xmrig | 3a2ce3a3443a314732f248f5a7898c0199f00ee5f2bb1f1770fecaacd6df746b

Analysis

max time kernel
146s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
Size

1.2MB
MD5

0fa829435e425b2a8882c96f8e0e9a68
SHA1

3d4e0605ad188f81d2eaea7e9fff680fd13683e9
SHA256

3a2ce3a3443a314732f248f5a7898c0199f00ee5f2bb1f1770fecaacd6df746b
SHA512

662457c5a183eeeb81df4263f699eecbe97ae1ff4366152dcb0b86178d273701a6504ab8c262d7bb7cd888ffdf337f1a39582d8f8ad4c847e2bb3ed168d73e09
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5Pbcq92zjP+sjI14YP:knw9oUUEEDl37jcq4nP3k

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 50 IoCs

miner

resource	yara_rule
behavioral2/memory/4420-49-0x00007FF71DF70000-0x00007FF71E361000-memory.dmp	xmrig
behavioral2/memory/3696-405-0x00007FF6BF5E0000-0x00007FF6BF9D1000-memory.dmp	xmrig
behavioral2/memory/1280-413-0x00007FF76B380000-0x00007FF76B771000-memory.dmp	xmrig
behavioral2/memory/1656-66-0x00007FF7EFD60000-0x00007FF7F0151000-memory.dmp	xmrig
behavioral2/memory/4244-61-0x00007FF7FA870000-0x00007FF7FAC61000-memory.dmp	xmrig
behavioral2/memory/4076-53-0x00007FF76C810000-0x00007FF76CC01000-memory.dmp	xmrig
behavioral2/memory/3448-45-0x00007FF601D40000-0x00007FF602131000-memory.dmp	xmrig
behavioral2/memory/5056-38-0x00007FF69B670000-0x00007FF69BA61000-memory.dmp	xmrig
behavioral2/memory/2008-424-0x00007FF7A3190000-0x00007FF7A3581000-memory.dmp	xmrig
behavioral2/memory/1220-423-0x00007FF6C2DE0000-0x00007FF6C31D1000-memory.dmp	xmrig
behavioral2/memory/2892-427-0x00007FF658840000-0x00007FF658C31000-memory.dmp	xmrig
behavioral2/memory/2356-457-0x00007FF78D610000-0x00007FF78DA01000-memory.dmp	xmrig
behavioral2/memory/3240-454-0x00007FF6BC310000-0x00007FF6BC701000-memory.dmp	xmrig
behavioral2/memory/5116-466-0x00007FF7173A0000-0x00007FF717791000-memory.dmp	xmrig
behavioral2/memory/2276-470-0x00007FF71EB70000-0x00007FF71EF61000-memory.dmp	xmrig
behavioral2/memory/4576-475-0x00007FF6DF010000-0x00007FF6DF401000-memory.dmp	xmrig
behavioral2/memory/4864-487-0x00007FF7B4700000-0x00007FF7B4AF1000-memory.dmp	xmrig
behavioral2/memory/4796-485-0x00007FF7B27F0000-0x00007FF7B2BE1000-memory.dmp	xmrig
behavioral2/memory/4460-483-0x00007FF60C4A0000-0x00007FF60C891000-memory.dmp	xmrig
behavioral2/memory/3368-469-0x00007FF799F50000-0x00007FF79A341000-memory.dmp	xmrig
behavioral2/memory/3924-1985-0x00007FF667230000-0x00007FF667621000-memory.dmp	xmrig
behavioral2/memory/3448-1986-0x00007FF601D40000-0x00007FF602131000-memory.dmp	xmrig
behavioral2/memory/5056-1987-0x00007FF69B670000-0x00007FF69BA61000-memory.dmp	xmrig
behavioral2/memory/1436-1988-0x00007FF68DAB0000-0x00007FF68DEA1000-memory.dmp	xmrig
behavioral2/memory/3172-2003-0x00007FF669350000-0x00007FF669741000-memory.dmp	xmrig
behavioral2/memory/1656-2004-0x00007FF7EFD60000-0x00007FF7F0151000-memory.dmp	xmrig
behavioral2/memory/4776-2028-0x00007FF6570E0000-0x00007FF6574D1000-memory.dmp	xmrig
behavioral2/memory/3924-2030-0x00007FF667230000-0x00007FF667621000-memory.dmp	xmrig
behavioral2/memory/3448-2058-0x00007FF601D40000-0x00007FF602131000-memory.dmp	xmrig
behavioral2/memory/4244-2062-0x00007FF7FA870000-0x00007FF7FAC61000-memory.dmp	xmrig
behavioral2/memory/1436-2060-0x00007FF68DAB0000-0x00007FF68DEA1000-memory.dmp	xmrig
behavioral2/memory/3172-2064-0x00007FF669350000-0x00007FF669741000-memory.dmp	xmrig
behavioral2/memory/5056-2056-0x00007FF69B670000-0x00007FF69BA61000-memory.dmp	xmrig
behavioral2/memory/4076-2054-0x00007FF76C810000-0x00007FF76CC01000-memory.dmp	xmrig
behavioral2/memory/4420-2052-0x00007FF71DF70000-0x00007FF71E361000-memory.dmp	xmrig
behavioral2/memory/3240-2076-0x00007FF6BC310000-0x00007FF6BC701000-memory.dmp	xmrig
behavioral2/memory/1220-2080-0x00007FF6C2DE0000-0x00007FF6C31D1000-memory.dmp	xmrig
behavioral2/memory/5116-2084-0x00007FF7173A0000-0x00007FF717791000-memory.dmp	xmrig
behavioral2/memory/3696-2078-0x00007FF6BF5E0000-0x00007FF6BF9D1000-memory.dmp	xmrig
behavioral2/memory/2356-2074-0x00007FF78D610000-0x00007FF78DA01000-memory.dmp	xmrig
behavioral2/memory/2008-2082-0x00007FF7A3190000-0x00007FF7A3581000-memory.dmp	xmrig
behavioral2/memory/4864-2072-0x00007FF7B4700000-0x00007FF7B4AF1000-memory.dmp	xmrig
behavioral2/memory/1656-2068-0x00007FF7EFD60000-0x00007FF7F0151000-memory.dmp	xmrig
behavioral2/memory/1280-2066-0x00007FF76B380000-0x00007FF76B771000-memory.dmp	xmrig
behavioral2/memory/2892-2070-0x00007FF658840000-0x00007FF658C31000-memory.dmp	xmrig
behavioral2/memory/4460-2090-0x00007FF60C4A0000-0x00007FF60C891000-memory.dmp	xmrig
behavioral2/memory/4576-2089-0x00007FF6DF010000-0x00007FF6DF401000-memory.dmp	xmrig
behavioral2/memory/3368-2095-0x00007FF799F50000-0x00007FF79A341000-memory.dmp	xmrig
behavioral2/memory/2276-2094-0x00007FF71EB70000-0x00007FF71EF61000-memory.dmp	xmrig
behavioral2/memory/4796-2092-0x00007FF7B27F0000-0x00007FF7B2BE1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4776	WIrIzcN.exe
3924	VXmiOjT.exe
4076	bcNLWOk.exe
5056	YouwUdX.exe
3448	tPKBRXA.exe
1436	flvEULM.exe
4420	dlWAtgI.exe
3172	uBkBZUE.exe
4244	AfjFFOd.exe
1656	FjqZeWc.exe
3696	bTuvYyo.exe
4864	EsAbKGc.exe
1280	bfxjOEx.exe
1220	ycAuZJe.exe
2008	hlCbHYm.exe
2892	QnBpBGG.exe
3240	MFINeHJ.exe
2356	tqAfoME.exe
5116	sCGuknG.exe
3368	vckbwLg.exe
2276	WipbNRI.exe
4576	VDimPdv.exe
4460	iGPNECD.exe
4796	PwjbkMM.exe
1572	kKhtJnN.exe
5112	iAkHwXw.exe
692	bZTIdBP.exe
1428	ynayafj.exe
4832	JFVrdxc.exe
2736	dxXosvX.exe
4884	ddjatoh.exe
3404	wanDoTy.exe
2064	WBrXpLQ.exe
5048	ldRnuLh.exe
4572	HBamVcJ.exe
2228	PfuPBRK.exe
4020	pzqGkfF.exe
4152	JBRUEOM.exe
2724	kCitfMU.exe
3028	LmABnpH.exe
3356	TJpxagY.exe
1308	wcgQIgR.exe
2088	YpkXlvw.exe
944	vRCwZqi.exe
4472	sNEDaON.exe
624	SWmFhBw.exe
2188	QvVhjKr.exe
2956	LqdJchh.exe
2080	gsgxSOF.exe
4664	DkzUotV.exe
4300	erZUCyg.exe
4296	DLGClDH.exe
1068	drBBmQr.exe
2680	JzqLsKY.exe
2564	PcxOCfK.exe
924	etDHJvP.exe
4000	amTcgMk.exe
3252	fITEGQG.exe
3140	NOSTSKg.exe
908	RxcEHqh.exe
3764	EDEmNIh.exe
2344	fOXtAHE.exe
1976	kCOlJGK.exe
4312	udkCUCD.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/116-0-0x00007FF607010000-0x00007FF607401000-memory.dmp	upx
behavioral2/files/0x000c000000023ba8-5.dat	upx
behavioral2/memory/4776-11-0x00007FF6570E0000-0x00007FF6574D1000-memory.dmp	upx
behavioral2/files/0x000a000000023bb0-8.dat	upx
behavioral2/files/0x000a000000023baf-7.dat	upx
behavioral2/files/0x000a000000023bb5-41.dat	upx
behavioral2/memory/1436-46-0x00007FF68DAB0000-0x00007FF68DEA1000-memory.dmp	upx
behavioral2/memory/4420-49-0x00007FF71DF70000-0x00007FF71E361000-memory.dmp	upx
behavioral2/files/0x0031000000023bb6-55.dat	upx
behavioral2/files/0x0031000000023bb7-62.dat	upx
behavioral2/files/0x000a000000023bb9-71.dat	upx
behavioral2/files/0x000a000000023bbb-79.dat	upx
behavioral2/files/0x000a000000023bbc-86.dat	upx
behavioral2/files/0x000a000000023bbd-91.dat	upx
behavioral2/files/0x000a000000023bbf-99.dat	upx
behavioral2/files/0x000a000000023bc2-117.dat	upx
behavioral2/files/0x000a000000023bc5-129.dat	upx
behavioral2/files/0x000a000000023bc8-146.dat	upx
behavioral2/files/0x000a000000023bcc-164.dat	upx
behavioral2/memory/3696-405-0x00007FF6BF5E0000-0x00007FF6BF9D1000-memory.dmp	upx
behavioral2/memory/1280-413-0x00007FF76B380000-0x00007FF76B771000-memory.dmp	upx
behavioral2/files/0x000a000000023bcd-172.dat	upx
behavioral2/files/0x000a000000023bcb-161.dat	upx
behavioral2/files/0x000a000000023bca-157.dat	upx
behavioral2/files/0x000a000000023bc9-151.dat	upx
behavioral2/files/0x000a000000023bc7-141.dat	upx
behavioral2/files/0x000a000000023bc6-136.dat	upx
behavioral2/files/0x000a000000023bc4-126.dat	upx
behavioral2/files/0x000a000000023bc3-122.dat	upx
behavioral2/files/0x000a000000023bc1-111.dat	upx
behavioral2/files/0x000a000000023bc0-106.dat	upx
behavioral2/files/0x000a000000023bbe-96.dat	upx
behavioral2/files/0x000a000000023bba-76.dat	upx
behavioral2/memory/1656-66-0x00007FF7EFD60000-0x00007FF7F0151000-memory.dmp	upx
behavioral2/files/0x0031000000023bb8-65.dat	upx
behavioral2/memory/4244-61-0x00007FF7FA870000-0x00007FF7FAC61000-memory.dmp	upx
behavioral2/memory/3172-60-0x00007FF669350000-0x00007FF669741000-memory.dmp	upx
behavioral2/memory/4076-53-0x00007FF76C810000-0x00007FF76CC01000-memory.dmp	upx
behavioral2/memory/3448-45-0x00007FF601D40000-0x00007FF602131000-memory.dmp	upx
behavioral2/files/0x000a000000023bb2-42.dat	upx
behavioral2/memory/5056-38-0x00007FF69B670000-0x00007FF69BA61000-memory.dmp	upx
behavioral2/files/0x000a000000023bb4-37.dat	upx
behavioral2/memory/3924-33-0x00007FF667230000-0x00007FF667621000-memory.dmp	upx
behavioral2/files/0x000a000000023bb1-29.dat	upx
behavioral2/files/0x000a000000023bb3-34.dat	upx
behavioral2/memory/2008-424-0x00007FF7A3190000-0x00007FF7A3581000-memory.dmp	upx
behavioral2/memory/1220-423-0x00007FF6C2DE0000-0x00007FF6C31D1000-memory.dmp	upx
behavioral2/memory/2892-427-0x00007FF658840000-0x00007FF658C31000-memory.dmp	upx
behavioral2/memory/2356-457-0x00007FF78D610000-0x00007FF78DA01000-memory.dmp	upx
behavioral2/memory/3240-454-0x00007FF6BC310000-0x00007FF6BC701000-memory.dmp	upx
behavioral2/memory/5116-466-0x00007FF7173A0000-0x00007FF717791000-memory.dmp	upx
behavioral2/memory/2276-470-0x00007FF71EB70000-0x00007FF71EF61000-memory.dmp	upx
behavioral2/memory/4576-475-0x00007FF6DF010000-0x00007FF6DF401000-memory.dmp	upx
behavioral2/memory/4864-487-0x00007FF7B4700000-0x00007FF7B4AF1000-memory.dmp	upx
behavioral2/memory/4796-485-0x00007FF7B27F0000-0x00007FF7B2BE1000-memory.dmp	upx
behavioral2/memory/4460-483-0x00007FF60C4A0000-0x00007FF60C891000-memory.dmp	upx
behavioral2/memory/3368-469-0x00007FF799F50000-0x00007FF79A341000-memory.dmp	upx
behavioral2/memory/3924-1985-0x00007FF667230000-0x00007FF667621000-memory.dmp	upx
behavioral2/memory/3448-1986-0x00007FF601D40000-0x00007FF602131000-memory.dmp	upx
behavioral2/memory/5056-1987-0x00007FF69B670000-0x00007FF69BA61000-memory.dmp	upx
behavioral2/memory/1436-1988-0x00007FF68DAB0000-0x00007FF68DEA1000-memory.dmp	upx
behavioral2/memory/3172-2003-0x00007FF669350000-0x00007FF669741000-memory.dmp	upx
behavioral2/memory/1656-2004-0x00007FF7EFD60000-0x00007FF7F0151000-memory.dmp	upx
behavioral2/memory/4776-2028-0x00007FF6570E0000-0x00007FF6574D1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\awthOKk.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\vLUUIeG.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\rPCppQX.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\gsgxSOF.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\VOUwLHH.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\ALjlbfW.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\nwrTZkQ.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\EISiqTa.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\mYGMnsq.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\ChdmvkD.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\WtbgIXC.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\OBDDRqF.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\MVeDmNW.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\SSzEkDJ.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\xDAIJog.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\FxYLqqj.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\SvvDsTv.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\FtVdhJS.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\nlMRFsY.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\gUoYbES.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\UnNwnkG.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\xoMWqwp.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\cJCfbMg.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\WIrIzcN.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\DIpxyyl.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\uZDhbBz.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\JxfHZiy.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\cilAGwc.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\xqRxxUh.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\NRoErdJ.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\JLkGNBM.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\XojtRla.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\HsMYwBH.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\OYZKtfG.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\BUfPKkT.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\ookDWEL.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\dxXosvX.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\zghWDra.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\ZlHbbee.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\MlRhjmM.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\orjXROM.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\ilZjlZU.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\MtWHRlF.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\OCvcBwa.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\KiUVSJV.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\uRAngnN.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\uynODbb.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\UJgnqLl.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\swJdMTX.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\QfFtJHs.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\HWgOwOA.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\uBkBZUE.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\UHcHMEV.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\PYXeiMH.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\SFhTrfV.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\BHYKfOY.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\MNQIMDo.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\tzCDUQB.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\GJWpyCl.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\JTEuQuP.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\BUUEZkY.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\NOSTSKg.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\hVzTbIl.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
File created	C:\Windows\System32\ZJdBThm.exe	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12808	dwm.exe
Token: SeChangeNotifyPrivilege	12808	dwm.exe
Token: 33	12808	dwm.exe
Token: SeIncBasePriorityPrivilege	12808	dwm.exe
Token: SeShutdownPrivilege	12808	dwm.exe
Token: SeCreatePagefilePrivilege	12808	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 4776	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	84
PID 116 wrote to memory of 4776	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	84
PID 116 wrote to memory of 3924	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	85
PID 116 wrote to memory of 3924	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	85
PID 116 wrote to memory of 1436	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	86
PID 116 wrote to memory of 1436	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	86
PID 116 wrote to memory of 4076	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	87
PID 116 wrote to memory of 4076	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	87
PID 116 wrote to memory of 4420	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	88
PID 116 wrote to memory of 4420	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	88
PID 116 wrote to memory of 5056	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	89
PID 116 wrote to memory of 5056	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	89
PID 116 wrote to memory of 3448	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	90
PID 116 wrote to memory of 3448	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	90
PID 116 wrote to memory of 3172	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	91
PID 116 wrote to memory of 3172	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	91
PID 116 wrote to memory of 4244	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	92
PID 116 wrote to memory of 4244	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	92
PID 116 wrote to memory of 1656	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	93
PID 116 wrote to memory of 1656	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	93
PID 116 wrote to memory of 3696	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	94
PID 116 wrote to memory of 3696	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	94
PID 116 wrote to memory of 4864	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	95
PID 116 wrote to memory of 4864	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	95
PID 116 wrote to memory of 1280	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	96
PID 116 wrote to memory of 1280	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	96
PID 116 wrote to memory of 1220	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	97
PID 116 wrote to memory of 1220	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	97
PID 116 wrote to memory of 2008	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	98
PID 116 wrote to memory of 2008	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	98
PID 116 wrote to memory of 2892	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	99
PID 116 wrote to memory of 2892	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	99
PID 116 wrote to memory of 3240	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	100
PID 116 wrote to memory of 3240	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	100
PID 116 wrote to memory of 2356	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	101
PID 116 wrote to memory of 2356	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	101
PID 116 wrote to memory of 5116	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	102
PID 116 wrote to memory of 5116	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	102
PID 116 wrote to memory of 3368	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	103
PID 116 wrote to memory of 3368	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	103
PID 116 wrote to memory of 2276	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	104
PID 116 wrote to memory of 2276	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	104
PID 116 wrote to memory of 4576	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	105
PID 116 wrote to memory of 4576	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	105
PID 116 wrote to memory of 4460	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	106
PID 116 wrote to memory of 4460	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	106
PID 116 wrote to memory of 4796	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	107
PID 116 wrote to memory of 4796	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	107
PID 116 wrote to memory of 1572	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	108
PID 116 wrote to memory of 1572	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	108
PID 116 wrote to memory of 5112	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	109
PID 116 wrote to memory of 5112	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	109
PID 116 wrote to memory of 692	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	110
PID 116 wrote to memory of 692	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	110
PID 116 wrote to memory of 1428	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	111
PID 116 wrote to memory of 1428	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	111
PID 116 wrote to memory of 4832	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	112
PID 116 wrote to memory of 4832	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	112
PID 116 wrote to memory of 2736	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	113
PID 116 wrote to memory of 2736	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	113
PID 116 wrote to memory of 4884	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	114
PID 116 wrote to memory of 4884	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	114
PID 116 wrote to memory of 3404	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	115
PID 116 wrote to memory of 3404	116	0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe	115

C:\Users\Admin\AppData\Local\Temp\0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0fa829435e425b2a8882c96f8e0e9a68_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:116
- C:\Windows\System32\WIrIzcN.exe
  C:\Windows\System32\WIrIzcN.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System32\VXmiOjT.exe
  C:\Windows\System32\VXmiOjT.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System32\flvEULM.exe
  C:\Windows\System32\flvEULM.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System32\bcNLWOk.exe
  C:\Windows\System32\bcNLWOk.exe
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Windows\System32\dlWAtgI.exe
  C:\Windows\System32\dlWAtgI.exe
  2⤵
  - Executes dropped EXE
  PID:4420
- C:\Windows\System32\YouwUdX.exe
  C:\Windows\System32\YouwUdX.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System32\tPKBRXA.exe
  C:\Windows\System32\tPKBRXA.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System32\uBkBZUE.exe
  C:\Windows\System32\uBkBZUE.exe
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Windows\System32\AfjFFOd.exe
  C:\Windows\System32\AfjFFOd.exe
  2⤵
  - Executes dropped EXE
  PID:4244
- C:\Windows\System32\FjqZeWc.exe
  C:\Windows\System32\FjqZeWc.exe
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\System32\bTuvYyo.exe
  C:\Windows\System32\bTuvYyo.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System32\EsAbKGc.exe
  C:\Windows\System32\EsAbKGc.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System32\bfxjOEx.exe
  C:\Windows\System32\bfxjOEx.exe
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\System32\ycAuZJe.exe
  C:\Windows\System32\ycAuZJe.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System32\hlCbHYm.exe
  C:\Windows\System32\hlCbHYm.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System32\QnBpBGG.exe
  C:\Windows\System32\QnBpBGG.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System32\MFINeHJ.exe
  C:\Windows\System32\MFINeHJ.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System32\tqAfoME.exe
  C:\Windows\System32\tqAfoME.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System32\sCGuknG.exe
  C:\Windows\System32\sCGuknG.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System32\vckbwLg.exe
  C:\Windows\System32\vckbwLg.exe
  2⤵
  - Executes dropped EXE
  PID:3368
- C:\Windows\System32\WipbNRI.exe
  C:\Windows\System32\WipbNRI.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System32\VDimPdv.exe
  C:\Windows\System32\VDimPdv.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System32\iGPNECD.exe
  C:\Windows\System32\iGPNECD.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System32\PwjbkMM.exe
  C:\Windows\System32\PwjbkMM.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System32\kKhtJnN.exe
  C:\Windows\System32\kKhtJnN.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System32\iAkHwXw.exe
  C:\Windows\System32\iAkHwXw.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System32\bZTIdBP.exe
  C:\Windows\System32\bZTIdBP.exe
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Windows\System32\ynayafj.exe
  C:\Windows\System32\ynayafj.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System32\JFVrdxc.exe
  C:\Windows\System32\JFVrdxc.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System32\dxXosvX.exe
  C:\Windows\System32\dxXosvX.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System32\ddjatoh.exe
  C:\Windows\System32\ddjatoh.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System32\wanDoTy.exe
  C:\Windows\System32\wanDoTy.exe
  2⤵
  - Executes dropped EXE
  PID:3404
- C:\Windows\System32\WBrXpLQ.exe
  C:\Windows\System32\WBrXpLQ.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\System32\ldRnuLh.exe
  C:\Windows\System32\ldRnuLh.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System32\HBamVcJ.exe
  C:\Windows\System32\HBamVcJ.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System32\PfuPBRK.exe
  C:\Windows\System32\PfuPBRK.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System32\pzqGkfF.exe
  C:\Windows\System32\pzqGkfF.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\System32\JBRUEOM.exe
  C:\Windows\System32\JBRUEOM.exe
  2⤵
  - Executes dropped EXE
  PID:4152
- C:\Windows\System32\kCitfMU.exe
  C:\Windows\System32\kCitfMU.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System32\LmABnpH.exe
  C:\Windows\System32\LmABnpH.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System32\TJpxagY.exe
  C:\Windows\System32\TJpxagY.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System32\wcgQIgR.exe
  C:\Windows\System32\wcgQIgR.exe
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\System32\YpkXlvw.exe
  C:\Windows\System32\YpkXlvw.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System32\vRCwZqi.exe
  C:\Windows\System32\vRCwZqi.exe
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\System32\sNEDaON.exe
  C:\Windows\System32\sNEDaON.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System32\SWmFhBw.exe
  C:\Windows\System32\SWmFhBw.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System32\QvVhjKr.exe
  C:\Windows\System32\QvVhjKr.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System32\LqdJchh.exe
  C:\Windows\System32\LqdJchh.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System32\gsgxSOF.exe
  C:\Windows\System32\gsgxSOF.exe
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\System32\DkzUotV.exe
  C:\Windows\System32\DkzUotV.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System32\erZUCyg.exe
  C:\Windows\System32\erZUCyg.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System32\DLGClDH.exe
  C:\Windows\System32\DLGClDH.exe
  2⤵
  - Executes dropped EXE
  PID:4296
- C:\Windows\System32\drBBmQr.exe
  C:\Windows\System32\drBBmQr.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System32\JzqLsKY.exe
  C:\Windows\System32\JzqLsKY.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System32\PcxOCfK.exe
  C:\Windows\System32\PcxOCfK.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System32\etDHJvP.exe
  C:\Windows\System32\etDHJvP.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System32\amTcgMk.exe
  C:\Windows\System32\amTcgMk.exe
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\System32\fITEGQG.exe
  C:\Windows\System32\fITEGQG.exe
  2⤵
  - Executes dropped EXE
  PID:3252
- C:\Windows\System32\NOSTSKg.exe
  C:\Windows\System32\NOSTSKg.exe
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\System32\RxcEHqh.exe
  C:\Windows\System32\RxcEHqh.exe
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Windows\System32\EDEmNIh.exe
  C:\Windows\System32\EDEmNIh.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System32\fOXtAHE.exe
  C:\Windows\System32\fOXtAHE.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System32\kCOlJGK.exe
  C:\Windows\System32\kCOlJGK.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System32\udkCUCD.exe
  C:\Windows\System32\udkCUCD.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\System32\WPwAXEd.exe
  C:\Windows\System32\WPwAXEd.exe
  2⤵
  PID:1060
- C:\Windows\System32\awthOKk.exe
  C:\Windows\System32\awthOKk.exe
  2⤵
  PID:2492
- C:\Windows\System32\beasmoz.exe
  C:\Windows\System32\beasmoz.exe
  2⤵
  PID:2608
- C:\Windows\System32\hVzTbIl.exe
  C:\Windows\System32\hVzTbIl.exe
  2⤵
  PID:3736
- C:\Windows\System32\QtVVbYa.exe
  C:\Windows\System32\QtVVbYa.exe
  2⤵
  PID:5108
- C:\Windows\System32\ZsZCnkv.exe
  C:\Windows\System32\ZsZCnkv.exe
  2⤵
  PID:2164
- C:\Windows\System32\WCRGMds.exe
  C:\Windows\System32\WCRGMds.exe
  2⤵
  PID:3668
- C:\Windows\System32\yubgWwK.exe
  C:\Windows\System32\yubgWwK.exe
  2⤵
  PID:4424
- C:\Windows\System32\eLoIUEI.exe
  C:\Windows\System32\eLoIUEI.exe
  2⤵
  PID:3396
- C:\Windows\System32\VTRRvRl.exe
  C:\Windows\System32\VTRRvRl.exe
  2⤵
  PID:1892
- C:\Windows\System32\MHCAlDw.exe
  C:\Windows\System32\MHCAlDw.exe
  2⤵
  PID:744
- C:\Windows\System32\VOUwLHH.exe
  C:\Windows\System32\VOUwLHH.exe
  2⤵
  PID:4684
- C:\Windows\System32\pNkICDf.exe
  C:\Windows\System32\pNkICDf.exe
  2⤵
  PID:4504
- C:\Windows\System32\DIpxyyl.exe
  C:\Windows\System32\DIpxyyl.exe
  2⤵
  PID:712
- C:\Windows\System32\kzSvknb.exe
  C:\Windows\System32\kzSvknb.exe
  2⤵
  PID:2820
- C:\Windows\System32\bUnnrcL.exe
  C:\Windows\System32\bUnnrcL.exe
  2⤵
  PID:1236
- C:\Windows\System32\gDaKLgv.exe
  C:\Windows\System32\gDaKLgv.exe
  2⤵
  PID:4332
- C:\Windows\System32\vVdUFDr.exe
  C:\Windows\System32\vVdUFDr.exe
  2⤵
  PID:2284
- C:\Windows\System32\OQIWqfR.exe
  C:\Windows\System32\OQIWqfR.exe
  2⤵
  PID:2256
- C:\Windows\System32\sHemLRK.exe
  C:\Windows\System32\sHemLRK.exe
  2⤵
  PID:2160
- C:\Windows\System32\xLMhYUc.exe
  C:\Windows\System32\xLMhYUc.exe
  2⤵
  PID:1744
- C:\Windows\System32\uuXceud.exe
  C:\Windows\System32\uuXceud.exe
  2⤵
  PID:4496
- C:\Windows\System32\UVsvRjO.exe
  C:\Windows\System32\UVsvRjO.exe
  2⤵
  PID:1352
- C:\Windows\System32\UvDkqhn.exe
  C:\Windows\System32\UvDkqhn.exe
  2⤵
  PID:2092
- C:\Windows\System32\zDQIClr.exe
  C:\Windows\System32\zDQIClr.exe
  2⤵
  PID:5092
- C:\Windows\System32\XfFiTsN.exe
  C:\Windows\System32\XfFiTsN.exe
  2⤵
  PID:1624
- C:\Windows\System32\pYSoMYn.exe
  C:\Windows\System32\pYSoMYn.exe
  2⤵
  PID:1856
- C:\Windows\System32\QGzxdHl.exe
  C:\Windows\System32\QGzxdHl.exe
  2⤵
  PID:2704
- C:\Windows\System32\gMhFLJB.exe
  C:\Windows\System32\gMhFLJB.exe
  2⤵
  PID:2872
- C:\Windows\System32\rNPrTvx.exe
  C:\Windows\System32\rNPrTvx.exe
  2⤵
  PID:5132
- C:\Windows\System32\NaAuyhk.exe
  C:\Windows\System32\NaAuyhk.exe
  2⤵
  PID:5164
- C:\Windows\System32\jwWNCMc.exe
  C:\Windows\System32\jwWNCMc.exe
  2⤵
  PID:5184
- C:\Windows\System32\FtVdhJS.exe
  C:\Windows\System32\FtVdhJS.exe
  2⤵
  PID:5216
- C:\Windows\System32\SMqlTVU.exe
  C:\Windows\System32\SMqlTVU.exe
  2⤵
  PID:5244
- C:\Windows\System32\mYGMnsq.exe
  C:\Windows\System32\mYGMnsq.exe
  2⤵
  PID:5272
- C:\Windows\System32\HRFFwRZ.exe
  C:\Windows\System32\HRFFwRZ.exe
  2⤵
  PID:5300
- C:\Windows\System32\xDAIJog.exe
  C:\Windows\System32\xDAIJog.exe
  2⤵
  PID:5332
- C:\Windows\System32\BFNcSbe.exe
  C:\Windows\System32\BFNcSbe.exe
  2⤵
  PID:5352
- C:\Windows\System32\VUzKwWP.exe
  C:\Windows\System32\VUzKwWP.exe
  2⤵
  PID:5384
- C:\Windows\System32\jNILQAL.exe
  C:\Windows\System32\jNILQAL.exe
  2⤵
  PID:5416
- C:\Windows\System32\kJBbnqT.exe
  C:\Windows\System32\kJBbnqT.exe
  2⤵
  PID:5436
- C:\Windows\System32\ukfRsIP.exe
  C:\Windows\System32\ukfRsIP.exe
  2⤵
  PID:5472
- C:\Windows\System32\elYwFBR.exe
  C:\Windows\System32\elYwFBR.exe
  2⤵
  PID:5504
- C:\Windows\System32\MuEOTPY.exe
  C:\Windows\System32\MuEOTPY.exe
  2⤵
  PID:5520
- C:\Windows\System32\ChdmvkD.exe
  C:\Windows\System32\ChdmvkD.exe
  2⤵
  PID:5552
- C:\Windows\System32\EZmgXiL.exe
  C:\Windows\System32\EZmgXiL.exe
  2⤵
  PID:5576
- C:\Windows\System32\mvhziPm.exe
  C:\Windows\System32\mvhziPm.exe
  2⤵
  PID:5656
- C:\Windows\System32\ITrbAXD.exe
  C:\Windows\System32\ITrbAXD.exe
  2⤵
  PID:5696
- C:\Windows\System32\rUjrOaY.exe
  C:\Windows\System32\rUjrOaY.exe
  2⤵
  PID:5712
- C:\Windows\System32\kFmgFPD.exe
  C:\Windows\System32\kFmgFPD.exe
  2⤵
  PID:5764
- C:\Windows\System32\UXunIti.exe
  C:\Windows\System32\UXunIti.exe
  2⤵
  PID:5788
- C:\Windows\System32\BDxiTjb.exe
  C:\Windows\System32\BDxiTjb.exe
  2⤵
  PID:5824
- C:\Windows\System32\NklkjBz.exe
  C:\Windows\System32\NklkjBz.exe
  2⤵
  PID:5856
- C:\Windows\System32\tjnfGes.exe
  C:\Windows\System32\tjnfGes.exe
  2⤵
  PID:5884
- C:\Windows\System32\JKFEMFQ.exe
  C:\Windows\System32\JKFEMFQ.exe
  2⤵
  PID:5904
- C:\Windows\System32\ruFmTyF.exe
  C:\Windows\System32\ruFmTyF.exe
  2⤵
  PID:5920
- C:\Windows\System32\VGxPOtq.exe
  C:\Windows\System32\VGxPOtq.exe
  2⤵
  PID:5936
- C:\Windows\System32\miosQub.exe
  C:\Windows\System32\miosQub.exe
  2⤵
  PID:5952
- C:\Windows\System32\RUYLUxg.exe
  C:\Windows\System32\RUYLUxg.exe
  2⤵
  PID:5976
- C:\Windows\System32\fqQGbWn.exe
  C:\Windows\System32\fqQGbWn.exe
  2⤵
  PID:5992
- C:\Windows\System32\WsOMLat.exe
  C:\Windows\System32\WsOMLat.exe
  2⤵
  PID:6016
- C:\Windows\System32\tiKwEXi.exe
  C:\Windows\System32\tiKwEXi.exe
  2⤵
  PID:6040
- C:\Windows\System32\FxYLqqj.exe
  C:\Windows\System32\FxYLqqj.exe
  2⤵
  PID:6104
- C:\Windows\System32\GXftIIC.exe
  C:\Windows\System32\GXftIIC.exe
  2⤵
  PID:2976
- C:\Windows\System32\nNjcmzI.exe
  C:\Windows\System32\nNjcmzI.exe
  2⤵
  PID:2100
- C:\Windows\System32\lNghHza.exe
  C:\Windows\System32\lNghHza.exe
  2⤵
  PID:1224
- C:\Windows\System32\JLMZVob.exe
  C:\Windows\System32\JLMZVob.exe
  2⤵
  PID:5152
- C:\Windows\System32\wcvPifP.exe
  C:\Windows\System32\wcvPifP.exe
  2⤵
  PID:5200
- C:\Windows\System32\ZlHbbee.exe
  C:\Windows\System32\ZlHbbee.exe
  2⤵
  PID:5224
- C:\Windows\System32\nJdUIPX.exe
  C:\Windows\System32\nJdUIPX.exe
  2⤵
  PID:5340
- C:\Windows\System32\zLRXeIn.exe
  C:\Windows\System32\zLRXeIn.exe
  2⤵
  PID:5392
- C:\Windows\System32\aTRgwCB.exe
  C:\Windows\System32\aTRgwCB.exe
  2⤵
  PID:5424
- C:\Windows\System32\MyypaHk.exe
  C:\Windows\System32\MyypaHk.exe
  2⤵
  PID:2288
- C:\Windows\System32\PPjGSmz.exe
  C:\Windows\System32\PPjGSmz.exe
  2⤵
  PID:2308
- C:\Windows\System32\TiBhLhy.exe
  C:\Windows\System32\TiBhLhy.exe
  2⤵
  PID:2240
- C:\Windows\System32\GjlZmMh.exe
  C:\Windows\System32\GjlZmMh.exe
  2⤵
  PID:5540
- C:\Windows\System32\euSxAAs.exe
  C:\Windows\System32\euSxAAs.exe
  2⤵
  PID:5624
- C:\Windows\System32\hKMzifb.exe
  C:\Windows\System32\hKMzifb.exe
  2⤵
  PID:5672
- C:\Windows\System32\kfbTzeM.exe
  C:\Windows\System32\kfbTzeM.exe
  2⤵
  PID:5780
- C:\Windows\System32\NVphqjR.exe
  C:\Windows\System32\NVphqjR.exe
  2⤵
  PID:2016
- C:\Windows\System32\mAXNfSR.exe
  C:\Windows\System32\mAXNfSR.exe
  2⤵
  PID:3376
- C:\Windows\System32\DMxnfRY.exe
  C:\Windows\System32\DMxnfRY.exe
  2⤵
  PID:432
- C:\Windows\System32\TdTbQdu.exe
  C:\Windows\System32\TdTbQdu.exe
  2⤵
  PID:5876
- C:\Windows\System32\pgRLBgD.exe
  C:\Windows\System32\pgRLBgD.exe
  2⤵
  PID:5948
- C:\Windows\System32\GgTRgeR.exe
  C:\Windows\System32\GgTRgeR.exe
  2⤵
  PID:6088
- C:\Windows\System32\xzpWwQL.exe
  C:\Windows\System32\xzpWwQL.exe
  2⤵
  PID:2580
- C:\Windows\System32\SvbcQRE.exe
  C:\Windows\System32\SvbcQRE.exe
  2⤵
  PID:2376
- C:\Windows\System32\liYelkd.exe
  C:\Windows\System32\liYelkd.exe
  2⤵
  PID:5192
- C:\Windows\System32\KuNPNyt.exe
  C:\Windows\System32\KuNPNyt.exe
  2⤵
  PID:5288
- C:\Windows\System32\TiKrEyS.exe
  C:\Windows\System32\TiKrEyS.exe
  2⤵
  PID:5432
- C:\Windows\System32\ZLVBcsI.exe
  C:\Windows\System32\ZLVBcsI.exe
  2⤵
  PID:5468
- C:\Windows\System32\SqPaavm.exe
  C:\Windows\System32\SqPaavm.exe
  2⤵
  PID:3788
- C:\Windows\System32\igVlNCo.exe
  C:\Windows\System32\igVlNCo.exe
  2⤵
  PID:5584
- C:\Windows\System32\uwNSkHH.exe
  C:\Windows\System32\uwNSkHH.exe
  2⤵
  PID:5744
- C:\Windows\System32\daXGJbD.exe
  C:\Windows\System32\daXGJbD.exe
  2⤵
  PID:3980
- C:\Windows\System32\pGQJdLc.exe
  C:\Windows\System32\pGQJdLc.exe
  2⤵
  PID:5832
- C:\Windows\System32\NzhGPbs.exe
  C:\Windows\System32\NzhGPbs.exe
  2⤵
  PID:5292
- C:\Windows\System32\EHGnsRi.exe
  C:\Windows\System32\EHGnsRi.exe
  2⤵
  PID:436
- C:\Windows\System32\QXbUDjp.exe
  C:\Windows\System32\QXbUDjp.exe
  2⤵
  PID:3772
- C:\Windows\System32\gJiWXud.exe
  C:\Windows\System32\gJiWXud.exe
  2⤵
  PID:5512
- C:\Windows\System32\obyXnTl.exe
  C:\Windows\System32\obyXnTl.exe
  2⤵
  PID:5536
- C:\Windows\System32\NYuzzpU.exe
  C:\Windows\System32\NYuzzpU.exe
  2⤵
  PID:4264
- C:\Windows\System32\DjmdTpi.exe
  C:\Windows\System32\DjmdTpi.exe
  2⤵
  PID:5816
- C:\Windows\System32\uAddGZB.exe
  C:\Windows\System32\uAddGZB.exe
  2⤵
  PID:5172
- C:\Windows\System32\DbaIaFa.exe
  C:\Windows\System32\DbaIaFa.exe
  2⤵
  PID:2952
- C:\Windows\System32\JkFyAaK.exe
  C:\Windows\System32\JkFyAaK.exe
  2⤵
  PID:5616
- C:\Windows\System32\iMXexlY.exe
  C:\Windows\System32\iMXexlY.exe
  2⤵
  PID:6160
- C:\Windows\System32\NNsuUwL.exe
  C:\Windows\System32\NNsuUwL.exe
  2⤵
  PID:6180
- C:\Windows\System32\OYZKtfG.exe
  C:\Windows\System32\OYZKtfG.exe
  2⤵
  PID:6196
- C:\Windows\System32\GaAlcvd.exe
  C:\Windows\System32\GaAlcvd.exe
  2⤵
  PID:6220
- C:\Windows\System32\EoMwNYB.exe
  C:\Windows\System32\EoMwNYB.exe
  2⤵
  PID:6252
- C:\Windows\System32\rdpiVgu.exe
  C:\Windows\System32\rdpiVgu.exe
  2⤵
  PID:6272
- C:\Windows\System32\WxgQpZI.exe
  C:\Windows\System32\WxgQpZI.exe
  2⤵
  PID:6288
- C:\Windows\System32\YqUpkIb.exe
  C:\Windows\System32\YqUpkIb.exe
  2⤵
  PID:6312
- C:\Windows\System32\keiTbGi.exe
  C:\Windows\System32\keiTbGi.exe
  2⤵
  PID:6372
- C:\Windows\System32\lFZxYwy.exe
  C:\Windows\System32\lFZxYwy.exe
  2⤵
  PID:6432
- C:\Windows\System32\LKHMlAt.exe
  C:\Windows\System32\LKHMlAt.exe
  2⤵
  PID:6468
- C:\Windows\System32\pVaxEVM.exe
  C:\Windows\System32\pVaxEVM.exe
  2⤵
  PID:6516
- C:\Windows\System32\onKwtGa.exe
  C:\Windows\System32\onKwtGa.exe
  2⤵
  PID:6556
- C:\Windows\System32\qzPrHki.exe
  C:\Windows\System32\qzPrHki.exe
  2⤵
  PID:6580
- C:\Windows\System32\lowhDHc.exe
  C:\Windows\System32\lowhDHc.exe
  2⤵
  PID:6600
- C:\Windows\System32\EZlhKdS.exe
  C:\Windows\System32\EZlhKdS.exe
  2⤵
  PID:6620
- C:\Windows\System32\jLDBSrC.exe
  C:\Windows\System32\jLDBSrC.exe
  2⤵
  PID:6640
- C:\Windows\System32\VWiLqSU.exe
  C:\Windows\System32\VWiLqSU.exe
  2⤵
  PID:6680
- C:\Windows\System32\PCAKCji.exe
  C:\Windows\System32\PCAKCji.exe
  2⤵
  PID:6712
- C:\Windows\System32\BvzGbHD.exe
  C:\Windows\System32\BvzGbHD.exe
  2⤵
  PID:6740
- C:\Windows\System32\EuMcVRr.exe
  C:\Windows\System32\EuMcVRr.exe
  2⤵
  PID:6760
- C:\Windows\System32\ZGZhZcX.exe
  C:\Windows\System32\ZGZhZcX.exe
  2⤵
  PID:6780
- C:\Windows\System32\xUwfonM.exe
  C:\Windows\System32\xUwfonM.exe
  2⤵
  PID:6824
- C:\Windows\System32\bbunBGy.exe
  C:\Windows\System32\bbunBGy.exe
  2⤵
  PID:6868
- C:\Windows\System32\ahaopRh.exe
  C:\Windows\System32\ahaopRh.exe
  2⤵
  PID:6916
- C:\Windows\System32\MlRhjmM.exe
  C:\Windows\System32\MlRhjmM.exe
  2⤵
  PID:6940
- C:\Windows\System32\ZKQjjis.exe
  C:\Windows\System32\ZKQjjis.exe
  2⤵
  PID:6960
- C:\Windows\System32\iREMsTy.exe
  C:\Windows\System32\iREMsTy.exe
  2⤵
  PID:6988
- C:\Windows\System32\tOeaXaS.exe
  C:\Windows\System32\tOeaXaS.exe
  2⤵
  PID:7008
- C:\Windows\System32\AUvdWaV.exe
  C:\Windows\System32\AUvdWaV.exe
  2⤵
  PID:7036
- C:\Windows\System32\GHGyHFa.exe
  C:\Windows\System32\GHGyHFa.exe
  2⤵
  PID:7060
- C:\Windows\System32\UXAMMKU.exe
  C:\Windows\System32\UXAMMKU.exe
  2⤵
  PID:7080
- C:\Windows\System32\AyRAyWh.exe
  C:\Windows\System32\AyRAyWh.exe
  2⤵
  PID:7128
- C:\Windows\System32\bNzdMJg.exe
  C:\Windows\System32\bNzdMJg.exe
  2⤵
  PID:7156
- C:\Windows\System32\ejooWXG.exe
  C:\Windows\System32\ejooWXG.exe
  2⤵
  PID:428
- C:\Windows\System32\fuxgwYF.exe
  C:\Windows\System32\fuxgwYF.exe
  2⤵
  PID:6156
- C:\Windows\System32\JODixSl.exe
  C:\Windows\System32\JODixSl.exe
  2⤵
  PID:6192
- C:\Windows\System32\quygBpV.exe
  C:\Windows\System32\quygBpV.exe
  2⤵
  PID:6244
- C:\Windows\System32\MfJgNgy.exe
  C:\Windows\System32\MfJgNgy.exe
  2⤵
  PID:6284
- C:\Windows\System32\mftuKdO.exe
  C:\Windows\System32\mftuKdO.exe
  2⤵
  PID:6280
- C:\Windows\System32\LGNCrhx.exe
  C:\Windows\System32\LGNCrhx.exe
  2⤵
  PID:6332
- C:\Windows\System32\OeePdjo.exe
  C:\Windows\System32\OeePdjo.exe
  2⤵
  PID:6484
- C:\Windows\System32\aBaJUKI.exe
  C:\Windows\System32\aBaJUKI.exe
  2⤵
  PID:6576
- C:\Windows\System32\XTJexBw.exe
  C:\Windows\System32\XTJexBw.exe
  2⤵
  PID:6608
- C:\Windows\System32\VWLUTCC.exe
  C:\Windows\System32\VWLUTCC.exe
  2⤵
  PID:6652
- C:\Windows\System32\nlMRFsY.exe
  C:\Windows\System32\nlMRFsY.exe
  2⤵
  PID:6864
- C:\Windows\System32\asvkogb.exe
  C:\Windows\System32\asvkogb.exe
  2⤵
  PID:6936
- C:\Windows\System32\WtbgIXC.exe
  C:\Windows\System32\WtbgIXC.exe
  2⤵
  PID:6948
- C:\Windows\System32\dpLLNyv.exe
  C:\Windows\System32\dpLLNyv.exe
  2⤵
  PID:7004
- C:\Windows\System32\dpgPaXf.exe
  C:\Windows\System32\dpgPaXf.exe
  2⤵
  PID:7052
- C:\Windows\System32\abBjMVU.exe
  C:\Windows\System32\abBjMVU.exe
  2⤵
  PID:7116
- C:\Windows\System32\BEIAgrA.exe
  C:\Windows\System32\BEIAgrA.exe
  2⤵
  PID:7140
- C:\Windows\System32\GkUQEYR.exe
  C:\Windows\System32\GkUQEYR.exe
  2⤵
  PID:5368
- C:\Windows\System32\thbJUku.exe
  C:\Windows\System32\thbJUku.exe
  2⤵
  PID:5708
- C:\Windows\System32\tzCDUQB.exe
  C:\Windows\System32\tzCDUQB.exe
  2⤵
  PID:6460
- C:\Windows\System32\CPyXiDx.exe
  C:\Windows\System32\CPyXiDx.exe
  2⤵
  PID:6804
- C:\Windows\System32\ALjlbfW.exe
  C:\Windows\System32\ALjlbfW.exe
  2⤵
  PID:6956
- C:\Windows\System32\WEUXnXz.exe
  C:\Windows\System32\WEUXnXz.exe
  2⤵
  PID:7016
- C:\Windows\System32\BUfPKkT.exe
  C:\Windows\System32\BUfPKkT.exe
  2⤵
  PID:6384
- C:\Windows\System32\GJWpyCl.exe
  C:\Windows\System32\GJWpyCl.exe
  2⤵
  PID:6756
- C:\Windows\System32\lZWsVgR.exe
  C:\Windows\System32\lZWsVgR.exe
  2⤵
  PID:6660
- C:\Windows\System32\AvFhZxp.exe
  C:\Windows\System32\AvFhZxp.exe
  2⤵
  PID:6664
- C:\Windows\System32\SbsgYPN.exe
  C:\Windows\System32\SbsgYPN.exe
  2⤵
  PID:7192
- C:\Windows\System32\YUqZNWT.exe
  C:\Windows\System32\YUqZNWT.exe
  2⤵
  PID:7212
- C:\Windows\System32\FcyGSvM.exe
  C:\Windows\System32\FcyGSvM.exe
  2⤵
  PID:7228
- C:\Windows\System32\cGVtHBx.exe
  C:\Windows\System32\cGVtHBx.exe
  2⤵
  PID:7248
- C:\Windows\System32\tossnpX.exe
  C:\Windows\System32\tossnpX.exe
  2⤵
  PID:7276
- C:\Windows\System32\kJYuQcr.exe
  C:\Windows\System32\kJYuQcr.exe
  2⤵
  PID:7304
- C:\Windows\System32\zoUpimj.exe
  C:\Windows\System32\zoUpimj.exe
  2⤵
  PID:7324
- C:\Windows\System32\dCyZeLL.exe
  C:\Windows\System32\dCyZeLL.exe
  2⤵
  PID:7340
- C:\Windows\System32\uZDhbBz.exe
  C:\Windows\System32\uZDhbBz.exe
  2⤵
  PID:7388
- C:\Windows\System32\iTWnOHI.exe
  C:\Windows\System32\iTWnOHI.exe
  2⤵
  PID:7432
- C:\Windows\System32\jiSseJz.exe
  C:\Windows\System32\jiSseJz.exe
  2⤵
  PID:7456
- C:\Windows\System32\ZZDHIZo.exe
  C:\Windows\System32\ZZDHIZo.exe
  2⤵
  PID:7476
- C:\Windows\System32\kLelQlN.exe
  C:\Windows\System32\kLelQlN.exe
  2⤵
  PID:7496
- C:\Windows\System32\ydefYIz.exe
  C:\Windows\System32\ydefYIz.exe
  2⤵
  PID:7548
- C:\Windows\System32\ThRUxIM.exe
  C:\Windows\System32\ThRUxIM.exe
  2⤵
  PID:7568
- C:\Windows\System32\scJhzwz.exe
  C:\Windows\System32\scJhzwz.exe
  2⤵
  PID:7600
- C:\Windows\System32\ZJdBThm.exe
  C:\Windows\System32\ZJdBThm.exe
  2⤵
  PID:7628
- C:\Windows\System32\gQFPuLq.exe
  C:\Windows\System32\gQFPuLq.exe
  2⤵
  PID:7648
- C:\Windows\System32\TWZvxzu.exe
  C:\Windows\System32\TWZvxzu.exe
  2⤵
  PID:7672
- C:\Windows\System32\ZAmjXiN.exe
  C:\Windows\System32\ZAmjXiN.exe
  2⤵
  PID:7704
- C:\Windows\System32\TEBShdB.exe
  C:\Windows\System32\TEBShdB.exe
  2⤵
  PID:7732
- C:\Windows\System32\wjxggQc.exe
  C:\Windows\System32\wjxggQc.exe
  2⤵
  PID:7760
- C:\Windows\System32\nBloiUI.exe
  C:\Windows\System32\nBloiUI.exe
  2⤵
  PID:7784
- C:\Windows\System32\nIjevnZ.exe
  C:\Windows\System32\nIjevnZ.exe
  2⤵
  PID:7812
- C:\Windows\System32\HtCZMvO.exe
  C:\Windows\System32\HtCZMvO.exe
  2⤵
  PID:7832
- C:\Windows\System32\wwTlbUM.exe
  C:\Windows\System32\wwTlbUM.exe
  2⤵
  PID:7856
- C:\Windows\System32\uWEHxdR.exe
  C:\Windows\System32\uWEHxdR.exe
  2⤵
  PID:7876
- C:\Windows\System32\UdYbvJo.exe
  C:\Windows\System32\UdYbvJo.exe
  2⤵
  PID:7892
- C:\Windows\System32\QCifblX.exe
  C:\Windows\System32\QCifblX.exe
  2⤵
  PID:7920
- C:\Windows\System32\hTcEHid.exe
  C:\Windows\System32\hTcEHid.exe
  2⤵
  PID:7940
- C:\Windows\System32\PjSYypE.exe
  C:\Windows\System32\PjSYypE.exe
  2⤵
  PID:7984
- C:\Windows\System32\lBJbhwU.exe
  C:\Windows\System32\lBJbhwU.exe
  2⤵
  PID:8032
- C:\Windows\System32\VaQOiEJ.exe
  C:\Windows\System32\VaQOiEJ.exe
  2⤵
  PID:8052
- C:\Windows\System32\YHeYALJ.exe
  C:\Windows\System32\YHeYALJ.exe
  2⤵
  PID:8076
- C:\Windows\System32\kCoIxeL.exe
  C:\Windows\System32\kCoIxeL.exe
  2⤵
  PID:8092
- C:\Windows\System32\OBDDRqF.exe
  C:\Windows\System32\OBDDRqF.exe
  2⤵
  PID:8112
- C:\Windows\System32\UZdccUJ.exe
  C:\Windows\System32\UZdccUJ.exe
  2⤵
  PID:8168
- C:\Windows\System32\qcTsUdT.exe
  C:\Windows\System32\qcTsUdT.exe
  2⤵
  PID:8188
- C:\Windows\System32\OSDQNhN.exe
  C:\Windows\System32\OSDQNhN.exe
  2⤵
  PID:7204
- C:\Windows\System32\JAXphxb.exe
  C:\Windows\System32\JAXphxb.exe
  2⤵
  PID:7348
- C:\Windows\System32\CIQmWaq.exe
  C:\Windows\System32\CIQmWaq.exe
  2⤵
  PID:7448
- C:\Windows\System32\HipPpHC.exe
  C:\Windows\System32\HipPpHC.exe
  2⤵
  PID:7508
- C:\Windows\System32\BgyCyzF.exe
  C:\Windows\System32\BgyCyzF.exe
  2⤵
  PID:7536
- C:\Windows\System32\cXBHMKs.exe
  C:\Windows\System32\cXBHMKs.exe
  2⤵
  PID:7584
- C:\Windows\System32\cHcDtsN.exe
  C:\Windows\System32\cHcDtsN.exe
  2⤵
  PID:7668
- C:\Windows\System32\zUWlMHF.exe
  C:\Windows\System32\zUWlMHF.exe
  2⤵
  PID:7752
- C:\Windows\System32\pEkrssT.exe
  C:\Windows\System32\pEkrssT.exe
  2⤵
  PID:7740
- C:\Windows\System32\JYwmtDY.exe
  C:\Windows\System32\JYwmtDY.exe
  2⤵
  PID:7840
- C:\Windows\System32\SLPlxFR.exe
  C:\Windows\System32\SLPlxFR.exe
  2⤵
  PID:7956
- C:\Windows\System32\gELzGCb.exe
  C:\Windows\System32\gELzGCb.exe
  2⤵
  PID:7868
- C:\Windows\System32\mMdCWLH.exe
  C:\Windows\System32\mMdCWLH.exe
  2⤵
  PID:8012
- C:\Windows\System32\kCWvAss.exe
  C:\Windows\System32\kCWvAss.exe
  2⤵
  PID:8040
- C:\Windows\System32\hPdRoHq.exe
  C:\Windows\System32\hPdRoHq.exe
  2⤵
  PID:8184
- C:\Windows\System32\GHRxyod.exe
  C:\Windows\System32\GHRxyod.exe
  2⤵
  PID:7320
- C:\Windows\System32\PomGNpH.exe
  C:\Windows\System32\PomGNpH.exe
  2⤵
  PID:7408
- C:\Windows\System32\UHcHMEV.exe
  C:\Windows\System32\UHcHMEV.exe
  2⤵
  PID:7468
- C:\Windows\System32\pmtnUeB.exe
  C:\Windows\System32\pmtnUeB.exe
  2⤵
  PID:7656
- C:\Windows\System32\eOJQwkF.exe
  C:\Windows\System32\eOJQwkF.exe
  2⤵
  PID:7724
- C:\Windows\System32\HPqHLex.exe
  C:\Windows\System32\HPqHLex.exe
  2⤵
  PID:8048
- C:\Windows\System32\kkcOPEi.exe
  C:\Windows\System32\kkcOPEi.exe
  2⤵
  PID:7824
- C:\Windows\System32\tQUUZIT.exe
  C:\Windows\System32\tQUUZIT.exe
  2⤵
  PID:7260
- C:\Windows\System32\QsGqEQS.exe
  C:\Windows\System32\QsGqEQS.exe
  2⤵
  PID:7612
- C:\Windows\System32\wmRumOb.exe
  C:\Windows\System32\wmRumOb.exe
  2⤵
  PID:8104
- C:\Windows\System32\cmIVgmW.exe
  C:\Windows\System32\cmIVgmW.exe
  2⤵
  PID:8200
- C:\Windows\System32\FdhbZWj.exe
  C:\Windows\System32\FdhbZWj.exe
  2⤵
  PID:8224
- C:\Windows\System32\ZcTRnsm.exe
  C:\Windows\System32\ZcTRnsm.exe
  2⤵
  PID:8248
- C:\Windows\System32\zghWDra.exe
  C:\Windows\System32\zghWDra.exe
  2⤵
  PID:8272
- C:\Windows\System32\mOwYdbe.exe
  C:\Windows\System32\mOwYdbe.exe
  2⤵
  PID:8308
- C:\Windows\System32\LcYGyBl.exe
  C:\Windows\System32\LcYGyBl.exe
  2⤵
  PID:8332
- C:\Windows\System32\QnVmmVB.exe
  C:\Windows\System32\QnVmmVB.exe
  2⤵
  PID:8348
- C:\Windows\System32\PNZASPl.exe
  C:\Windows\System32\PNZASPl.exe
  2⤵
  PID:8412
- C:\Windows\System32\eMPXZQG.exe
  C:\Windows\System32\eMPXZQG.exe
  2⤵
  PID:8436
- C:\Windows\System32\rrokDht.exe
  C:\Windows\System32\rrokDht.exe
  2⤵
  PID:8460
- C:\Windows\System32\PYXeiMH.exe
  C:\Windows\System32\PYXeiMH.exe
  2⤵
  PID:8476
- C:\Windows\System32\ZJBuFaO.exe
  C:\Windows\System32\ZJBuFaO.exe
  2⤵
  PID:8492
- C:\Windows\System32\BzCYuCr.exe
  C:\Windows\System32\BzCYuCr.exe
  2⤵
  PID:8544
- C:\Windows\System32\IVIIPYS.exe
  C:\Windows\System32\IVIIPYS.exe
  2⤵
  PID:8584
- C:\Windows\System32\gUoYbES.exe
  C:\Windows\System32\gUoYbES.exe
  2⤵
  PID:8604
- C:\Windows\System32\bmxrvKp.exe
  C:\Windows\System32\bmxrvKp.exe
  2⤵
  PID:8632
- C:\Windows\System32\Jxfwruj.exe
  C:\Windows\System32\Jxfwruj.exe
  2⤵
  PID:8676
- C:\Windows\System32\NTQSdCf.exe
  C:\Windows\System32\NTQSdCf.exe
  2⤵
  PID:8700
- C:\Windows\System32\KHhXCjY.exe
  C:\Windows\System32\KHhXCjY.exe
  2⤵
  PID:8716
- C:\Windows\System32\uturJcf.exe
  C:\Windows\System32\uturJcf.exe
  2⤵
  PID:8740
- C:\Windows\System32\gIYGmrV.exe
  C:\Windows\System32\gIYGmrV.exe
  2⤵
  PID:8756
- C:\Windows\System32\JxfHZiy.exe
  C:\Windows\System32\JxfHZiy.exe
  2⤵
  PID:8796
- C:\Windows\System32\xpEUfMl.exe
  C:\Windows\System32\xpEUfMl.exe
  2⤵
  PID:8816
- C:\Windows\System32\vWMfrUD.exe
  C:\Windows\System32\vWMfrUD.exe
  2⤵
  PID:8848
- C:\Windows\System32\XvhRBHJ.exe
  C:\Windows\System32\XvhRBHJ.exe
  2⤵
  PID:8880
- C:\Windows\System32\SFhTrfV.exe
  C:\Windows\System32\SFhTrfV.exe
  2⤵
  PID:8900
- C:\Windows\System32\DRtVZfP.exe
  C:\Windows\System32\DRtVZfP.exe
  2⤵
  PID:8920
- C:\Windows\System32\UMRIqTC.exe
  C:\Windows\System32\UMRIqTC.exe
  2⤵
  PID:8944
- C:\Windows\System32\cilAGwc.exe
  C:\Windows\System32\cilAGwc.exe
  2⤵
  PID:9004
- C:\Windows\System32\FCHBtNP.exe
  C:\Windows\System32\FCHBtNP.exe
  2⤵
  PID:9028
- C:\Windows\System32\pflHMqs.exe
  C:\Windows\System32\pflHMqs.exe
  2⤵
  PID:9056
- C:\Windows\System32\eyrqwwG.exe
  C:\Windows\System32\eyrqwwG.exe
  2⤵
  PID:9072
- C:\Windows\System32\oCivppb.exe
  C:\Windows\System32\oCivppb.exe
  2⤵
  PID:9088
- C:\Windows\System32\tLrQUDH.exe
  C:\Windows\System32\tLrQUDH.exe
  2⤵
  PID:9108
- C:\Windows\System32\jHDMAyM.exe
  C:\Windows\System32\jHDMAyM.exe
  2⤵
  PID:9132
- C:\Windows\System32\bSiBljF.exe
  C:\Windows\System32\bSiBljF.exe
  2⤵
  PID:9148
- C:\Windows\System32\VElFEff.exe
  C:\Windows\System32\VElFEff.exe
  2⤵
  PID:9176
- C:\Windows\System32\BrLNPLG.exe
  C:\Windows\System32\BrLNPLG.exe
  2⤵
  PID:9192
- C:\Windows\System32\uRAngnN.exe
  C:\Windows\System32\uRAngnN.exe
  2⤵
  PID:7792
- C:\Windows\System32\MZmBkZd.exe
  C:\Windows\System32\MZmBkZd.exe
  2⤵
  PID:8344
- C:\Windows\System32\XaAfZnu.exe
  C:\Windows\System32\XaAfZnu.exe
  2⤵
  PID:8404
- C:\Windows\System32\pLBPWQD.exe
  C:\Windows\System32\pLBPWQD.exe
  2⤵
  PID:8448
- C:\Windows\System32\DZMZlSQ.exe
  C:\Windows\System32\DZMZlSQ.exe
  2⤵
  PID:8532
- C:\Windows\System32\uynODbb.exe
  C:\Windows\System32\uynODbb.exe
  2⤵
  PID:8600
- C:\Windows\System32\fKRulpQ.exe
  C:\Windows\System32\fKRulpQ.exe
  2⤵
  PID:8652
- C:\Windows\System32\dYmOyUj.exe
  C:\Windows\System32\dYmOyUj.exe
  2⤵
  PID:8672
- C:\Windows\System32\rkdsGwG.exe
  C:\Windows\System32\rkdsGwG.exe
  2⤵
  PID:8788
- C:\Windows\System32\BHYKfOY.exe
  C:\Windows\System32\BHYKfOY.exe
  2⤵
  PID:8828
- C:\Windows\System32\dHrnygb.exe
  C:\Windows\System32\dHrnygb.exe
  2⤵
  PID:8956
- C:\Windows\System32\btpQQTK.exe
  C:\Windows\System32\btpQQTK.exe
  2⤵
  PID:9040
- C:\Windows\System32\wXbjUzq.exe
  C:\Windows\System32\wXbjUzq.exe
  2⤵
  PID:9164
- C:\Windows\System32\bbGmAOy.exe
  C:\Windows\System32\bbGmAOy.exe
  2⤵
  PID:9156
- C:\Windows\System32\dBehhwM.exe
  C:\Windows\System32\dBehhwM.exe
  2⤵
  PID:7532
- C:\Windows\System32\vLUUIeG.exe
  C:\Windows\System32\vLUUIeG.exe
  2⤵
  PID:8380
- C:\Windows\System32\WcXhbEZ.exe
  C:\Windows\System32\WcXhbEZ.exe
  2⤵
  PID:8472
- C:\Windows\System32\ejuXErZ.exe
  C:\Windows\System32\ejuXErZ.exe
  2⤵
  PID:8528
- C:\Windows\System32\WmyiFBG.exe
  C:\Windows\System32\WmyiFBG.exe
  2⤵
  PID:8628
- C:\Windows\System32\iiGFSwd.exe
  C:\Windows\System32\iiGFSwd.exe
  2⤵
  PID:3856
- C:\Windows\System32\htJrzCL.exe
  C:\Windows\System32\htJrzCL.exe
  2⤵
  PID:9080
- C:\Windows\System32\VqZGFzR.exe
  C:\Windows\System32\VqZGFzR.exe
  2⤵
  PID:9140
- C:\Windows\System32\vLuwJVo.exe
  C:\Windows\System32\vLuwJVo.exe
  2⤵
  PID:8220
- C:\Windows\System32\clleIeg.exe
  C:\Windows\System32\clleIeg.exe
  2⤵
  PID:8688
- C:\Windows\System32\WhlKBhL.exe
  C:\Windows\System32\WhlKBhL.exe
  2⤵
  PID:8908
- C:\Windows\System32\HcgfhtJ.exe
  C:\Windows\System32\HcgfhtJ.exe
  2⤵
  PID:8288
- C:\Windows\System32\uWYHgWw.exe
  C:\Windows\System32\uWYHgWw.exe
  2⤵
  PID:8876
- C:\Windows\System32\RFLicBx.exe
  C:\Windows\System32\RFLicBx.exe
  2⤵
  PID:9256
- C:\Windows\System32\NwsahJO.exe
  C:\Windows\System32\NwsahJO.exe
  2⤵
  PID:9288
- C:\Windows\System32\bcnHlhJ.exe
  C:\Windows\System32\bcnHlhJ.exe
  2⤵
  PID:9332
- C:\Windows\System32\JvNNCcH.exe
  C:\Windows\System32\JvNNCcH.exe
  2⤵
  PID:9352
- C:\Windows\System32\nPvyxnd.exe
  C:\Windows\System32\nPvyxnd.exe
  2⤵
  PID:9468
- C:\Windows\System32\AiARWCy.exe
  C:\Windows\System32\AiARWCy.exe
  2⤵
  PID:9484
- C:\Windows\System32\fNZbMFr.exe
  C:\Windows\System32\fNZbMFr.exe
  2⤵
  PID:9500
- C:\Windows\System32\xpDVTbO.exe
  C:\Windows\System32\xpDVTbO.exe
  2⤵
  PID:9516
- C:\Windows\System32\RvyfixX.exe
  C:\Windows\System32\RvyfixX.exe
  2⤵
  PID:9532
- C:\Windows\System32\KGYfOXs.exe
  C:\Windows\System32\KGYfOXs.exe
  2⤵
  PID:9548
- C:\Windows\System32\xRMmOlf.exe
  C:\Windows\System32\xRMmOlf.exe
  2⤵
  PID:9564
- C:\Windows\System32\azrsDjJ.exe
  C:\Windows\System32\azrsDjJ.exe
  2⤵
  PID:9580
- C:\Windows\System32\OaRfDNt.exe
  C:\Windows\System32\OaRfDNt.exe
  2⤵
  PID:9596
- C:\Windows\System32\OsIoAMU.exe
  C:\Windows\System32\OsIoAMU.exe
  2⤵
  PID:9612
- C:\Windows\System32\cFAkggR.exe
  C:\Windows\System32\cFAkggR.exe
  2⤵
  PID:9628
- C:\Windows\System32\AfkgkOU.exe
  C:\Windows\System32\AfkgkOU.exe
  2⤵
  PID:9644
- C:\Windows\System32\TMRtaso.exe
  C:\Windows\System32\TMRtaso.exe
  2⤵
  PID:9660
- C:\Windows\System32\AXxTmlL.exe
  C:\Windows\System32\AXxTmlL.exe
  2⤵
  PID:9676
- C:\Windows\System32\AscAtgm.exe
  C:\Windows\System32\AscAtgm.exe
  2⤵
  PID:9692
- C:\Windows\System32\BqXshDJ.exe
  C:\Windows\System32\BqXshDJ.exe
  2⤵
  PID:9708
- C:\Windows\System32\KHMxWcF.exe
  C:\Windows\System32\KHMxWcF.exe
  2⤵
  PID:9724
- C:\Windows\System32\apxMiwh.exe
  C:\Windows\System32\apxMiwh.exe
  2⤵
  PID:9740
- C:\Windows\System32\LJZSmvn.exe
  C:\Windows\System32\LJZSmvn.exe
  2⤵
  PID:9756
- C:\Windows\System32\yFPEYyj.exe
  C:\Windows\System32\yFPEYyj.exe
  2⤵
  PID:9772
- C:\Windows\System32\SvvDsTv.exe
  C:\Windows\System32\SvvDsTv.exe
  2⤵
  PID:9788
- C:\Windows\System32\pvBCNRI.exe
  C:\Windows\System32\pvBCNRI.exe
  2⤵
  PID:9804
- C:\Windows\System32\pWetIWJ.exe
  C:\Windows\System32\pWetIWJ.exe
  2⤵
  PID:9820
- C:\Windows\System32\hKDIcnc.exe
  C:\Windows\System32\hKDIcnc.exe
  2⤵
  PID:9856
- C:\Windows\System32\pbDkjQi.exe
  C:\Windows\System32\pbDkjQi.exe
  2⤵
  PID:9888
- C:\Windows\System32\WddYQiW.exe
  C:\Windows\System32\WddYQiW.exe
  2⤵
  PID:9904
- C:\Windows\System32\iLVyQrg.exe
  C:\Windows\System32\iLVyQrg.exe
  2⤵
  PID:9984
- C:\Windows\System32\KMUHRch.exe
  C:\Windows\System32\KMUHRch.exe
  2⤵
  PID:10188
- C:\Windows\System32\dmcuZZN.exe
  C:\Windows\System32\dmcuZZN.exe
  2⤵
  PID:10208
- C:\Windows\System32\YbTyQUl.exe
  C:\Windows\System32\YbTyQUl.exe
  2⤵
  PID:10232
- C:\Windows\System32\NqMnVim.exe
  C:\Windows\System32\NqMnVim.exe
  2⤵
  PID:9392
- C:\Windows\System32\INlXSxw.exe
  C:\Windows\System32\INlXSxw.exe
  2⤵
  PID:9528
- C:\Windows\System32\AdDMjYp.exe
  C:\Windows\System32\AdDMjYp.exe
  2⤵
  PID:9440
- C:\Windows\System32\SHxemMS.exe
  C:\Windows\System32\SHxemMS.exe
  2⤵
  PID:9800
- C:\Windows\System32\DiuGiUQ.exe
  C:\Windows\System32\DiuGiUQ.exe
  2⤵
  PID:9388
- C:\Windows\System32\MbkhjHb.exe
  C:\Windows\System32\MbkhjHb.exe
  2⤵
  PID:9636
- C:\Windows\System32\lwUXUqn.exe
  C:\Windows\System32\lwUXUqn.exe
  2⤵
  PID:9424
- C:\Windows\System32\mRTktkz.exe
  C:\Windows\System32\mRTktkz.exe
  2⤵
  PID:9496
- C:\Windows\System32\ecgQbRi.exe
  C:\Windows\System32\ecgQbRi.exe
  2⤵
  PID:9656
- C:\Windows\System32\nwrTZkQ.exe
  C:\Windows\System32\nwrTZkQ.exe
  2⤵
  PID:9864
- C:\Windows\System32\wePDUOW.exe
  C:\Windows\System32\wePDUOW.exe
  2⤵
  PID:9812
- C:\Windows\System32\LNeVDyC.exe
  C:\Windows\System32\LNeVDyC.exe
  2⤵
  PID:9540
- C:\Windows\System32\KZVftcN.exe
  C:\Windows\System32\KZVftcN.exe
  2⤵
  PID:10024
- C:\Windows\System32\IHGCvsT.exe
  C:\Windows\System32\IHGCvsT.exe
  2⤵
  PID:10140
- C:\Windows\System32\MFsbCNW.exe
  C:\Windows\System32\MFsbCNW.exe
  2⤵
  PID:10036
- C:\Windows\System32\LmXbryW.exe
  C:\Windows\System32\LmXbryW.exe
  2⤵
  PID:10200
- C:\Windows\System32\iGbgPzR.exe
  C:\Windows\System32\iGbgPzR.exe
  2⤵
  PID:4652
- C:\Windows\System32\xeIrZJw.exe
  C:\Windows\System32\xeIrZJw.exe
  2⤵
  PID:9372
- C:\Windows\System32\rPCppQX.exe
  C:\Windows\System32\rPCppQX.exe
  2⤵
  PID:9432
- C:\Windows\System32\EfTtbBZ.exe
  C:\Windows\System32\EfTtbBZ.exe
  2⤵
  PID:9384
- C:\Windows\System32\ArgTvZq.exe
  C:\Windows\System32\ArgTvZq.exe
  2⤵
  PID:9464
- C:\Windows\System32\SFvmmZI.exe
  C:\Windows\System32\SFvmmZI.exe
  2⤵
  PID:9512
- C:\Windows\System32\UJgnqLl.exe
  C:\Windows\System32\UJgnqLl.exe
  2⤵
  PID:9684
- C:\Windows\System32\GpnGjHz.exe
  C:\Windows\System32\GpnGjHz.exe
  2⤵
  PID:10012
- C:\Windows\System32\xOoavSb.exe
  C:\Windows\System32\xOoavSb.exe
  2⤵
  PID:9300
- C:\Windows\System32\zzdWmSF.exe
  C:\Windows\System32\zzdWmSF.exe
  2⤵
  PID:9868
- C:\Windows\System32\NNVOshc.exe
  C:\Windows\System32\NNVOshc.exe
  2⤵
  PID:9608
- C:\Windows\System32\swJdMTX.exe
  C:\Windows\System32\swJdMTX.exe
  2⤵
  PID:9852
- C:\Windows\System32\LoOnTkb.exe
  C:\Windows\System32\LoOnTkb.exe
  2⤵
  PID:9360
- C:\Windows\System32\MdqiZTJ.exe
  C:\Windows\System32\MdqiZTJ.exe
  2⤵
  PID:10264
- C:\Windows\System32\KTnXeEX.exe
  C:\Windows\System32\KTnXeEX.exe
  2⤵
  PID:10300
- C:\Windows\System32\TwdUUvn.exe
  C:\Windows\System32\TwdUUvn.exe
  2⤵
  PID:10320
- C:\Windows\System32\hMhyMCr.exe
  C:\Windows\System32\hMhyMCr.exe
  2⤵
  PID:10356
- C:\Windows\System32\ZbXSNuI.exe
  C:\Windows\System32\ZbXSNuI.exe
  2⤵
  PID:10376
- C:\Windows\System32\GfljdQv.exe
  C:\Windows\System32\GfljdQv.exe
  2⤵
  PID:10416
- C:\Windows\System32\ookDWEL.exe
  C:\Windows\System32\ookDWEL.exe
  2⤵
  PID:10436
- C:\Windows\System32\QfFtJHs.exe
  C:\Windows\System32\QfFtJHs.exe
  2⤵
  PID:10452
- C:\Windows\System32\rjHYHYb.exe
  C:\Windows\System32\rjHYHYb.exe
  2⤵
  PID:10484
- C:\Windows\System32\vOBEzSd.exe
  C:\Windows\System32\vOBEzSd.exe
  2⤵
  PID:10532
- C:\Windows\System32\UnNwnkG.exe
  C:\Windows\System32\UnNwnkG.exe
  2⤵
  PID:10560
- C:\Windows\System32\otPGLbN.exe
  C:\Windows\System32\otPGLbN.exe
  2⤵
  PID:10588
- C:\Windows\System32\MVeDmNW.exe
  C:\Windows\System32\MVeDmNW.exe
  2⤵
  PID:10604
- C:\Windows\System32\XknoLMi.exe
  C:\Windows\System32\XknoLMi.exe
  2⤵
  PID:10632
- C:\Windows\System32\tzaDkDa.exe
  C:\Windows\System32\tzaDkDa.exe
  2⤵
  PID:10660
- C:\Windows\System32\hJfZLCu.exe
  C:\Windows\System32\hJfZLCu.exe
  2⤵
  PID:10684
- C:\Windows\System32\aUFBWQX.exe
  C:\Windows\System32\aUFBWQX.exe
  2⤵
  PID:10708
- C:\Windows\System32\orjXROM.exe
  C:\Windows\System32\orjXROM.exe
  2⤵
  PID:10764
- C:\Windows\System32\UOUovxR.exe
  C:\Windows\System32\UOUovxR.exe
  2⤵
  PID:10784
- C:\Windows\System32\BzMOOOn.exe
  C:\Windows\System32\BzMOOOn.exe
  2⤵
  PID:10808
- C:\Windows\System32\eGjKiUl.exe
  C:\Windows\System32\eGjKiUl.exe
  2⤵
  PID:10828
- C:\Windows\System32\NRoErdJ.exe
  C:\Windows\System32\NRoErdJ.exe
  2⤵
  PID:10856
- C:\Windows\System32\oXULjJh.exe
  C:\Windows\System32\oXULjJh.exe
  2⤵
  PID:10872
- C:\Windows\System32\gzfIrja.exe
  C:\Windows\System32\gzfIrja.exe
  2⤵
  PID:10888
- C:\Windows\System32\wgrtgXe.exe
  C:\Windows\System32\wgrtgXe.exe
  2⤵
  PID:10908
- C:\Windows\System32\KCuOwDh.exe
  C:\Windows\System32\KCuOwDh.exe
  2⤵
  PID:10952
- C:\Windows\System32\OMKbZAT.exe
  C:\Windows\System32\OMKbZAT.exe
  2⤵
  PID:11000
- C:\Windows\System32\BcDoeYC.exe
  C:\Windows\System32\BcDoeYC.exe
  2⤵
  PID:11016
- C:\Windows\System32\ngTncDI.exe
  C:\Windows\System32\ngTncDI.exe
  2⤵
  PID:11040
- C:\Windows\System32\IEjshxu.exe
  C:\Windows\System32\IEjshxu.exe
  2⤵
  PID:11080
- C:\Windows\System32\PZphPFw.exe
  C:\Windows\System32\PZphPFw.exe
  2⤵
  PID:11096
- C:\Windows\System32\SXmKgSV.exe
  C:\Windows\System32\SXmKgSV.exe
  2⤵
  PID:11112
- C:\Windows\System32\nKQhOJw.exe
  C:\Windows\System32\nKQhOJw.exe
  2⤵
  PID:11160
- C:\Windows\System32\DoqIsFu.exe
  C:\Windows\System32\DoqIsFu.exe
  2⤵
  PID:11208
- C:\Windows\System32\zkMtuvA.exe
  C:\Windows\System32\zkMtuvA.exe
  2⤵
  PID:11228
- C:\Windows\System32\FqqmGwo.exe
  C:\Windows\System32\FqqmGwo.exe
  2⤵
  PID:11248
- C:\Windows\System32\NPWjrzB.exe
  C:\Windows\System32\NPWjrzB.exe
  2⤵
  PID:9940
- C:\Windows\System32\GLczbjJ.exe
  C:\Windows\System32\GLczbjJ.exe
  2⤵
  PID:10276
- C:\Windows\System32\zoczyKW.exe
  C:\Windows\System32\zoczyKW.exe
  2⤵
  PID:10372
- C:\Windows\System32\SNUBmID.exe
  C:\Windows\System32\SNUBmID.exe
  2⤵
  PID:10468
- C:\Windows\System32\TVgFgmO.exe
  C:\Windows\System32\TVgFgmO.exe
  2⤵
  PID:10444
- C:\Windows\System32\hUZmEka.exe
  C:\Windows\System32\hUZmEka.exe
  2⤵
  PID:10516
- C:\Windows\System32\ndVcXpY.exe
  C:\Windows\System32\ndVcXpY.exe
  2⤵
  PID:10580
- C:\Windows\System32\AuZjdqD.exe
  C:\Windows\System32\AuZjdqD.exe
  2⤵
  PID:10644
- C:\Windows\System32\nvrQsMD.exe
  C:\Windows\System32\nvrQsMD.exe
  2⤵
  PID:10776
- C:\Windows\System32\nkcsjDc.exe
  C:\Windows\System32\nkcsjDc.exe
  2⤵
  PID:10792
- C:\Windows\System32\pZIKuIi.exe
  C:\Windows\System32\pZIKuIi.exe
  2⤵
  PID:10820
- C:\Windows\System32\sZkkaih.exe
  C:\Windows\System32\sZkkaih.exe
  2⤵
  PID:10932
- C:\Windows\System32\JLkGNBM.exe
  C:\Windows\System32\JLkGNBM.exe
  2⤵
  PID:10880
- C:\Windows\System32\DGZJXbe.exe
  C:\Windows\System32\DGZJXbe.exe
  2⤵
  PID:11076
- C:\Windows\System32\ACmymzE.exe
  C:\Windows\System32\ACmymzE.exe
  2⤵
  PID:11172
- C:\Windows\System32\YGIaKqv.exe
  C:\Windows\System32\YGIaKqv.exe
  2⤵
  PID:11244
- C:\Windows\System32\fCwYLxQ.exe
  C:\Windows\System32\fCwYLxQ.exe
  2⤵
  PID:10080
- C:\Windows\System32\ubtKnca.exe
  C:\Windows\System32\ubtKnca.exe
  2⤵
  PID:10552
- C:\Windows\System32\ilZjlZU.exe
  C:\Windows\System32\ilZjlZU.exe
  2⤵
  PID:10620
- C:\Windows\System32\oxjfYTH.exe
  C:\Windows\System32\oxjfYTH.exe
  2⤵
  PID:10500
- C:\Windows\System32\BIsrYbg.exe
  C:\Windows\System32\BIsrYbg.exe
  2⤵
  PID:10844
- C:\Windows\System32\vegoilx.exe
  C:\Windows\System32\vegoilx.exe
  2⤵
  PID:640
- C:\Windows\System32\idCWrVY.exe
  C:\Windows\System32\idCWrVY.exe
  2⤵
  PID:11104
- C:\Windows\System32\QWKLFrS.exe
  C:\Windows\System32\QWKLFrS.exe
  2⤵
  PID:10336
- C:\Windows\System32\HaiXVor.exe
  C:\Windows\System32\HaiXVor.exe
  2⤵
  PID:10460
- C:\Windows\System32\tCRytfo.exe
  C:\Windows\System32\tCRytfo.exe
  2⤵
  PID:10600
- C:\Windows\System32\URKcGhr.exe
  C:\Windows\System32\URKcGhr.exe
  2⤵
  PID:10816
- C:\Windows\System32\AbJnvXg.exe
  C:\Windows\System32\AbJnvXg.exe
  2⤵
  PID:10524
- C:\Windows\System32\cpteCrf.exe
  C:\Windows\System32\cpteCrf.exe
  2⤵
  PID:11272
- C:\Windows\System32\PMcEabU.exe
  C:\Windows\System32\PMcEabU.exe
  2⤵
  PID:11292
- C:\Windows\System32\kxtfcUD.exe
  C:\Windows\System32\kxtfcUD.exe
  2⤵
  PID:11316
- C:\Windows\System32\PNPGDgt.exe
  C:\Windows\System32\PNPGDgt.exe
  2⤵
  PID:11348
- C:\Windows\System32\WJrKLLV.exe
  C:\Windows\System32\WJrKLLV.exe
  2⤵
  PID:11376
- C:\Windows\System32\TzftCya.exe
  C:\Windows\System32\TzftCya.exe
  2⤵
  PID:11400
- C:\Windows\System32\egSoQqY.exe
  C:\Windows\System32\egSoQqY.exe
  2⤵
  PID:11420
- C:\Windows\System32\dbImMwJ.exe
  C:\Windows\System32\dbImMwJ.exe
  2⤵
  PID:11444
- C:\Windows\System32\wNHFzwT.exe
  C:\Windows\System32\wNHFzwT.exe
  2⤵
  PID:11472
- C:\Windows\System32\VaOpnqe.exe
  C:\Windows\System32\VaOpnqe.exe
  2⤵
  PID:11512
- C:\Windows\System32\kBRjEvC.exe
  C:\Windows\System32\kBRjEvC.exe
  2⤵
  PID:11552
- C:\Windows\System32\yVlwUWA.exe
  C:\Windows\System32\yVlwUWA.exe
  2⤵
  PID:11572
- C:\Windows\System32\WRyuoSP.exe
  C:\Windows\System32\WRyuoSP.exe
  2⤵
  PID:11608
- C:\Windows\System32\HWgOwOA.exe
  C:\Windows\System32\HWgOwOA.exe
  2⤵
  PID:11632
- C:\Windows\System32\NsVKCHI.exe
  C:\Windows\System32\NsVKCHI.exe
  2⤵
  PID:11652
- C:\Windows\System32\bsVGOQO.exe
  C:\Windows\System32\bsVGOQO.exe
  2⤵
  PID:11668
- C:\Windows\System32\bWBEgxz.exe
  C:\Windows\System32\bWBEgxz.exe
  2⤵
  PID:11692
- C:\Windows\System32\fkWxsoE.exe
  C:\Windows\System32\fkWxsoE.exe
  2⤵
  PID:11720
- C:\Windows\System32\DdXnZfT.exe
  C:\Windows\System32\DdXnZfT.exe
  2⤵
  PID:11760
- C:\Windows\System32\MixRLKd.exe
  C:\Windows\System32\MixRLKd.exe
  2⤵
  PID:11784
- C:\Windows\System32\MtWHRlF.exe
  C:\Windows\System32\MtWHRlF.exe
  2⤵
  PID:11820
- C:\Windows\System32\DrkgBAe.exe
  C:\Windows\System32\DrkgBAe.exe
  2⤵
  PID:11852
- C:\Windows\System32\CEplamQ.exe
  C:\Windows\System32\CEplamQ.exe
  2⤵
  PID:11888
- C:\Windows\System32\SSzEkDJ.exe
  C:\Windows\System32\SSzEkDJ.exe
  2⤵
  PID:11904
- C:\Windows\System32\InIekii.exe
  C:\Windows\System32\InIekii.exe
  2⤵
  PID:11924
- C:\Windows\System32\PUitPgi.exe
  C:\Windows\System32\PUitPgi.exe
  2⤵
  PID:11964
- C:\Windows\System32\tGemJOD.exe
  C:\Windows\System32\tGemJOD.exe
  2⤵
  PID:11996
- C:\Windows\System32\jenkspA.exe
  C:\Windows\System32\jenkspA.exe
  2⤵
  PID:12012
- C:\Windows\System32\OwtVyGH.exe
  C:\Windows\System32\OwtVyGH.exe
  2⤵
  PID:12028
- C:\Windows\System32\tlnNckz.exe
  C:\Windows\System32\tlnNckz.exe
  2⤵
  PID:12060
- C:\Windows\System32\UrMFsxa.exe
  C:\Windows\System32\UrMFsxa.exe
  2⤵
  PID:12092
- C:\Windows\System32\XojtRla.exe
  C:\Windows\System32\XojtRla.exe
  2⤵
  PID:12108
- C:\Windows\System32\SbMrAHF.exe
  C:\Windows\System32\SbMrAHF.exe
  2⤵
  PID:12136
- C:\Windows\System32\AvHcuQb.exe
  C:\Windows\System32\AvHcuQb.exe
  2⤵
  PID:12180
- C:\Windows\System32\OYEFwFM.exe
  C:\Windows\System32\OYEFwFM.exe
  2⤵
  PID:12200
- C:\Windows\System32\svPmkzX.exe
  C:\Windows\System32\svPmkzX.exe
  2⤵
  PID:12220
- C:\Windows\System32\xoMWqwp.exe
  C:\Windows\System32\xoMWqwp.exe
  2⤵
  PID:12256
- C:\Windows\System32\jtgsYpP.exe
  C:\Windows\System32\jtgsYpP.exe
  2⤵
  PID:12276
- C:\Windows\System32\kLhsSoz.exe
  C:\Windows\System32\kLhsSoz.exe
  2⤵
  PID:11284
- C:\Windows\System32\OCvcBwa.exe
  C:\Windows\System32\OCvcBwa.exe
  2⤵
  PID:11432
- C:\Windows\System32\NPnWLqC.exe
  C:\Windows\System32\NPnWLqC.exe
  2⤵
  PID:11456
- C:\Windows\System32\WdHtovS.exe
  C:\Windows\System32\WdHtovS.exe
  2⤵
  PID:11500
- C:\Windows\System32\vZUBcHD.exe
  C:\Windows\System32\vZUBcHD.exe
  2⤵
  PID:11548
- C:\Windows\System32\hIBAzpR.exe
  C:\Windows\System32\hIBAzpR.exe
  2⤵
  PID:11640
- C:\Windows\System32\bosctfu.exe
  C:\Windows\System32\bosctfu.exe
  2⤵
  PID:11732
- C:\Windows\System32\AShmWtf.exe
  C:\Windows\System32\AShmWtf.exe
  2⤵
  PID:11728
- C:\Windows\System32\GPsOEGt.exe
  C:\Windows\System32\GPsOEGt.exe
  2⤵
  PID:11812
- C:\Windows\System32\OXwjGol.exe
  C:\Windows\System32\OXwjGol.exe
  2⤵
  PID:11844
- C:\Windows\System32\xejXQQz.exe
  C:\Windows\System32\xejXQQz.exe
  2⤵
  PID:11900
- C:\Windows\System32\pWTyXCe.exe
  C:\Windows\System32\pWTyXCe.exe
  2⤵
  PID:12020
- C:\Windows\System32\klVljSb.exe
  C:\Windows\System32\klVljSb.exe
  2⤵
  PID:12044
- C:\Windows\System32\EVAimbS.exe
  C:\Windows\System32\EVAimbS.exe
  2⤵
  PID:12144
- C:\Windows\System32\pntBcuP.exe
  C:\Windows\System32\pntBcuP.exe
  2⤵
  PID:12172
- C:\Windows\System32\LnPNJam.exe
  C:\Windows\System32\LnPNJam.exe
  2⤵
  PID:12192
- C:\Windows\System32\xgQoCiQ.exe
  C:\Windows\System32\xgQoCiQ.exe
  2⤵
  PID:4192
- C:\Windows\System32\wGjNLpQ.exe
  C:\Windows\System32\wGjNLpQ.exe
  2⤵
  PID:12212
- C:\Windows\System32\OHcKzLd.exe
  C:\Windows\System32\OHcKzLd.exe
  2⤵
  PID:11340
- C:\Windows\System32\KNdZAzE.exe
  C:\Windows\System32\KNdZAzE.exe
  2⤵
  PID:11600
- C:\Windows\System32\AJckIav.exe
  C:\Windows\System32\AJckIav.exe
  2⤵
  PID:2728
- C:\Windows\System32\JTEuQuP.exe
  C:\Windows\System32\JTEuQuP.exe
  2⤵
  PID:11796
- C:\Windows\System32\ETMjXlQ.exe
  C:\Windows\System32\ETMjXlQ.exe
  2⤵
  PID:11804
- C:\Windows\System32\LXpovrj.exe
  C:\Windows\System32\LXpovrj.exe
  2⤵
  PID:12004
- C:\Windows\System32\EISiqTa.exe
  C:\Windows\System32\EISiqTa.exe
  2⤵
  PID:12168
- C:\Windows\System32\BvNFKCF.exe
  C:\Windows\System32\BvNFKCF.exe
  2⤵
  PID:11460
- C:\Windows\System32\CNDvEdG.exe
  C:\Windows\System32\CNDvEdG.exe
  2⤵
  PID:11540
- C:\Windows\System32\BebAlSF.exe
  C:\Windows\System32\BebAlSF.exe
  2⤵
  PID:11920
- C:\Windows\System32\MNQIMDo.exe
  C:\Windows\System32\MNQIMDo.exe
  2⤵
  PID:3676
- C:\Windows\System32\vNsvTZu.exe
  C:\Windows\System32\vNsvTZu.exe
  2⤵
  PID:12228
- C:\Windows\System32\TtNNkJR.exe
  C:\Windows\System32\TtNNkJR.exe
  2⤵
  PID:4392
- C:\Windows\System32\nkdcrDL.exe
  C:\Windows\System32\nkdcrDL.exe
  2⤵
  PID:12104
- C:\Windows\System32\LqGgQfE.exe
  C:\Windows\System32\LqGgQfE.exe
  2⤵
  PID:12296
- C:\Windows\System32\nJMGzOK.exe
  C:\Windows\System32\nJMGzOK.exe
  2⤵
  PID:12316
- C:\Windows\System32\HXOSMBU.exe
  C:\Windows\System32\HXOSMBU.exe
  2⤵
  PID:12332
- C:\Windows\System32\tBVROmP.exe
  C:\Windows\System32\tBVROmP.exe
  2⤵
  PID:12368
- C:\Windows\System32\kPBXuYX.exe
  C:\Windows\System32\kPBXuYX.exe
  2⤵
  PID:12388
- C:\Windows\System32\CRbbbYu.exe
  C:\Windows\System32\CRbbbYu.exe
  2⤵
  PID:12404
- C:\Windows\System32\BUUEZkY.exe
  C:\Windows\System32\BUUEZkY.exe
  2⤵
  PID:12428
- C:\Windows\System32\JkQheBk.exe
  C:\Windows\System32\JkQheBk.exe
  2⤵
  PID:12444
- C:\Windows\System32\dvhnjbV.exe
  C:\Windows\System32\dvhnjbV.exe
  2⤵
  PID:12468
- C:\Windows\System32\dSkhmyS.exe
  C:\Windows\System32\dSkhmyS.exe
  2⤵
  PID:12484
- C:\Windows\System32\igVvvbN.exe
  C:\Windows\System32\igVvvbN.exe
  2⤵
  PID:12508
- C:\Windows\System32\unYtgHM.exe
  C:\Windows\System32\unYtgHM.exe
  2⤵
  PID:12544
- C:\Windows\System32\cJCfbMg.exe
  C:\Windows\System32\cJCfbMg.exe
  2⤵
  PID:12596
- C:\Windows\System32\xqRxxUh.exe
  C:\Windows\System32\xqRxxUh.exe
  2⤵
  PID:12672
- C:\Windows\System32\KtOqjto.exe
  C:\Windows\System32\KtOqjto.exe
  2⤵
  PID:12704
- C:\Windows\System32\EKgmPBl.exe
  C:\Windows\System32\EKgmPBl.exe
  2⤵
  PID:12732
- C:\Windows\System32\BujOpOH.exe
  C:\Windows\System32\BujOpOH.exe
  2⤵
  PID:12752
- C:\Windows\System32\AMgECzf.exe
  C:\Windows\System32\AMgECzf.exe
  2⤵
  PID:12768
- C:\Windows\System32\DSwVlLZ.exe
  C:\Windows\System32\DSwVlLZ.exe
  2⤵
  PID:12840
- C:\Windows\System32\QcNDIsX.exe
  C:\Windows\System32\QcNDIsX.exe
  2⤵
  PID:12860
- C:\Windows\System32\PwaKDCJ.exe
  C:\Windows\System32\PwaKDCJ.exe
  2⤵
  PID:12880
- C:\Windows\System32\UAftYzM.exe
  C:\Windows\System32\UAftYzM.exe
  2⤵
  PID:12928
- C:\Windows\System32\BWsvIaZ.exe
  C:\Windows\System32\BWsvIaZ.exe
  2⤵
  PID:12948
- C:\Windows\System32\RuHjcxP.exe
  C:\Windows\System32\RuHjcxP.exe
  2⤵
  PID:12972
- C:\Windows\System32\TQIBoBX.exe
  C:\Windows\System32\TQIBoBX.exe
  2⤵
  PID:12996
- C:\Windows\System32\hILHGAn.exe
  C:\Windows\System32\hILHGAn.exe
  2⤵
  PID:13024
- C:\Windows\System32\kNwbqQz.exe
  C:\Windows\System32\kNwbqQz.exe
  2⤵
  PID:13048
- C:\Windows\System32\vNQDqLY.exe
  C:\Windows\System32\vNQDqLY.exe
  2⤵
  PID:13080
- C:\Windows\System32\XBPauhS.exe
  C:\Windows\System32\XBPauhS.exe
  2⤵
  PID:13096
- C:\Windows\System32\xLdLKBZ.exe
  C:\Windows\System32\xLdLKBZ.exe
  2⤵
  PID:13132
- C:\Windows\System32\vHZJEyx.exe
  C:\Windows\System32\vHZJEyx.exe
  2⤵
  PID:13160
- C:\Windows\System32\LDXJysL.exe
  C:\Windows\System32\LDXJysL.exe
  2⤵
  PID:13176
- C:\Windows\System32\HsMYwBH.exe
  C:\Windows\System32\HsMYwBH.exe
  2⤵
  PID:13204
- C:\Windows\System32\GJIBiMs.exe
  C:\Windows\System32\GJIBiMs.exe
  2⤵
  PID:13232
- C:\Windows\System32\htPRaBY.exe
  C:\Windows\System32\htPRaBY.exe
  2⤵
  PID:13272
- C:\Windows\System32\cNuSihY.exe
  C:\Windows\System32\cNuSihY.exe
  2⤵
  PID:12308

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AfjFFOd.exe

Filesize
1.2MB

MD5
531476ede0b5a28dc1a2a824c906cd36

SHA1
edeb7f95bb1752b019681ea070f498b9c54e9c1a

SHA256
b72b6c4c9d75c07c0202eb8caba3f01616f75a93c8949d499b893b1432a407b9

SHA512
fb25379d0131e3ba8c83324ba1c544b3d100211b7b45ea0cb2d6b203c62aa2fef3801cbb94469e828ae9593c89726949faced8737f4c18e58e9763617d2ace8a

Download Submit
C:\Windows\System32\EsAbKGc.exe

Filesize
1.2MB

MD5
c8444e433122040ce2bacc3d45984d30

SHA1
d5e13d67e91d58dab51fc7358c0f80d7242dcb60

SHA256
9084bb0c702bae9f4aa3b39d8acc35b456357625206580f0ffb81ba73c48356b

SHA512
48aceeae5135afaaf2b2388dd5251648a367d4eb794cd924e739f540847450304dba79e3c71562b377f67491effb60214b4bc626e1a7251e9074d107cfa0ac6e

Download Submit
C:\Windows\System32\FjqZeWc.exe

Filesize
1.2MB

MD5
001c3679a8b2f12528521db8622d44d4

SHA1
9a21513bf484b5f71119551760ce4aba19e86200

SHA256
a9d904d756b502186b91420e8d86eed1007cde4feda195c7ab758e5782de2e00

SHA512
ec9cba2ec139fec8a84bc465533325ec2df36196241d35792910d19ba385551b5fa67c330fd1cbe7025192907435e038b113f58b19ac28cec312c6483e66dedd

Download Submit
C:\Windows\System32\JFVrdxc.exe

Filesize
1.2MB

MD5
ed63df5a1fb5b76293a9347e65969cc3

SHA1
48a63f684ae390531639f350d5d6985b96a34413

SHA256
4a61bb2edd1912f6d68ae2e03be30fa28a305988bbf28dd723e2ae32db3a7650

SHA512
1ef904fdfd4e431cef2ce36212bd2f3c9d20459e523b1092613734a8eb7fa8bf0f9b0771686a8e543c7886cc4e38f31006f3af9906a835292ce4163dba46e23e

Download Submit
C:\Windows\System32\MFINeHJ.exe

Filesize
1.2MB

MD5
9e7b98a628b395e2d6c06dac742bc994

SHA1
9248eb2e48d1845de2b1bd10c21a45e664e612a8

SHA256
eca4ce146ee743006620d6b29b5e900ab22904c4027f8c1a74becbec1bf5371e

SHA512
56574219e96ecc0d548b7c0ae5a2855031c46364eccf3c310815025fbb3e4bf498852c516e0f3c60737c8330c8665e65b900a0922a25dc70912c0f6b860897ce

Download Submit
C:\Windows\System32\PwjbkMM.exe

Filesize
1.2MB

MD5
c4fac0fb900acb71abb343ab5b29c948

SHA1
3ab3f98de9802da9b7dfe1a89720b7f5c328fc82

SHA256
b1da247eae9c04f527b949ab925976a45654462e8cd8105dbc5ed4d53b521f88

SHA512
4d208ec291133eef8b8e75ac4e2434732235da7033a00d427e061fc947ccf9e25fab93bdb5634ca581c2c4e6ff6123fd6adbe1c2fb5b9653d9a1e22f001f9e7f

Download Submit
C:\Windows\System32\QnBpBGG.exe

Filesize
1.2MB

MD5
b1151c90cf541c0713c5aab5eff15cfe

SHA1
38ccfea47f9d7d3e5cee066f74041c41d8cbab01

SHA256
42d121c686f52af1db4d3436171d530e3e3689b81ef56d63172e86017ca44da5

SHA512
9403d4857818b3649b2c46a3450a0f2303fdd6c3427410235f284f8140b26bf7223296baaeb6817ae0196db47a8458ee17b2d495a06909f2fb8a13457694f73c

Download Submit
C:\Windows\System32\VDimPdv.exe

Filesize
1.2MB

MD5
0855d4ea88f84b456a9d4beb66cf63ee

SHA1
a9462c9199b45fed71c703ed62fc1263669c3d5b

SHA256
e5548313f2d1c36a68234bdaed0ba287426d18b33b323fb948c81d385e5fc778

SHA512
3267e78511696aeef356c3151d8581a9a246b50fe9a109c94e85c5a8eb65ba076f7153fb7aa1aa1ab5cad28e317b6bf4e53507b0285881b44ea715fe1ca877ce

Download Submit
C:\Windows\System32\VXmiOjT.exe

Filesize
1.2MB

MD5
4e5a8bd880be6b7b641bd8300d1bfe8b

SHA1
283598d8413cf748b4d77f2df6d6bb93fe6cb33b

SHA256
1a0e1350cc77fce7584964a785a55a342facbf19b46656fa52b5fa497444e895

SHA512
a6fcc8ef22688643d25ca9fe258250a00d6cb2a94961b8e97a6e3aad9486f909c8bba42b0a711ba3fec68346d3a5655f30de6af4321b79416c5ee445c1c4b88f

Download Submit
C:\Windows\System32\WIrIzcN.exe

Filesize
1.2MB

MD5
6e9777008d6e091999d56e7dc6a55bf0

SHA1
7340bcd0c05118fea6af01d59de6c2f4e448e3e7

SHA256
51a5e0edee38554dfdc45982b73715127fcd4d2b24fe0fef924a1d8b20cfaa8f

SHA512
99df10f960d5b3c7c327b900fb5df516545a92aa3f1403d633daccd0d19aa6a8426c4e9f2535d59e6ecf42b566e9e82db1bd3235a4cd022da2c0f4709855d9bb

Download Submit
C:\Windows\System32\WipbNRI.exe

Filesize
1.2MB

MD5
7f498efee16c9dcc9afb5625c034e47b

SHA1
1c0c3b1506ebd8f8cced004bddb97993e1efc3a4

SHA256
f56b51e58762b8f40f9eb324b81e2d79966095991c210f451c828cffbfcf81be

SHA512
25a05495873bc20bd55f9bb0de3fccb2bb06e10b27839e227c58f569a066855ccf7482f3e217793bb78d59caebbe79b8bf79eff63561bb380496f6995d020f0f

Download Submit
C:\Windows\System32\YouwUdX.exe

Filesize
1.2MB

MD5
5dfab4256c0875492be362b5d3f2f64a

SHA1
c9e5f1afec4b4ef27369ba00b2f6f5d7a3a8e3d4

SHA256
c02785061ef2c6a7756bf5519f15e01f8d58af8204f7af9d24123a489cbc2665

SHA512
4a519a992ef8eaef5ca0d4e7957e7509dbb447a18ffb13bdb6eaece3798ac4e99866875de5ee373e581df749ceb78ad4cbb9d82d558f11eef2fb59cb8e390eec

Download Submit
C:\Windows\System32\bTuvYyo.exe

Filesize
1.2MB

MD5
294dae9861bb82cbf05a242e93153b21

SHA1
cce3c2710b22f68e3590fe8b30797ebf53006986

SHA256
e2ee37a6702f727a421e30669bcff5467a8b8a940cd0582fa1fb9f135c8921e2

SHA512
37ac8887388c0e08362d1d404d763f86d63e9bce6e9d1b57fa90238fc1eb2d39e8f767465821f93d5bc7ede5585d1f5a9a29f9728182b9808a685329dc62f12c

Download Submit
C:\Windows\System32\bZTIdBP.exe

Filesize
1.2MB

MD5
4a449fed6f28777c2f5a1ece84fa724a

SHA1
cba7df26494678874b40ba83233871bbad809e2e

SHA256
bb64124d56fd2f5edd4ad59e44e8f7d295a09f740cd3537bba5a26337b5b86c5

SHA512
9aa34d714c9ecb790647c95288afca091142d1be5da359c3750660ffd3b3f46bb67bdb2e61749ca40abf01676452f85c0323ffef31dba77208a1fcdea448776a

Download Submit
C:\Windows\System32\bcNLWOk.exe

Filesize
1.2MB

MD5
0c091e2e73488f1c03bc8bfb1f6ab217

SHA1
811f446f4044e6015012118559c39bfce0e23452

SHA256
50c87a2d307c58f237fabb83aa9a62356e95a01ceea71fbb0bd9a932f7f8bb09

SHA512
e06e51c80c2e5e1f80f4fd8191bb3c8d1449862edb86775aa76ce053b183347e97925aab1edbac2282bbe0e471cfe368899812f6a5bd31a07fb54595945f3862

Download Submit
C:\Windows\System32\bfxjOEx.exe

Filesize
1.2MB

MD5
d092e3d3ab836c129a58ab4758bd791f

SHA1
b24924aa2e17f2597f0cd848d39f3ceeef3162b2

SHA256
2162b60580aedca9c1c3cf627145723b7c6a8151c5bd8da13355c54baef03675

SHA512
dc23325a247465ca6eac182d378bc6837515001c1eee7a2675b15ad2cf6894726c8a35b8afe9bee10aa59a77e4e76c136bb6de4f43c5a5146e77d52a246bc7ce

Download Submit
C:\Windows\System32\ddjatoh.exe

Filesize
1.2MB

MD5
3b3031ec9f25d4671b954312388ba171

SHA1
a808021a1c5bb4c2314bb1b7e7d11b60b30179d9

SHA256
9076781a2d5997753d7fe8709cc94406917ea9d19e7ffb8fb9a0c62c36cc7ee4

SHA512
bdd4d98e9fa812aabd859abf8dfadbce13d3bcb96897e26bd78245e2edef2844b820770264e63f79dff7557254de3ae93f366a22da45bf8a11f9151c2d1614eb

Download Submit
C:\Windows\System32\dlWAtgI.exe

Filesize
1.2MB

MD5
df14cf1a657efe464e737cd7f8a34f8e

SHA1
eac5da1abdc2f2a1d0256ced2673215dc17a7ecd

SHA256
5925faf4946a4b187dad7860910d918b76fa4235e7caba157fe3e311af832e81

SHA512
7c597c6ec5ba71784a82cfabe53c246fb43d9723818cec792d6c3fde61181b20520ff65ac26e6ef83872d92c7d1b79707c66c12801a2dfbcadc89cfd8e5d7cf9

Download Submit
C:\Windows\System32\dxXosvX.exe

Filesize
1.2MB

MD5
0ade448bca6e8304c8c71e2af51020c0

SHA1
413615be856a3de682ba64674542d697717ab0e1

SHA256
d7c63cf3192fb973f9c7f2766d0075bc43234b799fd27ff5b72517fbe43f0407

SHA512
814406109eae35c76ada34048810168e5711144d739f90a9342f40e14a1e8f831a5d6bd0b8994f5804c5e55b0471b25693b3011034094a0fc56ecb2c2f5e647a

Download Submit
C:\Windows\System32\flvEULM.exe

Filesize
1.2MB

MD5
036389af11fbec3e41cc0ea78d4e0506

SHA1
fa089fbf631332b5fd8b8e395a1e0197b694d467

SHA256
b294e366195634e6f154c6629ed2c4977004911aaa7c3da2b82d9564d4201397

SHA512
755695525e1bc6aa74978ddb197f47f87f02e7f1a13b3b3ffe26d8ea50ab43798e11507b9927510147ee8e095072b50240700d0659ac95750f3b2444221ff966

Download Submit
C:\Windows\System32\hlCbHYm.exe

Filesize
1.2MB

MD5
bba23bbf4f2c0178dfca09418b8ff0c6

SHA1
4189694587c849c6ec058c285858f874f95a1f04

SHA256
309656df6669b413a3869aa51fdfc126b97f2c6b9f62c5d4a1288b64b0cd79ea

SHA512
bfc859b1c266da2d5810ce73b059efd290aafcb175e02725dac902fe12f658b72cdf9f0194f6c7787c2c429a66a87cd961403bf9473bf4903774605469b29eaf

Download Submit
C:\Windows\System32\iAkHwXw.exe

Filesize
1.2MB

MD5
85b15d12e5f862c920075893097a7746

SHA1
85af7e25af3d01d56a88eaa08cefe5681f48eae7

SHA256
7ab194105bc906d958f3ec2f04bf6b299f55c7d62c9940a722c1e8bc7be4e706

SHA512
016b34e8140ff471be6bc81e468f4af4346e7665e68308ee6217612843523ac3e2723cf12940cfec12652d3c4abb65bb176c4e508a4dd2bbd5ab672cac33467c

Download Submit
C:\Windows\System32\iGPNECD.exe

Filesize
1.2MB

MD5
90e363fa8f9ec4d466cd07eedbae1792

SHA1
3d45d4eb3fa488ffe10643bd237a779d2c141609

SHA256
9ebbeecdccee12d15717fa2584a980e0d39df88a40db707e587f5de3b2acf522

SHA512
895ef284297a772d491d917f3302af10739dddd6690c9c2db34960b127eb9cbf56c7c1f6abae9f15373306b38e98f4f131846c7e10244ef01e8f1d8ac10ad460

Download Submit
C:\Windows\System32\kKhtJnN.exe

Filesize
1.2MB

MD5
1eddce82c3ba4e9f6e3d7049da2a6f89

SHA1
10893443b5a49cca521421433bb9695b61832dc0

SHA256
6e28d610903f37d218840b3d19ed05baee58cb396a216c821b0f4169ce6c2480

SHA512
54c7b4671eebc466caf1f9ffa6ebbdd9b7c4b17b44ff9655b94d30b4373c99f7bcedef84d65fb348916015b00170e3495908b63d459db8cb3515290656ed79ca

Download Submit
C:\Windows\System32\sCGuknG.exe

Filesize
1.2MB

MD5
5971aed84b8ba62974517ae6ede1eed1

SHA1
cfb2b22549bcdad9cb17990efd7f63791dd5d6c4

SHA256
2ccf9e7d6bbd7fb028d0e0cdae652c43158842bb021989ef4e5f2f347d0f5f14

SHA512
bfb9d97a5110fefe14fbbb06f2a659b25eb78844b94e80f3c1782546059f7582f44e8cd28985e52f2e4b93d5bfdd225f59f1154e2921756e03f6961177069953

Download Submit
C:\Windows\System32\tPKBRXA.exe

Filesize
1.2MB

MD5
d7e3cdfec67303bda176d74ff1e71523

SHA1
9bbcd3f735f5afb5a80dad6f8c5dfe2c5a8fac12

SHA256
c8e0d271cddbb0d4eb674538ddcdec5ceb36224b4df6cd3a9fa987220ff59856

SHA512
10623500b34b501585a54eb877287f57d934d25327f75bfe487c8abb3172b19ade984c712d524b7caafd49838f7a2d113717a00f4efb380ec778acfd3e2ae993

Download Submit
C:\Windows\System32\tqAfoME.exe

Filesize
1.2MB

MD5
d2579629817c813fc1c99521ae5600e0

SHA1
7e721bef647d997deabb092fff3e3d429f567d85

SHA256
dc60f68beff88f4e5d039ec05c14804a0028932832bd79d1690618ed180caccc

SHA512
57af9ebce3bfe634553a453ea1434e11dd630c588a61575a59f3a5927aaa8d0771189431f44726f0ea5e2321ecf68a6fc77f3846353df5e04ebe123af3b13b9d

Download Submit
C:\Windows\System32\uBkBZUE.exe

Filesize
1.2MB

MD5
d39cf1dbcd1757a944e27ff83e95213d

SHA1
521bee9a67a0c0348109134c1f1a964ec9ea36db

SHA256
5f8505ecb5dc8a687d8cc86bd78b63f11a87b6b51367db7ff55e68e2a41c4404

SHA512
23857d759ec3905dc2d3f505ced6b6be9f4abc38fec6aae6e56098e7fe5d49a3ddd1b165f18371beed588e5898f91d0551c470ba186729bc1db8df19d33d2676

Download Submit
C:\Windows\System32\vckbwLg.exe

Filesize
1.2MB

MD5
1a4d0dec77fc2ebc7ca09fbf61b11fdb

SHA1
8b23b2a0b383d2c017b601b38552a104004fec17

SHA256
f0222daf194447de2a51d783058584d591f22b261f4e8bf3f0fb3c89c2798f58

SHA512
14e97fb707df5af56ff1e34fcf24b21e9d1e084954300b6f8ba758e626c3790dc9040e8f1df4395b2b0aa84c4f97e8f383f1e8cb35671f0de69f30f7b3adffa6

Download Submit
C:\Windows\System32\wanDoTy.exe

Filesize
1.2MB

MD5
0acc78bef9c56b73b0cffebe66940c68

SHA1
321bd031346668ec7f54acf53742f79b64f09304

SHA256
62dbe86f71c00b125cfd69b335cd1b286dc92fa000640fa8ada304a6a8be4e55

SHA512
9019f6b22a35dadd0a9ccac4c23605efc3f3224685c5774b083189080a99647669c0c7d57b73eb20b7f8334ce1015543a894b08aa1ae0ac14540f7007ed5fb80

Download Submit
C:\Windows\System32\ycAuZJe.exe

Filesize
1.2MB

MD5
240d249bd9d9fa66ff031e15c2806111

SHA1
969644fabb967d34f25dfba7b1e3d9f10ae0ae93

SHA256
8a87b35fcb760922982587bc4798e464a050c893845158f14d683882f2cab889

SHA512
0f5e83d4d2026ec51016c48e317d9b2fdaa25bd900e304aa4616538ab35800b21e9f098713877d0ec082a089f1b0a85109d725efde6b564a1e7ca7903764983f

Download Submit
C:\Windows\System32\ynayafj.exe

Filesize
1.2MB

MD5
c873934798c80b227674239bfa86e3af

SHA1
f569df39de646771735d779b1d01e1fafbd32d7d

SHA256
932afb3e3ab77d173a0e4e0b1ef262c84aa479805e58441bb6d0f4feee4f15e0

SHA512
ff271aaee3c7f8789156e4b97b59900b296f06e7e3ddcebd1368fe96e795cb31684bf0cc9a58f90faa9ebd392bfeaa58dcc1b55b0ec45b5ad874a616c25da51a

Download Submit
memory/116-0-0x00007FF607010000-0x00007FF607401000-memory.dmp

Filesize
3.9MB

Download
memory/116-1-0x000001BBECD90000-0x000001BBECDA0000-memory.dmp

Filesize
64KB

Download
memory/1220-2080-0x00007FF6C2DE0000-0x00007FF6C31D1000-memory.dmp

Filesize
3.9MB

Download
memory/1220-423-0x00007FF6C2DE0000-0x00007FF6C31D1000-memory.dmp

Filesize
3.9MB

Download
memory/1280-2066-0x00007FF76B380000-0x00007FF76B771000-memory.dmp

Filesize
3.9MB

Download
memory/1280-413-0x00007FF76B380000-0x00007FF76B771000-memory.dmp

Filesize
3.9MB

Download
memory/1436-2060-0x00007FF68DAB0000-0x00007FF68DEA1000-memory.dmp

Filesize
3.9MB

Download
memory/1436-46-0x00007FF68DAB0000-0x00007FF68DEA1000-memory.dmp

Filesize
3.9MB

Download
memory/1436-1988-0x00007FF68DAB0000-0x00007FF68DEA1000-memory.dmp

Filesize
3.9MB

Download
memory/1656-66-0x00007FF7EFD60000-0x00007FF7F0151000-memory.dmp

Filesize
3.9MB

Download
memory/1656-2068-0x00007FF7EFD60000-0x00007FF7F0151000-memory.dmp

Filesize
3.9MB

Download
memory/1656-2004-0x00007FF7EFD60000-0x00007FF7F0151000-memory.dmp

Filesize
3.9MB

Download
memory/2008-2082-0x00007FF7A3190000-0x00007FF7A3581000-memory.dmp

Filesize
3.9MB

Download
memory/2008-424-0x00007FF7A3190000-0x00007FF7A3581000-memory.dmp

Filesize
3.9MB

Download
memory/2276-2094-0x00007FF71EB70000-0x00007FF71EF61000-memory.dmp

Filesize
3.9MB

Download
memory/2276-470-0x00007FF71EB70000-0x00007FF71EF61000-memory.dmp

Filesize
3.9MB

Download
memory/2356-457-0x00007FF78D610000-0x00007FF78DA01000-memory.dmp

Filesize
3.9MB

Download
memory/2356-2074-0x00007FF78D610000-0x00007FF78DA01000-memory.dmp

Filesize
3.9MB

Download
memory/2892-2070-0x00007FF658840000-0x00007FF658C31000-memory.dmp

Filesize
3.9MB

Download
memory/2892-427-0x00007FF658840000-0x00007FF658C31000-memory.dmp

Filesize
3.9MB

Download
memory/3172-2003-0x00007FF669350000-0x00007FF669741000-memory.dmp

Filesize
3.9MB

Download
memory/3172-60-0x00007FF669350000-0x00007FF669741000-memory.dmp

Filesize
3.9MB

Download
memory/3172-2064-0x00007FF669350000-0x00007FF669741000-memory.dmp

Filesize
3.9MB

Download
memory/3240-454-0x00007FF6BC310000-0x00007FF6BC701000-memory.dmp

Filesize
3.9MB

Download
memory/3240-2076-0x00007FF6BC310000-0x00007FF6BC701000-memory.dmp

Filesize
3.9MB

Download
memory/3368-2095-0x00007FF799F50000-0x00007FF79A341000-memory.dmp

Filesize
3.9MB

Download
memory/3368-469-0x00007FF799F50000-0x00007FF79A341000-memory.dmp

Filesize
3.9MB

Download
memory/3448-1986-0x00007FF601D40000-0x00007FF602131000-memory.dmp

Filesize
3.9MB

Download
memory/3448-45-0x00007FF601D40000-0x00007FF602131000-memory.dmp

Filesize
3.9MB

Download
memory/3448-2058-0x00007FF601D40000-0x00007FF602131000-memory.dmp

Filesize
3.9MB

Download
memory/3696-2078-0x00007FF6BF5E0000-0x00007FF6BF9D1000-memory.dmp

Filesize
3.9MB

Download
memory/3696-405-0x00007FF6BF5E0000-0x00007FF6BF9D1000-memory.dmp

Filesize
3.9MB

Download
memory/3924-33-0x00007FF667230000-0x00007FF667621000-memory.dmp

Filesize
3.9MB

Download
memory/3924-1985-0x00007FF667230000-0x00007FF667621000-memory.dmp

Filesize
3.9MB

Download
memory/3924-2030-0x00007FF667230000-0x00007FF667621000-memory.dmp

Filesize
3.9MB

Download
memory/4076-53-0x00007FF76C810000-0x00007FF76CC01000-memory.dmp

Filesize
3.9MB

Download
memory/4076-2054-0x00007FF76C810000-0x00007FF76CC01000-memory.dmp

Filesize
3.9MB

Download
memory/4244-61-0x00007FF7FA870000-0x00007FF7FAC61000-memory.dmp

Filesize
3.9MB

Download
memory/4244-2062-0x00007FF7FA870000-0x00007FF7FAC61000-memory.dmp

Filesize
3.9MB

Download
memory/4420-49-0x00007FF71DF70000-0x00007FF71E361000-memory.dmp

Filesize
3.9MB

Download
memory/4420-2052-0x00007FF71DF70000-0x00007FF71E361000-memory.dmp

Filesize
3.9MB

Download
memory/4460-483-0x00007FF60C4A0000-0x00007FF60C891000-memory.dmp

Filesize
3.9MB

Download
memory/4460-2090-0x00007FF60C4A0000-0x00007FF60C891000-memory.dmp

Filesize
3.9MB

Download
memory/4576-475-0x00007FF6DF010000-0x00007FF6DF401000-memory.dmp

Filesize
3.9MB

Download
memory/4576-2089-0x00007FF6DF010000-0x00007FF6DF401000-memory.dmp

Filesize
3.9MB

Download
memory/4776-11-0x00007FF6570E0000-0x00007FF6574D1000-memory.dmp

Filesize
3.9MB

Download
memory/4776-2028-0x00007FF6570E0000-0x00007FF6574D1000-memory.dmp

Filesize
3.9MB

Download
memory/4796-485-0x00007FF7B27F0000-0x00007FF7B2BE1000-memory.dmp

Filesize
3.9MB

Download
memory/4796-2092-0x00007FF7B27F0000-0x00007FF7B2BE1000-memory.dmp

Filesize
3.9MB

Download
memory/4864-487-0x00007FF7B4700000-0x00007FF7B4AF1000-memory.dmp

Filesize
3.9MB

Download
memory/4864-2072-0x00007FF7B4700000-0x00007FF7B4AF1000-memory.dmp

Filesize
3.9MB

Download
memory/5056-2056-0x00007FF69B670000-0x00007FF69BA61000-memory.dmp

Filesize
3.9MB

Download
memory/5056-38-0x00007FF69B670000-0x00007FF69BA61000-memory.dmp

Filesize
3.9MB

Download
memory/5056-1987-0x00007FF69B670000-0x00007FF69BA61000-memory.dmp

Filesize
3.9MB

Download
memory/5116-466-0x00007FF7173A0000-0x00007FF717791000-memory.dmp

Filesize
3.9MB

Download
memory/5116-2084-0x00007FF7173A0000-0x00007FF717791000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads