xmrig | 0ed4ab650f47748dc55bfd557fbb5692fa9cda552e9b8ecfcd1efa67f51305ce

Analysis

max time kernel
124s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2024 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
Size

1.6MB
MD5

0bda6d3c9d2e376e3b7820d388bc9ab3
SHA1

c8fb172282b6577a95f7bb2900a5f28706a5b14b
SHA256

0ed4ab650f47748dc55bfd557fbb5692fa9cda552e9b8ecfcd1efa67f51305ce
SHA512

44846c109e21607feff80d590aed670c1accf09f01e4055a546213a7f694bc3a9db13cbdaed98e4cabc7fec1ef9c86ef8bbf0b86f778c8ab68bb3b805092b9ee
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIO9C1MKTbcMfHhGjw2Do+BRrCfUgSgCIE:knw9oUUEEDlGUjc2HhG82DinE

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/1876-17-0x00007FF67DB90000-0x00007FF67DF81000-memory.dmp	xmrig
behavioral2/memory/2196-41-0x00007FF6918D0000-0x00007FF691CC1000-memory.dmp	xmrig
behavioral2/memory/1204-61-0x00007FF68A860000-0x00007FF68AC51000-memory.dmp	xmrig
behavioral2/memory/3204-64-0x00007FF78DF50000-0x00007FF78E341000-memory.dmp	xmrig
behavioral2/memory/1160-69-0x00007FF6FBE20000-0x00007FF6FC211000-memory.dmp	xmrig
behavioral2/memory/2924-68-0x00007FF767530000-0x00007FF767921000-memory.dmp	xmrig
behavioral2/memory/1544-407-0x00007FF729E80000-0x00007FF72A271000-memory.dmp	xmrig
behavioral2/memory/3060-71-0x00007FF7A75C0000-0x00007FF7A79B1000-memory.dmp	xmrig
behavioral2/memory/4600-408-0x00007FF755950000-0x00007FF755D41000-memory.dmp	xmrig
behavioral2/memory/4548-409-0x00007FF7A4070000-0x00007FF7A4461000-memory.dmp	xmrig
behavioral2/memory/4220-410-0x00007FF69C0B0000-0x00007FF69C4A1000-memory.dmp	xmrig
behavioral2/memory/536-411-0x00007FF6B0790000-0x00007FF6B0B81000-memory.dmp	xmrig
behavioral2/memory/2052-424-0x00007FF778210000-0x00007FF778601000-memory.dmp	xmrig
behavioral2/memory/4768-423-0x00007FF7F0660000-0x00007FF7F0A51000-memory.dmp	xmrig
behavioral2/memory/3104-420-0x00007FF665890000-0x00007FF665C81000-memory.dmp	xmrig
behavioral2/memory/4612-415-0x00007FF7E5630000-0x00007FF7E5A21000-memory.dmp	xmrig
behavioral2/memory/1528-427-0x00007FF6E6C80000-0x00007FF6E7071000-memory.dmp	xmrig
behavioral2/memory/3932-432-0x00007FF6B2CB0000-0x00007FF6B30A1000-memory.dmp	xmrig
behavioral2/memory/4804-436-0x00007FF7D6500000-0x00007FF7D68F1000-memory.dmp	xmrig
behavioral2/memory/1436-435-0x00007FF6876D0000-0x00007FF687AC1000-memory.dmp	xmrig
behavioral2/memory/4464-998-0x00007FF7DA840000-0x00007FF7DAC31000-memory.dmp	xmrig
behavioral2/memory/2380-1431-0x00007FF73E220000-0x00007FF73E611000-memory.dmp	xmrig
behavioral2/memory/3196-1983-0x00007FF7CA3E0000-0x00007FF7CA7D1000-memory.dmp	xmrig
behavioral2/memory/5064-1984-0x00007FF680C70000-0x00007FF681061000-memory.dmp	xmrig
behavioral2/memory/2924-2018-0x00007FF767530000-0x00007FF767921000-memory.dmp	xmrig
behavioral2/memory/1876-2023-0x00007FF67DB90000-0x00007FF67DF81000-memory.dmp	xmrig
behavioral2/memory/1160-2025-0x00007FF6FBE20000-0x00007FF6FC211000-memory.dmp	xmrig
behavioral2/memory/4464-2027-0x00007FF7DA840000-0x00007FF7DAC31000-memory.dmp	xmrig
behavioral2/memory/2380-2033-0x00007FF73E220000-0x00007FF73E611000-memory.dmp	xmrig
behavioral2/memory/2196-2032-0x00007FF6918D0000-0x00007FF691CC1000-memory.dmp	xmrig
behavioral2/memory/2292-2029-0x00007FF61ADC0000-0x00007FF61B1B1000-memory.dmp	xmrig
behavioral2/memory/3196-2035-0x00007FF7CA3E0000-0x00007FF7CA7D1000-memory.dmp	xmrig
behavioral2/memory/5064-2037-0x00007FF680C70000-0x00007FF681061000-memory.dmp	xmrig
behavioral2/memory/1544-2069-0x00007FF729E80000-0x00007FF72A271000-memory.dmp	xmrig
behavioral2/memory/3060-2067-0x00007FF7A75C0000-0x00007FF7A79B1000-memory.dmp	xmrig
behavioral2/memory/3204-2065-0x00007FF78DF50000-0x00007FF78E341000-memory.dmp	xmrig
behavioral2/memory/1204-2058-0x00007FF68A860000-0x00007FF68AC51000-memory.dmp	xmrig
behavioral2/memory/4600-2073-0x00007FF755950000-0x00007FF755D41000-memory.dmp	xmrig
behavioral2/memory/536-2077-0x00007FF6B0790000-0x00007FF6B0B81000-memory.dmp	xmrig
behavioral2/memory/4548-2075-0x00007FF7A4070000-0x00007FF7A4461000-memory.dmp	xmrig
behavioral2/memory/4612-2079-0x00007FF7E5630000-0x00007FF7E5A21000-memory.dmp	xmrig
behavioral2/memory/4220-2071-0x00007FF69C0B0000-0x00007FF69C4A1000-memory.dmp	xmrig
behavioral2/memory/4804-2085-0x00007FF7D6500000-0x00007FF7D68F1000-memory.dmp	xmrig
behavioral2/memory/1528-2089-0x00007FF6E6C80000-0x00007FF6E7071000-memory.dmp	xmrig
behavioral2/memory/1436-2093-0x00007FF6876D0000-0x00007FF687AC1000-memory.dmp	xmrig
behavioral2/memory/3932-2091-0x00007FF6B2CB0000-0x00007FF6B30A1000-memory.dmp	xmrig
behavioral2/memory/2052-2087-0x00007FF778210000-0x00007FF778601000-memory.dmp	xmrig
behavioral2/memory/4768-2083-0x00007FF7F0660000-0x00007FF7F0A51000-memory.dmp	xmrig
behavioral2/memory/3104-2081-0x00007FF665890000-0x00007FF665C81000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1160	NiyXhQt.exe
1876	KQfsmNM.exe
4464	IudSEJE.exe
2380	XmcNbWT.exe
2292	MDCMmVC.exe
2196	lJHBJjD.exe
3196	TWjQtZf.exe
5064	jtuoXLi.exe
1204	ocTOvJb.exe
3204	LncCzUd.exe
3060	FJKPtXD.exe
1544	gtDjVsb.exe
4600	OdqrpRZ.exe
4548	wbnYKoR.exe
4220	AYZDvZp.exe
536	WueSfGE.exe
4612	zFkHqbE.exe
3104	vsXIqwT.exe
4768	CSsjVDQ.exe
2052	TRMcgDU.exe
1528	jobDIsu.exe
3932	lFkfVWJ.exe
1436	LFWNjwd.exe
4804	JtaZFMF.exe
1908	UFmFGxJ.exe
4584	hEcMpiG.exe
4820	gOlchfU.exe
888	ElzVUSQ.exe
2000	uezFKmt.exe
3556	mzOOXND.exe
3604	QZiCKwn.exe
3348	IbNQwtw.exe
4204	JMmeQcc.exe
4144	YSNzWdf.exe
2928	Qfwmcqs.exe
4376	qDrNGdi.exe
1756	JnZGzKT.exe
408	cbrDNpc.exe
860	FEUDAvY.exe
1644	RvlVQqT.exe
4288	ySJOifU.exe
3952	puwTYLw.exe
4360	jHDQUao.exe
4340	rrtyKvN.exe
2124	sfimwFc.exe
1552	pHZWJIv.exe
3176	VQqSEni.exe
4860	XBwBoBq.exe
3700	MZJzjKW.exe
2108	rdKHSKO.exe
3172	cTIJJPp.exe
640	XiEPilM.exe
808	CxRezCh.exe
2520	lFgjqWO.exe
3420	CgEZgMr.exe
1292	oCYThKd.exe
4708	gmIDsxI.exe
2236	jSnuoYH.exe
3972	uvhORxa.exe
4200	OyYbxJE.exe
3120	GqvXoVA.exe
3068	jAJEYqm.exe
4152	yEEzYxU.exe
4876	DnaBYld.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2924-0-0x00007FF767530000-0x00007FF767921000-memory.dmp	upx
behavioral2/files/0x000b000000023b69-4.dat	upx
behavioral2/files/0x000a000000023b6d-8.dat	upx
behavioral2/files/0x000a000000023b6e-7.dat	upx
behavioral2/memory/1160-13-0x00007FF6FBE20000-0x00007FF6FC211000-memory.dmp	upx
behavioral2/files/0x000a000000023b6f-26.dat	upx
behavioral2/memory/4464-22-0x00007FF7DA840000-0x00007FF7DAC31000-memory.dmp	upx
behavioral2/memory/2380-28-0x00007FF73E220000-0x00007FF73E611000-memory.dmp	upx
behavioral2/files/0x000a000000023b70-31.dat	upx
behavioral2/files/0x000a000000023b71-36.dat	upx
behavioral2/memory/2292-30-0x00007FF61ADC0000-0x00007FF61B1B1000-memory.dmp	upx
behavioral2/memory/1876-17-0x00007FF67DB90000-0x00007FF67DF81000-memory.dmp	upx
behavioral2/files/0x000a000000023b72-40.dat	upx
behavioral2/memory/2196-41-0x00007FF6918D0000-0x00007FF691CC1000-memory.dmp	upx
behavioral2/files/0x000b000000023b6a-46.dat	upx
behavioral2/files/0x000a000000023b73-49.dat	upx
behavioral2/files/0x000a000000023b74-52.dat	upx
behavioral2/memory/5064-58-0x00007FF680C70000-0x00007FF681061000-memory.dmp	upx
behavioral2/memory/1204-61-0x00007FF68A860000-0x00007FF68AC51000-memory.dmp	upx
behavioral2/memory/3204-64-0x00007FF78DF50000-0x00007FF78E341000-memory.dmp	upx
behavioral2/files/0x000a000000023b75-66.dat	upx
behavioral2/memory/1160-69-0x00007FF6FBE20000-0x00007FF6FC211000-memory.dmp	upx
behavioral2/memory/2924-68-0x00007FF767530000-0x00007FF767921000-memory.dmp	upx
behavioral2/files/0x000a000000023b76-73.dat	upx
behavioral2/files/0x000a000000023b78-77.dat	upx
behavioral2/files/0x000a000000023b79-84.dat	upx
behavioral2/files/0x000a000000023b7a-89.dat	upx
behavioral2/files/0x000a000000023b7b-94.dat	upx
behavioral2/files/0x000a000000023b7d-104.dat	upx
behavioral2/files/0x000a000000023b7e-109.dat	upx
behavioral2/files/0x000a000000023b81-124.dat	upx
behavioral2/files/0x000a000000023b83-132.dat	upx
behavioral2/files/0x000a000000023b84-139.dat	upx
behavioral2/files/0x000a000000023b86-149.dat	upx
behavioral2/files/0x000a000000023b8b-174.dat	upx
behavioral2/memory/1544-407-0x00007FF729E80000-0x00007FF72A271000-memory.dmp	upx
behavioral2/files/0x000a000000023b8a-169.dat	upx
behavioral2/files/0x000a000000023b89-164.dat	upx
behavioral2/files/0x000a000000023b88-159.dat	upx
behavioral2/files/0x000a000000023b87-154.dat	upx
behavioral2/files/0x000a000000023b85-144.dat	upx
behavioral2/files/0x000a000000023b82-129.dat	upx
behavioral2/files/0x000a000000023b80-119.dat	upx
behavioral2/files/0x000a000000023b7f-114.dat	upx
behavioral2/files/0x000a000000023b7c-99.dat	upx
behavioral2/memory/3060-71-0x00007FF7A75C0000-0x00007FF7A79B1000-memory.dmp	upx
behavioral2/memory/3196-48-0x00007FF7CA3E0000-0x00007FF7CA7D1000-memory.dmp	upx
behavioral2/memory/4600-408-0x00007FF755950000-0x00007FF755D41000-memory.dmp	upx
behavioral2/memory/4548-409-0x00007FF7A4070000-0x00007FF7A4461000-memory.dmp	upx
behavioral2/memory/4220-410-0x00007FF69C0B0000-0x00007FF69C4A1000-memory.dmp	upx
behavioral2/memory/536-411-0x00007FF6B0790000-0x00007FF6B0B81000-memory.dmp	upx
behavioral2/memory/2052-424-0x00007FF778210000-0x00007FF778601000-memory.dmp	upx
behavioral2/memory/4768-423-0x00007FF7F0660000-0x00007FF7F0A51000-memory.dmp	upx
behavioral2/memory/3104-420-0x00007FF665890000-0x00007FF665C81000-memory.dmp	upx
behavioral2/memory/4612-415-0x00007FF7E5630000-0x00007FF7E5A21000-memory.dmp	upx
behavioral2/memory/1528-427-0x00007FF6E6C80000-0x00007FF6E7071000-memory.dmp	upx
behavioral2/memory/3932-432-0x00007FF6B2CB0000-0x00007FF6B30A1000-memory.dmp	upx
behavioral2/memory/4804-436-0x00007FF7D6500000-0x00007FF7D68F1000-memory.dmp	upx
behavioral2/memory/1436-435-0x00007FF6876D0000-0x00007FF687AC1000-memory.dmp	upx
behavioral2/memory/4464-998-0x00007FF7DA840000-0x00007FF7DAC31000-memory.dmp	upx
behavioral2/memory/2380-1431-0x00007FF73E220000-0x00007FF73E611000-memory.dmp	upx
behavioral2/memory/3196-1983-0x00007FF7CA3E0000-0x00007FF7CA7D1000-memory.dmp	upx
behavioral2/memory/5064-1984-0x00007FF680C70000-0x00007FF681061000-memory.dmp	upx
behavioral2/memory/2924-2018-0x00007FF767530000-0x00007FF767921000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\BtsTOae.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\noZcAcG.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\ZGhotty.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\dcQbEvu.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\MZJzjKW.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\dxOASvJ.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\qKubXOo.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\riKkexl.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\yLSrvUQ.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\YEfxNYt.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\KQfsmNM.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\oExxCmM.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\kHzpVxr.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\BenAZpF.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\uKPaelA.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\NRFHarM.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\QwMBEUT.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\iMjkgxP.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\JILrMiY.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\aNjsyfk.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\nahdNLG.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\xjHADHG.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\Huttflx.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\smQnUuc.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\yMxWZrw.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\lFVHaTG.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\stIUflb.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\RLjrsks.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\JIMPojT.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\PdcKtLO.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\NAsRuzj.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\gKQKvDZ.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\pGDMowh.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\ZdpDZUt.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\PHHjHdE.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\RZeMhUn.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\LeByEDm.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\ClysmPA.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\vpmwsZS.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\nMAxWJF.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\ygGHlwB.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\EcUPGcR.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\WcxnEmg.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\SADQBeN.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\OTHsSDy.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\ItxUbaI.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\lAarpvO.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\ZXvXBUc.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\aoGXSFW.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\ombiXQb.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\jtuoXLi.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\qDrNGdi.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\ALxEJDx.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\jGbUeba.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\jWjlDYV.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\NVDFshT.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\fuxJclA.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\KHkBobU.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\uThzoeY.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\jleWceW.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\YDlMkdj.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\BUDaUSL.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\UxwrLji.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
File created	C:\Windows\System32\DMoAXGh.exe	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	14036	dwm.exe
Token: SeChangeNotifyPrivilege	14036	dwm.exe
Token: 33	14036	dwm.exe
Token: SeIncBasePriorityPrivilege	14036	dwm.exe
Token: SeShutdownPrivilege	14036	dwm.exe
Token: SeCreatePagefilePrivilege	14036	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 1160	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	84
PID 2924 wrote to memory of 1160	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	84
PID 2924 wrote to memory of 1876	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	85
PID 2924 wrote to memory of 1876	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	85
PID 2924 wrote to memory of 4464	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	86
PID 2924 wrote to memory of 4464	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	86
PID 2924 wrote to memory of 2380	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	87
PID 2924 wrote to memory of 2380	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	87
PID 2924 wrote to memory of 2292	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	88
PID 2924 wrote to memory of 2292	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	88
PID 2924 wrote to memory of 2196	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	89
PID 2924 wrote to memory of 2196	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	89
PID 2924 wrote to memory of 3196	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	90
PID 2924 wrote to memory of 3196	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	90
PID 2924 wrote to memory of 5064	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	91
PID 2924 wrote to memory of 5064	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	91
PID 2924 wrote to memory of 1204	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	92
PID 2924 wrote to memory of 1204	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	92
PID 2924 wrote to memory of 3204	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	93
PID 2924 wrote to memory of 3204	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	93
PID 2924 wrote to memory of 3060	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	95
PID 2924 wrote to memory of 3060	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	95
PID 2924 wrote to memory of 1544	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	96
PID 2924 wrote to memory of 1544	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	96
PID 2924 wrote to memory of 4600	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	97
PID 2924 wrote to memory of 4600	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	97
PID 2924 wrote to memory of 4548	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	98
PID 2924 wrote to memory of 4548	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	98
PID 2924 wrote to memory of 4220	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	99
PID 2924 wrote to memory of 4220	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	99
PID 2924 wrote to memory of 536	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	100
PID 2924 wrote to memory of 536	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	100
PID 2924 wrote to memory of 4612	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	101
PID 2924 wrote to memory of 4612	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	101
PID 2924 wrote to memory of 3104	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	102
PID 2924 wrote to memory of 3104	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	102
PID 2924 wrote to memory of 4768	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	103
PID 2924 wrote to memory of 4768	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	103
PID 2924 wrote to memory of 2052	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	104
PID 2924 wrote to memory of 2052	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	104
PID 2924 wrote to memory of 1528	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	105
PID 2924 wrote to memory of 1528	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	105
PID 2924 wrote to memory of 3932	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	106
PID 2924 wrote to memory of 3932	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	106
PID 2924 wrote to memory of 1436	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	107
PID 2924 wrote to memory of 1436	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	107
PID 2924 wrote to memory of 4804	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	108
PID 2924 wrote to memory of 4804	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	108
PID 2924 wrote to memory of 1908	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	110
PID 2924 wrote to memory of 1908	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	110
PID 2924 wrote to memory of 4584	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	111
PID 2924 wrote to memory of 4584	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	111
PID 2924 wrote to memory of 4820	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	112
PID 2924 wrote to memory of 4820	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	112
PID 2924 wrote to memory of 888	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	113
PID 2924 wrote to memory of 888	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	113
PID 2924 wrote to memory of 2000	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	114
PID 2924 wrote to memory of 2000	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	114
PID 2924 wrote to memory of 3556	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	115
PID 2924 wrote to memory of 3556	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	115
PID 2924 wrote to memory of 3604	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	116
PID 2924 wrote to memory of 3604	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	116
PID 2924 wrote to memory of 3348	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	117
PID 2924 wrote to memory of 3348	2924	0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe	117

C:\Users\Admin\AppData\Local\Temp\0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0bda6d3c9d2e376e3b7820d388bc9ab3_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\System32\NiyXhQt.exe
  C:\Windows\System32\NiyXhQt.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System32\KQfsmNM.exe
  C:\Windows\System32\KQfsmNM.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System32\IudSEJE.exe
  C:\Windows\System32\IudSEJE.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System32\XmcNbWT.exe
  C:\Windows\System32\XmcNbWT.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System32\MDCMmVC.exe
  C:\Windows\System32\MDCMmVC.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System32\lJHBJjD.exe
  C:\Windows\System32\lJHBJjD.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\System32\TWjQtZf.exe
  C:\Windows\System32\TWjQtZf.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System32\jtuoXLi.exe
  C:\Windows\System32\jtuoXLi.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System32\ocTOvJb.exe
  C:\Windows\System32\ocTOvJb.exe
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\System32\LncCzUd.exe
  C:\Windows\System32\LncCzUd.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System32\FJKPtXD.exe
  C:\Windows\System32\FJKPtXD.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System32\gtDjVsb.exe
  C:\Windows\System32\gtDjVsb.exe
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\System32\OdqrpRZ.exe
  C:\Windows\System32\OdqrpRZ.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System32\wbnYKoR.exe
  C:\Windows\System32\wbnYKoR.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System32\AYZDvZp.exe
  C:\Windows\System32\AYZDvZp.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System32\WueSfGE.exe
  C:\Windows\System32\WueSfGE.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System32\zFkHqbE.exe
  C:\Windows\System32\zFkHqbE.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System32\vsXIqwT.exe
  C:\Windows\System32\vsXIqwT.exe
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Windows\System32\CSsjVDQ.exe
  C:\Windows\System32\CSsjVDQ.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System32\TRMcgDU.exe
  C:\Windows\System32\TRMcgDU.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System32\jobDIsu.exe
  C:\Windows\System32\jobDIsu.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\System32\lFkfVWJ.exe
  C:\Windows\System32\lFkfVWJ.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System32\LFWNjwd.exe
  C:\Windows\System32\LFWNjwd.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System32\JtaZFMF.exe
  C:\Windows\System32\JtaZFMF.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System32\UFmFGxJ.exe
  C:\Windows\System32\UFmFGxJ.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System32\hEcMpiG.exe
  C:\Windows\System32\hEcMpiG.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System32\gOlchfU.exe
  C:\Windows\System32\gOlchfU.exe
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Windows\System32\ElzVUSQ.exe
  C:\Windows\System32\ElzVUSQ.exe
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\System32\uezFKmt.exe
  C:\Windows\System32\uezFKmt.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System32\mzOOXND.exe
  C:\Windows\System32\mzOOXND.exe
  2⤵
  - Executes dropped EXE
  PID:3556
- C:\Windows\System32\QZiCKwn.exe
  C:\Windows\System32\QZiCKwn.exe
  2⤵
  - Executes dropped EXE
  PID:3604
- C:\Windows\System32\IbNQwtw.exe
  C:\Windows\System32\IbNQwtw.exe
  2⤵
  - Executes dropped EXE
  PID:3348
- C:\Windows\System32\JMmeQcc.exe
  C:\Windows\System32\JMmeQcc.exe
  2⤵
  - Executes dropped EXE
  PID:4204
- C:\Windows\System32\YSNzWdf.exe
  C:\Windows\System32\YSNzWdf.exe
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Windows\System32\Qfwmcqs.exe
  C:\Windows\System32\Qfwmcqs.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System32\qDrNGdi.exe
  C:\Windows\System32\qDrNGdi.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System32\JnZGzKT.exe
  C:\Windows\System32\JnZGzKT.exe
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\System32\cbrDNpc.exe
  C:\Windows\System32\cbrDNpc.exe
  2⤵
  - Executes dropped EXE
  PID:408
- C:\Windows\System32\FEUDAvY.exe
  C:\Windows\System32\FEUDAvY.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System32\RvlVQqT.exe
  C:\Windows\System32\RvlVQqT.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System32\ySJOifU.exe
  C:\Windows\System32\ySJOifU.exe
  2⤵
  - Executes dropped EXE
  PID:4288
- C:\Windows\System32\puwTYLw.exe
  C:\Windows\System32\puwTYLw.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System32\jHDQUao.exe
  C:\Windows\System32\jHDQUao.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System32\rrtyKvN.exe
  C:\Windows\System32\rrtyKvN.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System32\sfimwFc.exe
  C:\Windows\System32\sfimwFc.exe
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\System32\pHZWJIv.exe
  C:\Windows\System32\pHZWJIv.exe
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\System32\VQqSEni.exe
  C:\Windows\System32\VQqSEni.exe
  2⤵
  - Executes dropped EXE
  PID:3176
- C:\Windows\System32\XBwBoBq.exe
  C:\Windows\System32\XBwBoBq.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System32\MZJzjKW.exe
  C:\Windows\System32\MZJzjKW.exe
  2⤵
  - Executes dropped EXE
  PID:3700
- C:\Windows\System32\rdKHSKO.exe
  C:\Windows\System32\rdKHSKO.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System32\cTIJJPp.exe
  C:\Windows\System32\cTIJJPp.exe
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Windows\System32\XiEPilM.exe
  C:\Windows\System32\XiEPilM.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System32\CxRezCh.exe
  C:\Windows\System32\CxRezCh.exe
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Windows\System32\lFgjqWO.exe
  C:\Windows\System32\lFgjqWO.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System32\CgEZgMr.exe
  C:\Windows\System32\CgEZgMr.exe
  2⤵
  - Executes dropped EXE
  PID:3420
- C:\Windows\System32\oCYThKd.exe
  C:\Windows\System32\oCYThKd.exe
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\System32\gmIDsxI.exe
  C:\Windows\System32\gmIDsxI.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System32\jSnuoYH.exe
  C:\Windows\System32\jSnuoYH.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System32\uvhORxa.exe
  C:\Windows\System32\uvhORxa.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System32\OyYbxJE.exe
  C:\Windows\System32\OyYbxJE.exe
  2⤵
  - Executes dropped EXE
  PID:4200
- C:\Windows\System32\GqvXoVA.exe
  C:\Windows\System32\GqvXoVA.exe
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Windows\System32\jAJEYqm.exe
  C:\Windows\System32\jAJEYqm.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System32\yEEzYxU.exe
  C:\Windows\System32\yEEzYxU.exe
  2⤵
  - Executes dropped EXE
  PID:4152
- C:\Windows\System32\DnaBYld.exe
  C:\Windows\System32\DnaBYld.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Windows\System32\zjElzjL.exe
  C:\Windows\System32\zjElzjL.exe
  2⤵
  PID:4416
- C:\Windows\System32\XDVPuju.exe
  C:\Windows\System32\XDVPuju.exe
  2⤵
  PID:4180
- C:\Windows\System32\UanMHtY.exe
  C:\Windows\System32\UanMHtY.exe
  2⤵
  PID:712
- C:\Windows\System32\jDIyhyO.exe
  C:\Windows\System32\jDIyhyO.exe
  2⤵
  PID:732
- C:\Windows\System32\alIkDRO.exe
  C:\Windows\System32\alIkDRO.exe
  2⤵
  PID:4348
- C:\Windows\System32\WLCfhBW.exe
  C:\Windows\System32\WLCfhBW.exe
  2⤵
  PID:4112
- C:\Windows\System32\kaGPmIq.exe
  C:\Windows\System32\kaGPmIq.exe
  2⤵
  PID:3140
- C:\Windows\System32\VlGSyzi.exe
  C:\Windows\System32\VlGSyzi.exe
  2⤵
  PID:5112
- C:\Windows\System32\OTHsSDy.exe
  C:\Windows\System32\OTHsSDy.exe
  2⤵
  PID:212
- C:\Windows\System32\cdvLdZH.exe
  C:\Windows\System32\cdvLdZH.exe
  2⤵
  PID:368
- C:\Windows\System32\RulNczP.exe
  C:\Windows\System32\RulNczP.exe
  2⤵
  PID:4784
- C:\Windows\System32\HpQtLkG.exe
  C:\Windows\System32\HpQtLkG.exe
  2⤵
  PID:5036
- C:\Windows\System32\jezOiZn.exe
  C:\Windows\System32\jezOiZn.exe
  2⤵
  PID:2024
- C:\Windows\System32\oequFvb.exe
  C:\Windows\System32\oequFvb.exe
  2⤵
  PID:380
- C:\Windows\System32\mojMHBX.exe
  C:\Windows\System32\mojMHBX.exe
  2⤵
  PID:4476
- C:\Windows\System32\WIffVgZ.exe
  C:\Windows\System32\WIffVgZ.exe
  2⤵
  PID:4436
- C:\Windows\System32\glunGuD.exe
  C:\Windows\System32\glunGuD.exe
  2⤵
  PID:3828
- C:\Windows\System32\VXHZuNO.exe
  C:\Windows\System32\VXHZuNO.exe
  2⤵
  PID:3892
- C:\Windows\System32\xgeyFlP.exe
  C:\Windows\System32\xgeyFlP.exe
  2⤵
  PID:4944
- C:\Windows\System32\AHlteIb.exe
  C:\Windows\System32\AHlteIb.exe
  2⤵
  PID:760
- C:\Windows\System32\iFRcbrJ.exe
  C:\Windows\System32\iFRcbrJ.exe
  2⤵
  PID:5148
- C:\Windows\System32\lFVHaTG.exe
  C:\Windows\System32\lFVHaTG.exe
  2⤵
  PID:5176
- C:\Windows\System32\QqxzvLj.exe
  C:\Windows\System32\QqxzvLj.exe
  2⤵
  PID:5204
- C:\Windows\System32\ItTHoAR.exe
  C:\Windows\System32\ItTHoAR.exe
  2⤵
  PID:5236
- C:\Windows\System32\ywrenLu.exe
  C:\Windows\System32\ywrenLu.exe
  2⤵
  PID:5260
- C:\Windows\System32\smhQIUO.exe
  C:\Windows\System32\smhQIUO.exe
  2⤵
  PID:5288
- C:\Windows\System32\qvjuZQd.exe
  C:\Windows\System32\qvjuZQd.exe
  2⤵
  PID:5316
- C:\Windows\System32\LeByEDm.exe
  C:\Windows\System32\LeByEDm.exe
  2⤵
  PID:5340
- C:\Windows\System32\NbKiTJI.exe
  C:\Windows\System32\NbKiTJI.exe
  2⤵
  PID:5372
- C:\Windows\System32\ZdpDZUt.exe
  C:\Windows\System32\ZdpDZUt.exe
  2⤵
  PID:5404
- C:\Windows\System32\RVbkrLz.exe
  C:\Windows\System32\RVbkrLz.exe
  2⤵
  PID:5428
- C:\Windows\System32\xAcWRfE.exe
  C:\Windows\System32\xAcWRfE.exe
  2⤵
  PID:5456
- C:\Windows\System32\nsxiXxv.exe
  C:\Windows\System32\nsxiXxv.exe
  2⤵
  PID:5484
- C:\Windows\System32\OSFJgMc.exe
  C:\Windows\System32\OSFJgMc.exe
  2⤵
  PID:5508
- C:\Windows\System32\MkQgAIU.exe
  C:\Windows\System32\MkQgAIU.exe
  2⤵
  PID:5544
- C:\Windows\System32\iMjkgxP.exe
  C:\Windows\System32\iMjkgxP.exe
  2⤵
  PID:5568
- C:\Windows\System32\zYTngyD.exe
  C:\Windows\System32\zYTngyD.exe
  2⤵
  PID:5600
- C:\Windows\System32\dxOASvJ.exe
  C:\Windows\System32\dxOASvJ.exe
  2⤵
  PID:5624
- C:\Windows\System32\oOduIxT.exe
  C:\Windows\System32\oOduIxT.exe
  2⤵
  PID:5652
- C:\Windows\System32\QYKfpIR.exe
  C:\Windows\System32\QYKfpIR.exe
  2⤵
  PID:5700
- C:\Windows\System32\pPYUInW.exe
  C:\Windows\System32\pPYUInW.exe
  2⤵
  PID:5716
- C:\Windows\System32\hrDxubv.exe
  C:\Windows\System32\hrDxubv.exe
  2⤵
  PID:5744
- C:\Windows\System32\qKubXOo.exe
  C:\Windows\System32\qKubXOo.exe
  2⤵
  PID:5772
- C:\Windows\System32\ItxUbaI.exe
  C:\Windows\System32\ItxUbaI.exe
  2⤵
  PID:5800
- C:\Windows\System32\rIJjnrt.exe
  C:\Windows\System32\rIJjnrt.exe
  2⤵
  PID:5828
- C:\Windows\System32\akuMQit.exe
  C:\Windows\System32\akuMQit.exe
  2⤵
  PID:5856
- C:\Windows\System32\TVdghTC.exe
  C:\Windows\System32\TVdghTC.exe
  2⤵
  PID:5928
- C:\Windows\System32\KuRzCnH.exe
  C:\Windows\System32\KuRzCnH.exe
  2⤵
  PID:5960
- C:\Windows\System32\BUDaUSL.exe
  C:\Windows\System32\BUDaUSL.exe
  2⤵
  PID:5980
- C:\Windows\System32\WsDjwin.exe
  C:\Windows\System32\WsDjwin.exe
  2⤵
  PID:6004
- C:\Windows\System32\UxwrLji.exe
  C:\Windows\System32\UxwrLji.exe
  2⤵
  PID:6020
- C:\Windows\System32\tAeOUHV.exe
  C:\Windows\System32\tAeOUHV.exe
  2⤵
  PID:6052
- C:\Windows\System32\YoYJjVt.exe
  C:\Windows\System32\YoYJjVt.exe
  2⤵
  PID:6112
- C:\Windows\System32\JNbWJkV.exe
  C:\Windows\System32\JNbWJkV.exe
  2⤵
  PID:4236
- C:\Windows\System32\xSZHHKw.exe
  C:\Windows\System32\xSZHHKw.exe
  2⤵
  PID:3816
- C:\Windows\System32\ZangKMg.exe
  C:\Windows\System32\ZangKMg.exe
  2⤵
  PID:5140
- C:\Windows\System32\QWvNhHA.exe
  C:\Windows\System32\QWvNhHA.exe
  2⤵
  PID:5196
- C:\Windows\System32\ynoAaVD.exe
  C:\Windows\System32\ynoAaVD.exe
  2⤵
  PID:5248
- C:\Windows\System32\LreQRiQ.exe
  C:\Windows\System32\LreQRiQ.exe
  2⤵
  PID:2548
- C:\Windows\System32\PZsoRca.exe
  C:\Windows\System32\PZsoRca.exe
  2⤵
  PID:5328
- C:\Windows\System32\DMoAXGh.exe
  C:\Windows\System32\DMoAXGh.exe
  2⤵
  PID:5352
- C:\Windows\System32\BsjVNMX.exe
  C:\Windows\System32\BsjVNMX.exe
  2⤵
  PID:5448
- C:\Windows\System32\PTRrmcW.exe
  C:\Windows\System32\PTRrmcW.exe
  2⤵
  PID:5496
- C:\Windows\System32\micIpGh.exe
  C:\Windows\System32\micIpGh.exe
  2⤵
  PID:2256
- C:\Windows\System32\ZXYEoYk.exe
  C:\Windows\System32\ZXYEoYk.exe
  2⤵
  PID:4560
- C:\Windows\System32\agWIewS.exe
  C:\Windows\System32\agWIewS.exe
  2⤵
  PID:5644
- C:\Windows\System32\BVNhJlu.exe
  C:\Windows\System32\BVNhJlu.exe
  2⤵
  PID:4400
- C:\Windows\System32\fkdTRvl.exe
  C:\Windows\System32\fkdTRvl.exe
  2⤵
  PID:5732
- C:\Windows\System32\fFiLfhD.exe
  C:\Windows\System32\fFiLfhD.exe
  2⤵
  PID:1416
- C:\Windows\System32\TUVaPMc.exe
  C:\Windows\System32\TUVaPMc.exe
  2⤵
  PID:4592
- C:\Windows\System32\lHeCBMw.exe
  C:\Windows\System32\lHeCBMw.exe
  2⤵
  PID:5084
- C:\Windows\System32\VrYgtOC.exe
  C:\Windows\System32\VrYgtOC.exe
  2⤵
  PID:5868
- C:\Windows\System32\ThUbzDX.exe
  C:\Windows\System32\ThUbzDX.exe
  2⤵
  PID:2164
- C:\Windows\System32\bgRWXND.exe
  C:\Windows\System32\bgRWXND.exe
  2⤵
  PID:3016
- C:\Windows\System32\KEntYfk.exe
  C:\Windows\System32\KEntYfk.exe
  2⤵
  PID:2312
- C:\Windows\System32\aOvnbWF.exe
  C:\Windows\System32\aOvnbWF.exe
  2⤵
  PID:456
- C:\Windows\System32\zJYrfYe.exe
  C:\Windows\System32\zJYrfYe.exe
  2⤵
  PID:5696
- C:\Windows\System32\owWkzst.exe
  C:\Windows\System32\owWkzst.exe
  2⤵
  PID:5972
- C:\Windows\System32\YVXYdCM.exe
  C:\Windows\System32\YVXYdCM.exe
  2⤵
  PID:6032
- C:\Windows\System32\cTUeTaK.exe
  C:\Windows\System32\cTUeTaK.exe
  2⤵
  PID:6044
- C:\Windows\System32\VYdQIOO.exe
  C:\Windows\System32\VYdQIOO.exe
  2⤵
  PID:6128
- C:\Windows\System32\CfyZizF.exe
  C:\Windows\System32\CfyZizF.exe
  2⤵
  PID:5188
- C:\Windows\System32\ujsLaiH.exe
  C:\Windows\System32\ujsLaiH.exe
  2⤵
  PID:5276
- C:\Windows\System32\xxEeRzm.exe
  C:\Windows\System32\xxEeRzm.exe
  2⤵
  PID:5392
- C:\Windows\System32\bXYNXSN.exe
  C:\Windows\System32\bXYNXSN.exe
  2⤵
  PID:5476
- C:\Windows\System32\OmMtqFC.exe
  C:\Windows\System32\OmMtqFC.exe
  2⤵
  PID:5400
- C:\Windows\System32\xWhBNQs.exe
  C:\Windows\System32\xWhBNQs.exe
  2⤵
  PID:4512
- C:\Windows\System32\GqQfjTm.exe
  C:\Windows\System32\GqQfjTm.exe
  2⤵
  PID:5816
- C:\Windows\System32\jOIwaDe.exe
  C:\Windows\System32\jOIwaDe.exe
  2⤵
  PID:5840
- C:\Windows\System32\mpCPrJi.exe
  C:\Windows\System32\mpCPrJi.exe
  2⤵
  PID:4900
- C:\Windows\System32\uKPaelA.exe
  C:\Windows\System32\uKPaelA.exe
  2⤵
  PID:4080
- C:\Windows\System32\OSTcbdM.exe
  C:\Windows\System32\OSTcbdM.exe
  2⤵
  PID:6136
- C:\Windows\System32\PxopMoD.exe
  C:\Windows\System32\PxopMoD.exe
  2⤵
  PID:4292
- C:\Windows\System32\Jsxsldx.exe
  C:\Windows\System32\Jsxsldx.exe
  2⤵
  PID:5232
- C:\Windows\System32\CQOrOYF.exe
  C:\Windows\System32\CQOrOYF.exe
  2⤵
  PID:5760
- C:\Windows\System32\bFhzfHB.exe
  C:\Windows\System32\bFhzfHB.exe
  2⤵
  PID:5032
- C:\Windows\System32\lAarpvO.exe
  C:\Windows\System32\lAarpvO.exe
  2⤵
  PID:2252
- C:\Windows\System32\WowdGju.exe
  C:\Windows\System32\WowdGju.exe
  2⤵
  PID:5992
- C:\Windows\System32\rncgtBs.exe
  C:\Windows\System32\rncgtBs.exe
  2⤵
  PID:5852
- C:\Windows\System32\KdNPFgb.exe
  C:\Windows\System32\KdNPFgb.exe
  2⤵
  PID:6152
- C:\Windows\System32\vngfFix.exe
  C:\Windows\System32\vngfFix.exe
  2⤵
  PID:6168
- C:\Windows\System32\zGGiNzl.exe
  C:\Windows\System32\zGGiNzl.exe
  2⤵
  PID:6188
- C:\Windows\System32\nMAxWJF.exe
  C:\Windows\System32\nMAxWJF.exe
  2⤵
  PID:6212
- C:\Windows\System32\BiisGKs.exe
  C:\Windows\System32\BiisGKs.exe
  2⤵
  PID:6248
- C:\Windows\System32\ATsbkyj.exe
  C:\Windows\System32\ATsbkyj.exe
  2⤵
  PID:6268
- C:\Windows\System32\fJdeEDj.exe
  C:\Windows\System32\fJdeEDj.exe
  2⤵
  PID:6308
- C:\Windows\System32\GfMwTlC.exe
  C:\Windows\System32\GfMwTlC.exe
  2⤵
  PID:6328
- C:\Windows\System32\VryXaLG.exe
  C:\Windows\System32\VryXaLG.exe
  2⤵
  PID:6348
- C:\Windows\System32\oEfsqoT.exe
  C:\Windows\System32\oEfsqoT.exe
  2⤵
  PID:6364
- C:\Windows\System32\ssgqAtX.exe
  C:\Windows\System32\ssgqAtX.exe
  2⤵
  PID:6392
- C:\Windows\System32\FxFAMJE.exe
  C:\Windows\System32\FxFAMJE.exe
  2⤵
  PID:6444
- C:\Windows\System32\PMRvdxS.exe
  C:\Windows\System32\PMRvdxS.exe
  2⤵
  PID:6464
- C:\Windows\System32\SfDdHLj.exe
  C:\Windows\System32\SfDdHLj.exe
  2⤵
  PID:6528
- C:\Windows\System32\wpcfuJh.exe
  C:\Windows\System32\wpcfuJh.exe
  2⤵
  PID:6548
- C:\Windows\System32\uyDYVOB.exe
  C:\Windows\System32\uyDYVOB.exe
  2⤵
  PID:6576
- C:\Windows\System32\aNGVtLt.exe
  C:\Windows\System32\aNGVtLt.exe
  2⤵
  PID:6592
- C:\Windows\System32\ghNnbjR.exe
  C:\Windows\System32\ghNnbjR.exe
  2⤵
  PID:6644
- C:\Windows\System32\aiqCSfe.exe
  C:\Windows\System32\aiqCSfe.exe
  2⤵
  PID:6684
- C:\Windows\System32\EkMCUyR.exe
  C:\Windows\System32\EkMCUyR.exe
  2⤵
  PID:6720
- C:\Windows\System32\XoZbEBn.exe
  C:\Windows\System32\XoZbEBn.exe
  2⤵
  PID:6736
- C:\Windows\System32\PHHjHdE.exe
  C:\Windows\System32\PHHjHdE.exe
  2⤵
  PID:6752
- C:\Windows\System32\bBIURCI.exe
  C:\Windows\System32\bBIURCI.exe
  2⤵
  PID:6800
- C:\Windows\System32\uczeavv.exe
  C:\Windows\System32\uczeavv.exe
  2⤵
  PID:6820
- C:\Windows\System32\Ibhmulv.exe
  C:\Windows\System32\Ibhmulv.exe
  2⤵
  PID:6844
- C:\Windows\System32\JngjXDj.exe
  C:\Windows\System32\JngjXDj.exe
  2⤵
  PID:6864
- C:\Windows\System32\rJtvwsv.exe
  C:\Windows\System32\rJtvwsv.exe
  2⤵
  PID:6888
- C:\Windows\System32\MrxJTKq.exe
  C:\Windows\System32\MrxJTKq.exe
  2⤵
  PID:6916
- C:\Windows\System32\cTSWTXD.exe
  C:\Windows\System32\cTSWTXD.exe
  2⤵
  PID:6940
- C:\Windows\System32\cjBfWzg.exe
  C:\Windows\System32\cjBfWzg.exe
  2⤵
  PID:6956
- C:\Windows\System32\bOLYydi.exe
  C:\Windows\System32\bOLYydi.exe
  2⤵
  PID:6980
- C:\Windows\System32\ZAqMfoN.exe
  C:\Windows\System32\ZAqMfoN.exe
  2⤵
  PID:7000
- C:\Windows\System32\ookZXzn.exe
  C:\Windows\System32\ookZXzn.exe
  2⤵
  PID:7028
- C:\Windows\System32\OuassoB.exe
  C:\Windows\System32\OuassoB.exe
  2⤵
  PID:7092
- C:\Windows\System32\RlaeTpS.exe
  C:\Windows\System32\RlaeTpS.exe
  2⤵
  PID:7132
- C:\Windows\System32\iCnhDHG.exe
  C:\Windows\System32\iCnhDHG.exe
  2⤵
  PID:7164
- C:\Windows\System32\DuqAxeA.exe
  C:\Windows\System32\DuqAxeA.exe
  2⤵
  PID:6240
- C:\Windows\System32\FPruykA.exe
  C:\Windows\System32\FPruykA.exe
  2⤵
  PID:6280
- C:\Windows\System32\RZeMhUn.exe
  C:\Windows\System32\RZeMhUn.exe
  2⤵
  PID:6300
- C:\Windows\System32\eXcwISD.exe
  C:\Windows\System32\eXcwISD.exe
  2⤵
  PID:6388
- C:\Windows\System32\tqmDlhn.exe
  C:\Windows\System32\tqmDlhn.exe
  2⤵
  PID:6460
- C:\Windows\System32\RNrzUWj.exe
  C:\Windows\System32\RNrzUWj.exe
  2⤵
  PID:6588
- C:\Windows\System32\HGTCTSS.exe
  C:\Windows\System32\HGTCTSS.exe
  2⤵
  PID:6604
- C:\Windows\System32\eZDKZhg.exe
  C:\Windows\System32\eZDKZhg.exe
  2⤵
  PID:6656
- C:\Windows\System32\IAcfOMx.exe
  C:\Windows\System32\IAcfOMx.exe
  2⤵
  PID:6780
- C:\Windows\System32\fuxJclA.exe
  C:\Windows\System32\fuxJclA.exe
  2⤵
  PID:6808
- C:\Windows\System32\ZIhwDkO.exe
  C:\Windows\System32\ZIhwDkO.exe
  2⤵
  PID:6836
- C:\Windows\System32\NRFHarM.exe
  C:\Windows\System32\NRFHarM.exe
  2⤵
  PID:6924
- C:\Windows\System32\vygMPkz.exe
  C:\Windows\System32\vygMPkz.exe
  2⤵
  PID:6976
- C:\Windows\System32\fvVrfxK.exe
  C:\Windows\System32\fvVrfxK.exe
  2⤵
  PID:7036
- C:\Windows\System32\CJEjQJh.exe
  C:\Windows\System32\CJEjQJh.exe
  2⤵
  PID:7128
- C:\Windows\System32\WmaQxHg.exe
  C:\Windows\System32\WmaQxHg.exe
  2⤵
  PID:7144
- C:\Windows\System32\KoXJven.exe
  C:\Windows\System32\KoXJven.exe
  2⤵
  PID:6164
- C:\Windows\System32\dIfmURi.exe
  C:\Windows\System32\dIfmURi.exe
  2⤵
  PID:6288
- C:\Windows\System32\PaWxaFw.exe
  C:\Windows\System32\PaWxaFw.exe
  2⤵
  PID:6560
- C:\Windows\System32\IaPAHpv.exe
  C:\Windows\System32\IaPAHpv.exe
  2⤵
  PID:6776
- C:\Windows\System32\VGzqnMY.exe
  C:\Windows\System32\VGzqnMY.exe
  2⤵
  PID:6952
- C:\Windows\System32\ClysmPA.exe
  C:\Windows\System32\ClysmPA.exe
  2⤵
  PID:7124
- C:\Windows\System32\NaTZvwd.exe
  C:\Windows\System32\NaTZvwd.exe
  2⤵
  PID:6412
- C:\Windows\System32\gPtvYqj.exe
  C:\Windows\System32\gPtvYqj.exe
  2⤵
  PID:6704
- C:\Windows\System32\UJOWBUb.exe
  C:\Windows\System32\UJOWBUb.exe
  2⤵
  PID:6340
- C:\Windows\System32\QszRgmH.exe
  C:\Windows\System32\QszRgmH.exe
  2⤵
  PID:6832
- C:\Windows\System32\EfywRey.exe
  C:\Windows\System32\EfywRey.exe
  2⤵
  PID:6320
- C:\Windows\System32\PomTNqa.exe
  C:\Windows\System32\PomTNqa.exe
  2⤵
  PID:7204
- C:\Windows\System32\DFRMVEr.exe
  C:\Windows\System32\DFRMVEr.exe
  2⤵
  PID:7220
- C:\Windows\System32\lzMWahD.exe
  C:\Windows\System32\lzMWahD.exe
  2⤵
  PID:7256
- C:\Windows\System32\AvLUuVP.exe
  C:\Windows\System32\AvLUuVP.exe
  2⤵
  PID:7272
- C:\Windows\System32\GivxXiy.exe
  C:\Windows\System32\GivxXiy.exe
  2⤵
  PID:7300
- C:\Windows\System32\oCNbojo.exe
  C:\Windows\System32\oCNbojo.exe
  2⤵
  PID:7360
- C:\Windows\System32\UvFSuSr.exe
  C:\Windows\System32\UvFSuSr.exe
  2⤵
  PID:7384
- C:\Windows\System32\oExxCmM.exe
  C:\Windows\System32\oExxCmM.exe
  2⤵
  PID:7400
- C:\Windows\System32\BJwAGZB.exe
  C:\Windows\System32\BJwAGZB.exe
  2⤵
  PID:7420
- C:\Windows\System32\OFwCkNI.exe
  C:\Windows\System32\OFwCkNI.exe
  2⤵
  PID:7460
- C:\Windows\System32\LhAPVcG.exe
  C:\Windows\System32\LhAPVcG.exe
  2⤵
  PID:7480
- C:\Windows\System32\ewMpvWf.exe
  C:\Windows\System32\ewMpvWf.exe
  2⤵
  PID:7504
- C:\Windows\System32\vpmwsZS.exe
  C:\Windows\System32\vpmwsZS.exe
  2⤵
  PID:7532
- C:\Windows\System32\qAFyYWt.exe
  C:\Windows\System32\qAFyYWt.exe
  2⤵
  PID:7556
- C:\Windows\System32\TOcJUSD.exe
  C:\Windows\System32\TOcJUSD.exe
  2⤵
  PID:7600
- C:\Windows\System32\sIscUbp.exe
  C:\Windows\System32\sIscUbp.exe
  2⤵
  PID:7648
- C:\Windows\System32\uUWbMJt.exe
  C:\Windows\System32\uUWbMJt.exe
  2⤵
  PID:7664
- C:\Windows\System32\TeiOjBk.exe
  C:\Windows\System32\TeiOjBk.exe
  2⤵
  PID:7680
- C:\Windows\System32\Tgijrif.exe
  C:\Windows\System32\Tgijrif.exe
  2⤵
  PID:7720
- C:\Windows\System32\ixmidgv.exe
  C:\Windows\System32\ixmidgv.exe
  2⤵
  PID:7736
- C:\Windows\System32\naMdvHl.exe
  C:\Windows\System32\naMdvHl.exe
  2⤵
  PID:7752
- C:\Windows\System32\wPuZByr.exe
  C:\Windows\System32\wPuZByr.exe
  2⤵
  PID:7796
- C:\Windows\System32\zqYZcSv.exe
  C:\Windows\System32\zqYZcSv.exe
  2⤵
  PID:7820
- C:\Windows\System32\uBUrwyD.exe
  C:\Windows\System32\uBUrwyD.exe
  2⤵
  PID:7860
- C:\Windows\System32\HvOCbDc.exe
  C:\Windows\System32\HvOCbDc.exe
  2⤵
  PID:7884
- C:\Windows\System32\NAsRuzj.exe
  C:\Windows\System32\NAsRuzj.exe
  2⤵
  PID:7908
- C:\Windows\System32\SnGNaXi.exe
  C:\Windows\System32\SnGNaXi.exe
  2⤵
  PID:7932
- C:\Windows\System32\EchVtpr.exe
  C:\Windows\System32\EchVtpr.exe
  2⤵
  PID:7960
- C:\Windows\System32\dZtjhhJ.exe
  C:\Windows\System32\dZtjhhJ.exe
  2⤵
  PID:7984
- C:\Windows\System32\wBOXMnC.exe
  C:\Windows\System32\wBOXMnC.exe
  2⤵
  PID:8028
- C:\Windows\System32\iWcjjMP.exe
  C:\Windows\System32\iWcjjMP.exe
  2⤵
  PID:8056
- C:\Windows\System32\iyTCiKY.exe
  C:\Windows\System32\iyTCiKY.exe
  2⤵
  PID:8084
- C:\Windows\System32\GOfeSnl.exe
  C:\Windows\System32\GOfeSnl.exe
  2⤵
  PID:8112
- C:\Windows\System32\MQIXLEX.exe
  C:\Windows\System32\MQIXLEX.exe
  2⤵
  PID:8136
- C:\Windows\System32\XRGEOTk.exe
  C:\Windows\System32\XRGEOTk.exe
  2⤵
  PID:8156
- C:\Windows\System32\ySPzaHC.exe
  C:\Windows\System32\ySPzaHC.exe
  2⤵
  PID:8184
- C:\Windows\System32\HCRWava.exe
  C:\Windows\System32\HCRWava.exe
  2⤵
  PID:7196
- C:\Windows\System32\njnSYxm.exe
  C:\Windows\System32\njnSYxm.exe
  2⤵
  PID:7268
- C:\Windows\System32\eZGlLXg.exe
  C:\Windows\System32\eZGlLXg.exe
  2⤵
  PID:7316
- C:\Windows\System32\dvycfcV.exe
  C:\Windows\System32\dvycfcV.exe
  2⤵
  PID:7416
- C:\Windows\System32\LRcCvFy.exe
  C:\Windows\System32\LRcCvFy.exe
  2⤵
  PID:7472
- C:\Windows\System32\IhPepSo.exe
  C:\Windows\System32\IhPepSo.exe
  2⤵
  PID:7540
- C:\Windows\System32\ujilitg.exe
  C:\Windows\System32\ujilitg.exe
  2⤵
  PID:7592
- C:\Windows\System32\zAVlhuG.exe
  C:\Windows\System32\zAVlhuG.exe
  2⤵
  PID:7656
- C:\Windows\System32\stIUflb.exe
  C:\Windows\System32\stIUflb.exe
  2⤵
  PID:7808
- C:\Windows\System32\CrXkRJK.exe
  C:\Windows\System32\CrXkRJK.exe
  2⤵
  PID:7788
- C:\Windows\System32\wxfryVV.exe
  C:\Windows\System32\wxfryVV.exe
  2⤵
  PID:7868
- C:\Windows\System32\NIClvYE.exe
  C:\Windows\System32\NIClvYE.exe
  2⤵
  PID:7944
- C:\Windows\System32\SEVyboj.exe
  C:\Windows\System32\SEVyboj.exe
  2⤵
  PID:7980
- C:\Windows\System32\YHBqnSY.exe
  C:\Windows\System32\YHBqnSY.exe
  2⤵
  PID:8004
- C:\Windows\System32\BUZFDPY.exe
  C:\Windows\System32\BUZFDPY.exe
  2⤵
  PID:8144
- C:\Windows\System32\jBZxobT.exe
  C:\Windows\System32\jBZxobT.exe
  2⤵
  PID:7228
- C:\Windows\System32\nZMsPHA.exe
  C:\Windows\System32\nZMsPHA.exe
  2⤵
  PID:7380
- C:\Windows\System32\jhanCRi.exe
  C:\Windows\System32\jhanCRi.exe
  2⤵
  PID:7488
- C:\Windows\System32\SFrNQkg.exe
  C:\Windows\System32\SFrNQkg.exe
  2⤵
  PID:7636
- C:\Windows\System32\FRtBBBb.exe
  C:\Windows\System32\FRtBBBb.exe
  2⤵
  PID:7792
- C:\Windows\System32\MICOrxw.exe
  C:\Windows\System32\MICOrxw.exe
  2⤵
  PID:7920
- C:\Windows\System32\AaQFSKA.exe
  C:\Windows\System32\AaQFSKA.exe
  2⤵
  PID:8096
- C:\Windows\System32\wuCZDhC.exe
  C:\Windows\System32\wuCZDhC.exe
  2⤵
  PID:8168
- C:\Windows\System32\BUNwDgU.exe
  C:\Windows\System32\BUNwDgU.exe
  2⤵
  PID:7440
- C:\Windows\System32\lmiPvWM.exe
  C:\Windows\System32\lmiPvWM.exe
  2⤵
  PID:7696
- C:\Windows\System32\HaKwWYq.exe
  C:\Windows\System32\HaKwWYq.exe
  2⤵
  PID:8264
- C:\Windows\System32\iTSrWAY.exe
  C:\Windows\System32\iTSrWAY.exe
  2⤵
  PID:8280
- C:\Windows\System32\lHcKnsy.exe
  C:\Windows\System32\lHcKnsy.exe
  2⤵
  PID:8296
- C:\Windows\System32\aSMYizU.exe
  C:\Windows\System32\aSMYizU.exe
  2⤵
  PID:8340
- C:\Windows\System32\HpRoqiB.exe
  C:\Windows\System32\HpRoqiB.exe
  2⤵
  PID:8360
- C:\Windows\System32\RBbTbEX.exe
  C:\Windows\System32\RBbTbEX.exe
  2⤵
  PID:8376
- C:\Windows\System32\WXemmUF.exe
  C:\Windows\System32\WXemmUF.exe
  2⤵
  PID:8484
- C:\Windows\System32\lLMShpW.exe
  C:\Windows\System32\lLMShpW.exe
  2⤵
  PID:8504
- C:\Windows\System32\lIMFtsd.exe
  C:\Windows\System32\lIMFtsd.exe
  2⤵
  PID:8540
- C:\Windows\System32\TmjTeQu.exe
  C:\Windows\System32\TmjTeQu.exe
  2⤵
  PID:8564
- C:\Windows\System32\zZBrsBW.exe
  C:\Windows\System32\zZBrsBW.exe
  2⤵
  PID:8600
- C:\Windows\System32\JCwTCnt.exe
  C:\Windows\System32\JCwTCnt.exe
  2⤵
  PID:8636
- C:\Windows\System32\EXDOTUw.exe
  C:\Windows\System32\EXDOTUw.exe
  2⤵
  PID:8660
- C:\Windows\System32\EgVpBoq.exe
  C:\Windows\System32\EgVpBoq.exe
  2⤵
  PID:8676
- C:\Windows\System32\QrBccxj.exe
  C:\Windows\System32\QrBccxj.exe
  2⤵
  PID:8716
- C:\Windows\System32\JgMEgGr.exe
  C:\Windows\System32\JgMEgGr.exe
  2⤵
  PID:8744
- C:\Windows\System32\jGbUeba.exe
  C:\Windows\System32\jGbUeba.exe
  2⤵
  PID:8772
- C:\Windows\System32\tEuhvTV.exe
  C:\Windows\System32\tEuhvTV.exe
  2⤵
  PID:8800
- C:\Windows\System32\ZondjOV.exe
  C:\Windows\System32\ZondjOV.exe
  2⤵
  PID:8828
- C:\Windows\System32\tIvpPcS.exe
  C:\Windows\System32\tIvpPcS.exe
  2⤵
  PID:8848
- C:\Windows\System32\FLMOcEq.exe
  C:\Windows\System32\FLMOcEq.exe
  2⤵
  PID:8876
- C:\Windows\System32\QoaeEUe.exe
  C:\Windows\System32\QoaeEUe.exe
  2⤵
  PID:8900
- C:\Windows\System32\DNILVvD.exe
  C:\Windows\System32\DNILVvD.exe
  2⤵
  PID:8924
- C:\Windows\System32\KHkBobU.exe
  C:\Windows\System32\KHkBobU.exe
  2⤵
  PID:8940
- C:\Windows\System32\HcaiznZ.exe
  C:\Windows\System32\HcaiznZ.exe
  2⤵
  PID:8996
- C:\Windows\System32\jWjlDYV.exe
  C:\Windows\System32\jWjlDYV.exe
  2⤵
  PID:9016
- C:\Windows\System32\nbXwoWm.exe
  C:\Windows\System32\nbXwoWm.exe
  2⤵
  PID:9060
- C:\Windows\System32\zUZkEvJ.exe
  C:\Windows\System32\zUZkEvJ.exe
  2⤵
  PID:9084
- C:\Windows\System32\ayrogvT.exe
  C:\Windows\System32\ayrogvT.exe
  2⤵
  PID:9104
- C:\Windows\System32\tNpJtTX.exe
  C:\Windows\System32\tNpJtTX.exe
  2⤵
  PID:9120
- C:\Windows\System32\ygGHlwB.exe
  C:\Windows\System32\ygGHlwB.exe
  2⤵
  PID:9140
- C:\Windows\System32\nomNGFY.exe
  C:\Windows\System32\nomNGFY.exe
  2⤵
  PID:9160
- C:\Windows\System32\RVJeSfO.exe
  C:\Windows\System32\RVJeSfO.exe
  2⤵
  PID:9212
- C:\Windows\System32\QKfYSWt.exe
  C:\Windows\System32\QKfYSWt.exe
  2⤵
  PID:8200
- C:\Windows\System32\sztPXCD.exe
  C:\Windows\System32\sztPXCD.exe
  2⤵
  PID:8312
- C:\Windows\System32\GpGDVdr.exe
  C:\Windows\System32\GpGDVdr.exe
  2⤵
  PID:8244
- C:\Windows\System32\NbwKRin.exe
  C:\Windows\System32\NbwKRin.exe
  2⤵
  PID:8392
- C:\Windows\System32\XmQuryM.exe
  C:\Windows\System32\XmQuryM.exe
  2⤵
  PID:8348
- C:\Windows\System32\AGGMiPu.exe
  C:\Windows\System32\AGGMiPu.exe
  2⤵
  PID:8448
- C:\Windows\System32\clwPIgC.exe
  C:\Windows\System32\clwPIgC.exe
  2⤵
  PID:8552
- C:\Windows\System32\OpzwYfG.exe
  C:\Windows\System32\OpzwYfG.exe
  2⤵
  PID:8584
- C:\Windows\System32\sWzeugq.exe
  C:\Windows\System32\sWzeugq.exe
  2⤵
  PID:8672
- C:\Windows\System32\zHKYFTM.exe
  C:\Windows\System32\zHKYFTM.exe
  2⤵
  PID:8736
- C:\Windows\System32\fMgivoj.exe
  C:\Windows\System32\fMgivoj.exe
  2⤵
  PID:8784
- C:\Windows\System32\EVQjUEI.exe
  C:\Windows\System32\EVQjUEI.exe
  2⤵
  PID:8892
- C:\Windows\System32\YHwGjrb.exe
  C:\Windows\System32\YHwGjrb.exe
  2⤵
  PID:8916
- C:\Windows\System32\PGMtNLZ.exe
  C:\Windows\System32\PGMtNLZ.exe
  2⤵
  PID:9008
- C:\Windows\System32\GwjPzbt.exe
  C:\Windows\System32\GwjPzbt.exe
  2⤵
  PID:9112
- C:\Windows\System32\OUVXQuX.exe
  C:\Windows\System32\OUVXQuX.exe
  2⤵
  PID:9092
- C:\Windows\System32\JvdWuqo.exe
  C:\Windows\System32\JvdWuqo.exe
  2⤵
  PID:8248
- C:\Windows\System32\AprYDIc.exe
  C:\Windows\System32\AprYDIc.exe
  2⤵
  PID:7244
- C:\Windows\System32\iEALbEu.exe
  C:\Windows\System32\iEALbEu.exe
  2⤵
  PID:8232
- C:\Windows\System32\mPXSYur.exe
  C:\Windows\System32\mPXSYur.exe
  2⤵
  PID:8412
- C:\Windows\System32\FfFRUAs.exe
  C:\Windows\System32\FfFRUAs.exe
  2⤵
  PID:8596
- C:\Windows\System32\YwzgSat.exe
  C:\Windows\System32\YwzgSat.exe
  2⤵
  PID:8728
- C:\Windows\System32\AIgMHNO.exe
  C:\Windows\System32\AIgMHNO.exe
  2⤵
  PID:8936
- C:\Windows\System32\fuoLCYn.exe
  C:\Windows\System32\fuoLCYn.exe
  2⤵
  PID:9136
- C:\Windows\System32\EnUlqFW.exe
  C:\Windows\System32\EnUlqFW.exe
  2⤵
  PID:8012
- C:\Windows\System32\FKsAslP.exe
  C:\Windows\System32\FKsAslP.exe
  2⤵
  PID:8428
- C:\Windows\System32\vDRNcIu.exe
  C:\Windows\System32\vDRNcIu.exe
  2⤵
  PID:8648
- C:\Windows\System32\wBytDcv.exe
  C:\Windows\System32\wBytDcv.exe
  2⤵
  PID:8356
- C:\Windows\System32\sFqhtTd.exe
  C:\Windows\System32\sFqhtTd.exe
  2⤵
  PID:8224
- C:\Windows\System32\BtsTOae.exe
  C:\Windows\System32\BtsTOae.exe
  2⤵
  PID:9224
- C:\Windows\System32\GsEQRHd.exe
  C:\Windows\System32\GsEQRHd.exe
  2⤵
  PID:9240
- C:\Windows\System32\EBptcIv.exe
  C:\Windows\System32\EBptcIv.exe
  2⤵
  PID:9268
- C:\Windows\System32\taCiCef.exe
  C:\Windows\System32\taCiCef.exe
  2⤵
  PID:9304
- C:\Windows\System32\LqQqtTj.exe
  C:\Windows\System32\LqQqtTj.exe
  2⤵
  PID:9340
- C:\Windows\System32\XCpEHfk.exe
  C:\Windows\System32\XCpEHfk.exe
  2⤵
  PID:9360
- C:\Windows\System32\gAeClpy.exe
  C:\Windows\System32\gAeClpy.exe
  2⤵
  PID:9396
- C:\Windows\System32\UAJGFOA.exe
  C:\Windows\System32\UAJGFOA.exe
  2⤵
  PID:9412
- C:\Windows\System32\UnZiHBu.exe
  C:\Windows\System32\UnZiHBu.exe
  2⤵
  PID:9452
- C:\Windows\System32\EYRrmJW.exe
  C:\Windows\System32\EYRrmJW.exe
  2⤵
  PID:9476
- C:\Windows\System32\trVeXMY.exe
  C:\Windows\System32\trVeXMY.exe
  2⤵
  PID:9492
- C:\Windows\System32\fxKjofc.exe
  C:\Windows\System32\fxKjofc.exe
  2⤵
  PID:9524
- C:\Windows\System32\EcUPGcR.exe
  C:\Windows\System32\EcUPGcR.exe
  2⤵
  PID:9548
- C:\Windows\System32\gAzZmua.exe
  C:\Windows\System32\gAzZmua.exe
  2⤵
  PID:9572
- C:\Windows\System32\JILrMiY.exe
  C:\Windows\System32\JILrMiY.exe
  2⤵
  PID:9592
- C:\Windows\System32\QwMBEUT.exe
  C:\Windows\System32\QwMBEUT.exe
  2⤵
  PID:9636
- C:\Windows\System32\mneUHtN.exe
  C:\Windows\System32\mneUHtN.exe
  2⤵
  PID:9688
- C:\Windows\System32\kHzpVxr.exe
  C:\Windows\System32\kHzpVxr.exe
  2⤵
  PID:9704
- C:\Windows\System32\rFJwpsM.exe
  C:\Windows\System32\rFJwpsM.exe
  2⤵
  PID:9724
- C:\Windows\System32\Sqtektz.exe
  C:\Windows\System32\Sqtektz.exe
  2⤵
  PID:9744
- C:\Windows\System32\JOdAhsP.exe
  C:\Windows\System32\JOdAhsP.exe
  2⤵
  PID:9772
- C:\Windows\System32\dFQNZWE.exe
  C:\Windows\System32\dFQNZWE.exe
  2⤵
  PID:9796
- C:\Windows\System32\jvigDNQ.exe
  C:\Windows\System32\jvigDNQ.exe
  2⤵
  PID:9836
- C:\Windows\System32\HOVPUVi.exe
  C:\Windows\System32\HOVPUVi.exe
  2⤵
  PID:9884
- C:\Windows\System32\wLnBxfV.exe
  C:\Windows\System32\wLnBxfV.exe
  2⤵
  PID:9904
- C:\Windows\System32\ZIKZfbq.exe
  C:\Windows\System32\ZIKZfbq.exe
  2⤵
  PID:9952
- C:\Windows\System32\snOBUbc.exe
  C:\Windows\System32\snOBUbc.exe
  2⤵
  PID:9968
- C:\Windows\System32\edCFsYG.exe
  C:\Windows\System32\edCFsYG.exe
  2⤵
  PID:9992
- C:\Windows\System32\HKMIHef.exe
  C:\Windows\System32\HKMIHef.exe
  2⤵
  PID:10020
- C:\Windows\System32\MizlZqb.exe
  C:\Windows\System32\MizlZqb.exe
  2⤵
  PID:10044
- C:\Windows\System32\QnAgsNJ.exe
  C:\Windows\System32\QnAgsNJ.exe
  2⤵
  PID:10072
- C:\Windows\System32\eVyQJjE.exe
  C:\Windows\System32\eVyQJjE.exe
  2⤵
  PID:10088
- C:\Windows\System32\VjEHXNi.exe
  C:\Windows\System32\VjEHXNi.exe
  2⤵
  PID:10108
- C:\Windows\System32\QmIhsUS.exe
  C:\Windows\System32\QmIhsUS.exe
  2⤵
  PID:10200
- C:\Windows\System32\NfQMIiT.exe
  C:\Windows\System32\NfQMIiT.exe
  2⤵
  PID:10224
- C:\Windows\System32\DgzNjSb.exe
  C:\Windows\System32\DgzNjSb.exe
  2⤵
  PID:9248
- C:\Windows\System32\jrfLbGj.exe
  C:\Windows\System32\jrfLbGj.exe
  2⤵
  PID:9336
- C:\Windows\System32\gKQKvDZ.exe
  C:\Windows\System32\gKQKvDZ.exe
  2⤵
  PID:9380
- C:\Windows\System32\eDqamOm.exe
  C:\Windows\System32\eDqamOm.exe
  2⤵
  PID:9404
- C:\Windows\System32\IMKjApK.exe
  C:\Windows\System32\IMKjApK.exe
  2⤵
  PID:9520
- C:\Windows\System32\uuOhxNI.exe
  C:\Windows\System32\uuOhxNI.exe
  2⤵
  PID:9608
- C:\Windows\System32\VcAEYTh.exe
  C:\Windows\System32\VcAEYTh.exe
  2⤵
  PID:9168
- C:\Windows\System32\iZqYEVD.exe
  C:\Windows\System32\iZqYEVD.exe
  2⤵
  PID:9756
- C:\Windows\System32\uThzoeY.exe
  C:\Windows\System32\uThzoeY.exe
  2⤵
  PID:9844
- C:\Windows\System32\ipRBTBA.exe
  C:\Windows\System32\ipRBTBA.exe
  2⤵
  PID:9852
- C:\Windows\System32\VZyNDCV.exe
  C:\Windows\System32\VZyNDCV.exe
  2⤵
  PID:10028
- C:\Windows\System32\joHUYgX.exe
  C:\Windows\System32\joHUYgX.exe
  2⤵
  PID:10008
- C:\Windows\System32\MwtqhMy.exe
  C:\Windows\System32\MwtqhMy.exe
  2⤵
  PID:10180
- C:\Windows\System32\frcyvaT.exe
  C:\Windows\System32\frcyvaT.exe
  2⤵
  PID:9316
- C:\Windows\System32\FTHexrT.exe
  C:\Windows\System32\FTHexrT.exe
  2⤵
  PID:9540
- C:\Windows\System32\hujgruJ.exe
  C:\Windows\System32\hujgruJ.exe
  2⤵
  PID:9696
- C:\Windows\System32\rQpRlFI.exe
  C:\Windows\System32\rQpRlFI.exe
  2⤵
  PID:9868
- C:\Windows\System32\RLjrsks.exe
  C:\Windows\System32\RLjrsks.exe
  2⤵
  PID:10236
- C:\Windows\System32\LuCPkIn.exe
  C:\Windows\System32\LuCPkIn.exe
  2⤵
  PID:9676
- C:\Windows\System32\sretoIO.exe
  C:\Windows\System32\sretoIO.exe
  2⤵
  PID:9812
- C:\Windows\System32\jcDEQeZ.exe
  C:\Windows\System32\jcDEQeZ.exe
  2⤵
  PID:10252
- C:\Windows\System32\wzuwmvJ.exe
  C:\Windows\System32\wzuwmvJ.exe
  2⤵
  PID:10276
- C:\Windows\System32\ZLEIlhE.exe
  C:\Windows\System32\ZLEIlhE.exe
  2⤵
  PID:10300
- C:\Windows\System32\hCJRSOE.exe
  C:\Windows\System32\hCJRSOE.exe
  2⤵
  PID:10320
- C:\Windows\System32\CbaxZsX.exe
  C:\Windows\System32\CbaxZsX.exe
  2⤵
  PID:10340
- C:\Windows\System32\sURRoBQ.exe
  C:\Windows\System32\sURRoBQ.exe
  2⤵
  PID:10364
- C:\Windows\System32\jcyAuLJ.exe
  C:\Windows\System32\jcyAuLJ.exe
  2⤵
  PID:10380
- C:\Windows\System32\TMNlGtd.exe
  C:\Windows\System32\TMNlGtd.exe
  2⤵
  PID:10412
- C:\Windows\System32\euMnCQJ.exe
  C:\Windows\System32\euMnCQJ.exe
  2⤵
  PID:10432
- C:\Windows\System32\tSRWfdf.exe
  C:\Windows\System32\tSRWfdf.exe
  2⤵
  PID:10456
- C:\Windows\System32\QeDuRqo.exe
  C:\Windows\System32\QeDuRqo.exe
  2⤵
  PID:10576
- C:\Windows\System32\jqbACTt.exe
  C:\Windows\System32\jqbACTt.exe
  2⤵
  PID:10592
- C:\Windows\System32\XsrNwzS.exe
  C:\Windows\System32\XsrNwzS.exe
  2⤵
  PID:10608
- C:\Windows\System32\kCkVskO.exe
  C:\Windows\System32\kCkVskO.exe
  2⤵
  PID:10636
- C:\Windows\System32\uYRivHF.exe
  C:\Windows\System32\uYRivHF.exe
  2⤵
  PID:10664
- C:\Windows\System32\VPNMHWj.exe
  C:\Windows\System32\VPNMHWj.exe
  2⤵
  PID:10696
- C:\Windows\System32\IdTpeJG.exe
  C:\Windows\System32\IdTpeJG.exe
  2⤵
  PID:10728
- C:\Windows\System32\yTCyTLv.exe
  C:\Windows\System32\yTCyTLv.exe
  2⤵
  PID:10760
- C:\Windows\System32\PYUdhLQ.exe
  C:\Windows\System32\PYUdhLQ.exe
  2⤵
  PID:10780
- C:\Windows\System32\CkuRxkD.exe
  C:\Windows\System32\CkuRxkD.exe
  2⤵
  PID:10808
- C:\Windows\System32\LIzdBcS.exe
  C:\Windows\System32\LIzdBcS.exe
  2⤵
  PID:10840
- C:\Windows\System32\jleWceW.exe
  C:\Windows\System32\jleWceW.exe
  2⤵
  PID:10860
- C:\Windows\System32\pbxxzEB.exe
  C:\Windows\System32\pbxxzEB.exe
  2⤵
  PID:10888
- C:\Windows\System32\noZcAcG.exe
  C:\Windows\System32\noZcAcG.exe
  2⤵
  PID:10928
- C:\Windows\System32\pGDMowh.exe
  C:\Windows\System32\pGDMowh.exe
  2⤵
  PID:10980
- C:\Windows\System32\MOlVQTX.exe
  C:\Windows\System32\MOlVQTX.exe
  2⤵
  PID:10996
- C:\Windows\System32\emTfMxG.exe
  C:\Windows\System32\emTfMxG.exe
  2⤵
  PID:11032
- C:\Windows\System32\saqvggr.exe
  C:\Windows\System32\saqvggr.exe
  2⤵
  PID:11064
- C:\Windows\System32\YDlMkdj.exe
  C:\Windows\System32\YDlMkdj.exe
  2⤵
  PID:11088
- C:\Windows\System32\zBjdspG.exe
  C:\Windows\System32\zBjdspG.exe
  2⤵
  PID:11120
- C:\Windows\System32\EAXVUcr.exe
  C:\Windows\System32\EAXVUcr.exe
  2⤵
  PID:11148
- C:\Windows\System32\driKgjo.exe
  C:\Windows\System32\driKgjo.exe
  2⤵
  PID:11176
- C:\Windows\System32\IFDLgeP.exe
  C:\Windows\System32\IFDLgeP.exe
  2⤵
  PID:11196
- C:\Windows\System32\FyyjSVf.exe
  C:\Windows\System32\FyyjSVf.exe
  2⤵
  PID:11212
- C:\Windows\System32\gwuGVin.exe
  C:\Windows\System32\gwuGVin.exe
  2⤵
  PID:10268
- C:\Windows\System32\HPkbmnP.exe
  C:\Windows\System32\HPkbmnP.exe
  2⤵
  PID:10260
- C:\Windows\System32\uDvdHdH.exe
  C:\Windows\System32\uDvdHdH.exe
  2⤵
  PID:10356
- C:\Windows\System32\oTVrOhc.exe
  C:\Windows\System32\oTVrOhc.exe
  2⤵
  PID:10424
- C:\Windows\System32\cKbxCNb.exe
  C:\Windows\System32\cKbxCNb.exe
  2⤵
  PID:10504
- C:\Windows\System32\xflImYD.exe
  C:\Windows\System32\xflImYD.exe
  2⤵
  PID:10532
- C:\Windows\System32\RiGlBKf.exe
  C:\Windows\System32\RiGlBKf.exe
  2⤵
  PID:10584
- C:\Windows\System32\HCnOefT.exe
  C:\Windows\System32\HCnOefT.exe
  2⤵
  PID:10692
- C:\Windows\System32\SHUMRDb.exe
  C:\Windows\System32\SHUMRDb.exe
  2⤵
  PID:10772
- C:\Windows\System32\riKkexl.exe
  C:\Windows\System32\riKkexl.exe
  2⤵
  PID:10804
- C:\Windows\System32\CHtbqrD.exe
  C:\Windows\System32\CHtbqrD.exe
  2⤵
  PID:10908
- C:\Windows\System32\BPABohM.exe
  C:\Windows\System32\BPABohM.exe
  2⤵
  PID:10992
- C:\Windows\System32\UoawCdA.exe
  C:\Windows\System32\UoawCdA.exe
  2⤵
  PID:11016
- C:\Windows\System32\edpKoAt.exe
  C:\Windows\System32\edpKoAt.exe
  2⤵
  PID:11096
- C:\Windows\System32\wgXviHc.exe
  C:\Windows\System32\wgXviHc.exe
  2⤵
  PID:11140
- C:\Windows\System32\oRzHNAC.exe
  C:\Windows\System32\oRzHNAC.exe
  2⤵
  PID:11192
- C:\Windows\System32\CaqmOwz.exe
  C:\Windows\System32\CaqmOwz.exe
  2⤵
  PID:11220
- C:\Windows\System32\tPhqPLN.exe
  C:\Windows\System32\tPhqPLN.exe
  2⤵
  PID:10332
- C:\Windows\System32\MIYNjyF.exe
  C:\Windows\System32\MIYNjyF.exe
  2⤵
  PID:10496
- C:\Windows\System32\ZoiCyLt.exe
  C:\Windows\System32\ZoiCyLt.exe
  2⤵
  PID:10716
- C:\Windows\System32\BPwGYMP.exe
  C:\Windows\System32\BPwGYMP.exe
  2⤵
  PID:10972
- C:\Windows\System32\LyvZjqR.exe
  C:\Windows\System32\LyvZjqR.exe
  2⤵
  PID:11060
- C:\Windows\System32\vrhojyn.exe
  C:\Windows\System32\vrhojyn.exe
  2⤵
  PID:10292
- C:\Windows\System32\sbKjzDt.exe
  C:\Windows\System32\sbKjzDt.exe
  2⤵
  PID:10564
- C:\Windows\System32\cdLKSEs.exe
  C:\Windows\System32\cdLKSEs.exe
  2⤵
  PID:10848
- C:\Windows\System32\tZTwaqR.exe
  C:\Windows\System32\tZTwaqR.exe
  2⤵
  PID:11132
- C:\Windows\System32\hWKRWaK.exe
  C:\Windows\System32\hWKRWaK.exe
  2⤵
  PID:10588
- C:\Windows\System32\ALxEJDx.exe
  C:\Windows\System32\ALxEJDx.exe
  2⤵
  PID:1568
- C:\Windows\System32\PSDOZIJ.exe
  C:\Windows\System32\PSDOZIJ.exe
  2⤵
  PID:11284
- C:\Windows\System32\KbGKXjI.exe
  C:\Windows\System32\KbGKXjI.exe
  2⤵
  PID:11308
- C:\Windows\System32\nahdNLG.exe
  C:\Windows\System32\nahdNLG.exe
  2⤵
  PID:11364
- C:\Windows\System32\KVzQIql.exe
  C:\Windows\System32\KVzQIql.exe
  2⤵
  PID:11388
- C:\Windows\System32\bpCyiep.exe
  C:\Windows\System32\bpCyiep.exe
  2⤵
  PID:11416
- C:\Windows\System32\xrBqOUa.exe
  C:\Windows\System32\xrBqOUa.exe
  2⤵
  PID:11440
- C:\Windows\System32\wAdOwgn.exe
  C:\Windows\System32\wAdOwgn.exe
  2⤵
  PID:11460
- C:\Windows\System32\sjWJHEv.exe
  C:\Windows\System32\sjWJHEv.exe
  2⤵
  PID:11496
- C:\Windows\System32\GLjJPqV.exe
  C:\Windows\System32\GLjJPqV.exe
  2⤵
  PID:11520
- C:\Windows\System32\vWhCHDm.exe
  C:\Windows\System32\vWhCHDm.exe
  2⤵
  PID:11560
- C:\Windows\System32\uEGkEpy.exe
  C:\Windows\System32\uEGkEpy.exe
  2⤵
  PID:11592
- C:\Windows\System32\JDjTtSL.exe
  C:\Windows\System32\JDjTtSL.exe
  2⤵
  PID:11620
- C:\Windows\System32\xjHADHG.exe
  C:\Windows\System32\xjHADHG.exe
  2⤵
  PID:11644
- C:\Windows\System32\EUgahSz.exe
  C:\Windows\System32\EUgahSz.exe
  2⤵
  PID:11672
- C:\Windows\System32\SPtOglo.exe
  C:\Windows\System32\SPtOglo.exe
  2⤵
  PID:11700
- C:\Windows\System32\yvGXfNG.exe
  C:\Windows\System32\yvGXfNG.exe
  2⤵
  PID:11724
- C:\Windows\System32\XzkDcSb.exe
  C:\Windows\System32\XzkDcSb.exe
  2⤵
  PID:11756
- C:\Windows\System32\KGouWpj.exe
  C:\Windows\System32\KGouWpj.exe
  2⤵
  PID:11788
- C:\Windows\System32\HYXSgjd.exe
  C:\Windows\System32\HYXSgjd.exe
  2⤵
  PID:11808
- C:\Windows\System32\Uqzydni.exe
  C:\Windows\System32\Uqzydni.exe
  2⤵
  PID:11832
- C:\Windows\System32\TpcoiTi.exe
  C:\Windows\System32\TpcoiTi.exe
  2⤵
  PID:11876
- C:\Windows\System32\yLSrvUQ.exe
  C:\Windows\System32\yLSrvUQ.exe
  2⤵
  PID:11892
- C:\Windows\System32\bSQDYTj.exe
  C:\Windows\System32\bSQDYTj.exe
  2⤵
  PID:11912
- C:\Windows\System32\UrskjgL.exe
  C:\Windows\System32\UrskjgL.exe
  2⤵
  PID:11936
- C:\Windows\System32\ggvgHCE.exe
  C:\Windows\System32\ggvgHCE.exe
  2⤵
  PID:11960
- C:\Windows\System32\kFDmBto.exe
  C:\Windows\System32\kFDmBto.exe
  2⤵
  PID:11988
- C:\Windows\System32\RKgRwDx.exe
  C:\Windows\System32\RKgRwDx.exe
  2⤵
  PID:12032
- C:\Windows\System32\WcxnEmg.exe
  C:\Windows\System32\WcxnEmg.exe
  2⤵
  PID:12060
- C:\Windows\System32\VoUZabg.exe
  C:\Windows\System32\VoUZabg.exe
  2⤵
  PID:12100
- C:\Windows\System32\UgycgEz.exe
  C:\Windows\System32\UgycgEz.exe
  2⤵
  PID:12128
- C:\Windows\System32\mULyOLP.exe
  C:\Windows\System32\mULyOLP.exe
  2⤵
  PID:12156
- C:\Windows\System32\rirZPye.exe
  C:\Windows\System32\rirZPye.exe
  2⤵
  PID:12184
- C:\Windows\System32\wMmLjZP.exe
  C:\Windows\System32\wMmLjZP.exe
  2⤵
  PID:12212
- C:\Windows\System32\XLvVbXr.exe
  C:\Windows\System32\XLvVbXr.exe
  2⤵
  PID:12264
- C:\Windows\System32\DeoyxLu.exe
  C:\Windows\System32\DeoyxLu.exe
  2⤵
  PID:10572
- C:\Windows\System32\ecnJdIF.exe
  C:\Windows\System32\ecnJdIF.exe
  2⤵
  PID:11292
- C:\Windows\System32\YkusEug.exe
  C:\Windows\System32\YkusEug.exe
  2⤵
  PID:11384
- C:\Windows\System32\YJWvgLQ.exe
  C:\Windows\System32\YJWvgLQ.exe
  2⤵
  PID:11448
- C:\Windows\System32\KJlaYEC.exe
  C:\Windows\System32\KJlaYEC.exe
  2⤵
  PID:11484
- C:\Windows\System32\QVpEOYf.exe
  C:\Windows\System32\QVpEOYf.exe
  2⤵
  PID:11572
- C:\Windows\System32\pDHnzHo.exe
  C:\Windows\System32\pDHnzHo.exe
  2⤵
  PID:11664
- C:\Windows\System32\jcMduND.exe
  C:\Windows\System32\jcMduND.exe
  2⤵
  PID:11752
- C:\Windows\System32\qFJuBde.exe
  C:\Windows\System32\qFJuBde.exe
  2⤵
  PID:11800
- C:\Windows\System32\JIMPojT.exe
  C:\Windows\System32\JIMPojT.exe
  2⤵
  PID:11908
- C:\Windows\System32\HFxRUFH.exe
  C:\Windows\System32\HFxRUFH.exe
  2⤵
  PID:11952
- C:\Windows\System32\EfurxUo.exe
  C:\Windows\System32\EfurxUo.exe
  2⤵
  PID:12016
- C:\Windows\System32\ZAsZTWL.exe
  C:\Windows\System32\ZAsZTWL.exe
  2⤵
  PID:12088
- C:\Windows\System32\cKdyBgC.exe
  C:\Windows\System32\cKdyBgC.exe
  2⤵
  PID:12152
- C:\Windows\System32\SADQBeN.exe
  C:\Windows\System32\SADQBeN.exe
  2⤵
  PID:12236
- C:\Windows\System32\PYCrVfm.exe
  C:\Windows\System32\PYCrVfm.exe
  2⤵
  PID:11380
- C:\Windows\System32\BFjdfIM.exe
  C:\Windows\System32\BFjdfIM.exe
  2⤵
  PID:11456
- C:\Windows\System32\KIZmoNP.exe
  C:\Windows\System32\KIZmoNP.exe
  2⤵
  PID:11576
- C:\Windows\System32\oMkpaDo.exe
  C:\Windows\System32\oMkpaDo.exe
  2⤵
  PID:11740
- C:\Windows\System32\SDmTHpQ.exe
  C:\Windows\System32\SDmTHpQ.exe
  2⤵
  PID:11804
- C:\Windows\System32\ugcbFLq.exe
  C:\Windows\System32\ugcbFLq.exe
  2⤵
  PID:11924
- C:\Windows\System32\NVDFshT.exe
  C:\Windows\System32\NVDFshT.exe
  2⤵
  PID:12200
- C:\Windows\System32\XTpOgBL.exe
  C:\Windows\System32\XTpOgBL.exe
  2⤵
  PID:11184
- C:\Windows\System32\PgwkMZL.exe
  C:\Windows\System32\PgwkMZL.exe
  2⤵
  PID:11688
- C:\Windows\System32\IvAFoyJ.exe
  C:\Windows\System32\IvAFoyJ.exe
  2⤵
  PID:12056
- C:\Windows\System32\IIEYyBp.exe
  C:\Windows\System32\IIEYyBp.exe
  2⤵
  PID:12272
- C:\Windows\System32\mwxbELf.exe
  C:\Windows\System32\mwxbELf.exe
  2⤵
  PID:12300
- C:\Windows\System32\QbHfxOR.exe
  C:\Windows\System32\QbHfxOR.exe
  2⤵
  PID:12348
- C:\Windows\System32\fakWMwn.exe
  C:\Windows\System32\fakWMwn.exe
  2⤵
  PID:12372
- C:\Windows\System32\lxzjGuc.exe
  C:\Windows\System32\lxzjGuc.exe
  2⤵
  PID:12396
- C:\Windows\System32\UjADyXo.exe
  C:\Windows\System32\UjADyXo.exe
  2⤵
  PID:12436
- C:\Windows\System32\YiYzzUJ.exe
  C:\Windows\System32\YiYzzUJ.exe
  2⤵
  PID:12464
- C:\Windows\System32\JOaxhPh.exe
  C:\Windows\System32\JOaxhPh.exe
  2⤵
  PID:12492
- C:\Windows\System32\THslFqH.exe
  C:\Windows\System32\THslFqH.exe
  2⤵
  PID:12508
- C:\Windows\System32\ADBIgVZ.exe
  C:\Windows\System32\ADBIgVZ.exe
  2⤵
  PID:12536
- C:\Windows\System32\oCMmWty.exe
  C:\Windows\System32\oCMmWty.exe
  2⤵
  PID:12564
- C:\Windows\System32\uwiHMaq.exe
  C:\Windows\System32\uwiHMaq.exe
  2⤵
  PID:12592
- C:\Windows\System32\HxtkLeC.exe
  C:\Windows\System32\HxtkLeC.exe
  2⤵
  PID:12628
- C:\Windows\System32\SnuZItn.exe
  C:\Windows\System32\SnuZItn.exe
  2⤵
  PID:12652
- C:\Windows\System32\HozbKni.exe
  C:\Windows\System32\HozbKni.exe
  2⤵
  PID:12688
- C:\Windows\System32\ckrjWWU.exe
  C:\Windows\System32\ckrjWWU.exe
  2⤵
  PID:12704
- C:\Windows\System32\SLiQili.exe
  C:\Windows\System32\SLiQili.exe
  2⤵
  PID:12728
- C:\Windows\System32\HMsfDZs.exe
  C:\Windows\System32\HMsfDZs.exe
  2⤵
  PID:12748
- C:\Windows\System32\zvVujwf.exe
  C:\Windows\System32\zvVujwf.exe
  2⤵
  PID:12796
- C:\Windows\System32\NsYKWBR.exe
  C:\Windows\System32\NsYKWBR.exe
  2⤵
  PID:12840
- C:\Windows\System32\vPQDKaP.exe
  C:\Windows\System32\vPQDKaP.exe
  2⤵
  PID:12856
- C:\Windows\System32\aoGXSFW.exe
  C:\Windows\System32\aoGXSFW.exe
  2⤵
  PID:12872
- C:\Windows\System32\vglSQlS.exe
  C:\Windows\System32\vglSQlS.exe
  2⤵
  PID:12892
- C:\Windows\System32\YEfxNYt.exe
  C:\Windows\System32\YEfxNYt.exe
  2⤵
  PID:12928
- C:\Windows\System32\apCDlVs.exe
  C:\Windows\System32\apCDlVs.exe
  2⤵
  PID:12944
- C:\Windows\System32\yYVfxUm.exe
  C:\Windows\System32\yYVfxUm.exe
  2⤵
  PID:12988
- C:\Windows\System32\YndbJDS.exe
  C:\Windows\System32\YndbJDS.exe
  2⤵
  PID:13004
- C:\Windows\System32\TgTlIHC.exe
  C:\Windows\System32\TgTlIHC.exe
  2⤵
  PID:13052
- C:\Windows\System32\fSYsiKO.exe
  C:\Windows\System32\fSYsiKO.exe
  2⤵
  PID:13068
- C:\Windows\System32\CXfhvzN.exe
  C:\Windows\System32\CXfhvzN.exe
  2⤵
  PID:13120
- C:\Windows\System32\CVTJJnZ.exe
  C:\Windows\System32\CVTJJnZ.exe
  2⤵
  PID:13140
- C:\Windows\System32\TPBKkFh.exe
  C:\Windows\System32\TPBKkFh.exe
  2⤵
  PID:13164
- C:\Windows\System32\JezBpIg.exe
  C:\Windows\System32\JezBpIg.exe
  2⤵
  PID:13184
- C:\Windows\System32\MSLcNTB.exe
  C:\Windows\System32\MSLcNTB.exe
  2⤵
  PID:13208
- C:\Windows\System32\KEpwHLI.exe
  C:\Windows\System32\KEpwHLI.exe
  2⤵
  PID:13228
- C:\Windows\System32\QBFZBee.exe
  C:\Windows\System32\QBFZBee.exe
  2⤵
  PID:13256
- C:\Windows\System32\WNbsOnH.exe
  C:\Windows\System32\WNbsOnH.exe
  2⤵
  PID:13296
- C:\Windows\System32\jOobSGt.exe
  C:\Windows\System32\jOobSGt.exe
  2⤵
  PID:11824
- C:\Windows\System32\ZGhotty.exe
  C:\Windows\System32\ZGhotty.exe
  2⤵
  PID:12344
- C:\Windows\System32\cxpjCnN.exe
  C:\Windows\System32\cxpjCnN.exe
  2⤵
  PID:12364
- C:\Windows\System32\Huttflx.exe
  C:\Windows\System32\Huttflx.exe
  2⤵
  PID:12488
- C:\Windows\System32\fUzSebv.exe
  C:\Windows\System32\fUzSebv.exe
  2⤵
  PID:12532
- C:\Windows\System32\fVjvKWu.exe
  C:\Windows\System32\fVjvKWu.exe
  2⤵
  PID:12548
- C:\Windows\System32\TjIgvdp.exe
  C:\Windows\System32\TjIgvdp.exe
  2⤵
  PID:12684
- C:\Windows\System32\GpxMFyH.exe
  C:\Windows\System32\GpxMFyH.exe
  2⤵
  PID:12744
- C:\Windows\System32\VnbBVyq.exe
  C:\Windows\System32\VnbBVyq.exe
  2⤵
  PID:12784
- C:\Windows\System32\pLgnAUH.exe
  C:\Windows\System32\pLgnAUH.exe
  2⤵
  PID:12888
- C:\Windows\System32\VqYYhMn.exe
  C:\Windows\System32\VqYYhMn.exe
  2⤵
  PID:12940
- C:\Windows\System32\YuhoItu.exe
  C:\Windows\System32\YuhoItu.exe
  2⤵
  PID:1252
- C:\Windows\System32\VCiaNgy.exe
  C:\Windows\System32\VCiaNgy.exe
  2⤵
  PID:12996
- C:\Windows\System32\ydqtjep.exe
  C:\Windows\System32\ydqtjep.exe
  2⤵
  PID:13064
- C:\Windows\System32\cWvUSuh.exe
  C:\Windows\System32\cWvUSuh.exe
  2⤵
  PID:13152
- C:\Windows\System32\OmgWmrS.exe
  C:\Windows\System32\OmgWmrS.exe
  2⤵
  PID:13180
- C:\Windows\System32\LmSQxfz.exe
  C:\Windows\System32\LmSQxfz.exe
  2⤵
  PID:13284
- C:\Windows\System32\piLlkgy.exe
  C:\Windows\System32\piLlkgy.exe
  2⤵
  PID:12476
- C:\Windows\System32\ZEWStaM.exe
  C:\Windows\System32\ZEWStaM.exe
  2⤵
  PID:12556
- C:\Windows\System32\EXZSdjr.exe
  C:\Windows\System32\EXZSdjr.exe
  2⤵
  PID:12636
- C:\Windows\System32\ZWclgTQ.exe
  C:\Windows\System32\ZWclgTQ.exe
  2⤵
  PID:12672
- C:\Windows\System32\sUDDImp.exe
  C:\Windows\System32\sUDDImp.exe
  2⤵
  PID:12864
- C:\Windows\System32\osFClmN.exe
  C:\Windows\System32\osFClmN.exe
  2⤵
  PID:13044
- C:\Windows\System32\PXfqTrO.exe
  C:\Windows\System32\PXfqTrO.exe
  2⤵
  PID:12520
- C:\Windows\System32\AwhBUeN.exe
  C:\Windows\System32\AwhBUeN.exe
  2⤵
  PID:12324
- C:\Windows\System32\PuSquWP.exe
  C:\Windows\System32\PuSquWP.exe
  2⤵
  PID:12624
- C:\Windows\System32\aNjsyfk.exe
  C:\Windows\System32\aNjsyfk.exe
  2⤵
  PID:12912
- C:\Windows\System32\NwAfGVJ.exe
  C:\Windows\System32\NwAfGVJ.exe
  2⤵
  PID:13196
- C:\Windows\System32\VhxAxUO.exe
  C:\Windows\System32\VhxAxUO.exe
  2⤵
  PID:13240
- C:\Windows\System32\duNEJBr.exe
  C:\Windows\System32\duNEJBr.exe
  2⤵
  PID:13320
- C:\Windows\System32\IncJGlr.exe
  C:\Windows\System32\IncJGlr.exe
  2⤵
  PID:13396
- C:\Windows\System32\txFPund.exe
  C:\Windows\System32\txFPund.exe
  2⤵
  PID:13412
- C:\Windows\System32\QapYPSy.exe
  C:\Windows\System32\QapYPSy.exe
  2⤵
  PID:13464

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:14036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AYZDvZp.exe

Filesize
1.6MB

MD5
4437a52b75faa84548c10e6256b39644

SHA1
8f90a2f9c06ab3c876279a812be6d17a49823da0

SHA256
83dea5a902d83cb9618c4ec23f5560764a4322bf4c81da4177cedb19e9e412c6

SHA512
b0795c9dacc12008f4231d2ad5239f948c4500b77b138edc5079e2396d5f09c6a149330b120a86f7040cddf1c0286b6124fee898c3d622126a3c1b446376983f

Download Submit
C:\Windows\System32\CSsjVDQ.exe

Filesize
1.6MB

MD5
5db15f1c6392a40e897bf66464cbab67

SHA1
18cc6ea132c1b9273054dfccee9a7387ad4e77bc

SHA256
cab478f25857648492863aa6364108e15eb8aea396ed5e7aae24356d8762630f

SHA512
26b66f8db39662f2abce84123cae63fb8645ce5bafb0524137cd066484eec32c514a1d52676dc483c85fe026e0777cab2ec59451cd33c73f092d0946584777d8

Download Submit
C:\Windows\System32\ElzVUSQ.exe

Filesize
1.6MB

MD5
488cc0decd0cf4398b2d21f6aebac077

SHA1
cb3d992cf564ed8e7918b38d8ac416d1db93a115

SHA256
5c028eeacf905b9a320ff7299d208b17b716221d49b3b198f6e3560a26b81dab

SHA512
b9be81f49cd9d1263ba64622d5e6f7d9581e26066e266805ab2b082e2297814139091bb2563b6508c70386c6f544a9c3cbd75db30a0890f7c10d9aa93594a56c

Download Submit
C:\Windows\System32\FJKPtXD.exe

Filesize
1.6MB

MD5
83c689be0a3b7d5aacd2f49aaf640d25

SHA1
7974be3d00c0aca2b8a2a81297961f1a5e433ea8

SHA256
a58519718d9110a94c48d0e27a2d7b657fb2a1fedc91b2b874fcce6bd5c4b9f0

SHA512
133c16601665c5990a75fa762210ec3ef6a4c567be0a913c180977b9c9c12fb3f3147e85e9e974a61fb32d71d7751a3e3dbc9991a3a4f40b26eacb460672062b

Download Submit
C:\Windows\System32\IbNQwtw.exe

Filesize
1.6MB

MD5
5c1c59251846b1bd98526965eb4aff20

SHA1
4a08b5b012bd7ed4756d5f8715f10e4ef9ceff69

SHA256
9ee2518743593d865127093cbf9bc066b77936545f683afbae917a8b9a7b6756

SHA512
193f3be8a42cfe148254f748943f6f454710859e3d612a1a2e74d60c5a086c81478cb70d4e8ea8e5cfff2b374e5132fbb3923eb2eecc19332decfb51243e9513

Download Submit
C:\Windows\System32\IudSEJE.exe

Filesize
1.6MB

MD5
3fa23d6656781e30e9866bbfcd15552e

SHA1
5c086fdcb0c28270339af8ff6b69229b4c5d7bcb

SHA256
80a43d3b4b4cf4955f837ef16727938c14a270ef1551910a8a16ad16d308531b

SHA512
415af305e20680519ac1574607c1bab17e0fcc4ab80358da3a8a17abd984c755e24866b2d3f59b3a8a15f5a7ceb0050b651a89951df317dbad4c287d1e6956d3

Download Submit
C:\Windows\System32\JtaZFMF.exe

Filesize
1.6MB

MD5
db48e2f726a30293ab7d03a9c3791b24

SHA1
9f5178ea791bf9476544c51f033e13a3ba67f11f

SHA256
0e29ce1dc75d848a5df474134341c8f71cb85ed84523ee38c3608a1708306f52

SHA512
03f5b4bf917c03d85df8b03c274390e905238689f832decba80b3aac6ac0c312997191b2ff8e244b6629e8c9c17cd48ddbb663cda23ffb8903af5ac54d5ea2c4

Download Submit
C:\Windows\System32\KQfsmNM.exe

Filesize
1.6MB

MD5
0a02d29367d5c72595b5980053f74217

SHA1
d1b5c1cda6b2762470821f2fe6789ef5d614e1f0

SHA256
45cc9147de3f98c515fdde4679adc399a7eb74a441202cd147747a57cb3a4bb5

SHA512
0a65721bd78750fcfa4432c852151bf3289f11a2f98e34e5751eca34b7bad535014d9421bd4d01b6f9b9cd0991005286bc0ee9342b4779b5207992a891118faf

Download Submit
C:\Windows\System32\LFWNjwd.exe

Filesize
1.6MB

MD5
8e89efe0f584a07b949b66aaf945348b

SHA1
ac4d19dc2b86718188dfafaedaf3b9c86b3f84c5

SHA256
7835902dfcab6099bd655af4aadf83d84e1b6d1b9ee2c8c7413a48c52bf76ebe

SHA512
1b0cfa8ca28a950d07d42238103ed5610fdc85b48ee1198c568a7ca4a761bea4a073ab03321626979fcccc2603904983b5304b21e10965bace5c707842a687f4

Download Submit
C:\Windows\System32\LncCzUd.exe

Filesize
1.6MB

MD5
97782797d22035e58b098da41e3e38ea

SHA1
cd1d2c6f5f6db125a1d82a2a47f4eb509c2b363f

SHA256
0d117a117c55623acee56b995065ad96ac24ae145a89587e223221e5d6ded9ad

SHA512
27d76bec539d7ad9aa24c58c8f7afe4269dab4084696bdae7d400f72ba44714f94a67e2f0af6e2aafd11505d437e316321e3c57c6469e5ca9c212dc65dfb5163

Download Submit
C:\Windows\System32\MDCMmVC.exe

Filesize
1.6MB

MD5
bcdd97bb2916025ccc8d40715ee35496

SHA1
1fdcd54796d711af294010ac41db94f136dc4581

SHA256
98701ae9c8460f8f425b54c8e6aade5ef7729be9f6144e5c3a2a8938869f231e

SHA512
34a539765a4bbf77d08ec6b5ab2c3965c71c9f3411a9d89665aa9f1d515dc3b5a8e3e6fc2e5c4cc0b0ece845cee8dca1e8fcb1954ed4acbe705f78ed3c8ca9ce

Download Submit
C:\Windows\System32\NiyXhQt.exe

Filesize
1.6MB

MD5
935ef3e18db0d1a10dcc9a5bdf5d2d6f

SHA1
1cd0aea83dbaaa19a061bbe117b68bb03a0de644

SHA256
99b65f4f4462b513e5d3a920bbc82bfe20babf907d388d87b0d43cca6c376771

SHA512
03673de01210cb866d192df23c1a27676d9579c3b058047975fa10e2e494933bf595fd8f927be1588a8a3d4cff99de7ae337ff2a7cc9d7a23a373b6065622771

Download Submit
C:\Windows\System32\OdqrpRZ.exe

Filesize
1.6MB

MD5
bc71b27637a2d18e271d1feb119de0bd

SHA1
0bee3eb648624d0dd88f10a6926b3049688724c6

SHA256
dba3126782c6cb0cb520a1cbfbe71e81b4b1015127958d2c4671393113e9a36f

SHA512
d6d782ac5b256a1c48b8190b1753d38aee8a8cf9df8550a30e152ccdeaf7876bd6d28aba689aa4e05250caa2018aa637d54abbdd46ca721497fcda03096346ec

Download Submit
C:\Windows\System32\QZiCKwn.exe

Filesize
1.6MB

MD5
baa5d80be589d99de86f1b58e76ce1db

SHA1
7acfac7c768120e5b08af293eca1e2b4c5235958

SHA256
aaf36b1408ebea220b464d00ec93e6d88242f22e7ed4d8137ce85f43216aa324

SHA512
48aaa5ee38c10b6cfd9ec379b360d6152a21fbfc3642434dca1772d11007057693f74f5540845e3ff0ffdbc30dc3b8d81e9bc5e7cc7956d82132b399e4a3395a

Download Submit
C:\Windows\System32\TRMcgDU.exe

Filesize
1.6MB

MD5
fd9c418f2a20147c14f292d02b2d06dd

SHA1
0fa796bd98d16082adb0435b322937aa5745ecd1

SHA256
b2e15e7c389defa73e063bdfa1a4323e0e30a2737f1020bff81a0684a9e3ace1

SHA512
3baf90dda64741684e09645c37cb98988dbc586481defdccff938d7357e00d264e06b2be2e418c0600ddda8cf30a0db645b0f73ad019226cdc4ef48f441d98e5

Download Submit
C:\Windows\System32\TWjQtZf.exe

Filesize
1.6MB

MD5
09f11e9f5f39c5dba99efa982b99d8dc

SHA1
d2b3c3d1cce4e2fd83b32e8c4a295ec3fd911036

SHA256
9deed7241055241541f31298df3f6b95eccea6cb427b0af1ad64dfd67e80b7c2

SHA512
5cd74949f923a0f8fac3dcaf047de463866440adec7cfcfd458029b659ba61ac4a40d54e37725868a21c4c8e5201a0bfed6f3f401e25cdc4f1a37cc2a682e3fa

Download Submit
C:\Windows\System32\UFmFGxJ.exe

Filesize
1.6MB

MD5
adaf31e0ae3c12321091ed0df8cef3b1

SHA1
584861ed76b9d1428352f3b6e7d29ada42c00e93

SHA256
39f92fe795eb345eba4ebc8e8dbaae71e9d7c227e20847360144a6cfdcdff9fb

SHA512
160aebe3dddb47e97a32118483417a93b1bf7cd3120c007f9c4f6da33b13e34677c5cf16e79604b54a760856c249863a550c8b2936122dbce1302625d5de12ba

Download Submit
C:\Windows\System32\WueSfGE.exe

Filesize
1.6MB

MD5
eb67bc90d13424dadd8c1ce04576fec4

SHA1
d2d11a016e324098590897c1ee5ca069dd7db785

SHA256
b92bda4ea569c76eae6245cc2df22c9eff28cc15f46259268fcd423cf2241a36

SHA512
9f47e72803788378bd30af4155ce9434abfe7616ed9d5418bb2a7d74559625165413cfb3afa6fbe186724a35dd01467f02306121f29d13286779f41303468650

Download Submit
C:\Windows\System32\XmcNbWT.exe

Filesize
1.6MB

MD5
6bddd2a9a97c78415114772ef67c6bc5

SHA1
b40ea801ae3b9bfe0b1f480fed1cfe2050931d76

SHA256
bfa31ffc0abe8450651051061ced69900119a66cd5b2e85cebea38c1de101d98

SHA512
800851f5200d35c1aaccd40f6d5a7072835a58abd18e3f43b7cb0449982b6d407b5c058c225e00d4dd66a83e5d80e7b09018f5797c41f74c9a72fb3d9beb51c8

Download Submit
C:\Windows\System32\gOlchfU.exe

Filesize
1.6MB

MD5
23e4e01f085d44c19f5b676bad24b81e

SHA1
36dbef64e1ada0a58a5af6c4e680bb0ae21fc353

SHA256
6a82c51278797883858694fdf9a847c79733c33b1769650f2f6dee514a16b428

SHA512
3fea92b19deafaeb87750ee6580cbc68be300a0b8b400d6d88f3736962f23747f11311c4dfc0853e718b20259a91505125299802c2a15358e88a28e90ad1bae2

Download Submit
C:\Windows\System32\gtDjVsb.exe

Filesize
1.6MB

MD5
136593df3d3659cac75a78543c1e58f8

SHA1
6bb21cd56a328a38b4275060d27ff8bfe63066bb

SHA256
32e6337d550f7d136005aa91caf5d8a79909829423e8560fe54174aa053f318d

SHA512
4c4429d037ad9958e44fc3141dade976dbcb54aad403ebfbe6bb28248a1461ef8e1d197a83ce1468a13c3135839256a071c0a6877437d0be9824b6e6dfbc6578

Download Submit
C:\Windows\System32\hEcMpiG.exe

Filesize
1.6MB

MD5
a3a7508399d684491c6f2f18ea90cf2c

SHA1
65b5d6932b5ef2750bfdbded1536350447d02458

SHA256
cb2af894e55e33d4b29191cba1536415fa26102962c4756a5c7dfee83f4d0c70

SHA512
576f8831628ced8285027e45cd0018568b4c0cbf8e3fb1eaf21d80b8e067c43adabe842d6a37146cb5622ebeec610765d2cedfde8572c1999cf84ea2c50f79d5

Download Submit
C:\Windows\System32\jobDIsu.exe

Filesize
1.6MB

MD5
12fc657e02e40972c8cbad99ce1c131e

SHA1
a62a9d16a6b4b1a1d224a83fd22bbd9ec8d7140a

SHA256
81bb6bdd99514a028ba06ba4b91114b5dcae5994c6fae12dd3a01eca49fbc0a6

SHA512
114daa8673036e1afacc740d24db35a765ee8e42baf87741b03c817b4135ba2a9461b92cfa992ec1f3bb86031099914ee752d844e5783cc648700f76abe3bc7f

Download Submit
C:\Windows\System32\jtuoXLi.exe

Filesize
1.6MB

MD5
66523ca2ba6c3b9ea7952f211534346c

SHA1
99ce06c0c3e3eedf81534d87de6cbf840c543a50

SHA256
76466b7883fc7811ddb92e4c9861c1478bbef351b3c238cdbd05bbf9bdcf78c9

SHA512
497295dcfa3d6cf851f19d0c95fe24637d948b830b44827403889965450c8accf760d7b88bceab762d906c797186f22868ce8e6ecd9c1f8c2609c56b369d8f7d

Download Submit
C:\Windows\System32\lFkfVWJ.exe

Filesize
1.6MB

MD5
cbb215c0e80cf7a51d9092a2d7c38c14

SHA1
5ecaa5c4e16548207eb8aca04c5d2a0c28d49d10

SHA256
f02d52c5fe7dce560cd30fb5332d8a8aeabb10e911a6f8abcf17e12c11f854fa

SHA512
6ef07b4be078dd39d459c78f3a937cdfc0b3a6f80373ceff9171587c8b7816f7f2f6f1cdf9c2ff9bb4fadd867c5982db59356d135d489201231fe6960f4dd384

Download Submit
C:\Windows\System32\lJHBJjD.exe

Filesize
1.6MB

MD5
0d172da2d6ef625835b77367b09bcea1

SHA1
bdedb891a212c316f042994403ea825ea11e567b

SHA256
f3766138fc7f1c12ef6449235be52ce6b54437c60e58d532025dff7778c536d5

SHA512
e24df30a9a73574ff8a53998b88cda1cab5320a7ee29c1888edca7da518daccc2fe1cf2718ecf2235c3a67dd6959e0086a3677d5702e170add8d930dc09ed9d5

Download Submit
C:\Windows\System32\mzOOXND.exe

Filesize
1.6MB

MD5
76b8cd816c756f81db3f8941a7e53ecd

SHA1
c3bf6db6b1ee2db3e5a9d716123bbfe5b8dbe96e

SHA256
9e30814d42134c42e8d7904851f57a83a26dccf7b3ed6b4d3fff78f4837ba191

SHA512
f5145eb4c7b432fe0199eca1c449c0f0a990b727d9e0a957d0c27e2f5823104ac11c0eb9d6c840b1c9da2b39e8cbf9d964234789174eedcadff41f123a0d376a

Download Submit
C:\Windows\System32\ocTOvJb.exe

Filesize
1.6MB

MD5
c2d2c9a3499619030e48b96653c03013

SHA1
388fe60d7faa77864ba54391a3e7af0bb5b2db1c

SHA256
d3fbd97df33b094c0ff9b384f29b44207184af539c823f7af219ff2a7528c93f

SHA512
982f20d5c1da74883d8bc7d9be47e52c82821c11a49f2439a7a38e66f618e97ce769b73e025a2fc58e21febcf5e38deb78f6f87462f85422c23459b9f89ddeb0

Download Submit
C:\Windows\System32\uezFKmt.exe

Filesize
1.6MB

MD5
b13be143173498e65049f924abe12d45

SHA1
6da3d2eba33c0512a3bcb362883642fde32a5c32

SHA256
6dd637aff05cd65fe09597340e734856151527069ce339a7c1ae256ecd767044

SHA512
a69cc842fdcb8f8756ffba68cccf3afb6da67074b082dd4c4b5e89b225d28cedca3c42d22ff58eacdfa0930c796e6d27113c0ebe171f184c9a7b52464a7fbbf0

Download Submit
C:\Windows\System32\vsXIqwT.exe

Filesize
1.6MB

MD5
f4e03a5aa85174d0d70d128e7b37b63b

SHA1
28607d6ec21d2b3cce46a3e42145a9d76fc2dd27

SHA256
fb0c99f5bd5ac18d941cbba14a2b9b34e544621e8948c21bd2580c960da7d995

SHA512
57e7366658966c34eb8d33341fba7a15ebe0c5f3c721ca676523d154933454c1b1e03941435f58e4ed87c4264f3ed270d312e6e2481c8bfa213f39b1e49bf5b1

Download Submit
C:\Windows\System32\wbnYKoR.exe

Filesize
1.6MB

MD5
cc54dab1ac958a88393c7cf6240547d9

SHA1
af3c603559f72e5e96c095e0cfeb1c5d9fe103c7

SHA256
a5e85ba0576697b9a9193f7cda063033057cf04ac86a3a3e99a49933f3b49bd2

SHA512
69888647006b249b0b0ec3aed3d5ea921005a925d720e87bcac06e69e3174e0c84498a994d9a91c2e53f1be6d793aebe52890aa3660e51caf38b100ac4e560d4

Download Submit
C:\Windows\System32\zFkHqbE.exe

Filesize
1.6MB

MD5
e607d9284f5a3171b099b89ab7d7acb6

SHA1
be7a7e625132cd2449144f33034306dc2a5ca2c2

SHA256
b1f5c1b917899f68888d943e1b9e96799377660621543a05459684166585d6f2

SHA512
3830f5980780064698b4aea016f9f2eabc13f9dce8d6da312a562be9737d5523d48eba7099d71e9cfcf4131536174b685c3d3f244e8d281ed4913315de8385a2

Download Submit
memory/536-411-0x00007FF6B0790000-0x00007FF6B0B81000-memory.dmp

Filesize
3.9MB

Download
memory/536-2077-0x00007FF6B0790000-0x00007FF6B0B81000-memory.dmp

Filesize
3.9MB

Download
memory/1160-69-0x00007FF6FBE20000-0x00007FF6FC211000-memory.dmp

Filesize
3.9MB

Download
memory/1160-2025-0x00007FF6FBE20000-0x00007FF6FC211000-memory.dmp

Filesize
3.9MB

Download
memory/1160-13-0x00007FF6FBE20000-0x00007FF6FC211000-memory.dmp

Filesize
3.9MB

Download
memory/1204-61-0x00007FF68A860000-0x00007FF68AC51000-memory.dmp

Filesize
3.9MB

Download
memory/1204-2058-0x00007FF68A860000-0x00007FF68AC51000-memory.dmp

Filesize
3.9MB

Download
memory/1436-2093-0x00007FF6876D0000-0x00007FF687AC1000-memory.dmp

Filesize
3.9MB

Download
memory/1436-435-0x00007FF6876D0000-0x00007FF687AC1000-memory.dmp

Filesize
3.9MB

Download
memory/1528-427-0x00007FF6E6C80000-0x00007FF6E7071000-memory.dmp

Filesize
3.9MB

Download
memory/1528-2089-0x00007FF6E6C80000-0x00007FF6E7071000-memory.dmp

Filesize
3.9MB

Download
memory/1544-407-0x00007FF729E80000-0x00007FF72A271000-memory.dmp

Filesize
3.9MB

Download
memory/1544-2069-0x00007FF729E80000-0x00007FF72A271000-memory.dmp

Filesize
3.9MB

Download
memory/1876-2023-0x00007FF67DB90000-0x00007FF67DF81000-memory.dmp

Filesize
3.9MB

Download
memory/1876-17-0x00007FF67DB90000-0x00007FF67DF81000-memory.dmp

Filesize
3.9MB

Download
memory/2052-424-0x00007FF778210000-0x00007FF778601000-memory.dmp

Filesize
3.9MB

Download
memory/2052-2087-0x00007FF778210000-0x00007FF778601000-memory.dmp

Filesize
3.9MB

Download
memory/2196-2032-0x00007FF6918D0000-0x00007FF691CC1000-memory.dmp

Filesize
3.9MB

Download
memory/2196-41-0x00007FF6918D0000-0x00007FF691CC1000-memory.dmp

Filesize
3.9MB

Download
memory/2292-30-0x00007FF61ADC0000-0x00007FF61B1B1000-memory.dmp

Filesize
3.9MB

Download
memory/2292-2029-0x00007FF61ADC0000-0x00007FF61B1B1000-memory.dmp

Filesize
3.9MB

Download
memory/2380-1431-0x00007FF73E220000-0x00007FF73E611000-memory.dmp

Filesize
3.9MB

Download
memory/2380-28-0x00007FF73E220000-0x00007FF73E611000-memory.dmp

Filesize
3.9MB

Download
memory/2380-2033-0x00007FF73E220000-0x00007FF73E611000-memory.dmp

Filesize
3.9MB

Download
memory/2924-2018-0x00007FF767530000-0x00007FF767921000-memory.dmp

Filesize
3.9MB

Download
memory/2924-1-0x000001A2DAD60000-0x000001A2DAD70000-memory.dmp

Filesize
64KB

Download
memory/2924-0-0x00007FF767530000-0x00007FF767921000-memory.dmp

Filesize
3.9MB

Download
memory/2924-68-0x00007FF767530000-0x00007FF767921000-memory.dmp

Filesize
3.9MB

Download
memory/3060-71-0x00007FF7A75C0000-0x00007FF7A79B1000-memory.dmp

Filesize
3.9MB

Download
memory/3060-2067-0x00007FF7A75C0000-0x00007FF7A79B1000-memory.dmp

Filesize
3.9MB

Download
memory/3104-420-0x00007FF665890000-0x00007FF665C81000-memory.dmp

Filesize
3.9MB

Download
memory/3104-2081-0x00007FF665890000-0x00007FF665C81000-memory.dmp

Filesize
3.9MB

Download
memory/3196-1983-0x00007FF7CA3E0000-0x00007FF7CA7D1000-memory.dmp

Filesize
3.9MB

Download
memory/3196-48-0x00007FF7CA3E0000-0x00007FF7CA7D1000-memory.dmp

Filesize
3.9MB

Download
memory/3196-2035-0x00007FF7CA3E0000-0x00007FF7CA7D1000-memory.dmp

Filesize
3.9MB

Download
memory/3204-64-0x00007FF78DF50000-0x00007FF78E341000-memory.dmp

Filesize
3.9MB

Download
memory/3204-2065-0x00007FF78DF50000-0x00007FF78E341000-memory.dmp

Filesize
3.9MB

Download
memory/3932-432-0x00007FF6B2CB0000-0x00007FF6B30A1000-memory.dmp

Filesize
3.9MB

Download
memory/3932-2091-0x00007FF6B2CB0000-0x00007FF6B30A1000-memory.dmp

Filesize
3.9MB

Download
memory/4220-410-0x00007FF69C0B0000-0x00007FF69C4A1000-memory.dmp

Filesize
3.9MB

Download
memory/4220-2071-0x00007FF69C0B0000-0x00007FF69C4A1000-memory.dmp

Filesize
3.9MB

Download
memory/4464-998-0x00007FF7DA840000-0x00007FF7DAC31000-memory.dmp

Filesize
3.9MB

Download
memory/4464-22-0x00007FF7DA840000-0x00007FF7DAC31000-memory.dmp

Filesize
3.9MB

Download
memory/4464-2027-0x00007FF7DA840000-0x00007FF7DAC31000-memory.dmp

Filesize
3.9MB

Download
memory/4548-409-0x00007FF7A4070000-0x00007FF7A4461000-memory.dmp

Filesize
3.9MB

Download
memory/4548-2075-0x00007FF7A4070000-0x00007FF7A4461000-memory.dmp

Filesize
3.9MB

Download
memory/4600-2073-0x00007FF755950000-0x00007FF755D41000-memory.dmp

Filesize
3.9MB

Download
memory/4600-408-0x00007FF755950000-0x00007FF755D41000-memory.dmp

Filesize
3.9MB

Download
memory/4612-2079-0x00007FF7E5630000-0x00007FF7E5A21000-memory.dmp

Filesize
3.9MB

Download
memory/4612-415-0x00007FF7E5630000-0x00007FF7E5A21000-memory.dmp

Filesize
3.9MB

Download
memory/4768-423-0x00007FF7F0660000-0x00007FF7F0A51000-memory.dmp

Filesize
3.9MB

Download
memory/4768-2083-0x00007FF7F0660000-0x00007FF7F0A51000-memory.dmp

Filesize
3.9MB

Download
memory/4804-2085-0x00007FF7D6500000-0x00007FF7D68F1000-memory.dmp

Filesize
3.9MB

Download
memory/4804-436-0x00007FF7D6500000-0x00007FF7D68F1000-memory.dmp

Filesize
3.9MB

Download
memory/5064-1984-0x00007FF680C70000-0x00007FF681061000-memory.dmp

Filesize
3.9MB

Download
memory/5064-58-0x00007FF680C70000-0x00007FF681061000-memory.dmp

Filesize
3.9MB

Download
memory/5064-2037-0x00007FF680C70000-0x00007FF681061000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads