\TDsddIf.exe
  C:\Windows\System32\TDsddIf.exe
  2⤵
  PID:10232
- C:\Windows\System32\nLdmOfK.exe
  C:\Windows\System32\nLdmOfK.exe
  2⤵
  PID:9252
- C:\Windows\System32\idxkmmg.exe
  C:\Windows\System32\idxkmmg.exe
  2⤵
  PID:9300
- C:\Windows\System32\pTjbkCY.exe
  C:\Windows\System32\pTjbkCY.exe
  2⤵
  PID:9296
- C:\Windows\System32\AUGNait.exe
  C:\Windows\System32\AUGNait.exe
  2⤵
  PID:9340
- C:\Windows\System32\faSCOmb.exe
  C:\Windows\System32\faSCOmb.exe
  2⤵
  PID:9400
- C:\Windows\System32\FzRCJBr.exe
  C:\Windows\System32\FzRCJBr.exe
  2⤵
  PID:9440
- C:\Windows\System32\RNSECbo.exe
  C:\Windows\System32\RNSECbo.exe
  2⤵
  PID:9500
- C:\Windows\System32\hZoJMmV.exe
  C:\Windows\System32\hZoJMmV.exe
  2⤵
  PID:9544
- C:\Windows\System32\lhFpraK.exe
  C:\Windows\System32\lhFpraK.exe
  2⤵
  PID:9600
- C:\Windows\System32\jatzUiJ.exe
  C:\Windows\System32\jatzUiJ.exe
  2⤵
  PID:9748
- C:\Windows\System32\hddLMcr.exe
  C:\Windows\System32\hddLMcr.exe
  2⤵
  PID:9936
- C:\Windows\System32\ncToRvp.exe
  C:\Windows\System32\ncToRvp.exe
  2⤵
  PID:10044
- C:\Windows\System32\AqVnhnl.exe
  C:\Windows\System32\AqVnhnl.exe
  2⤵
  PID:10100
- C:\Windows\System32\EMYBhgL.exe
  C:\Windows\System32\EMYBhgL.exe
  2⤵
  PID:10048
- C:\Windows\System32\GjPEaan.exe
  C:\Windows\System32\GjPEaan.exe
  2⤵
  PID:10080
- C:\Windows\System32\ySuXhTy.exe
  C:\Windows\System32\ySuXhTy.exe
  2⤵
  PID:10024
- C:\Windows\System32\wdtETLI.exe
  C:\Windows\System32\wdtETLI.exe
  2⤵
  PID:10116
- C:\Windows\System32\TqFNkfV.exe
  C:\Windows\System32\TqFNkfV.exe
  2⤵
  PID:10188
- C:\Windows\System32\FSFwenN.exe
  C:\Windows\System32\FSFwenN.exe
  2⤵
  PID:10216
- C:\Windows\System32\ZWkXVlw.exe
  C:\Windows\System32\ZWkXVlw.exe
  2⤵
  PID:9276
- C:\Windows\System32\NhXlSpS.exe
  C:\Windows\System32\NhXlSpS.exe
  2⤵
  PID:9448
- C:\Windows\System32\aduWLOH.exe
  C:\Windows\System32\aduWLOH.exe
  2⤵
  PID:9652
- C:\Windows\System32\YsCnndC.exe
  C:\Windows\System32\YsCnndC.exe
  2⤵
  PID:9964
- C:\Windows\System32\PFPSjgP.exe
  C:\Windows\System32\PFPSjgP.exe
  2⤵
  PID:10220
- C:\Windows\System32\RvxNtSH.exe
  C:\Windows\System32\RvxNtSH.exe
  2⤵
  PID:10140
- C:\Windows\System32\trAZRfm.exe
  C:\Windows\System32\trAZRfm.exe
  2⤵
  PID:10176
- C:\Windows\System32\OGfDjLo.exe
  C:\Windows\System32\OGfDjLo.exe
  2⤵
  PID:10184
- C:\Windows\System32\vJRMrEV.exe
  C:\Windows\System32\vJRMrEV.exe
  2⤵
  PID:9584
- C:\Windows\System32\IShjyVl.exe
  C:\Windows\System32\IShjyVl.exe
  2⤵
  PID:9788
- C:\Windows\System32\aoiXRkj.exe
  C:\Windows\System32\aoiXRkj.exe
  2⤵
  PID:10104
- C:\Windows\System32\mAubieS.exe
  C:\Windows\System32\mAubieS.exe
  2⤵
  PID:9416
- C:\Windows\System32\IjVsmeI.exe
  C:\Windows\System32\IjVsmeI.exe
  2⤵
  PID:10280
- C:\Windows\System32\MXOJncP.exe
  C:\Windows\System32\MXOJncP.exe
  2⤵
  PID:10300
- C:\Windows\System32\LKBbmxu.exe
  C:\Windows\System32\LKBbmxu.exe
  2⤵
  PID:10316
- C:\Windows\System32\PAOAdtz.exe
  C:\Windows\System32\PAOAdtz.exe
  2⤵
  PID:10344
- C:\Windows\System32\NAgExAv.exe
  C:\Windows\System32\NAgExAv.exe
  2⤵
  PID:10364
- C:\Windows\System32\IENYweY.exe
  C:\Windows\System32\IENYweY.exe
  2⤵
  PID:10396
- C:\Windows\System32\QoiLGJx.exe
  C:\Windows\System32\QoiLGJx.exe
  2⤵
  PID:10452
- C:\Windows\System32\YmckuNy.exe
  C:\Windows\System32\YmckuNy.exe
  2⤵
  PID:10480
- C:\Windows\System32\SReookW.exe
  C:\Windows\System32\SReookW.exe
  2⤵
  PID:10496
- C:\Windows\System32\zBqSDFM.exe
  C:\Windows\System32\zBqSDFM.exe
  2⤵
  PID:10520
- C:\Windows\System32\ZkBKvyC.exe
  C:\Windows\System32\ZkBKvyC.exe
  2⤵
  PID:10536
- C:\Windows\System32\fkOFDCs.exe
  C:\Windows\System32\fkOFDCs.exe
  2⤵
  PID:10600
- C:\Windows\System32\DObBMIL.exe
  C:\Windows\System32\DObBMIL.exe
  2⤵
  PID:10624
- C:\Windows\System32\hFpQdQu.exe
  C:\Windows\System32\hFpQdQu.exe
  2⤵
  PID:10644
- C:\Windows\System32\dhpwRUX.exe
  C:\Windows\System32\dhpwRUX.exe
  2⤵
  PID:10660
- C:\Windows\System32\yfVqzxj.exe
  C:\Windows\System32\yfVqzxj.exe
  2⤵
  PID:10680
- C:\Windows\System32\xQRLmDo.exe
  C:\Windows\System32\xQRLmDo.exe
  2⤵
  PID:10704
- C:\Windows\System32\OjugYfs.exe
  C:\Windows\System32\OjugYfs.exe
  2⤵
  PID:10752
- C:\Windows\System32\awmZyzo.exe
  C:\Windows\System32\awmZyzo.exe
  2⤵
  PID:10780
- C:\Windows\System32\snaAJLh.exe
  C:\Windows\System32\snaAJLh.exe
  2⤵
  PID:10796
- C:\Windows\System32\wPHcAYa.exe
  C:\Windows\System32\wPHcAYa.exe
  2⤵
  PID:10812
- C:\Windows\System32\hYZRpnt.exe
  C:\Windows\System32\hYZRpnt.exe
  2⤵
  PID:10836
- C:\Windows\System32\xPaeHkL.exe
  C:\Windows\System32\xPaeHkL.exe
  2⤵
  PID:10872
- C:\Windows\System32\MHTeNqf.exe
  C:\Windows\System32\MHTeNqf.exe
  2⤵
  PID:10944
- C:\Windows\System32\kqQDYEn.exe
  C:\Windows\System32\kqQDYEn.exe
  2⤵
  PID:10964
- C:\Windows\System32\RhqYXzF.exe
  C:\Windows\System32\RhqYXzF.exe
  2⤵
  PID:10984
- C:\Windows\System32\RlqXOTk.exe
  C:\Windows\System32\RlqXOTk.exe
  2⤵
  PID:11012
- C:\Windows\System32\hyBVtmq.exe
  C:\Windows\System32\hyBVtmq.exe
  2⤵
  PID:11028
- C:\Windows\System32\BNFByPz.exe
  C:\Windows\System32\BNFByPz.exe
  2⤵
  PID:11048
- C:\Windows\System32\DPneClb.exe
  C:\Windows\System32\DPneClb.exe
  2⤵
  PID:11100
- C:\Windows\System32\WEcLqSP.exe
  C:\Windows\System32\WEcLqSP.exe
  2⤵
  PID:11124
- C:\Windows\System32\sJJQnTq.exe
  C:\Windows\System32\sJJQnTq.exe
  2⤵
  PID:11156
- C:\Windows\System32\MpRVFkr.exe
  C:\Windows\System32\MpRVFkr.exe
  2⤵
  PID:11196
- C:\Windows\System32\xpcFooD.exe
  C:\Windows\System32\xpcFooD.exe
  2⤵
  PID:11220
- C:\Windows\System32\kFtkWTN.exe
  C:\Windows\System32\kFtkWTN.exe
  2⤵
  PID:11240
- C:\Windows\System32\TTTqvbO.exe
  C:\Windows\System32\TTTqvbO.exe
  2⤵
  PID:9596
- C:\Windows\System32\JOqOuUw.exe
  C:\Windows\System32\JOqOuUw.exe
  2⤵
  PID:10248
- C:\Windows\System32\dJImdOL.exe
  C:\Windows\System32\dJImdOL.exe
  2⤵
  PID:10296
- C:\Windows\System32\lgljldI.exe
  C:\Windows\System32\lgljldI.exe
  2⤵
  PID:10384
- C:\Windows\System32\wWfOlbg.exe
  C:\Windows\System32\wWfOlbg.exe
  2⤵
  PID:10516
- C:\Windows\System32\FmOcxVB.exe
  C:\Windows\System32\FmOcxVB.exe
  2⤵
  PID:10556
- C:\Windows\System32\ScFNyRe.exe
  C:\Windows\System32\ScFNyRe.exe
  2⤵
  PID:10576
- C:\Windows\System32\zKhQYHm.exe
  C:\Windows\System32\zKhQYHm.exe
  2⤵
  PID:10640
- C:\Windows\System32\NYdfKxR.exe
  C:\Windows\System32\NYdfKxR.exe
  2⤵
  PID:10652
- C:\Windows\System32\CPmhNtm.exe
  C:\Windows\System32\CPmhNtm.exe
  2⤵
  PID:10724
- C:\Windows\System32\DkBwZeK.exe
  C:\Windows\System32\DkBwZeK.exe
  2⤵
  PID:10848
- C:\Windows\System32\ZUKFcJF.exe
  C:\Windows\System32\ZUKFcJF.exe
  2⤵
  PID:10916
- C:\Windows\System32\xcvFvqq.exe
  C:\Windows\System32\xcvFvqq.exe
  2⤵
  PID:10956
- C:\Windows\System32\ZCVomxG.exe
  C:\Windows\System32\ZCVomxG.exe
  2⤵
  PID:10980
- C:\Windows\System32\LKajZQW.exe
  C:\Windows\System32\LKajZQW.exe
  2⤵
  PID:11056
- C:\Windows\System32\RyIYvkq.exe
  C:\Windows\System32\RyIYvkq.exe
  2⤵
  PID:11164
- C:\Windows\System32\IvSYQHo.exe
  C:\Windows\System32\IvSYQHo.exe
  2⤵
  PID:11228
- C:\Windows\System32\ZVnbaPV.exe
  C:\Windows\System32\ZVnbaPV.exe
  2⤵
  PID:11248
- C:\Windows\System32\EZOeMrS.exe
  C:\Windows\System32\EZOeMrS.exe
  2⤵
  PID:10324
- C:\Windows\System32\NDGPqMG.exe
  C:\Windows\System32\NDGPqMG.exe
  2⤵
  PID:10388
- C:\Windows\System32\CTSJUDw.exe
  C:\Windows\System32\CTSJUDw.exe
  2⤵
  PID:10472
- C:\Windows\System32\FOWuogn.exe
  C:\Windows\System32\FOWuogn.exe
  2⤵
  PID:10820
- C:\Windows\System32\hDXJQms.exe
  C:\Windows\System32\hDXJQms.exe
  2⤵
  PID:10804
- C:\Windows\System32\zsxegdv.exe
  C:\Windows\System32\zsxegdv.exe
  2⤵
  PID:11072
- C:\Windows\System32\WdzSExd.exe
  C:\Windows\System32\WdzSExd.exe
  2⤵
  PID:9924
- C:\Windows\System32\sPxEftT.exe
  C:\Windows\System32\sPxEftT.exe
  2⤵
  PID:10356
- C:\Windows\System32\xHoOznk.exe
  C:\Windows\System32\xHoOznk.exe
  2⤵
  PID:10560
- C:\Windows\System32\sThpDzw.exe
  C:\Windows\System32\sThpDzw.exe
  2⤵
  PID:11140
- C:\Windows\System32\AGGfnYP.exe
  C:\Windows\System32\AGGfnYP.exe
  2⤵
  PID:11252
- C:\Windows\System32\zrwQitP.exe
  C:\Windows\System32\zrwQitP.exe
  2⤵
  PID:10772
- C:\Windows\System32\fZbMzbX.exe
  C:\Windows\System32\fZbMzbX.exe
  2⤵
  PID:11280
- C:\Windows\System32\XkvXxwr.exe
  C:\Windows\System32\XkvXxwr.exe
  2⤵
  PID:11348
- C:\Windows\System32\tcOFxwn.exe
  C:\Windows\System32\tcOFxwn.exe
  2⤵
  PID:11376
- C:\Windows\System32\RmompRM.exe
  C:\Windows\System32\RmompRM.exe
  2⤵
  PID:11404
- C:\Windows\System32\uHnfEfV.exe
  C:\Windows\System32\uHnfEfV.exe
  2⤵
  PID:11420
- C:\Windows\System32\RNYDdDB.exe
  C:\Windows\System32\RNYDdDB.exe
  2⤵
  PID:11444
- C:\Windows\System32\AompwcA.exe
  C:\Windows\System32\AompwcA.exe
  2⤵
  PID:11468
- C:\Windows\System32\mdweSoA.exe
  C:\Windows\System32\mdweSoA.exe
  2⤵
  PID:11520
- C:\Windows\System32\baRcpkx.exe
  C:\Windows\System32\baRcpkx.exe
  2⤵
  PID:11564
- C:\Windows\System32\ewZxQIh.exe
  C:\Windows\System32\ewZxQIh.exe
  2⤵
  PID:11600
- C:\Windows\System32\hlVhEdy.exe
  C:\Windows\System32\hlVhEdy.exe
  2⤵
  PID:11620
- C:\Windows\System32\wtQhOfH.exe
  C:\Windows\System32\wtQhOfH.exe
  2⤵
  PID:11648
- C:\Windows\System32\GBDKcyD.exe
  C:\Windows\System32\GBDKcyD.exe
  2⤵
  PID:11676
- C:\Windows\System32\KUCKAQh.exe
  C:\Windows\System32\KUCKAQh.exe
  2⤵
  PID:11696
- C:\Windows\System32\MLxtMBj.exe
  C:\Windows\System32\MLxtMBj.exe
  2⤵
  PID:11724
- C:\Windows\System32\aWaAGRc.exe
  C:\Windows\System32\aWaAGRc.exe
  2⤵
  PID:11752
- C:\Windows\System32\ClplUxF.exe
  C:\Windows\System32\ClplUxF.exe
  2⤵
  PID:11780
- C:\Windows\System32\NuAEfLo.exe
  C:\Windows\System32\NuAEfLo.exe
  2⤵
  PID:11832
- C:\Windows\System32\fkTmRnR.exe
  C:\Windows\System32\fkTmRnR.exe
  2⤵
  PID:11848
- C:\Windows\System32\LBFuNun.exe
  C:\Windows\System32\LBFuNun.exe
  2⤵
  PID:11864
- C:\Windows\System32\RlRQgNH.exe
  C:\Windows\System32\RlRQgNH.exe
  2⤵
  PID:11884
- C:\Windows\System32\yuXLzYF.exe
  C:\Windows\System32\yuXLzYF.exe
  2⤵
  PID:11912
- C:\Windows\System32\UTtYoSr.exe
  C:\Windows\System32\UTtYoSr.exe
  2⤵
  PID:11932
- C:\Windows\System32\iTYpOBF.exe
  C:\Windows\System32\iTYpOBF.exe
  2⤵
  PID:11956
- C:\Windows\System32\sjoOrvv.exe
  C:\Windows\System32\sjoOrvv.exe
  2⤵
  PID:11976
- C:\Windows\System32\vBYKLKf.exe
  C:\Windows\System32\vBYKLKf.exe
  2⤵
  PID:12000
- C:\Windows\System32\PfUQkSO.exe
  C:\Windows\System32\PfUQkSO.exe
  2⤵
  PID:12052
- C:\Windows\System32\HUTwIjD.exe
  C:\Windows\System32\HUTwIjD.exe
  2⤵
  PID:12072
- C:\Windows\System32\qyIxZFK.exe
  C:\Windows\System32\qyIxZFK.exe
  2⤵
  PID:12108
- C:\Windows\System32\vGLCcNJ.exe
  C:\Windows\System32\vGLCcNJ.exe
  2⤵
  PID:12128
- C:\Windows\System32\tigewwn.exe
  C:\Windows\System32\tigewwn.exe
  2⤵
  PID:12188
- C:\Windows\System32\tfbpwRZ.exe
  C:\Windows\System32\tfbpwRZ.exe
  2⤵
  PID:12204
- C:\Windows\System32\hEbkWQm.exe
  C:\Windows\System32\hEbkWQm.exe
  2⤵
  PID:12252
- C:\Windows\System32\qtdUBlu.exe
  C:\Windows\System32\qtdUBlu.exe
  2⤵
  PID:12268
- C:\Windows\System32\dvwOwLE.exe
  C:\Windows\System32\dvwOwLE.exe
  2⤵
  PID:10932
- C:\Windows\System32\UupOHBJ.exe
  C:\Windows\System32\UupOHBJ.exe
  2⤵
  PID:11328
- C:\Windows\System32\IhvoBcP.exe
  C:\Windows\System32\IhvoBcP.exe
  2⤵
  PID:11356
- C:\Windows\System32\EvVfmib.exe
  C:\Windows\System32\EvVfmib.exe
  2⤵
  PID:11364
- C:\Windows\System32\FZSSZbd.exe
  C:\Windows\System32\FZSSZbd.exe
  2⤵
  PID:11460
- C:\Windows\System32\qORcMNk.exe
  C:\Windows\System32\qORcMNk.exe
  2⤵
  PID:11536
- C:\Windows\System32\pkHFxDA.exe
  C:\Windows\System32\pkHFxDA.exe
  2⤵
  PID:11628
- C:\Windows\System32\MtyxnhX.exe
  C:\Windows\System32\MtyxnhX.exe
  2⤵
  PID:11672
- C:\Windows\System32\dKqDGze.exe
  C:\Windows\System32\dKqDGze.exe
  2⤵
  PID:11732
- C:\Windows\System32\EEopNDV.exe
  C:\Windows\System32\EEopNDV.exe
  2⤵
  PID:11764
- C:\Windows\System32\BTPXbTk.exe
  C:\Windows\System32\BTPXbTk.exe
  2⤵
  PID:11876
- C:\Windows\System32\JuSELZo.exe
  C:\Windows\System32\JuSELZo.exe
  2⤵
  PID:11972
- C:\Windows\System32\qLuZEqO.exe
  C:\Windows\System32\qLuZEqO.exe
  2⤵
  PID:11968
- C:\Windows\System32\gmpFiJm.exe
  C:\Windows\System32\gmpFiJm.exe
  2⤵
  PID:12068
- C:\Windows\System32\Ecjbvkd.exe
  C:\Windows\System32\Ecjbvkd.exe
  2⤵
  PID:12144
- C:\Windows\System32\LqZAMDZ.exe
  C:\Windows\System32\LqZAMDZ.exe
  2⤵
  PID:12168
- C:\Windows\System32\noNAokB.exe
  C:\Windows\System32\noNAokB.exe
  2⤵
  PID:12216
- C:\Windows\System32\WVhfkdD.exe
  C:\Windows\System32\WVhfkdD.exe
  2⤵
  PID:12280
- C:\Windows\System32\UWyMYqN.exe
  C:\Windows\System32\UWyMYqN.exe
  2⤵
  PID:11664
- C:\Windows\System32\PPNUQvD.exe
  C:\Windows\System32\PPNUQvD.exe
  2⤵
  PID:11740
- C:\Windows\System32\bQCOOlE.exe
  C:\Windows\System32\bQCOOlE.exe
  2⤵
  PID:11768
- C:\Windows\System32\mXCWnuG.exe
  C:\Windows\System32\mXCWnuG.exe
  2⤵
  PID:11896
- C:\Windows\System32\aUJwgNP.exe
  C:\Windows\System32\aUJwgNP.exe
  2⤵
  PID:1384
- C:\Windows\System32\dUcYiVE.exe
  C:\Windows\System32\dUcYiVE.exe
  2⤵
  PID:12276
- C:\Windows\System32\OHstaco.exe
  C:\Windows\System32\OHstaco.exe
  2⤵
  PID:11616
- C:\Windows\System32\HDJibri.exe
  C:\Windows\System32\HDJibri.exe
  2⤵
  PID:1056
- C:\Windows\System32\FjMihLR.exe
  C:\Windows\System32\FjMihLR.exe
  2⤵
  PID:11920
- C:\Windows\System32\skGyFaG.exe
  C:\Windows\System32\skGyFaG.exe
  2⤵
  PID:11332
- C:\Windows\System32\PREDxdY.exe
  C:\Windows\System32\PREDxdY.exe
  2⤵
  PID:5064
- C:\Windows\System32\mrMprJl.exe
  C:\Windows\System32\mrMprJl.exe
  2⤵
  PID:12064
- C:\Windows\System32\fFsxLVI.exe
  C:\Windows\System32\fFsxLVI.exe
  2⤵
  PID:12296
- C:\Windows\System32\XtqIepX.exe
  C:\Windows\System32\XtqIepX.exe
  2⤵
  PID:12324
- C:\Windows\System32\PrbPnUe.exe
  C:\Windows\System32\PrbPnUe.exe
  2⤵
  PID:12372
- C:\Windows\System32\LVPneCB.exe
  C:\Windows\System32\LVPneCB.exe
  2⤵
  PID:12388
- C:\Windows\System32\JCrHFSG.exe
  C:\Windows\System32\JCrHFSG.exe
  2⤵
  PID:12404
- C:\Windows\System32\kFlafpy.exe
  C:\Windows\System32\kFlafpy.exe
  2⤵
  PID:12432
- C:\Windows\System32\esLttZg.exe
  C:\Windows\System32\esLttZg.exe
  2⤵
  PID:12448
- C:\Windows\System32\HtYcioZ.exe
  C:\Windows\System32\HtYcioZ.exe
  2⤵
  PID:12464
- C:\Windows\System32\pOjEQaz.exe
  C:\Windows\System32\pOjEQaz.exe
  2⤵
  PID:12480
- C:\Windows\System32\CHvhETI.exe
  C:\Windows\System32\CHvhETI.exe
  2⤵
  PID:12552
- C:\Windows\System32\rFohvvW.exe
  C:\Windows\System32\rFohvvW.exe
  2⤵
  PID:12580
- C:\Windows\System32\XTzUEHQ.exe
  C:\Windows\System32\XTzUEHQ.exe
  2⤵
  PID:12612
- C:\Windows\System32\mlfUlqE.exe
  C:\Windows\System32\mlfUlqE.exe
  2⤵
  PID:12632
- C:\Windows\System32\oazKfYN.exe
  C:\Windows\System32\oazKfYN.exe
  2⤵
  PID:12656
- C:\Windows\System32\kVMydBI.exe
  C:\Windows\System32\kVMydBI.exe
  2⤵
  PID:12684
- C:\Windows\System32\rfFqoHz.exe
  C:\Windows\System32\rfFqoHz.exe
  2⤵
  PID:12724
- C:\Windows\System32\RAnlAUS.exe
  C:\Windows\System32\RAnlAUS.exe
  2⤵
  PID:12748
- C:\Windows\System32\tbTwPYL.exe
  C:\Windows\System32\tbTwPYL.exe
  2⤵
  PID:12768
- C:\Windows\System32\fsWMGZA.exe
  C:\Windows\System32\fsWMGZA.exe
  2⤵
  PID:12788
- C:\Windows\System32\PcbOqsi.exe
  C:\Windows\System32\PcbOqsi.exe
  2⤵
  PID:12804
- C:\Windows\System32\IUiIJto.exe
  C:\Windows\System32\IUiIJto.exe
  2⤵
  PID:12832
- C:\Windows\System32\BXMyosw.exe
  C:\Windows\System32\BXMyosw.exe
  2⤵
  PID:12880
- C:\Windows\System32\lspkERh.exe
  C:\Windows\System32\lspkERh.exe
  2⤵
  PID:12908
- C:\Windows\System32\XgdLyvF.exe
  C:\Windows\System32\XgdLyvF.exe
  2⤵
  PID:12928
- C:\Windows\System32\VnVuHam.exe
  C:\Windows\System32\VnVuHam.exe
  2⤵
  PID:12952
- C:\Windows\System32\AtHiqqi.exe
  C:\Windows\System32\AtHiqqi.exe
  2⤵
  PID:13000
- C:\Windows\System32\ZnzsSIV.exe
  C:\Windows\System32\ZnzsSIV.exe
  2⤵
  PID:13024
- C:\Windows\System32\YdEeueU.exe
  C:\Windows\System32\YdEeueU.exe
  2⤵
  PID:13048
- C:\Windows\System32\QkOhaAf.exe
  C:\Windows\System32\QkOhaAf.exe
  2⤵
  PID:13064
- C:\Windows\System32\HtQIqYI.exe
  C:\Windows\System32\HtQIqYI.exe
  2⤵
  PID:13124
- C:\Windows\System32\jcWbOVp.exe
  C:\Windows\System32\jcWbOVp.exe
  2⤵
  PID:13144
- C:\Windows\System32\mVWqUtz.exe
  C:\Windows\System32\mVWqUtz.exe
  2⤵
  PID:13176
- C:\Windows\System32\LJFMMxu.exe
  C:\Windows\System32\LJFMMxu.exe
  2⤵
  PID:13196
- C:\Windows\System32\YwrxRxO.exe
  C:\Windows\System32\YwrxRxO.exe
  2⤵
  PID:13216
- C:\Windows\System32\vyaiPoN.exe
  C:\Windows\System32\vyaiPoN.exe
  2⤵
  PID:13256
- C:\Windows\System32\VMYZHVr.exe
  C:\Windows\System32\VMYZHVr.exe
  2⤵
  PID:13272
- C:\Windows\System32\unTqPbV.exe
  C:\Windows\System32\unTqPbV.exe
  2⤵
  PID:13300
- C:\Windows\System32\sTLNiuC.exe
  C:\Windows\System32\sTLNiuC.exe
  2⤵
  PID:11688
- C:\Windows\System32\IiRVFav.exe
  C:\Windows\System32\IiRVFav.exe
  2⤵
  PID:12304
- C:\Windows\System32\uaZBNTz.exe
  C:\Windows\System32\uaZBNTz.exe
  2⤵
  PID:12428
- C:\Windows\System32\bnNifRm.exe
  C:\Windows\System32\bnNifRm.exe
  2⤵
  PID:1416
- C:\Windows\System32\RANwvRr.exe
  C:\Windows\System32\RANwvRr.exe
  2⤵
  PID:12512
- C:\Windows\System32\pVEgEny.exe
  C:\Windows\System32\pVEgEny.exe
  2⤵
  PID:12572

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\CJAnUOu.exe

Filesize
1.3MB

MD5
3d7509a451ddfa8b964d4d674843c7af

SHA1
c70ff9d74e62c27a3eccec5a4a018b0bc04db07d

SHA256
27500a778a28d3f3762479c8ef71b5527509787045c75f6c9170c02b79da8f72

SHA512
5005d340cc6ac326fd51258f425d4d2d94d8c4dc2de75443dfc8edae3b16ca22d9b05a8989ac5d694782de799bf63358c9fe4b4fee4baf4b6a72689f299478ae

Download Submit
C:\Windows\System32\DKrblqW.exe

Filesize
1.3MB

MD5
d0d89f2c28bfb2afff743a25e0ee5d64

SHA1
deb0678a2323294688fd2470637e84696aea34fa

SHA256
cb2aff03fe91907700b968ea24615a3211ed91a0884784dd40a83b675b05396f

SHA512
9b7976d770e5ea92b907f3afe8fa726b7caccc89a2a81667eb3a21077bf03d84e8f3a0de009edd18f287c69fb07e2633d1cde321b2e24a6491f4504bcc3e3ef3

Download Submit
C:\Windows\System32\GQgUWZx.exe

Filesize
1.3MB

MD5
bc633e4d15ad5a4938cc9bcaaaa2e03c

SHA1
2825acee5b9f8d8afd232bd6da18255f5fdf7cdb

SHA256
9e9eccadb56617913ab36394a3223130f2df554b28367f33b79714d46f824b84

SHA512
442c25b1a676069ca32ae2834d1c1f86e86cf3db3e91fc97f019a090716a06d4531072526d73ddca12e55363398a9cfc6c072b0f4e37c96080f273c902981725

Download Submit
C:\Windows\System32\KyTdOqS.exe

Filesize
1.3MB

MD5
4c44507b03f59f6402d92922c2cea1f3

SHA1
1d644365d8701df81c28320207bc34e5fc06e330

SHA256
b646ef0be5db5097a030a1d5e4409ff4393518899a78c55244bbee9ee4e2254f

SHA512
3ae903025997eb14c37fd777aef78ab8ae454dec81d9a69e28fb31feefe53c54aa69b4b7c470104507503960b60ec200ffb74ef0d155c6742d97812a1921adc1

Download Submit
C:\Windows\System32\LIDoiiw.exe

Filesize
1.3MB

MD5
ce499005df14387da868edbdef021b21

SHA1
056fe53965be984e0ea64bd141364f70ee3b61da

SHA256
5dbcd95be2fce8b02dfd35fe09157d33d23472ee4616d26e0d7447581cc3aba6

SHA512
ed2f41851c2640eef42cac279c1757a371eefa67c42055dcb64a762e9115b2ef40dbca9afce597908fb525d38264e3f8d817cc2e4ae6b70022e8721603161fde

Download Submit
C:\Windows\System32\LTjBtbL.exe

Filesize
1.3MB

MD5
51aa0d846922c03486c03d222fea4b34

SHA1
a1be06e9360bac7fcfede30179b45a1e7cb1446a

SHA256
c51768c56dea73611ccb9f5f134ab0d71b18f675bec088936f46b59d410e812a

SHA512
c6d2dbfa09e264fe8a5ad73f0d675f967765eb4821088410b1ed1c09b38b6f18ff970268dbcb926b0bf3d0b4619e33693d1f5172c4bb11ebe1099a5f2fef751a

Download Submit
C:\Windows\System32\ONGfdgL.exe

Filesize
1.3MB

MD5
09fd5a1e545d70ddcfee7dc145b9ff8f

SHA1
b5e5c74547f1192d7c2b119373623fc245e3461d

SHA256
30080292b16b0c56f1a05c006f8b18208556b107f9078b4c9a57f9c421173f11

SHA512
49eef1ab86fb3fd2dd9e2f937b020345ffc6cdd916b2da6191f7c4fcb34b312e74d1e827f72a1ec0830e5aecf62ce744bf6d7320f3dbeaa3f641db51496bde1e

Download Submit
C:\Windows\System32\OzLSIfb.exe

Filesize
1.3MB

MD5
89fb0e19bed31e7f43d8c20e103f5adc

SHA1
846c0ca7ee522a1211c23d91a9fe9634e214084e

SHA256
69dccd9b79827a425d4842bc79060e139587d8c553676f3c3dfdac8fb0417d1c

SHA512
2a7148a508298c13646ca5e2b6e1fd477e09609ca30559cba555c7fe42826bdf58105870c7b6565b34e794a7020700cf5a5a67b82ac1a27629f5aaddf38fac51

Download Submit
C:\Windows\System32\RfWHCsc.exe

Filesize
1.3MB

MD5
3be1b6482586422cca2b4e3c6d5b5fa4

SHA1
eb1e1a2c7c7d17fd50ea9b4ea5f872ff72c9cdda

SHA256
1f4a86a4e449077ad72c4cfd775828edc219e0bd8e8d7648defc5e134d1f801c

SHA512
0d738735497e65f03a95ce6dbe9800c813353744236f37b73c8f36c3b8898cbcabd0e542e7da56f8e5facea5ab7ecf5815ca33528d4f15c2defed3d6cf93de66

Download Submit
C:\Windows\System32\RvHJItl.exe

Filesize
1.3MB

MD5
6b7b972a5975969506d83c5c0c4369bd

SHA1
03de1b7f3a49283a7a097e856f5f519892de6974

SHA256
1ad7b7544f0438acdd2f78a146e1026e213ef6a47ffd824c799c6cbf715c7415

SHA512
144db9cd6de736c88de78f85af2a602a5b42aa4fc33ecbfe2a02974e72f6f89c3604329e00c4ccf3eef58634539dafb803c2fa5bb7b2069e785c13adf3531c42

Download Submit
C:\Windows\System32\UdKiaAn.exe

Filesize
1.3MB

MD5
4dd3a7532b11fdaabf6712c063a3637d

SHA1
fe8ca4d9f2be67e143be9ae3f2d8eca417764cc5

SHA256
2e428fec1b194ba0ba6c1151cb6ca4459017f8048297b354dc5f9cf789646b99

SHA512
810e02f96777c54ab5fce1e92c70e8815827140b5e6cce861ed185b365df9bfd6501831d8212f2b10cb81edb90816bc0bc25f28735566da445336f824afdaae4

Download Submit
C:\Windows\System32\WdjadfN.exe

Filesize
1.3MB

MD5
7b3247041603cfd35d08f1fccaca29c0

SHA1
f402a5d593db8490faa388eb9ac35362f155dfd2

SHA256
84c759aed0a1dc128d3cf1ad074b16b4ce59c3265896546a218f6d2fe8976c62

SHA512
f362e9b5ebac0d383f66966ee05d575aaf7ca5272cab5c00208fb80c50315f553871318519c3d9b16ff1ff8a68d3ee9542df021b93c1a5664505fcbe6647f4e6

Download Submit
C:\Windows\System32\YfdBlAW.exe

Filesize
1.3MB

MD5
70bfd2148c201591acb17642c374e190

SHA1
2210bc46272eab0c759585af672a6b77cc47db9e

SHA256
10f7d1611d444792a201945f76eb6d64e2d7a207934fd090ff04748b15bba4ff

SHA512
a89b26d7c3b3574525a2d98a56805b2575389275db0f0a092d1c36db1c4c987780aa5d813f6ac0b463e651e6e9528532d6175d813de783af791afbf23e9a701c

Download Submit
C:\Windows\System32\Zpbonwy.exe

Filesize
1.3MB

MD5
3ad67add01b28ccacfd2ed1dc8256443

SHA1
5ac661059136f6ae6881cef3320420a227e2a6fe

SHA256
176fa09e89a40ce2e2d9385c1001594a5a5ca8046e74729c06baebcfd50cc75a

SHA512
699232e50679c74880c5cc6db720325dcd825d3fe061496aaa274d8cfc381c431a867e685491bff641d5893a0f793345b4f5c808aad0f84a2a4db958dc55f2b9

Download Submit
C:\Windows\System32\aZBUxbD.exe

Filesize
1.3MB

MD5
757f2c3d83b3ffee0690718b8be40651

SHA1
c14d2af36f6558d4ace0a18fdecd4db1e6e8b622

SHA256
5893bd6330ec13a5d2c849a5cd7e108f5d8b055471567ea5e08c347acef2d191

SHA512
02df39d875cde75f0959d3830c563684938c4ded55381e42eea0fc904ab82111ed74c6843241f4fb64f6fcbef941b693ed023fc023590cca29c6ed69135c5249

Download Submit
C:\Windows\System32\bSyNYJR.exe

Filesize
1.3MB

MD5
4aacd401094114ef1daece0d2d9bec51

SHA1
f8630da1bc6554eb4e9d4e3c9928e6977b2991c3

SHA256
acc7982ca804b0f24a2f04e0761fa219f963c9375cf066eb7f8cca3711dfa026

SHA512
7b3b7b18e5ca7071a6990c207002a5ef4ad29959b2571f6e08e3a26fd44af6e22cf7b9810844c7cce3d53028240b5874c8648dc94805438d55a9ad4923f0f330

Download Submit
C:\Windows\System32\dJgEEIO.exe

Filesize
1.3MB

MD5
e11a849f7d076eba16eafd246bfe589d

SHA1
2f298f18dd09804d03871e7f4853a8bb9c17d03d

SHA256
64c84cf414d26ddf8a7c2134bbadf9a8db4e15cc0735ca67028834095b6c4a0e

SHA512
378a535b0e8495e7b561e1a1e435620e012fb93f7b37ee2f27d892953903a819061e2d6699ef9858e150d778d37b86c91531afa6b2056ddd2c8e2b53dbab3540

Download Submit
C:\Windows\System32\eIERjJX.exe

Filesize
1.3MB

MD5
5ff975cc4106e13ed379d79661c29767

SHA1
0f801a93b1c55be55cdf81cbfeda3753c276457e

SHA256
74a6552c4be50e67845016844c2039a54834f78b30bb94c66e1ab1f815117450

SHA512
b840953fa0ec98f42616c2bab25119d3185a7833e05dca045ae964709328111bc15a6ff886d400114f8e72fb63b01a508e463e8013e35c760c9642eb29e44c12

Download Submit
C:\Windows\System32\etnESRb.exe

Filesize
1.3MB

MD5
4d4ae738c5d37acfd1b0b6110e6f6de9

SHA1
89b71cedc5856ef50d648a570c4682e6298859a5

SHA256
b0a779bac4942486e28e79e8d920dcba157897ff6d457ef1a56c455eb7644fa8

SHA512
f1cabcc8f8a1c04c0d6234ad0c65cc58ad30f0f8d33780d9ccab1e5769a77fefba4f317281fb53357c747b37dc172ac5f625e8ac7b00df57fca3f7f3f9301282

Download Submit
C:\Windows\System32\gwkGAOq.exe

Filesize
1.3MB

MD5
3370c0977dc4f54eb59bb70e811d798f

SHA1
877cf1877668981e7d969193c82cafdd7ce2950b

SHA256
08a64fc81ded97de2cf2c518594374a6348784bd54d3c64da5f784e6ae4a1b98

SHA512
6adcc466102df46d4927c7cae6c8587a34f7866cd52e13f60e137808267d81291565f5f3a818495ca509208c2aefe9afd728e848d7ad7f9b6195822a41b27364

Download Submit
C:\Windows\System32\hTbzaAX.exe

Filesize
1.3MB

MD5
1290b93688f8b974a99ac27efec8674a

SHA1
6c4ee5ca48d33279bcadd9e1e0835bb101a89eb8

SHA256
002f110a56ac8c8c14883c13adddf1b9a386a054c530eba260ebd04beea2a371

SHA512
e3ebda1a17d7ce6097bf35a94288611fc1ed71639215a8dd56d5d3c0785c7aee9289b1c7009ffc0312c94c06d724cd72c63ea926d3132de130cb052a6c4fa096

Download Submit
C:\Windows\System32\jVsIOyg.exe

Filesize
1.3MB

MD5
c24ab4e268dd4926608aefab67eae8ff

SHA1
9bc8049658604df08665318d6ed82e56ec6a2094

SHA256
7d6c30f8d754372e5699cc2d5da09fa41a94cab48ae9b7eadb6942dc45b3984b

SHA512
25feddc3c7bb0444e745e346efd827e6419ca273000c6f460d7d776b86a891edfd1198371ffb372d4a3b4dd12a54f8339442619d4ec775312df5f10e0eabface

Download Submit
C:\Windows\System32\kXPuDVr.exe

Filesize
1.3MB

MD5
5f1d1fd71cecd4770e3eae2fea8585e0

SHA1
9bb933c276ab5b7184f983efc8233a83427a3267

SHA256
dec46343113280bf02ccfa51ffd31356496923fecb1e1321fff375c0a3c2544f

SHA512
08c6b699aa8d5e0abd18bd6b130d885c19b4bfc52b55b68f17402fcf51fb80ca9f7fda27f9f95b9a2e9d50963378c4b30d2efe265339f4f4111d674ef7638650

Download Submit
C:\Windows\System32\oFGvpHc.exe

Filesize
1.3MB

MD5
c77c352b78b97b7626c75beaea497139

SHA1
c78f882839f1708a249c379e666ffc2382ca7563

SHA256
5205063b3fd8434a287a802bc9cc7456daf2af62a1b5584cab80c61ce15be7dd

SHA512
1b009c5fb098eeceddc3d1bb8dca9905b4a2f6907ac5c745360767f85fb8de69d6d44ba928d6d80abd381e8bf5f60e2b0c2a29472befc21017cc494c7cf7d433

Download Submit
C:\Windows\System32\rNAwEEu.exe

Filesize
1.3MB

MD5
478ec61ce56089977d83ce4cafb0d6b4

SHA1
c99855d65e2dc162a9a7e0481d358212e2991b3b

SHA256
f1e65586b5e4be8741f68142e497e36df54c5e406143e7c3c7cea64db0400569

SHA512
3b64b280934bdcf57cf33ae3e6f5afe4609cf475f35c8132aa32b26052f2bca1dfa6e0a5f66d1583ea3c24f09fa85efb36b8019388dadf4478673db61c1d6f2b

Download Submit
C:\Windows\System32\rmlNOgL.exe

Filesize
1.3MB

MD5
58eeb790b2cb0fa8dc879981b4366db9

SHA1
1959e7409dd6fd0d7960d91d59dfc5712489d2ae

SHA256
2e5b127b5e3c9c66021de82c7783a20cbf7922ecd5e0cb178b0554963d4dc5a3

SHA512
3026eba4c4bac72b26dd974702fe16b214f7a3cad5788d9fb6e562f7bd7fd21425b40716a07335c6328dc715e6b898b5e939dc4199d78a567f9860014f3e8385

Download Submit
C:\Windows\System32\uTzWeWi.exe

Filesize
1.3MB

MD5
695683fea7245f57617b1f23695932b2

SHA1
5d70c802327e70aa889926623ce7936a671b3d03

SHA256
b9d642339fa3aa157479e186419ea11e6e676f2a8523848a9fe479289cf79610

SHA512
e12960c79376a9541697c14083060fd70a8b2b26e8fcab10ff8bd6145fc61efbcef1653a974af44fc0d03d13b28c046026de14b3f9de7c2039e6d194f96b0394

Download Submit
C:\Windows\System32\vnblsfA.exe

Filesize
1.3MB

MD5
d7b423b8d801ddcc724e88002fbbd40d

SHA1
95615806c55d9eb9b30d14b66d7b1a4c9402a97a

SHA256
0b9c81771a997cb2e5edf35a5c6be255e7c2150a251528983134aaed889d9f39

SHA512
177005c2755f73034e39e5ee10d23091834e7f3e0ae72c9b815497a45145ba26412b6f25531a047da213524ec923eb69d9ad1f4492b1c86cdad480463d6070e1

Download Submit
C:\Windows\System32\wNyGCRt.exe

Filesize
1.3MB

MD5
f12f011f5a27dc378d6b8f3d2b8a4e2a

SHA1
81c49c7a4cdf8c8067cc2129f22bc841ba731481

SHA256
cf51270c91abc1d54658426d1f06614bedd6d65a826a52a0646d041aa8424e58

SHA512
61c5d5ebd7620874faec77a7a3ae27f9ab241a496d3d23461bf6520b0c9df3d9f43d3879e6bed0cc0c9524993486276f6deb91a0dd62cf51b6bbb18de215d472

Download Submit
C:\Windows\System32\xFNmXdF.exe

Filesize
1.3MB

MD5
44bd2143ec5d04363ded2572eb2be434

SHA1
a8deecc0391bccd4b7c15f8e0d7d74ba9e997911

SHA256
22cbc91937fdb922e4e13ff379d60b5b2021b0e115706eaf690e807e5ff885a5

SHA512
16e75975d70035ec45cd32d7f11d35ebc68f4191fac24fe11713b8a5ca6e170bc775d92dc9a9d0100da05b6430356d8900fab2bb56b170970c7304079e5a046f

Download Submit
C:\Windows\System32\yJSCTlC.exe

Filesize
1.3MB

MD5
f59a76600b08e3fa4eb9d92dcfd027f1

SHA1
4bad457850edd5e8b626a060492aa6a4254beb53

SHA256
c029b63a4fd05c208418dddea7c38ca101ed9962131cfbaec06d9d5ed7ba7772

SHA512
9f07a93bfe34cf1dba92d1cedf0d816c20cc2215130f6a796e8983d9766f90bc90b417e6a61532a6b853efc9b9acf871b37c4efcf3cda660d692c09cd01fd848

Download Submit
C:\Windows\System32\zBDeggv.exe

Filesize
1.3MB

MD5
a82dc4a60281814a99984bce97333d4c

SHA1
f57a69c542382deec94fb3550f96c638aa4de35d

SHA256
91f704ca1efe43ba1957984a9561b267898bd2b5c7e9bf63d5f4bd6d624f5063

SHA512
beb08162becbb4f6d5faa1c4df6c842f05c578543d2e18ef1285bd4e4b6ba4926125db9410186ca07cf3b7ac980aaff15088289fc0e8d294d70b973864fadbe8

Download Submit
memory/940-2021-0x00007FF729EB0000-0x00007FF72A2A1000-memory.dmp

Filesize
3.9MB

Download
memory/940-48-0x00007FF729EB0000-0x00007FF72A2A1000-memory.dmp

Filesize
3.9MB

Download
memory/1076-443-0x00007FF6E9980000-0x00007FF6E9D71000-memory.dmp

Filesize
3.9MB

Download
memory/1076-2040-0x00007FF6E9980000-0x00007FF6E9D71000-memory.dmp

Filesize
3.9MB

Download
memory/1128-2015-0x00007FF7999B0000-0x00007FF799DA1000-memory.dmp

Filesize
3.9MB

Download
memory/1128-59-0x00007FF7999B0000-0x00007FF799DA1000-memory.dmp

Filesize
3.9MB

Download
memory/1512-2054-0x00007FF78A4E0000-0x00007FF78A8D1000-memory.dmp

Filesize
3.9MB

Download
memory/1512-449-0x00007FF78A4E0000-0x00007FF78A8D1000-memory.dmp

Filesize
3.9MB

Download
memory/1548-455-0x00007FF60E2F0000-0x00007FF60E6E1000-memory.dmp

Filesize
3.9MB

Download
memory/1548-2050-0x00007FF60E2F0000-0x00007FF60E6E1000-memory.dmp

Filesize
3.9MB

Download
memory/1684-16-0x00007FF7CB790000-0x00007FF7CBB81000-memory.dmp

Filesize
3.9MB

Download
memory/1684-2009-0x00007FF7CB790000-0x00007FF7CBB81000-memory.dmp

Filesize
3.9MB

Download
memory/1860-427-0x00007FF688FD0000-0x00007FF6893C1000-memory.dmp

Filesize
3.9MB

Download
memory/1860-2031-0x00007FF688FD0000-0x00007FF6893C1000-memory.dmp

Filesize
3.9MB

Download
memory/1860-1989-0x00007FF688FD0000-0x00007FF6893C1000-memory.dmp

Filesize
3.9MB

Download
memory/1968-458-0x00007FF79EA40000-0x00007FF79EE31000-memory.dmp

Filesize
3.9MB

Download
memory/1968-2048-0x00007FF79EA40000-0x00007FF79EE31000-memory.dmp

Filesize
3.9MB

Download
memory/2100-2035-0x00007FF796990000-0x00007FF796D81000-memory.dmp

Filesize
3.9MB

Download
memory/2100-438-0x00007FF796990000-0x00007FF796D81000-memory.dmp

Filesize
3.9MB

Download
memory/2136-2025-0x00007FF7363B0000-0x00007FF7367A1000-memory.dmp

Filesize
3.9MB

Download
memory/2136-58-0x00007FF7363B0000-0x00007FF7367A1000-memory.dmp

Filesize
3.9MB

Download
memory/2172-9-0x00007FF6678C0000-0x00007FF667CB1000-memory.dmp

Filesize
3.9MB

Download
memory/2172-2011-0x00007FF6678C0000-0x00007FF667CB1000-memory.dmp

Filesize
3.9MB

Download
memory/2184-2029-0x00007FF679E90000-0x00007FF67A281000-memory.dmp

Filesize
3.9MB

Download
memory/2184-429-0x00007FF679E90000-0x00007FF67A281000-memory.dmp

Filesize
3.9MB

Download
memory/2212-2027-0x00007FF7F96D0000-0x00007FF7F9AC1000-memory.dmp

Filesize
3.9MB

Download
memory/2212-460-0x00007FF7F96D0000-0x00007FF7F9AC1000-memory.dmp

Filesize
3.9MB

Download
memory/2332-2052-0x00007FF7AEDF0000-0x00007FF7AF1E1000-memory.dmp

Filesize
3.9MB

Download
memory/2332-452-0x00007FF7AEDF0000-0x00007FF7AF1E1000-memory.dmp

Filesize
3.9MB

Download
memory/2712-451-0x00007FF6708C0000-0x00007FF670CB1000-memory.dmp

Filesize
3.9MB

Download
memory/2712-2056-0x00007FF6708C0000-0x00007FF670CB1000-memory.dmp

Filesize
3.9MB

Download
memory/2824-2013-0x00007FF7108A0000-0x00007FF710C91000-memory.dmp

Filesize
3.9MB

Download
memory/2824-1988-0x00007FF7108A0000-0x00007FF710C91000-memory.dmp

Filesize
3.9MB

Download
memory/2824-50-0x00007FF7108A0000-0x00007FF710C91000-memory.dmp

Filesize
3.9MB

Download
memory/2852-2044-0x00007FF7B90C0000-0x00007FF7B94B1000-memory.dmp

Filesize
3.9MB

Download
memory/2852-446-0x00007FF7B90C0000-0x00007FF7B94B1000-memory.dmp

Filesize
3.9MB

Download
memory/2916-57-0x00007FF616F40000-0x00007FF617331000-memory.dmp

Filesize
3.9MB

Download
memory/2916-2017-0x00007FF616F40000-0x00007FF617331000-memory.dmp

Filesize
3.9MB

Download
memory/3012-430-0x00007FF705D60000-0x00007FF706151000-memory.dmp

Filesize
3.9MB

Download
memory/3012-2033-0x00007FF705D60000-0x00007FF706151000-memory.dmp

Filesize
3.9MB

Download
memory/3244-2023-0x00007FF6C4FB0000-0x00007FF6C53A1000-memory.dmp

Filesize
3.9MB

Download
memory/3244-32-0x00007FF6C4FB0000-0x00007FF6C53A1000-memory.dmp

Filesize
3.9MB

Download
memory/3380-0-0x00007FF660750000-0x00007FF660B41000-memory.dmp

Filesize
3.9MB

Download
memory/3380-1-0x000002D2EE110000-0x000002D2EE120000-memory.dmp

Filesize
64KB

Download
memory/4168-441-0x00007FF616180000-0x00007FF616571000-memory.dmp

Filesize
3.9MB

Download
memory/4168-2042-0x00007FF616180000-0x00007FF616571000-memory.dmp

Filesize
3.9MB

Download
memory/4752-439-0x00007FF766F40000-0x00007FF767331000-memory.dmp

Filesize
3.9MB

Download
memory/4752-2038-0x00007FF766F40000-0x00007FF767331000-memory.dmp

Filesize
3.9MB

Download
memory/4884-2066-0x00007FF792600000-0x00007FF7929F1000-memory.dmp

Filesize
3.9MB

Download
memory/4884-457-0x00007FF792600000-0x00007FF7929F1000-memory.dmp

Filesize
3.9MB

Download
memory/4904-2019-0x00007FF700890000-0x00007FF700C81000-memory.dmp

Filesize
3.9MB

Download
memory/4904-54-0x00007FF700890000-0x00007FF700C81000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads