xmrig | d081d644b623bc985f07febe9417050cd18f197d5cf5540caa095257ab43f2dd

Analysis

max time kernel
141s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
Size

1.3MB
MD5

13d693749103620df40574a34d0b17b5
SHA1

d38ab09270a0e213c273d73961be63251f08384c
SHA256

d081d644b623bc985f07febe9417050cd18f197d5cf5540caa095257ab43f2dd
SHA512

dfe22062cdafdb592e8ffe215602c4ca8452e5dc24e63271aa1beb50de71bab8fdd6447687c7a8a4af93d50a32ec969ae2d48169e9ee2ab94ce66284d5130e76
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIO6zRIhRmuSOj1Uu:knw9oUUEEDlGUh+hNj9

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/980-393-0x00007FF74B6C0000-0x00007FF74BAB1000-memory.dmp	xmrig
behavioral2/memory/3272-392-0x00007FF646840000-0x00007FF646C31000-memory.dmp	xmrig
behavioral2/memory/2568-410-0x00007FF626E20000-0x00007FF627211000-memory.dmp	xmrig
behavioral2/memory/3616-430-0x00007FF6852F0000-0x00007FF6856E1000-memory.dmp	xmrig
behavioral2/memory/4180-449-0x00007FF761660000-0x00007FF761A51000-memory.dmp	xmrig
behavioral2/memory/5044-440-0x00007FF664D20000-0x00007FF665111000-memory.dmp	xmrig
behavioral2/memory/3016-432-0x00007FF6D3290000-0x00007FF6D3681000-memory.dmp	xmrig
behavioral2/memory/4796-471-0x00007FF670CE0000-0x00007FF6710D1000-memory.dmp	xmrig
behavioral2/memory/3568-485-0x00007FF760E10000-0x00007FF761201000-memory.dmp	xmrig
behavioral2/memory/4056-493-0x00007FF630F40000-0x00007FF631331000-memory.dmp	xmrig
behavioral2/memory/2888-494-0x00007FF6A0BC0000-0x00007FF6A0FB1000-memory.dmp	xmrig
behavioral2/memory/704-484-0x00007FF6273F0000-0x00007FF6277E1000-memory.dmp	xmrig
behavioral2/memory/2784-479-0x00007FF63B3A0000-0x00007FF63B791000-memory.dmp	xmrig
behavioral2/memory/4924-427-0x00007FF6930E0000-0x00007FF6934D1000-memory.dmp	xmrig
behavioral2/memory/1648-424-0x00007FF7CBFB0000-0x00007FF7CC3A1000-memory.dmp	xmrig
behavioral2/memory/3944-407-0x00007FF6CBEB0000-0x00007FF6CC2A1000-memory.dmp	xmrig
behavioral2/memory/3632-399-0x00007FF68EF30000-0x00007FF68F321000-memory.dmp	xmrig
behavioral2/memory/2020-41-0x00007FF76C560000-0x00007FF76C951000-memory.dmp	xmrig
behavioral2/memory/1328-37-0x00007FF6543F0000-0x00007FF6547E1000-memory.dmp	xmrig
behavioral2/memory/1952-33-0x00007FF676E30000-0x00007FF677221000-memory.dmp	xmrig
behavioral2/memory/1428-1963-0x00007FF760F50000-0x00007FF761341000-memory.dmp	xmrig
behavioral2/memory/1952-1980-0x00007FF676E30000-0x00007FF677221000-memory.dmp	xmrig
behavioral2/memory/1984-1997-0x00007FF6E1780000-0x00007FF6E1B71000-memory.dmp	xmrig
behavioral2/memory/1296-1998-0x00007FF78EDD0000-0x00007FF78F1C1000-memory.dmp	xmrig
behavioral2/memory/5088-2004-0x00007FF713750000-0x00007FF713B41000-memory.dmp	xmrig
behavioral2/memory/1428-2006-0x00007FF760F50000-0x00007FF761341000-memory.dmp	xmrig
behavioral2/memory/1296-2012-0x00007FF78EDD0000-0x00007FF78F1C1000-memory.dmp	xmrig
behavioral2/memory/1984-2014-0x00007FF6E1780000-0x00007FF6E1B71000-memory.dmp	xmrig
behavioral2/memory/3632-2055-0x00007FF68EF30000-0x00007FF68F321000-memory.dmp	xmrig
behavioral2/memory/3616-2067-0x00007FF6852F0000-0x00007FF6856E1000-memory.dmp	xmrig
behavioral2/memory/5044-2069-0x00007FF664D20000-0x00007FF665111000-memory.dmp	xmrig
behavioral2/memory/4180-2063-0x00007FF761660000-0x00007FF761A51000-memory.dmp	xmrig
behavioral2/memory/3944-2061-0x00007FF6CBEB0000-0x00007FF6CC2A1000-memory.dmp	xmrig
behavioral2/memory/4924-2059-0x00007FF6930E0000-0x00007FF6934D1000-memory.dmp	xmrig
behavioral2/memory/3016-2057-0x00007FF6D3290000-0x00007FF6D3681000-memory.dmp	xmrig
behavioral2/memory/980-2053-0x00007FF74B6C0000-0x00007FF74BAB1000-memory.dmp	xmrig
behavioral2/memory/2568-2065-0x00007FF626E20000-0x00007FF627211000-memory.dmp	xmrig
behavioral2/memory/1648-2051-0x00007FF7CBFB0000-0x00007FF7CC3A1000-memory.dmp	xmrig
behavioral2/memory/3272-2049-0x00007FF646840000-0x00007FF646C31000-memory.dmp	xmrig
behavioral2/memory/2888-2043-0x00007FF6A0BC0000-0x00007FF6A0FB1000-memory.dmp	xmrig
behavioral2/memory/1952-2016-0x00007FF676E30000-0x00007FF677221000-memory.dmp	xmrig
behavioral2/memory/1328-2010-0x00007FF6543F0000-0x00007FF6547E1000-memory.dmp	xmrig
behavioral2/memory/2020-2008-0x00007FF76C560000-0x00007FF76C951000-memory.dmp	xmrig
behavioral2/memory/4056-2137-0x00007FF630F40000-0x00007FF631331000-memory.dmp	xmrig
behavioral2/memory/4796-2071-0x00007FF670CE0000-0x00007FF6710D1000-memory.dmp	xmrig
behavioral2/memory/704-2083-0x00007FF6273F0000-0x00007FF6277E1000-memory.dmp	xmrig
behavioral2/memory/2784-2080-0x00007FF63B3A0000-0x00007FF63B791000-memory.dmp	xmrig
behavioral2/memory/3568-2078-0x00007FF760E10000-0x00007FF761201000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
5088	iKXPYhz.exe
1952	QzyKCEm.exe
1428	ZYKbiHO.exe
1328	yBGGXXg.exe
2020	myzOMNp.exe
1984	wAuwuYN.exe
1296	sdJfgna.exe
2888	MjJIrGX.exe
3272	pyofUJx.exe
980	hHjcMiZ.exe
3632	FiIlLxh.exe
3944	ikTwzxb.exe
2568	cmivrWA.exe
1648	TVgsfWj.exe
4924	jDQQIRK.exe
3616	IYgjEoZ.exe
3016	OiLauwX.exe
5044	ekKRhoA.exe
4180	tdaMjkZ.exe
4796	exbhBwQ.exe
2784	UFfLpJv.exe
704	gBgxjnC.exe
3568	NXjNbdw.exe
4056	CFMHphe.exe
4188	lHtLrHF.exe
548	BbjIrki.exe
4716	wWGJwjI.exe
4444	phsbvBU.exe
3276	WbUJMgY.exe
2296	QHOTaYc.exe
1032	PLeaMya.exe
2516	VVYZSEb.exe
712	SamRZrh.exe
3292	avwDYtF.exe
2992	KVXegNT.exe
1432	doJOeLB.exe
4016	ZHVHBct.exe
1900	IfLupss.exe
3092	bENZafR.exe
1800	tNkqAnU.exe
4072	lvboEot.exe
2900	KsHsjaE.exe
736	ahQajTc.exe
3188	oqYmVjH.exe
2404	xRBHsnH.exe
228	fHZiOpl.exe
2288	gVbTgUh.exe
1392	JAnEHZl.exe
2448	PVyToXz.exe
4292	ZjSPrvb.exe
5072	tRixDRs.exe
1968	HQzWxjg.exe
3936	bZnrGCt.exe
3848	PFoNovX.exe
932	rBrHlnE.exe
4864	vplqzoA.exe
3704	mqtexKT.exe
1628	gtSIMgC.exe
1088	zWQpGQI.exe
1528	ovKXuvT.exe
2652	XPKqGaA.exe
4884	DUepHtH.exe
1596	FzZktWT.exe
1668	snnmEmO.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4940-0-0x00007FF74C1F0000-0x00007FF74C5E1000-memory.dmp	upx
behavioral2/files/0x000b000000023b78-11.dat	upx
behavioral2/files/0x000a000000023b7d-16.dat	upx
behavioral2/files/0x000a000000023b7c-12.dat	upx
behavioral2/files/0x000a000000023b7e-29.dat	upx
behavioral2/files/0x000a000000023b80-35.dat	upx
behavioral2/files/0x000a000000023b81-45.dat	upx
behavioral2/files/0x000a000000023b85-67.dat	upx
behavioral2/files/0x000a000000023b89-87.dat	upx
behavioral2/files/0x000a000000023b8b-97.dat	upx
behavioral2/files/0x000a000000023b8d-105.dat	upx
behavioral2/files/0x000a000000023b8e-112.dat	upx
behavioral2/files/0x000a000000023b92-132.dat	upx
behavioral2/files/0x000a000000023b95-147.dat	upx
behavioral2/memory/1296-390-0x00007FF78EDD0000-0x00007FF78F1C1000-memory.dmp	upx
behavioral2/memory/980-393-0x00007FF74B6C0000-0x00007FF74BAB1000-memory.dmp	upx
behavioral2/memory/3272-392-0x00007FF646840000-0x00007FF646C31000-memory.dmp	upx
behavioral2/memory/2568-410-0x00007FF626E20000-0x00007FF627211000-memory.dmp	upx
behavioral2/memory/3616-430-0x00007FF6852F0000-0x00007FF6856E1000-memory.dmp	upx
behavioral2/memory/4180-449-0x00007FF761660000-0x00007FF761A51000-memory.dmp	upx
behavioral2/memory/5044-440-0x00007FF664D20000-0x00007FF665111000-memory.dmp	upx
behavioral2/memory/3016-432-0x00007FF6D3290000-0x00007FF6D3681000-memory.dmp	upx
behavioral2/memory/4796-471-0x00007FF670CE0000-0x00007FF6710D1000-memory.dmp	upx
behavioral2/memory/3568-485-0x00007FF760E10000-0x00007FF761201000-memory.dmp	upx
behavioral2/memory/4056-493-0x00007FF630F40000-0x00007FF631331000-memory.dmp	upx
behavioral2/memory/2888-494-0x00007FF6A0BC0000-0x00007FF6A0FB1000-memory.dmp	upx
behavioral2/memory/704-484-0x00007FF6273F0000-0x00007FF6277E1000-memory.dmp	upx
behavioral2/memory/2784-479-0x00007FF63B3A0000-0x00007FF63B791000-memory.dmp	upx
behavioral2/memory/4924-427-0x00007FF6930E0000-0x00007FF6934D1000-memory.dmp	upx
behavioral2/memory/1648-424-0x00007FF7CBFB0000-0x00007FF7CC3A1000-memory.dmp	upx
behavioral2/memory/3944-407-0x00007FF6CBEB0000-0x00007FF6CC2A1000-memory.dmp	upx
behavioral2/memory/3632-399-0x00007FF68EF30000-0x00007FF68F321000-memory.dmp	upx
behavioral2/files/0x000a000000023b99-167.dat	upx
behavioral2/files/0x000a000000023b98-162.dat	upx
behavioral2/files/0x000a000000023b97-157.dat	upx
behavioral2/files/0x000a000000023b96-153.dat	upx
behavioral2/files/0x000a000000023b94-142.dat	upx
behavioral2/files/0x000a000000023b93-137.dat	upx
behavioral2/files/0x000a000000023b91-127.dat	upx
behavioral2/files/0x000a000000023b90-122.dat	upx
behavioral2/files/0x000a000000023b8f-117.dat	upx
behavioral2/files/0x000a000000023b8c-102.dat	upx
behavioral2/files/0x000a000000023b8a-92.dat	upx
behavioral2/files/0x000a000000023b88-82.dat	upx
behavioral2/files/0x000a000000023b87-77.dat	upx
behavioral2/files/0x000a000000023b86-72.dat	upx
behavioral2/files/0x000a000000023b84-62.dat	upx
behavioral2/files/0x000a000000023b83-57.dat	upx
behavioral2/files/0x000a000000023b82-52.dat	upx
behavioral2/memory/2020-41-0x00007FF76C560000-0x00007FF76C951000-memory.dmp	upx
behavioral2/memory/1984-38-0x00007FF6E1780000-0x00007FF6E1B71000-memory.dmp	upx
behavioral2/memory/1328-37-0x00007FF6543F0000-0x00007FF6547E1000-memory.dmp	upx
behavioral2/memory/1952-33-0x00007FF676E30000-0x00007FF677221000-memory.dmp	upx
behavioral2/files/0x000a000000023b7f-32.dat	upx
behavioral2/memory/1428-24-0x00007FF760F50000-0x00007FF761341000-memory.dmp	upx
behavioral2/memory/5088-15-0x00007FF713750000-0x00007FF713B41000-memory.dmp	upx
behavioral2/files/0x0009000000023b08-8.dat	upx
behavioral2/memory/1428-1963-0x00007FF760F50000-0x00007FF761341000-memory.dmp	upx
behavioral2/memory/1952-1980-0x00007FF676E30000-0x00007FF677221000-memory.dmp	upx
behavioral2/memory/1984-1997-0x00007FF6E1780000-0x00007FF6E1B71000-memory.dmp	upx
behavioral2/memory/1296-1998-0x00007FF78EDD0000-0x00007FF78F1C1000-memory.dmp	upx
behavioral2/memory/5088-2004-0x00007FF713750000-0x00007FF713B41000-memory.dmp	upx
behavioral2/memory/1428-2006-0x00007FF760F50000-0x00007FF761341000-memory.dmp	upx
behavioral2/memory/1296-2012-0x00007FF78EDD0000-0x00007FF78F1C1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\ZpugAAX.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\xkYjZxF.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\ZwFgIGd.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\bUmDBuw.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\GRmzIMk.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\jxsDpLd.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\TcsxlKA.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\XULgYYr.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\CjRnjoN.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\CvkKstQ.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\DnIrTsI.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\CTKQsRX.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\PFrMYNU.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\IryObmI.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\hrfCuYX.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\zdQOQdw.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\oWBmKNn.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\SvsUejE.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\SYloFXe.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\sIKDauE.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\vgzAsWY.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\wDdQsvo.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\LKXZgyl.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\smMBtRx.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\IYgjEoZ.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\OiLauwX.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\udqUWbD.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\OnPUPdn.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\wONQpcZ.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\pQPbIFV.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\phWCnZC.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\ULEHNry.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\kZosALl.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\MHiXDsX.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\ApPfgrV.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\tjsViYy.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\rBUSfmH.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\gSjRoPd.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\YUdbHyN.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\mwuEnkt.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\YFMFHRQ.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\opIDTCF.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\vMKCLMJ.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\KeSMYoU.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\Qjqbezq.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\aacBLJh.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\AVGQtuv.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\hOcjSjs.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\fHZiOpl.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\jYCxTOD.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\SIvvMFL.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\rJTQexg.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\WStjfbz.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\iURyLia.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\pEYbMxH.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\AhttjRq.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\ESgEXhJ.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\JJDdmpc.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\nWgjAHo.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\WATxdKd.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\yNZMdgZ.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\hqpMCvC.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\xRBHsnH.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
File created	C:\Windows\System32\WUmIYqs.exe	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	12804	dwm.exe
Token: SeChangeNotifyPrivilege	12804	dwm.exe
Token: 33	12804	dwm.exe
Token: SeIncBasePriorityPrivilege	12804	dwm.exe
Token: SeShutdownPrivilege	12804	dwm.exe
Token: SeCreatePagefilePrivilege	12804	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 5088	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	85
PID 4940 wrote to memory of 5088	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	85
PID 4940 wrote to memory of 1952	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	86
PID 4940 wrote to memory of 1952	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	86
PID 4940 wrote to memory of 1428	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	87
PID 4940 wrote to memory of 1428	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	87
PID 4940 wrote to memory of 1328	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	88
PID 4940 wrote to memory of 1328	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	88
PID 4940 wrote to memory of 1984	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	89
PID 4940 wrote to memory of 1984	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	89
PID 4940 wrote to memory of 2020	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	90
PID 4940 wrote to memory of 2020	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	90
PID 4940 wrote to memory of 1296	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	91
PID 4940 wrote to memory of 1296	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	91
PID 4940 wrote to memory of 2888	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	92
PID 4940 wrote to memory of 2888	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	92
PID 4940 wrote to memory of 3272	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	93
PID 4940 wrote to memory of 3272	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	93
PID 4940 wrote to memory of 980	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	94
PID 4940 wrote to memory of 980	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	94
PID 4940 wrote to memory of 3632	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	95
PID 4940 wrote to memory of 3632	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	95
PID 4940 wrote to memory of 3944	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	96
PID 4940 wrote to memory of 3944	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	96
PID 4940 wrote to memory of 2568	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	97
PID 4940 wrote to memory of 2568	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	97
PID 4940 wrote to memory of 1648	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	98
PID 4940 wrote to memory of 1648	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	98
PID 4940 wrote to memory of 4924	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	99
PID 4940 wrote to memory of 4924	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	99
PID 4940 wrote to memory of 3616	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	100
PID 4940 wrote to memory of 3616	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	100
PID 4940 wrote to memory of 3016	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	101
PID 4940 wrote to memory of 3016	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	101
PID 4940 wrote to memory of 5044	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	102
PID 4940 wrote to memory of 5044	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	102
PID 4940 wrote to memory of 4180	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	103
PID 4940 wrote to memory of 4180	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	103
PID 4940 wrote to memory of 4796	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	104
PID 4940 wrote to memory of 4796	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	104
PID 4940 wrote to memory of 2784	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	105
PID 4940 wrote to memory of 2784	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	105
PID 4940 wrote to memory of 704	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	106
PID 4940 wrote to memory of 704	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	106
PID 4940 wrote to memory of 3568	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	107
PID 4940 wrote to memory of 3568	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	107
PID 4940 wrote to memory of 4056	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	108
PID 4940 wrote to memory of 4056	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	108
PID 4940 wrote to memory of 4188	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	109
PID 4940 wrote to memory of 4188	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	109
PID 4940 wrote to memory of 548	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	110
PID 4940 wrote to memory of 548	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	110
PID 4940 wrote to memory of 4716	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	111
PID 4940 wrote to memory of 4716	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	111
PID 4940 wrote to memory of 4444	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	112
PID 4940 wrote to memory of 4444	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	112
PID 4940 wrote to memory of 3276	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	113
PID 4940 wrote to memory of 3276	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	113
PID 4940 wrote to memory of 2296	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	114
PID 4940 wrote to memory of 2296	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	114
PID 4940 wrote to memory of 1032	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	115
PID 4940 wrote to memory of 1032	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	115
PID 4940 wrote to memory of 2516	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	116
PID 4940 wrote to memory of 2516	4940	13d693749103620df40574a34d0b17b5_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\13d693749103620df40574a34d0b17b5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\13d693749103620df40574a34d0b17b5_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\System32\iKXPYhz.exe
  C:\Windows\System32\iKXPYhz.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System32\QzyKCEm.exe
  C:\Windows\System32\QzyKCEm.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System32\ZYKbiHO.exe
  C:\Windows\System32\ZYKbiHO.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System32\yBGGXXg.exe
  C:\Windows\System32\yBGGXXg.exe
  2⤵
  - Executes dropped EXE
  PID:1328
- C:\Windows\System32\wAuwuYN.exe
  C:\Windows\System32\wAuwuYN.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System32\myzOMNp.exe
  C:\Windows\System32\myzOMNp.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System32\sdJfgna.exe
  C:\Windows\System32\sdJfgna.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System32\MjJIrGX.exe
  C:\Windows\System32\MjJIrGX.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System32\pyofUJx.exe
  C:\Windows\System32\pyofUJx.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System32\hHjcMiZ.exe
  C:\Windows\System32\hHjcMiZ.exe
  2⤵
  - Executes dropped EXE
  PID:980
- C:\Windows\System32\FiIlLxh.exe
  C:\Windows\System32\FiIlLxh.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System32\ikTwzxb.exe
  C:\Windows\System32\ikTwzxb.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System32\cmivrWA.exe
  C:\Windows\System32\cmivrWA.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System32\TVgsfWj.exe
  C:\Windows\System32\TVgsfWj.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System32\jDQQIRK.exe
  C:\Windows\System32\jDQQIRK.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System32\IYgjEoZ.exe
  C:\Windows\System32\IYgjEoZ.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System32\OiLauwX.exe
  C:\Windows\System32\OiLauwX.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System32\ekKRhoA.exe
  C:\Windows\System32\ekKRhoA.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System32\tdaMjkZ.exe
  C:\Windows\System32\tdaMjkZ.exe
  2⤵
  - Executes dropped EXE
  PID:4180
- C:\Windows\System32\exbhBwQ.exe
  C:\Windows\System32\exbhBwQ.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System32\UFfLpJv.exe
  C:\Windows\System32\UFfLpJv.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System32\gBgxjnC.exe
  C:\Windows\System32\gBgxjnC.exe
  2⤵
  - Executes dropped EXE
  PID:704
- C:\Windows\System32\NXjNbdw.exe
  C:\Windows\System32\NXjNbdw.exe
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Windows\System32\CFMHphe.exe
  C:\Windows\System32\CFMHphe.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System32\lHtLrHF.exe
  C:\Windows\System32\lHtLrHF.exe
  2⤵
  - Executes dropped EXE
  PID:4188
- C:\Windows\System32\BbjIrki.exe
  C:\Windows\System32\BbjIrki.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System32\wWGJwjI.exe
  C:\Windows\System32\wWGJwjI.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System32\phsbvBU.exe
  C:\Windows\System32\phsbvBU.exe
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Windows\System32\WbUJMgY.exe
  C:\Windows\System32\WbUJMgY.exe
  2⤵
  - Executes dropped EXE
  PID:3276
- C:\Windows\System32\QHOTaYc.exe
  C:\Windows\System32\QHOTaYc.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System32\PLeaMya.exe
  C:\Windows\System32\PLeaMya.exe
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\System32\VVYZSEb.exe
  C:\Windows\System32\VVYZSEb.exe
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\System32\SamRZrh.exe
  C:\Windows\System32\SamRZrh.exe
  2⤵
  - Executes dropped EXE
  PID:712
- C:\Windows\System32\avwDYtF.exe
  C:\Windows\System32\avwDYtF.exe
  2⤵
  - Executes dropped EXE
  PID:3292
- C:\Windows\System32\KVXegNT.exe
  C:\Windows\System32\KVXegNT.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System32\doJOeLB.exe
  C:\Windows\System32\doJOeLB.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System32\ZHVHBct.exe
  C:\Windows\System32\ZHVHBct.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System32\IfLupss.exe
  C:\Windows\System32\IfLupss.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System32\bENZafR.exe
  C:\Windows\System32\bENZafR.exe
  2⤵
  - Executes dropped EXE
  PID:3092
- C:\Windows\System32\tNkqAnU.exe
  C:\Windows\System32\tNkqAnU.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System32\lvboEot.exe
  C:\Windows\System32\lvboEot.exe
  2⤵
  - Executes dropped EXE
  PID:4072
- C:\Windows\System32\KsHsjaE.exe
  C:\Windows\System32\KsHsjaE.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System32\ahQajTc.exe
  C:\Windows\System32\ahQajTc.exe
  2⤵
  - Executes dropped EXE
  PID:736
- C:\Windows\System32\oqYmVjH.exe
  C:\Windows\System32\oqYmVjH.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System32\xRBHsnH.exe
  C:\Windows\System32\xRBHsnH.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System32\fHZiOpl.exe
  C:\Windows\System32\fHZiOpl.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System32\gVbTgUh.exe
  C:\Windows\System32\gVbTgUh.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System32\JAnEHZl.exe
  C:\Windows\System32\JAnEHZl.exe
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\System32\PVyToXz.exe
  C:\Windows\System32\PVyToXz.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System32\ZjSPrvb.exe
  C:\Windows\System32\ZjSPrvb.exe
  2⤵
  - Executes dropped EXE
  PID:4292
- C:\Windows\System32\tRixDRs.exe
  C:\Windows\System32\tRixDRs.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System32\HQzWxjg.exe
  C:\Windows\System32\HQzWxjg.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System32\bZnrGCt.exe
  C:\Windows\System32\bZnrGCt.exe
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Windows\System32\PFoNovX.exe
  C:\Windows\System32\PFoNovX.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System32\rBrHlnE.exe
  C:\Windows\System32\rBrHlnE.exe
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\System32\vplqzoA.exe
  C:\Windows\System32\vplqzoA.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System32\mqtexKT.exe
  C:\Windows\System32\mqtexKT.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System32\gtSIMgC.exe
  C:\Windows\System32\gtSIMgC.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System32\zWQpGQI.exe
  C:\Windows\System32\zWQpGQI.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System32\ovKXuvT.exe
  C:\Windows\System32\ovKXuvT.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\System32\XPKqGaA.exe
  C:\Windows\System32\XPKqGaA.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System32\DUepHtH.exe
  C:\Windows\System32\DUepHtH.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System32\FzZktWT.exe
  C:\Windows\System32\FzZktWT.exe
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\System32\snnmEmO.exe
  C:\Windows\System32\snnmEmO.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System32\gEiDgSU.exe
  C:\Windows\System32\gEiDgSU.exe
  2⤵
  PID:1808
- C:\Windows\System32\CcwnYKN.exe
  C:\Windows\System32\CcwnYKN.exe
  2⤵
  PID:4012
- C:\Windows\System32\SYloFXe.exe
  C:\Windows\System32\SYloFXe.exe
  2⤵
  PID:4732
- C:\Windows\System32\qdmbvQz.exe
  C:\Windows\System32\qdmbvQz.exe
  2⤵
  PID:3508
- C:\Windows\System32\HNxpCuv.exe
  C:\Windows\System32\HNxpCuv.exe
  2⤵
  PID:2676
- C:\Windows\System32\taUXlHR.exe
  C:\Windows\System32\taUXlHR.exe
  2⤵
  PID:4476
- C:\Windows\System32\kcGyeCR.exe
  C:\Windows\System32\kcGyeCR.exe
  2⤵
  PID:4632
- C:\Windows\System32\iOipidV.exe
  C:\Windows\System32\iOipidV.exe
  2⤵
  PID:3732
- C:\Windows\System32\TcZZwEL.exe
  C:\Windows\System32\TcZZwEL.exe
  2⤵
  PID:3840
- C:\Windows\System32\PyppSyi.exe
  C:\Windows\System32\PyppSyi.exe
  2⤵
  PID:4728
- C:\Windows\System32\QEAdRHN.exe
  C:\Windows\System32\QEAdRHN.exe
  2⤵
  PID:5100
- C:\Windows\System32\LoJrcsP.exe
  C:\Windows\System32\LoJrcsP.exe
  2⤵
  PID:1656
- C:\Windows\System32\cQmeAMd.exe
  C:\Windows\System32\cQmeAMd.exe
  2⤵
  PID:3828
- C:\Windows\System32\iURyLia.exe
  C:\Windows\System32\iURyLia.exe
  2⤵
  PID:3304
- C:\Windows\System32\CTKQsRX.exe
  C:\Windows\System32\CTKQsRX.exe
  2⤵
  PID:4244
- C:\Windows\System32\irZxzzV.exe
  C:\Windows\System32\irZxzzV.exe
  2⤵
  PID:2928
- C:\Windows\System32\XYQvBOT.exe
  C:\Windows\System32\XYQvBOT.exe
  2⤵
  PID:2068
- C:\Windows\System32\Qjqbezq.exe
  C:\Windows\System32\Qjqbezq.exe
  2⤵
  PID:4708
- C:\Windows\System32\gUtbYYa.exe
  C:\Windows\System32\gUtbYYa.exe
  2⤵
  PID:5128
- C:\Windows\System32\THPFmEY.exe
  C:\Windows\System32\THPFmEY.exe
  2⤵
  PID:5160
- C:\Windows\System32\ZOFbnav.exe
  C:\Windows\System32\ZOFbnav.exe
  2⤵
  PID:5188
- C:\Windows\System32\rZXzOCc.exe
  C:\Windows\System32\rZXzOCc.exe
  2⤵
  PID:5212
- C:\Windows\System32\VKIXGuP.exe
  C:\Windows\System32\VKIXGuP.exe
  2⤵
  PID:5244
- C:\Windows\System32\PFrMYNU.exe
  C:\Windows\System32\PFrMYNU.exe
  2⤵
  PID:5272
- C:\Windows\System32\bGZIYAW.exe
  C:\Windows\System32\bGZIYAW.exe
  2⤵
  PID:5296
- C:\Windows\System32\oWBmKNn.exe
  C:\Windows\System32\oWBmKNn.exe
  2⤵
  PID:5328
- C:\Windows\System32\wnRuTGD.exe
  C:\Windows\System32\wnRuTGD.exe
  2⤵
  PID:5356
- C:\Windows\System32\WATxdKd.exe
  C:\Windows\System32\WATxdKd.exe
  2⤵
  PID:5380
- C:\Windows\System32\cLvAJao.exe
  C:\Windows\System32\cLvAJao.exe
  2⤵
  PID:5412
- C:\Windows\System32\zarDqSH.exe
  C:\Windows\System32\zarDqSH.exe
  2⤵
  PID:5440
- C:\Windows\System32\xmJzIfe.exe
  C:\Windows\System32\xmJzIfe.exe
  2⤵
  PID:5464
- C:\Windows\System32\ZljWQia.exe
  C:\Windows\System32\ZljWQia.exe
  2⤵
  PID:5496
- C:\Windows\System32\wFLhSRW.exe
  C:\Windows\System32\wFLhSRW.exe
  2⤵
  PID:5524
- C:\Windows\System32\BChyzKI.exe
  C:\Windows\System32\BChyzKI.exe
  2⤵
  PID:5548
- C:\Windows\System32\ZHxJmBb.exe
  C:\Windows\System32\ZHxJmBb.exe
  2⤵
  PID:5584
- C:\Windows\System32\UNvcGWT.exe
  C:\Windows\System32\UNvcGWT.exe
  2⤵
  PID:5608
- C:\Windows\System32\aDmEQqO.exe
  C:\Windows\System32\aDmEQqO.exe
  2⤵
  PID:5632
- C:\Windows\System32\sjGcOLj.exe
  C:\Windows\System32\sjGcOLj.exe
  2⤵
  PID:5680
- C:\Windows\System32\epczbVl.exe
  C:\Windows\System32\epczbVl.exe
  2⤵
  PID:5696
- C:\Windows\System32\HZEJdZf.exe
  C:\Windows\System32\HZEJdZf.exe
  2⤵
  PID:5724
- C:\Windows\System32\pEAtImc.exe
  C:\Windows\System32\pEAtImc.exe
  2⤵
  PID:5752
- C:\Windows\System32\oPWhyGE.exe
  C:\Windows\System32\oPWhyGE.exe
  2⤵
  PID:5780
- C:\Windows\System32\gjFyRCa.exe
  C:\Windows\System32\gjFyRCa.exe
  2⤵
  PID:5808
- C:\Windows\System32\fcHohdl.exe
  C:\Windows\System32\fcHohdl.exe
  2⤵
  PID:5892
- C:\Windows\System32\xFlIyLl.exe
  C:\Windows\System32\xFlIyLl.exe
  2⤵
  PID:5940
- C:\Windows\System32\MIYvFki.exe
  C:\Windows\System32\MIYvFki.exe
  2⤵
  PID:5968
- C:\Windows\System32\rqrLtIN.exe
  C:\Windows\System32\rqrLtIN.exe
  2⤵
  PID:5992
- C:\Windows\System32\aDdyytY.exe
  C:\Windows\System32\aDdyytY.exe
  2⤵
  PID:6012
- C:\Windows\System32\vTmJQbT.exe
  C:\Windows\System32\vTmJQbT.exe
  2⤵
  PID:6056
- C:\Windows\System32\LjGjisZ.exe
  C:\Windows\System32\LjGjisZ.exe
  2⤵
  PID:6072
- C:\Windows\System32\wzsKDvx.exe
  C:\Windows\System32\wzsKDvx.exe
  2⤵
  PID:6092
- C:\Windows\System32\PmBXXlj.exe
  C:\Windows\System32\PmBXXlj.exe
  2⤵
  PID:6112
- C:\Windows\System32\uWyvVrE.exe
  C:\Windows\System32\uWyvVrE.exe
  2⤵
  PID:6128
- C:\Windows\System32\yNZMdgZ.exe
  C:\Windows\System32\yNZMdgZ.exe
  2⤵
  PID:3080
- C:\Windows\System32\SvsUejE.exe
  C:\Windows\System32\SvsUejE.exe
  2⤵
  PID:3628
- C:\Windows\System32\lfndESe.exe
  C:\Windows\System32\lfndESe.exe
  2⤵
  PID:464
- C:\Windows\System32\ujFZdHO.exe
  C:\Windows\System32\ujFZdHO.exe
  2⤵
  PID:5288
- C:\Windows\System32\qLlmPty.exe
  C:\Windows\System32\qLlmPty.exe
  2⤵
  PID:5292
- C:\Windows\System32\BSBGZoC.exe
  C:\Windows\System32\BSBGZoC.exe
  2⤵
  PID:5344
- C:\Windows\System32\zRhoPQZ.exe
  C:\Windows\System32\zRhoPQZ.exe
  2⤵
  PID:5388
- C:\Windows\System32\eRcUVTw.exe
  C:\Windows\System32\eRcUVTw.exe
  2⤵
  PID:1920
- C:\Windows\System32\HJUMjjr.exe
  C:\Windows\System32\HJUMjjr.exe
  2⤵
  PID:5480
- C:\Windows\System32\vnLSGpa.exe
  C:\Windows\System32\vnLSGpa.exe
  2⤵
  PID:5540
- C:\Windows\System32\nWrMpZT.exe
  C:\Windows\System32\nWrMpZT.exe
  2⤵
  PID:1916
- C:\Windows\System32\poGsWxk.exe
  C:\Windows\System32\poGsWxk.exe
  2⤵
  PID:5624
- C:\Windows\System32\agYImdR.exe
  C:\Windows\System32\agYImdR.exe
  2⤵
  PID:2612
- C:\Windows\System32\pfeJNGa.exe
  C:\Windows\System32\pfeJNGa.exe
  2⤵
  PID:3744
- C:\Windows\System32\xPeakkp.exe
  C:\Windows\System32\xPeakkp.exe
  2⤵
  PID:1624
- C:\Windows\System32\LVoOtUe.exe
  C:\Windows\System32\LVoOtUe.exe
  2⤵
  PID:5740
- C:\Windows\System32\NLpZLcD.exe
  C:\Windows\System32\NLpZLcD.exe
  2⤵
  PID:1632
- C:\Windows\System32\golfiDj.exe
  C:\Windows\System32\golfiDj.exe
  2⤵
  PID:5860
- C:\Windows\System32\ZkxqoKN.exe
  C:\Windows\System32\ZkxqoKN.exe
  2⤵
  PID:4596
- C:\Windows\System32\xbWWaiD.exe
  C:\Windows\System32\xbWWaiD.exe
  2⤵
  PID:5920
- C:\Windows\System32\wNeKVDw.exe
  C:\Windows\System32\wNeKVDw.exe
  2⤵
  PID:6032
- C:\Windows\System32\dtLKHCl.exe
  C:\Windows\System32\dtLKHCl.exe
  2⤵
  PID:6068
- C:\Windows\System32\gJRIvuH.exe
  C:\Windows\System32\gJRIvuH.exe
  2⤵
  PID:1200
- C:\Windows\System32\xCFVwuT.exe
  C:\Windows\System32\xCFVwuT.exe
  2⤵
  PID:6104
- C:\Windows\System32\tHAaZwA.exe
  C:\Windows\System32\tHAaZwA.exe
  2⤵
  PID:5168
- C:\Windows\System32\AlgJKDD.exe
  C:\Windows\System32\AlgJKDD.exe
  2⤵
  PID:5316
- C:\Windows\System32\tFkolfa.exe
  C:\Windows\System32\tFkolfa.exe
  2⤵
  PID:5420
- C:\Windows\System32\YDuCvPy.exe
  C:\Windows\System32\YDuCvPy.exe
  2⤵
  PID:5568
- C:\Windows\System32\rxusQqB.exe
  C:\Windows\System32\rxusQqB.exe
  2⤵
  PID:5628
- C:\Windows\System32\drTyGUE.exe
  C:\Windows\System32\drTyGUE.exe
  2⤵
  PID:4600
- C:\Windows\System32\POjLIka.exe
  C:\Windows\System32\POjLIka.exe
  2⤵
  PID:4052
- C:\Windows\System32\jfZTuEI.exe
  C:\Windows\System32\jfZTuEI.exe
  2⤵
  PID:5912
- C:\Windows\System32\xdrjIBa.exe
  C:\Windows\System32\xdrjIBa.exe
  2⤵
  PID:3312
- C:\Windows\System32\teSaePE.exe
  C:\Windows\System32\teSaePE.exe
  2⤵
  PID:3604
- C:\Windows\System32\GxNpeOq.exe
  C:\Windows\System32\GxNpeOq.exe
  2⤵
  PID:5396
- C:\Windows\System32\phWCnZC.exe
  C:\Windows\System32\phWCnZC.exe
  2⤵
  PID:5592
- C:\Windows\System32\NXpMlot.exe
  C:\Windows\System32\NXpMlot.exe
  2⤵
  PID:8
- C:\Windows\System32\qHofOzc.exe
  C:\Windows\System32\qHofOzc.exe
  2⤵
  PID:5948
- C:\Windows\System32\vZpQQDw.exe
  C:\Windows\System32\vZpQQDw.exe
  2⤵
  PID:5512
- C:\Windows\System32\dWRMFNp.exe
  C:\Windows\System32\dWRMFNp.exe
  2⤵
  PID:6160
- C:\Windows\System32\pKdaErg.exe
  C:\Windows\System32\pKdaErg.exe
  2⤵
  PID:6188
- C:\Windows\System32\SPmSuLs.exe
  C:\Windows\System32\SPmSuLs.exe
  2⤵
  PID:6216
- C:\Windows\System32\DsvPNJB.exe
  C:\Windows\System32\DsvPNJB.exe
  2⤵
  PID:6244
- C:\Windows\System32\VJFgcKJ.exe
  C:\Windows\System32\VJFgcKJ.exe
  2⤵
  PID:6272
- C:\Windows\System32\NDtCTQE.exe
  C:\Windows\System32\NDtCTQE.exe
  2⤵
  PID:6308
- C:\Windows\System32\xoNQrFn.exe
  C:\Windows\System32\xoNQrFn.exe
  2⤵
  PID:6340
- C:\Windows\System32\PLKMwvx.exe
  C:\Windows\System32\PLKMwvx.exe
  2⤵
  PID:6364
- C:\Windows\System32\ZXmOTBT.exe
  C:\Windows\System32\ZXmOTBT.exe
  2⤵
  PID:6492
- C:\Windows\System32\nFKjVSN.exe
  C:\Windows\System32\nFKjVSN.exe
  2⤵
  PID:6508
- C:\Windows\System32\sIKDauE.exe
  C:\Windows\System32\sIKDauE.exe
  2⤵
  PID:6524
- C:\Windows\System32\DFXYpsP.exe
  C:\Windows\System32\DFXYpsP.exe
  2⤵
  PID:6584
- C:\Windows\System32\UpuwRwh.exe
  C:\Windows\System32\UpuwRwh.exe
  2⤵
  PID:6604
- C:\Windows\System32\fShjHUE.exe
  C:\Windows\System32\fShjHUE.exe
  2⤵
  PID:6620
- C:\Windows\System32\YUdbHyN.exe
  C:\Windows\System32\YUdbHyN.exe
  2⤵
  PID:6640
- C:\Windows\System32\ajHfnfe.exe
  C:\Windows\System32\ajHfnfe.exe
  2⤵
  PID:6664
- C:\Windows\System32\XfPytJf.exe
  C:\Windows\System32\XfPytJf.exe
  2⤵
  PID:6692
- C:\Windows\System32\ceeOVOF.exe
  C:\Windows\System32\ceeOVOF.exe
  2⤵
  PID:6744
- C:\Windows\System32\FEMSEsV.exe
  C:\Windows\System32\FEMSEsV.exe
  2⤵
  PID:6772
- C:\Windows\System32\soZhQNX.exe
  C:\Windows\System32\soZhQNX.exe
  2⤵
  PID:6800
- C:\Windows\System32\QbumCaM.exe
  C:\Windows\System32\QbumCaM.exe
  2⤵
  PID:6820
- C:\Windows\System32\nvBeCSc.exe
  C:\Windows\System32\nvBeCSc.exe
  2⤵
  PID:6864
- C:\Windows\System32\ePJbmSj.exe
  C:\Windows\System32\ePJbmSj.exe
  2⤵
  PID:6888
- C:\Windows\System32\PqIKuiN.exe
  C:\Windows\System32\PqIKuiN.exe
  2⤵
  PID:6904
- C:\Windows\System32\oGXXvdU.exe
  C:\Windows\System32\oGXXvdU.exe
  2⤵
  PID:6924
- C:\Windows\System32\sewRzYy.exe
  C:\Windows\System32\sewRzYy.exe
  2⤵
  PID:6940
- C:\Windows\System32\cdymdvD.exe
  C:\Windows\System32\cdymdvD.exe
  2⤵
  PID:6968
- C:\Windows\System32\ZwFgIGd.exe
  C:\Windows\System32\ZwFgIGd.exe
  2⤵
  PID:6984
- C:\Windows\System32\FkGXynn.exe
  C:\Windows\System32\FkGXynn.exe
  2⤵
  PID:7032
- C:\Windows\System32\RYqhWky.exe
  C:\Windows\System32\RYqhWky.exe
  2⤵
  PID:7084
- C:\Windows\System32\qWZwHqN.exe
  C:\Windows\System32\qWZwHqN.exe
  2⤵
  PID:7112
- C:\Windows\System32\aVYmpQJ.exe
  C:\Windows\System32\aVYmpQJ.exe
  2⤵
  PID:7128
- C:\Windows\System32\AhttjRq.exe
  C:\Windows\System32\AhttjRq.exe
  2⤵
  PID:7148
- C:\Windows\System32\gLmCoAK.exe
  C:\Windows\System32\gLmCoAK.exe
  2⤵
  PID:5652
- C:\Windows\System32\MpWGcSg.exe
  C:\Windows\System32\MpWGcSg.exe
  2⤵
  PID:6148
- C:\Windows\System32\XFJlDhc.exe
  C:\Windows\System32\XFJlDhc.exe
  2⤵
  PID:6180
- C:\Windows\System32\DUCcpAr.exe
  C:\Windows\System32\DUCcpAr.exe
  2⤵
  PID:5876
- C:\Windows\System32\HzoqriN.exe
  C:\Windows\System32\HzoqriN.exe
  2⤵
  PID:1492
- C:\Windows\System32\GNCHkZP.exe
  C:\Windows\System32\GNCHkZP.exe
  2⤵
  PID:6296
- C:\Windows\System32\MWbqLnK.exe
  C:\Windows\System32\MWbqLnK.exe
  2⤵
  PID:6372
- C:\Windows\System32\ZEhPMwq.exe
  C:\Windows\System32\ZEhPMwq.exe
  2⤵
  PID:5916
- C:\Windows\System32\EiYyXsw.exe
  C:\Windows\System32\EiYyXsw.exe
  2⤵
  PID:6408
- C:\Windows\System32\sZoaHcX.exe
  C:\Windows\System32\sZoaHcX.exe
  2⤵
  PID:6504
- C:\Windows\System32\qJXrOIp.exe
  C:\Windows\System32\qJXrOIp.exe
  2⤵
  PID:6532
- C:\Windows\System32\ercEiAS.exe
  C:\Windows\System32\ercEiAS.exe
  2⤵
  PID:6616
- C:\Windows\System32\ZPOzipf.exe
  C:\Windows\System32\ZPOzipf.exe
  2⤵
  PID:6628
- C:\Windows\System32\kuUuMTV.exe
  C:\Windows\System32\kuUuMTV.exe
  2⤵
  PID:6704
- C:\Windows\System32\NeRnMrl.exe
  C:\Windows\System32\NeRnMrl.exe
  2⤵
  PID:6768
- C:\Windows\System32\wiXtAzl.exe
  C:\Windows\System32\wiXtAzl.exe
  2⤵
  PID:6848
- C:\Windows\System32\vgzAsWY.exe
  C:\Windows\System32\vgzAsWY.exe
  2⤵
  PID:6884
- C:\Windows\System32\afnxKUW.exe
  C:\Windows\System32\afnxKUW.exe
  2⤵
  PID:6992
- C:\Windows\System32\SeJursI.exe
  C:\Windows\System32\SeJursI.exe
  2⤵
  PID:7072
- C:\Windows\System32\sLEgRcf.exe
  C:\Windows\System32\sLEgRcf.exe
  2⤵
  PID:7124
- C:\Windows\System32\kHYhMfE.exe
  C:\Windows\System32\kHYhMfE.exe
  2⤵
  PID:7156
- C:\Windows\System32\HpMNLhW.exe
  C:\Windows\System32\HpMNLhW.exe
  2⤵
  PID:5988
- C:\Windows\System32\zmoksbk.exe
  C:\Windows\System32\zmoksbk.exe
  2⤵
  PID:6292
- C:\Windows\System32\QfkvMfe.exe
  C:\Windows\System32\QfkvMfe.exe
  2⤵
  PID:6320
- C:\Windows\System32\fzDtvPO.exe
  C:\Windows\System32\fzDtvPO.exe
  2⤵
  PID:5900
- C:\Windows\System32\ZQEUPWY.exe
  C:\Windows\System32\ZQEUPWY.exe
  2⤵
  PID:6404
- C:\Windows\System32\iweOQAN.exe
  C:\Windows\System32\iweOQAN.exe
  2⤵
  PID:6612
- C:\Windows\System32\ihPPPho.exe
  C:\Windows\System32\ihPPPho.exe
  2⤵
  PID:6872
- C:\Windows\System32\HcofoLU.exe
  C:\Windows\System32\HcofoLU.exe
  2⤵
  PID:6876
- C:\Windows\System32\pCVRgVN.exe
  C:\Windows\System32\pCVRgVN.exe
  2⤵
  PID:5884
- C:\Windows\System32\sfVBNne.exe
  C:\Windows\System32\sfVBNne.exe
  2⤵
  PID:6304
- C:\Windows\System32\zARLtJT.exe
  C:\Windows\System32\zARLtJT.exe
  2⤵
  PID:6672
- C:\Windows\System32\jHLWkYU.exe
  C:\Windows\System32\jHLWkYU.exe
  2⤵
  PID:6812
- C:\Windows\System32\jdvvhSZ.exe
  C:\Windows\System32\jdvvhSZ.exe
  2⤵
  PID:6916
- C:\Windows\System32\uSXpGqh.exe
  C:\Windows\System32\uSXpGqh.exe
  2⤵
  PID:7200
- C:\Windows\System32\emwRMCT.exe
  C:\Windows\System32\emwRMCT.exe
  2⤵
  PID:7252
- C:\Windows\System32\DYkBmfs.exe
  C:\Windows\System32\DYkBmfs.exe
  2⤵
  PID:7268
- C:\Windows\System32\WbcEArh.exe
  C:\Windows\System32\WbcEArh.exe
  2⤵
  PID:7308
- C:\Windows\System32\KnBiogw.exe
  C:\Windows\System32\KnBiogw.exe
  2⤵
  PID:7336
- C:\Windows\System32\CyUTOdB.exe
  C:\Windows\System32\CyUTOdB.exe
  2⤵
  PID:7352
- C:\Windows\System32\esvtqri.exe
  C:\Windows\System32\esvtqri.exe
  2⤵
  PID:7372
- C:\Windows\System32\FPeRueu.exe
  C:\Windows\System32\FPeRueu.exe
  2⤵
  PID:7404
- C:\Windows\System32\pEYbMxH.exe
  C:\Windows\System32\pEYbMxH.exe
  2⤵
  PID:7432
- C:\Windows\System32\HEZZDdZ.exe
  C:\Windows\System32\HEZZDdZ.exe
  2⤵
  PID:7452
- C:\Windows\System32\PfFQZzJ.exe
  C:\Windows\System32\PfFQZzJ.exe
  2⤵
  PID:7472
- C:\Windows\System32\uUQfMTw.exe
  C:\Windows\System32\uUQfMTw.exe
  2⤵
  PID:7488
- C:\Windows\System32\tzwVbbd.exe
  C:\Windows\System32\tzwVbbd.exe
  2⤵
  PID:7544
- C:\Windows\System32\PNUfbbG.exe
  C:\Windows\System32\PNUfbbG.exe
  2⤵
  PID:7568
- C:\Windows\System32\VVWTvbW.exe
  C:\Windows\System32\VVWTvbW.exe
  2⤵
  PID:7584
- C:\Windows\System32\DLhmAjC.exe
  C:\Windows\System32\DLhmAjC.exe
  2⤵
  PID:7604
- C:\Windows\System32\fBIfiTz.exe
  C:\Windows\System32\fBIfiTz.exe
  2⤵
  PID:7628
- C:\Windows\System32\MfmMpsF.exe
  C:\Windows\System32\MfmMpsF.exe
  2⤵
  PID:7656
- C:\Windows\System32\BxSmkZg.exe
  C:\Windows\System32\BxSmkZg.exe
  2⤵
  PID:7688
- C:\Windows\System32\hnpBBCp.exe
  C:\Windows\System32\hnpBBCp.exe
  2⤵
  PID:7752
- C:\Windows\System32\jPvMrqy.exe
  C:\Windows\System32\jPvMrqy.exe
  2⤵
  PID:7776
- C:\Windows\System32\nazwwNg.exe
  C:\Windows\System32\nazwwNg.exe
  2⤵
  PID:7796
- C:\Windows\System32\mwuEnkt.exe
  C:\Windows\System32\mwuEnkt.exe
  2⤵
  PID:7820
- C:\Windows\System32\dZJnJyk.exe
  C:\Windows\System32\dZJnJyk.exe
  2⤵
  PID:7848
- C:\Windows\System32\yNVXLuA.exe
  C:\Windows\System32\yNVXLuA.exe
  2⤵
  PID:7884
- C:\Windows\System32\ULEHNry.exe
  C:\Windows\System32\ULEHNry.exe
  2⤵
  PID:7900
- C:\Windows\System32\SIvvMFL.exe
  C:\Windows\System32\SIvvMFL.exe
  2⤵
  PID:7952
- C:\Windows\System32\IBjRRMc.exe
  C:\Windows\System32\IBjRRMc.exe
  2⤵
  PID:7976
- C:\Windows\System32\olACFcB.exe
  C:\Windows\System32\olACFcB.exe
  2⤵
  PID:8000
- C:\Windows\System32\fFZjpDY.exe
  C:\Windows\System32\fFZjpDY.exe
  2⤵
  PID:8028
- C:\Windows\System32\YHAuqMz.exe
  C:\Windows\System32\YHAuqMz.exe
  2⤵
  PID:8072
- C:\Windows\System32\wDdQsvo.exe
  C:\Windows\System32\wDdQsvo.exe
  2⤵
  PID:8096
- C:\Windows\System32\tSBzrqH.exe
  C:\Windows\System32\tSBzrqH.exe
  2⤵
  PID:8124
- C:\Windows\System32\vGXWeBY.exe
  C:\Windows\System32\vGXWeBY.exe
  2⤵
  PID:8140
- C:\Windows\System32\SaGcbXK.exe
  C:\Windows\System32\SaGcbXK.exe
  2⤵
  PID:8160
- C:\Windows\System32\ESgEXhJ.exe
  C:\Windows\System32\ESgEXhJ.exe
  2⤵
  PID:8184
- C:\Windows\System32\aacBLJh.exe
  C:\Windows\System32\aacBLJh.exe
  2⤵
  PID:6936
- C:\Windows\System32\sjlQGJC.exe
  C:\Windows\System32\sjlQGJC.exe
  2⤵
  PID:7220
- C:\Windows\System32\mFngwPg.exe
  C:\Windows\System32\mFngwPg.exe
  2⤵
  PID:7284
- C:\Windows\System32\wLEvegS.exe
  C:\Windows\System32\wLEvegS.exe
  2⤵
  PID:7324
- C:\Windows\System32\kZosALl.exe
  C:\Windows\System32\kZosALl.exe
  2⤵
  PID:7384
- C:\Windows\System32\XULgYYr.exe
  C:\Windows\System32\XULgYYr.exe
  2⤵
  PID:7412
- C:\Windows\System32\xhclENy.exe
  C:\Windows\System32\xhclENy.exe
  2⤵
  PID:7516
- C:\Windows\System32\cRseRRX.exe
  C:\Windows\System32\cRseRRX.exe
  2⤵
  PID:7612
- C:\Windows\System32\BVucSfu.exe
  C:\Windows\System32\BVucSfu.exe
  2⤵
  PID:7680
- C:\Windows\System32\UdrsMcY.exe
  C:\Windows\System32\UdrsMcY.exe
  2⤵
  PID:7720
- C:\Windows\System32\lufQlXj.exe
  C:\Windows\System32\lufQlXj.exe
  2⤵
  PID:7764
- C:\Windows\System32\srbzbpH.exe
  C:\Windows\System32\srbzbpH.exe
  2⤵
  PID:7832
- C:\Windows\System32\gaexRTm.exe
  C:\Windows\System32\gaexRTm.exe
  2⤵
  PID:7864
- C:\Windows\System32\sUwbujb.exe
  C:\Windows\System32\sUwbujb.exe
  2⤵
  PID:7908
- C:\Windows\System32\irozpBw.exe
  C:\Windows\System32\irozpBw.exe
  2⤵
  PID:8040
- C:\Windows\System32\XXrlHMt.exe
  C:\Windows\System32\XXrlHMt.exe
  2⤵
  PID:8180
- C:\Windows\System32\KzOCCYT.exe
  C:\Windows\System32\KzOCCYT.exe
  2⤵
  PID:8168
- C:\Windows\System32\ZKlMdbN.exe
  C:\Windows\System32\ZKlMdbN.exe
  2⤵
  PID:7104
- C:\Windows\System32\lyEhksQ.exe
  C:\Windows\System32\lyEhksQ.exe
  2⤵
  PID:7332
- C:\Windows\System32\YKzDrlL.exe
  C:\Windows\System32\YKzDrlL.exe
  2⤵
  PID:7644
- C:\Windows\System32\wONQpcZ.exe
  C:\Windows\System32\wONQpcZ.exe
  2⤵
  PID:7080
- C:\Windows\System32\HDpmxxh.exe
  C:\Windows\System32\HDpmxxh.exe
  2⤵
  PID:7836
- C:\Windows\System32\vAStaYj.exe
  C:\Windows\System32\vAStaYj.exe
  2⤵
  PID:7920
- C:\Windows\System32\mpESagi.exe
  C:\Windows\System32\mpESagi.exe
  2⤵
  PID:8084
- C:\Windows\System32\cnBdAeK.exe
  C:\Windows\System32\cnBdAeK.exe
  2⤵
  PID:7060
- C:\Windows\System32\jxsDpLd.exe
  C:\Windows\System32\jxsDpLd.exe
  2⤵
  PID:7212
- C:\Windows\System32\llqJtLX.exe
  C:\Windows\System32\llqJtLX.exe
  2⤵
  PID:8020
- C:\Windows\System32\wkVauNd.exe
  C:\Windows\System32\wkVauNd.exe
  2⤵
  PID:7788
- C:\Windows\System32\CjRnjoN.exe
  C:\Windows\System32\CjRnjoN.exe
  2⤵
  PID:8112
- C:\Windows\System32\XpjgeZf.exe
  C:\Windows\System32\XpjgeZf.exe
  2⤵
  PID:8224
- C:\Windows\System32\DgJlQjp.exe
  C:\Windows\System32\DgJlQjp.exe
  2⤵
  PID:8244
- C:\Windows\System32\NuOTcmv.exe
  C:\Windows\System32\NuOTcmv.exe
  2⤵
  PID:8272
- C:\Windows\System32\ULdKNXD.exe
  C:\Windows\System32\ULdKNXD.exe
  2⤵
  PID:8308
- C:\Windows\System32\ErOMNeo.exe
  C:\Windows\System32\ErOMNeo.exe
  2⤵
  PID:8328
- C:\Windows\System32\NMQNwAB.exe
  C:\Windows\System32\NMQNwAB.exe
  2⤵
  PID:8372
- C:\Windows\System32\jYCxTOD.exe
  C:\Windows\System32\jYCxTOD.exe
  2⤵
  PID:8388
- C:\Windows\System32\YJkiwKE.exe
  C:\Windows\System32\YJkiwKE.exe
  2⤵
  PID:8428
- C:\Windows\System32\KwohflI.exe
  C:\Windows\System32\KwohflI.exe
  2⤵
  PID:8460
- C:\Windows\System32\GMNdWju.exe
  C:\Windows\System32\GMNdWju.exe
  2⤵
  PID:8488
- C:\Windows\System32\pLZAltb.exe
  C:\Windows\System32\pLZAltb.exe
  2⤵
  PID:8504
- C:\Windows\System32\rZdeczr.exe
  C:\Windows\System32\rZdeczr.exe
  2⤵
  PID:8528
- C:\Windows\System32\YucdYfh.exe
  C:\Windows\System32\YucdYfh.exe
  2⤵
  PID:8580
- C:\Windows\System32\gOmKXEH.exe
  C:\Windows\System32\gOmKXEH.exe
  2⤵
  PID:8608
- C:\Windows\System32\QrrRPZz.exe
  C:\Windows\System32\QrrRPZz.exe
  2⤵
  PID:8624
- C:\Windows\System32\YVemEGg.exe
  C:\Windows\System32\YVemEGg.exe
  2⤵
  PID:8648
- C:\Windows\System32\TpoIqtU.exe
  C:\Windows\System32\TpoIqtU.exe
  2⤵
  PID:8668
- C:\Windows\System32\IryObmI.exe
  C:\Windows\System32\IryObmI.exe
  2⤵
  PID:8684
- C:\Windows\System32\lJAKfXw.exe
  C:\Windows\System32\lJAKfXw.exe
  2⤵
  PID:8704
- C:\Windows\System32\qEHrCWd.exe
  C:\Windows\System32\qEHrCWd.exe
  2⤵
  PID:8732
- C:\Windows\System32\PkGwapI.exe
  C:\Windows\System32\PkGwapI.exe
  2⤵
  PID:8756
- C:\Windows\System32\TAmNFOH.exe
  C:\Windows\System32\TAmNFOH.exe
  2⤵
  PID:8808
- C:\Windows\System32\CvkKstQ.exe
  C:\Windows\System32\CvkKstQ.exe
  2⤵
  PID:8848
- C:\Windows\System32\AUojuIU.exe
  C:\Windows\System32\AUojuIU.exe
  2⤵
  PID:8868
- C:\Windows\System32\XfeBCix.exe
  C:\Windows\System32\XfeBCix.exe
  2⤵
  PID:8904
- C:\Windows\System32\xkexOyt.exe
  C:\Windows\System32\xkexOyt.exe
  2⤵
  PID:8924
- C:\Windows\System32\DnIrTsI.exe
  C:\Windows\System32\DnIrTsI.exe
  2⤵
  PID:8952
- C:\Windows\System32\iXgxfqa.exe
  C:\Windows\System32\iXgxfqa.exe
  2⤵
  PID:8968
- C:\Windows\System32\PYDIaDa.exe
  C:\Windows\System32\PYDIaDa.exe
  2⤵
  PID:8996
- C:\Windows\System32\bEckKjn.exe
  C:\Windows\System32\bEckKjn.exe
  2⤵
  PID:9016
- C:\Windows\System32\BeZBCDM.exe
  C:\Windows\System32\BeZBCDM.exe
  2⤵
  PID:9052
- C:\Windows\System32\dLlgQkZ.exe
  C:\Windows\System32\dLlgQkZ.exe
  2⤵
  PID:9096
- C:\Windows\System32\spQSheA.exe
  C:\Windows\System32\spQSheA.exe
  2⤵
  PID:9136
- C:\Windows\System32\XUSRMSP.exe
  C:\Windows\System32\XUSRMSP.exe
  2⤵
  PID:9156
- C:\Windows\System32\sTNJxmL.exe
  C:\Windows\System32\sTNJxmL.exe
  2⤵
  PID:9192
- C:\Windows\System32\cXGLuqn.exe
  C:\Windows\System32\cXGLuqn.exe
  2⤵
  PID:8216
- C:\Windows\System32\VYnyJun.exe
  C:\Windows\System32\VYnyJun.exe
  2⤵
  PID:8240
- C:\Windows\System32\ZuWhvln.exe
  C:\Windows\System32\ZuWhvln.exe
  2⤵
  PID:8320
- C:\Windows\System32\LHgmGfk.exe
  C:\Windows\System32\LHgmGfk.exe
  2⤵
  PID:7508
- C:\Windows\System32\ksomxTq.exe
  C:\Windows\System32\ksomxTq.exe
  2⤵
  PID:8452
- C:\Windows\System32\MHiXDsX.exe
  C:\Windows\System32\MHiXDsX.exe
  2⤵
  PID:8512
- C:\Windows\System32\qBgqJBB.exe
  C:\Windows\System32\qBgqJBB.exe
  2⤵
  PID:8516
- C:\Windows\System32\asDTCwV.exe
  C:\Windows\System32\asDTCwV.exe
  2⤵
  PID:8636
- C:\Windows\System32\FtIvSbx.exe
  C:\Windows\System32\FtIvSbx.exe
  2⤵
  PID:8716
- C:\Windows\System32\WUmIYqs.exe
  C:\Windows\System32\WUmIYqs.exe
  2⤵
  PID:8692
- C:\Windows\System32\KpnmMXZ.exe
  C:\Windows\System32\KpnmMXZ.exe
  2⤵
  PID:8780
- C:\Windows\System32\hrfCuYX.exe
  C:\Windows\System32\hrfCuYX.exe
  2⤵
  PID:8832
- C:\Windows\System32\UukjSCF.exe
  C:\Windows\System32\UukjSCF.exe
  2⤵
  PID:8896
- C:\Windows\System32\LKXZgyl.exe
  C:\Windows\System32\LKXZgyl.exe
  2⤵
  PID:8984
- C:\Windows\System32\yeYxVIs.exe
  C:\Windows\System32\yeYxVIs.exe
  2⤵
  PID:9012
- C:\Windows\System32\wXUoUwA.exe
  C:\Windows\System32\wXUoUwA.exe
  2⤵
  PID:9104
- C:\Windows\System32\ZiQjCKm.exe
  C:\Windows\System32\ZiQjCKm.exe
  2⤵
  PID:9212
- C:\Windows\System32\RgxQuEk.exe
  C:\Windows\System32\RgxQuEk.exe
  2⤵
  PID:8384
- C:\Windows\System32\mqmoPEB.exe
  C:\Windows\System32\mqmoPEB.exe
  2⤵
  PID:8540
- C:\Windows\System32\DGPFcWI.exe
  C:\Windows\System32\DGPFcWI.exe
  2⤵
  PID:8596
- C:\Windows\System32\jHPZiAp.exe
  C:\Windows\System32\jHPZiAp.exe
  2⤵
  PID:8748
- C:\Windows\System32\ApPfgrV.exe
  C:\Windows\System32\ApPfgrV.exe
  2⤵
  PID:8828
- C:\Windows\System32\wjqwkGj.exe
  C:\Windows\System32\wjqwkGj.exe
  2⤵
  PID:8876
- C:\Windows\System32\UWjYPcY.exe
  C:\Windows\System32\UWjYPcY.exe
  2⤵
  PID:9188
- C:\Windows\System32\cPxPlcZ.exe
  C:\Windows\System32\cPxPlcZ.exe
  2⤵
  PID:8484
- C:\Windows\System32\wZCzoBs.exe
  C:\Windows\System32\wZCzoBs.exe
  2⤵
  PID:9024
- C:\Windows\System32\agFGAWk.exe
  C:\Windows\System32\agFGAWk.exe
  2⤵
  PID:8700
- C:\Windows\System32\EkPUUKM.exe
  C:\Windows\System32\EkPUUKM.exe
  2⤵
  PID:9220
- C:\Windows\System32\NDlUXmv.exe
  C:\Windows\System32\NDlUXmv.exe
  2⤵
  PID:9240
- C:\Windows\System32\LQblRka.exe
  C:\Windows\System32\LQblRka.exe
  2⤵
  PID:9260
- C:\Windows\System32\FoNhyUf.exe
  C:\Windows\System32\FoNhyUf.exe
  2⤵
  PID:9292
- C:\Windows\System32\qsWKdux.exe
  C:\Windows\System32\qsWKdux.exe
  2⤵
  PID:9344
- C:\Windows\System32\OllAEKY.exe
  C:\Windows\System32\OllAEKY.exe
  2⤵
  PID:9440
- C:\Windows\System32\YYFGrBb.exe
  C:\Windows\System32\YYFGrBb.exe
  2⤵
  PID:9456
- C:\Windows\System32\zuWqEwX.exe
  C:\Windows\System32\zuWqEwX.exe
  2⤵
  PID:9472
- C:\Windows\System32\jevHjEm.exe
  C:\Windows\System32\jevHjEm.exe
  2⤵
  PID:9488
- C:\Windows\System32\BWneHtt.exe
  C:\Windows\System32\BWneHtt.exe
  2⤵
  PID:9504
- C:\Windows\System32\xBruRQV.exe
  C:\Windows\System32\xBruRQV.exe
  2⤵
  PID:9520
- C:\Windows\System32\CEPnLwI.exe
  C:\Windows\System32\CEPnLwI.exe
  2⤵
  PID:9536
- C:\Windows\System32\ddVNlow.exe
  C:\Windows\System32\ddVNlow.exe
  2⤵
  PID:9552
- C:\Windows\System32\kfOEbWk.exe
  C:\Windows\System32\kfOEbWk.exe
  2⤵
  PID:9568
- C:\Windows\System32\HeyOSgF.exe
  C:\Windows\System32\HeyOSgF.exe
  2⤵
  PID:9588
- C:\Windows\System32\EwvIsjV.exe
  C:\Windows\System32\EwvIsjV.exe
  2⤵
  PID:9640
- C:\Windows\System32\tseeqGm.exe
  C:\Windows\System32\tseeqGm.exe
  2⤵
  PID:9668
- C:\Windows\System32\nYOVFCd.exe
  C:\Windows\System32\nYOVFCd.exe
  2⤵
  PID:9696
- C:\Windows\System32\zkufdBS.exe
  C:\Windows\System32\zkufdBS.exe
  2⤵
  PID:9848
- C:\Windows\System32\xEtZVvZ.exe
  C:\Windows\System32\xEtZVvZ.exe
  2⤵
  PID:9876
- C:\Windows\System32\cHxfNFc.exe
  C:\Windows\System32\cHxfNFc.exe
  2⤵
  PID:9904
- C:\Windows\System32\tjsViYy.exe
  C:\Windows\System32\tjsViYy.exe
  2⤵
  PID:9928
- C:\Windows\System32\aqDxbDi.exe
  C:\Windows\System32\aqDxbDi.exe
  2⤵
  PID:9960
- C:\Windows\System32\UwiRcEX.exe
  C:\Windows\System32\UwiRcEX.exe
  2⤵
  PID:9988
- C:\Windows\System32\rBUSfmH.exe
  C:\Windows\System32\rBUSfmH.exe
  2⤵
  PID:10004
- C:\Windows\System32\ArxeFHd.exe
  C:\Windows\System32\ArxeFHd.exe
  2⤵
  PID:10028
- C:\Windows\System32\eBdZIsl.exe
  C:\Windows\System32\eBdZIsl.exe
  2⤵
  PID:10044
- C:\Windows\System32\xKvoAMD.exe
  C:\Windows\System32\xKvoAMD.exe
  2⤵
  PID:10076
- C:\Windows\System32\MvwZgEs.exe
  C:\Windows\System32\MvwZgEs.exe
  2⤵
  PID:10100
- C:\Windows\System32\MmVyCIz.exe
  C:\Windows\System32\MmVyCIz.exe
  2⤵
  PID:10160
- C:\Windows\System32\alcynNV.exe
  C:\Windows\System32\alcynNV.exe
  2⤵
  PID:10184
- C:\Windows\System32\aGbfIxy.exe
  C:\Windows\System32\aGbfIxy.exe
  2⤵
  PID:10200
- C:\Windows\System32\RzKHZKV.exe
  C:\Windows\System32\RzKHZKV.exe
  2⤵
  PID:10224
- C:\Windows\System32\CXKGwPd.exe
  C:\Windows\System32\CXKGwPd.exe
  2⤵
  PID:9276
- C:\Windows\System32\AVGQtuv.exe
  C:\Windows\System32\AVGQtuv.exe
  2⤵
  PID:9320
- C:\Windows\System32\RcJzTGN.exe
  C:\Windows\System32\RcJzTGN.exe
  2⤵
  PID:9392
- C:\Windows\System32\CjJTfhK.exe
  C:\Windows\System32\CjJTfhK.exe
  2⤵
  PID:9352
- C:\Windows\System32\qZJWdTD.exe
  C:\Windows\System32\qZJWdTD.exe
  2⤵
  PID:9404
- C:\Windows\System32\AccjyZQ.exe
  C:\Windows\System32\AccjyZQ.exe
  2⤵
  PID:9632
- C:\Windows\System32\LwCcwXc.exe
  C:\Windows\System32\LwCcwXc.exe
  2⤵
  PID:9544
- C:\Windows\System32\xrtAZVA.exe
  C:\Windows\System32\xrtAZVA.exe
  2⤵
  PID:9692
- C:\Windows\System32\iPyXmoE.exe
  C:\Windows\System32\iPyXmoE.exe
  2⤵
  PID:9500
- C:\Windows\System32\RaKbHKd.exe
  C:\Windows\System32\RaKbHKd.exe
  2⤵
  PID:9596
- C:\Windows\System32\logQtPy.exe
  C:\Windows\System32\logQtPy.exe
  2⤵
  PID:9616
- C:\Windows\System32\eOIwmHU.exe
  C:\Windows\System32\eOIwmHU.exe
  2⤵
  PID:9748
- C:\Windows\System32\ASeYsRj.exe
  C:\Windows\System32\ASeYsRj.exe
  2⤵
  PID:9864
- C:\Windows\System32\mhIwXdQ.exe
  C:\Windows\System32\mhIwXdQ.exe
  2⤵
  PID:9888
- C:\Windows\System32\sJYnoyZ.exe
  C:\Windows\System32\sJYnoyZ.exe
  2⤵
  PID:9968
- C:\Windows\System32\CBYQzbR.exe
  C:\Windows\System32\CBYQzbR.exe
  2⤵
  PID:10096
- C:\Windows\System32\WpaWbLV.exe
  C:\Windows\System32\WpaWbLV.exe
  2⤵
  PID:10192
- C:\Windows\System32\aanMboa.exe
  C:\Windows\System32\aanMboa.exe
  2⤵
  PID:9228
- C:\Windows\System32\EhdTBwa.exe
  C:\Windows\System32\EhdTBwa.exe
  2⤵
  PID:9336
- C:\Windows\System32\TmtUkgQ.exe
  C:\Windows\System32\TmtUkgQ.exe
  2⤵
  PID:9376
- C:\Windows\System32\EZTajGv.exe
  C:\Windows\System32\EZTajGv.exe
  2⤵
  PID:9528
- C:\Windows\System32\uSgFnWX.exe
  C:\Windows\System32\uSgFnWX.exe
  2⤵
  PID:9452
- C:\Windows\System32\XrgorvN.exe
  C:\Windows\System32\XrgorvN.exe
  2⤵
  PID:9652
- C:\Windows\System32\azfdSvw.exe
  C:\Windows\System32\azfdSvw.exe
  2⤵
  PID:9940
- C:\Windows\System32\AIozHCW.exe
  C:\Windows\System32\AIozHCW.exe
  2⤵
  PID:10128
- C:\Windows\System32\sRGWFgj.exe
  C:\Windows\System32\sRGWFgj.exe
  2⤵
  PID:10216
- C:\Windows\System32\jpFmZpQ.exe
  C:\Windows\System32\jpFmZpQ.exe
  2⤵
  PID:9420
- C:\Windows\System32\gLkeFtT.exe
  C:\Windows\System32\gLkeFtT.exe
  2⤵
  PID:9448
- C:\Windows\System32\vQyaXhv.exe
  C:\Windows\System32\vQyaXhv.exe
  2⤵
  PID:9996
- C:\Windows\System32\TFeunVL.exe
  C:\Windows\System32\TFeunVL.exe
  2⤵
  PID:10148
- C:\Windows\System32\jtyhJkQ.exe
  C:\Windows\System32\jtyhJkQ.exe
  2⤵
  PID:9648
- C:\Windows\System32\sZejwaF.exe
  C:\Windows\System32\sZejwaF.exe
  2⤵
  PID:10260
- C:\Windows\System32\ZjsezqM.exe
  C:\Windows\System32\ZjsezqM.exe
  2⤵
  PID:10280
- C:\Windows\System32\rJTQexg.exe
  C:\Windows\System32\rJTQexg.exe
  2⤵
  PID:10300
- C:\Windows\System32\gSjRoPd.exe
  C:\Windows\System32\gSjRoPd.exe
  2⤵
  PID:10320
- C:\Windows\System32\VyJWkfc.exe
  C:\Windows\System32\VyJWkfc.exe
  2⤵
  PID:10344
- C:\Windows\System32\wQGkZAQ.exe
  C:\Windows\System32\wQGkZAQ.exe
  2⤵
  PID:10380
- C:\Windows\System32\dgDTAAP.exe
  C:\Windows\System32\dgDTAAP.exe
  2⤵
  PID:10400
- C:\Windows\System32\ssIyWHn.exe
  C:\Windows\System32\ssIyWHn.exe
  2⤵
  PID:10416
- C:\Windows\System32\YhMsgej.exe
  C:\Windows\System32\YhMsgej.exe
  2⤵
  PID:10488
- C:\Windows\System32\TOgORxT.exe
  C:\Windows\System32\TOgORxT.exe
  2⤵
  PID:10520
- C:\Windows\System32\HnfudOx.exe
  C:\Windows\System32\HnfudOx.exe
  2⤵
  PID:10540
- C:\Windows\System32\HDPRzOD.exe
  C:\Windows\System32\HDPRzOD.exe
  2⤵
  PID:10556
- C:\Windows\System32\smMBtRx.exe
  C:\Windows\System32\smMBtRx.exe
  2⤵
  PID:10576
- C:\Windows\System32\VLpkrID.exe
  C:\Windows\System32\VLpkrID.exe
  2⤵
  PID:10640
- C:\Windows\System32\LJPcmGq.exe
  C:\Windows\System32\LJPcmGq.exe
  2⤵
  PID:10668
- C:\Windows\System32\OecHjCP.exe
  C:\Windows\System32\OecHjCP.exe
  2⤵
  PID:10700
- C:\Windows\System32\SjRZEKM.exe
  C:\Windows\System32\SjRZEKM.exe
  2⤵
  PID:10724
- C:\Windows\System32\nTJIWwH.exe
  C:\Windows\System32\nTJIWwH.exe
  2⤵
  PID:10740
- C:\Windows\System32\hYYctZL.exe
  C:\Windows\System32\hYYctZL.exe
  2⤵
  PID:10768
- C:\Windows\System32\LIeJmOC.exe
  C:\Windows\System32\LIeJmOC.exe
  2⤵
  PID:10788
- C:\Windows\System32\TMQdbdw.exe
  C:\Windows\System32\TMQdbdw.exe
  2⤵
  PID:10804
- C:\Windows\System32\rcxNwSv.exe
  C:\Windows\System32\rcxNwSv.exe
  2⤵
  PID:10852
- C:\Windows\System32\eTfNLqE.exe
  C:\Windows\System32\eTfNLqE.exe
  2⤵
  PID:10892
- C:\Windows\System32\FaiiRlO.exe
  C:\Windows\System32\FaiiRlO.exe
  2⤵
  PID:10920
- C:\Windows\System32\TcsxlKA.exe
  C:\Windows\System32\TcsxlKA.exe
  2⤵
  PID:10936
- C:\Windows\System32\eppaEPe.exe
  C:\Windows\System32\eppaEPe.exe
  2⤵
  PID:10960
- C:\Windows\System32\UjEjklN.exe
  C:\Windows\System32\UjEjklN.exe
  2⤵
  PID:10984
- C:\Windows\System32\rcMbpwq.exe
  C:\Windows\System32\rcMbpwq.exe
  2⤵
  PID:11000
- C:\Windows\System32\jwSbxqN.exe
  C:\Windows\System32\jwSbxqN.exe
  2⤵
  PID:11024
- C:\Windows\System32\VuStHVl.exe
  C:\Windows\System32\VuStHVl.exe
  2⤵
  PID:11076
- C:\Windows\System32\JCMYgDV.exe
  C:\Windows\System32\JCMYgDV.exe
  2⤵
  PID:11108
- C:\Windows\System32\xZARXrr.exe
  C:\Windows\System32\xZARXrr.exe
  2⤵
  PID:11132
- C:\Windows\System32\cJTAmkm.exe
  C:\Windows\System32\cJTAmkm.exe
  2⤵
  PID:11156
- C:\Windows\System32\hefwgQZ.exe
  C:\Windows\System32\hefwgQZ.exe
  2⤵
  PID:11184
- C:\Windows\System32\obFsPBY.exe
  C:\Windows\System32\obFsPBY.exe
  2⤵
  PID:11228
- C:\Windows\System32\JIXFTfE.exe
  C:\Windows\System32\JIXFTfE.exe
  2⤵
  PID:11244
- C:\Windows\System32\RRHAlVJ.exe
  C:\Windows\System32\RRHAlVJ.exe
  2⤵
  PID:9284
- C:\Windows\System32\sdpPDuG.exe
  C:\Windows\System32\sdpPDuG.exe
  2⤵
  PID:10276
- C:\Windows\System32\gwwhwWa.exe
  C:\Windows\System32\gwwhwWa.exe
  2⤵
  PID:10356
- C:\Windows\System32\AWnNung.exe
  C:\Windows\System32\AWnNung.exe
  2⤵
  PID:10360
- C:\Windows\System32\wFTDIWn.exe
  C:\Windows\System32\wFTDIWn.exe
  2⤵
  PID:10432
- C:\Windows\System32\BJGlyXK.exe
  C:\Windows\System32\BJGlyXK.exe
  2⤵
  PID:10552
- C:\Windows\System32\AXHyxIn.exe
  C:\Windows\System32\AXHyxIn.exe
  2⤵
  PID:10604
- C:\Windows\System32\JflVlOn.exe
  C:\Windows\System32\JflVlOn.exe
  2⤵
  PID:10632
- C:\Windows\System32\byApmxH.exe
  C:\Windows\System32\byApmxH.exe
  2⤵
  PID:10752
- C:\Windows\System32\zhEYrvs.exe
  C:\Windows\System32\zhEYrvs.exe
  2⤵
  PID:10812
- C:\Windows\System32\HaAopCt.exe
  C:\Windows\System32\HaAopCt.exe
  2⤵
  PID:10872
- C:\Windows\System32\MbiluEM.exe
  C:\Windows\System32\MbiluEM.exe
  2⤵
  PID:10904
- C:\Windows\System32\KgpIBhu.exe
  C:\Windows\System32\KgpIBhu.exe
  2⤵
  PID:11068
- C:\Windows\System32\JuuhwpV.exe
  C:\Windows\System32\JuuhwpV.exe
  2⤵
  PID:11124
- C:\Windows\System32\FuUuYIS.exe
  C:\Windows\System32\FuUuYIS.exe
  2⤵
  PID:11148
- C:\Windows\System32\vHmxwtz.exe
  C:\Windows\System32\vHmxwtz.exe
  2⤵
  PID:11180
- C:\Windows\System32\opIDTCF.exe
  C:\Windows\System32\opIDTCF.exe
  2⤵
  PID:11212
- C:\Windows\System32\eiCDSBq.exe
  C:\Windows\System32\eiCDSBq.exe
  2⤵
  PID:10296
- C:\Windows\System32\tmdGnyP.exe
  C:\Windows\System32\tmdGnyP.exe
  2⤵
  PID:10440
- C:\Windows\System32\HFXTIJU.exe
  C:\Windows\System32\HFXTIJU.exe
  2⤵
  PID:10572
- C:\Windows\System32\kdInivD.exe
  C:\Windows\System32\kdInivD.exe
  2⤵
  PID:10756
- C:\Windows\System32\PPXwnQY.exe
  C:\Windows\System32\PPXwnQY.exe
  2⤵
  PID:11104
- C:\Windows\System32\cOeAEhA.exe
  C:\Windows\System32\cOeAEhA.exe
  2⤵
  PID:11192
- C:\Windows\System32\EbrpjBp.exe
  C:\Windows\System32\EbrpjBp.exe
  2⤵
  PID:10268
- C:\Windows\System32\KqjcFPL.exe
  C:\Windows\System32\KqjcFPL.exe
  2⤵
  PID:10464
- C:\Windows\System32\inkQOWv.exe
  C:\Windows\System32\inkQOWv.exe
  2⤵
  PID:10692
- C:\Windows\System32\wTleOCv.exe
  C:\Windows\System32\wTleOCv.exe
  2⤵
  PID:11172
- C:\Windows\System32\ACqeHNu.exe
  C:\Windows\System32\ACqeHNu.exe
  2⤵
  PID:11072
- C:\Windows\System32\nzmdayI.exe
  C:\Windows\System32\nzmdayI.exe
  2⤵
  PID:11292
- C:\Windows\System32\udqUWbD.exe
  C:\Windows\System32\udqUWbD.exe
  2⤵
  PID:11324
- C:\Windows\System32\XfYBtWh.exe
  C:\Windows\System32\XfYBtWh.exe
  2⤵
  PID:11344
- C:\Windows\System32\IvxxNyE.exe
  C:\Windows\System32\IvxxNyE.exe
  2⤵
  PID:11368
- C:\Windows\System32\xiDiodQ.exe
  C:\Windows\System32\xiDiodQ.exe
  2⤵
  PID:11388
- C:\Windows\System32\xoYPvZq.exe
  C:\Windows\System32\xoYPvZq.exe
  2⤵
  PID:11404
- C:\Windows\System32\kssNORn.exe
  C:\Windows\System32\kssNORn.exe
  2⤵
  PID:11428
- C:\Windows\System32\abTRxJm.exe
  C:\Windows\System32\abTRxJm.exe
  2⤵
  PID:11456
- C:\Windows\System32\sZuLeqf.exe
  C:\Windows\System32\sZuLeqf.exe
  2⤵
  PID:11472
- C:\Windows\System32\DWsFnSa.exe
  C:\Windows\System32\DWsFnSa.exe
  2⤵
  PID:11504
- C:\Windows\System32\FqwsqMX.exe
  C:\Windows\System32\FqwsqMX.exe
  2⤵
  PID:11564
- C:\Windows\System32\OJSSjqS.exe
  C:\Windows\System32\OJSSjqS.exe
  2⤵
  PID:11584
- C:\Windows\System32\knxaJOG.exe
  C:\Windows\System32\knxaJOG.exe
  2⤵
  PID:11604
- C:\Windows\System32\ugMXxhJ.exe
  C:\Windows\System32\ugMXxhJ.exe
  2⤵
  PID:11624
- C:\Windows\System32\pQKSnJP.exe
  C:\Windows\System32\pQKSnJP.exe
  2⤵
  PID:11672
- C:\Windows\System32\hiuZQUz.exe
  C:\Windows\System32\hiuZQUz.exe
  2⤵
  PID:11720
- C:\Windows\System32\eqlyLik.exe
  C:\Windows\System32\eqlyLik.exe
  2⤵
  PID:11744
- C:\Windows\System32\mgeDayC.exe
  C:\Windows\System32\mgeDayC.exe
  2⤵
  PID:11764
- C:\Windows\System32\MNMvPTy.exe
  C:\Windows\System32\MNMvPTy.exe
  2⤵
  PID:11780
- C:\Windows\System32\fcqlzWJ.exe
  C:\Windows\System32\fcqlzWJ.exe
  2⤵
  PID:11800
- C:\Windows\System32\pQPbIFV.exe
  C:\Windows\System32\pQPbIFV.exe
  2⤵
  PID:11844
- C:\Windows\System32\FxLHEXK.exe
  C:\Windows\System32\FxLHEXK.exe
  2⤵
  PID:11860
- C:\Windows\System32\bHWurOy.exe
  C:\Windows\System32\bHWurOy.exe
  2⤵
  PID:11916
- C:\Windows\System32\FoAKMpI.exe
  C:\Windows\System32\FoAKMpI.exe
  2⤵
  PID:11944
- C:\Windows\System32\ThFDESI.exe
  C:\Windows\System32\ThFDESI.exe
  2⤵
  PID:11960
- C:\Windows\System32\KeTWSlM.exe
  C:\Windows\System32\KeTWSlM.exe
  2⤵
  PID:11980
- C:\Windows\System32\xHsrVND.exe
  C:\Windows\System32\xHsrVND.exe
  2⤵
  PID:12012
- C:\Windows\System32\exziyVp.exe
  C:\Windows\System32\exziyVp.exe
  2⤵
  PID:12056
- C:\Windows\System32\QbzZexH.exe
  C:\Windows\System32\QbzZexH.exe
  2⤵
  PID:12084
- C:\Windows\System32\KfgKlVb.exe
  C:\Windows\System32\KfgKlVb.exe
  2⤵
  PID:12112
- C:\Windows\System32\TzGyxOl.exe
  C:\Windows\System32\TzGyxOl.exe
  2⤵
  PID:12140
- C:\Windows\System32\MBRqIbr.exe
  C:\Windows\System32\MBRqIbr.exe
  2⤵
  PID:12156
- C:\Windows\System32\MUtyIVR.exe
  C:\Windows\System32\MUtyIVR.exe
  2⤵
  PID:12180
- C:\Windows\System32\xEaKndy.exe
  C:\Windows\System32\xEaKndy.exe
  2⤵
  PID:12200
- C:\Windows\System32\LhRreEf.exe
  C:\Windows\System32\LhRreEf.exe
  2⤵
  PID:12252
- C:\Windows\System32\eXkLSRX.exe
  C:\Windows\System32\eXkLSRX.exe
  2⤵
  PID:12276
- C:\Windows\System32\arMiSRh.exe
  C:\Windows\System32\arMiSRh.exe
  2⤵
  PID:10948
- C:\Windows\System32\tNhDiNw.exe
  C:\Windows\System32\tNhDiNw.exe
  2⤵
  PID:11300
- C:\Windows\System32\WbOzdnh.exe
  C:\Windows\System32\WbOzdnh.exe
  2⤵
  PID:11356
- C:\Windows\System32\hqpMCvC.exe
  C:\Windows\System32\hqpMCvC.exe
  2⤵
  PID:11412
- C:\Windows\System32\RrdteLt.exe
  C:\Windows\System32\RrdteLt.exe
  2⤵
  PID:11580
- C:\Windows\System32\WRVDKKx.exe
  C:\Windows\System32\WRVDKKx.exe
  2⤵
  PID:10072
- C:\Windows\System32\QwwXxZy.exe
  C:\Windows\System32\QwwXxZy.exe
  2⤵
  PID:11688
- C:\Windows\System32\bUmDBuw.exe
  C:\Windows\System32\bUmDBuw.exe
  2⤵
  PID:11736
- C:\Windows\System32\KefeFnz.exe
  C:\Windows\System32\KefeFnz.exe
  2⤵
  PID:11808
- C:\Windows\System32\SooRUsz.exe
  C:\Windows\System32\SooRUsz.exe
  2⤵
  PID:11888
- C:\Windows\System32\yCLAvUn.exe
  C:\Windows\System32\yCLAvUn.exe
  2⤵
  PID:11904
- C:\Windows\System32\llsWFxR.exe
  C:\Windows\System32\llsWFxR.exe
  2⤵
  PID:11972
- C:\Windows\System32\OgvrdyG.exe
  C:\Windows\System32\OgvrdyG.exe
  2⤵
  PID:12040
- C:\Windows\System32\mzdQwfm.exe
  C:\Windows\System32\mzdQwfm.exe
  2⤵
  PID:12148
- C:\Windows\System32\vMKCLMJ.exe
  C:\Windows\System32\vMKCLMJ.exe
  2⤵
  PID:12168
- C:\Windows\System32\wLNPnUa.exe
  C:\Windows\System32\wLNPnUa.exe
  2⤵
  PID:12236
- C:\Windows\System32\mOtLSdi.exe
  C:\Windows\System32\mOtLSdi.exe
  2⤵
  PID:12264
- C:\Windows\System32\kgfySnV.exe
  C:\Windows\System32\kgfySnV.exe
  2⤵
  PID:11396
- C:\Windows\System32\FipOTSM.exe
  C:\Windows\System32\FipOTSM.exe
  2⤵
  PID:11464
- C:\Windows\System32\HUTzgvF.exe
  C:\Windows\System32\HUTzgvF.exe
  2⤵
  PID:11760
- C:\Windows\System32\mExUEqs.exe
  C:\Windows\System32\mExUEqs.exe
  2⤵
  PID:11788
- C:\Windows\System32\LKJavYu.exe
  C:\Windows\System32\LKJavYu.exe
  2⤵
  PID:11940
- C:\Windows\System32\IwWzEJv.exe
  C:\Windows\System32\IwWzEJv.exe
  2⤵
  PID:4640
- C:\Windows\System32\WzHknCX.exe
  C:\Windows\System32\WzHknCX.exe
  2⤵
  PID:11336
- C:\Windows\System32\RNBCynb.exe
  C:\Windows\System32\RNBCynb.exe
  2⤵
  PID:3668
- C:\Windows\System32\xarcEle.exe
  C:\Windows\System32\xarcEle.exe
  2⤵
  PID:12152
- C:\Windows\System32\GRmzIMk.exe
  C:\Windows\System32\GRmzIMk.exe
  2⤵
  PID:11596
- C:\Windows\System32\YFMFHRQ.exe
  C:\Windows\System32\YFMFHRQ.exe
  2⤵
  PID:2724
- C:\Windows\System32\SCeNlZv.exe
  C:\Windows\System32\SCeNlZv.exe
  2⤵
  PID:12212
- C:\Windows\System32\WnvuNSi.exe
  C:\Windows\System32\WnvuNSi.exe
  2⤵
  PID:1988
- C:\Windows\System32\OeCVtGc.exe
  C:\Windows\System32\OeCVtGc.exe
  2⤵
  PID:12320
- C:\Windows\System32\nAoFKns.exe
  C:\Windows\System32\nAoFKns.exe
  2⤵
  PID:12336
- C:\Windows\System32\eFDZXJA.exe
  C:\Windows\System32\eFDZXJA.exe
  2⤵
  PID:12356
- C:\Windows\System32\mlebTxn.exe
  C:\Windows\System32\mlebTxn.exe
  2⤵
  PID:12392
- C:\Windows\System32\hOcjSjs.exe
  C:\Windows\System32\hOcjSjs.exe
  2⤵
  PID:12408
- C:\Windows\System32\zgjlySw.exe
  C:\Windows\System32\zgjlySw.exe
  2⤵
  PID:12436
- C:\Windows\System32\kfhnHqO.exe
  C:\Windows\System32\kfhnHqO.exe
  2⤵
  PID:12456
- C:\Windows\System32\FIKxpoJ.exe
  C:\Windows\System32\FIKxpoJ.exe
  2⤵
  PID:12476
- C:\Windows\System32\KeSMYoU.exe
  C:\Windows\System32\KeSMYoU.exe
  2⤵
  PID:12500
- C:\Windows\System32\TeUMHGi.exe
  C:\Windows\System32\TeUMHGi.exe
  2⤵
  PID:12572
- C:\Windows\System32\eONzwpI.exe
  C:\Windows\System32\eONzwpI.exe
  2⤵
  PID:12592
- C:\Windows\System32\Pawvtud.exe
  C:\Windows\System32\Pawvtud.exe
  2⤵
  PID:12612
- C:\Windows\System32\NZNInZh.exe
  C:\Windows\System32\NZNInZh.exe
  2⤵
  PID:12636
- C:\Windows\System32\jPFdGBC.exe
  C:\Windows\System32\jPFdGBC.exe
  2⤵
  PID:12656
- C:\Windows\System32\mfdqjcf.exe
  C:\Windows\System32\mfdqjcf.exe
  2⤵
  PID:12672
- C:\Windows\System32\lECSiZh.exe
  C:\Windows\System32\lECSiZh.exe
  2⤵
  PID:12696
- C:\Windows\System32\OnPUPdn.exe
  C:\Windows\System32\OnPUPdn.exe
  2⤵
  PID:12724
- C:\Windows\System32\hWMSkLj.exe
  C:\Windows\System32\hWMSkLj.exe
  2⤵
  PID:12740
- C:\Windows\System32\gLTNNvH.exe
  C:\Windows\System32\gLTNNvH.exe
  2⤵
  PID:12792
- C:\Windows\System32\zDJDNrH.exe
  C:\Windows\System32\zDJDNrH.exe
  2⤵
  PID:12840
- C:\Windows\System32\aqvHTDF.exe
  C:\Windows\System32\aqvHTDF.exe
  2⤵
  PID:12872
- C:\Windows\System32\NASbQsd.exe
  C:\Windows\System32\NASbQsd.exe
  2⤵
  PID:12900
- C:\Windows\System32\rmXqgcH.exe
  C:\Windows\System32\rmXqgcH.exe
  2⤵
  PID:12920
- C:\Windows\System32\nOhSwLa.exe
  C:\Windows\System32\nOhSwLa.exe
  2⤵
  PID:12944
- C:\Windows\System32\bvtyAoA.exe
  C:\Windows\System32\bvtyAoA.exe
  2⤵
  PID:12984
- C:\Windows\System32\UBgVPOl.exe
  C:\Windows\System32\UBgVPOl.exe
  2⤵
  PID:13004
- C:\Windows\System32\OBCjCNp.exe
  C:\Windows\System32\OBCjCNp.exe
  2⤵
  PID:13028
- C:\Windows\System32\qtjNVsf.exe
  C:\Windows\System32\qtjNVsf.exe
  2⤵
  PID:13072
- C:\Windows\System32\iqyclva.exe
  C:\Windows\System32\iqyclva.exe
  2⤵
  PID:13096
- C:\Windows\System32\mevoLvt.exe
  C:\Windows\System32\mevoLvt.exe
  2⤵
  PID:13112
- C:\Windows\System32\uQoHAxW.exe
  C:\Windows\System32\uQoHAxW.exe
  2⤵
  PID:13136
- C:\Windows\System32\gJwxuID.exe
  C:\Windows\System32\gJwxuID.exe
  2⤵
  PID:13164
- C:\Windows\System32\CQZXHxm.exe
  C:\Windows\System32\CQZXHxm.exe
  2⤵
  PID:13196
- C:\Windows\System32\VZXmVMn.exe
  C:\Windows\System32\VZXmVMn.exe
  2⤵
  PID:13220
- C:\Windows\System32\hsoIzPa.exe
  C:\Windows\System32\hsoIzPa.exe
  2⤵
  PID:13244
- C:\Windows\System32\BbdsuLo.exe
  C:\Windows\System32\BbdsuLo.exe
  2⤵
  PID:13268
- C:\Windows\System32\JJDdmpc.exe
  C:\Windows\System32\JJDdmpc.exe
  2⤵
  PID:11852
- C:\Windows\System32\uUXKAyz.exe
  C:\Windows\System32\uUXKAyz.exe
  2⤵
  PID:12344
- C:\Windows\System32\zDkdFmZ.exe
  C:\Windows\System32\zDkdFmZ.exe
  2⤵
  PID:12380
- C:\Windows\System32\xlLtinh.exe
  C:\Windows\System32\xlLtinh.exe
  2⤵
  PID:12420
- C:\Windows\System32\HXyujht.exe
  C:\Windows\System32\HXyujht.exe
  2⤵
  PID:12464
- C:\Windows\System32\zplpJzT.exe
  C:\Windows\System32\zplpJzT.exe
  2⤵
  PID:12552
- C:\Windows\System32\KOofAmb.exe
  C:\Windows\System32\KOofAmb.exe
  2⤵
  PID:12664
- C:\Windows\System32\gdYBPHx.exe
  C:\Windows\System32\gdYBPHx.exe
  2⤵
  PID:12736
- C:\Windows\System32\iVYYZyl.exe
  C:\Windows\System32\iVYYZyl.exe
  2⤵
  PID:12748
- C:\Windows\System32\lcrRamt.exe
  C:\Windows\System32\lcrRamt.exe
  2⤵
  PID:12860
- C:\Windows\System32\GSCHqig.exe
  C:\Windows\System32\GSCHqig.exe
  2⤵
  PID:12916
- C:\Windows\System32\ofmoMXL.exe
  C:\Windows\System32\ofmoMXL.exe
  2⤵
  PID:13012

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BbjIrki.exe

Filesize
1.3MB

MD5
e6b4ac35ae8dc41db208415c8a77f78d

SHA1
b5b3db71118b584ae2747951c5e3fa792ac93149

SHA256
4ddd63e8b55a2acbb526d1d3268c2e06c71f5138557b3e3535d2f8a339538167

SHA512
53a85cd1640f76555c6ad38be615d8ba66ed8a75527e5ef60c40adf78205a495c704d8565c19830499a8ff3837e97729593f3ca85c11d12574627dff9da7e65f

Download Submit
C:\Windows\System32\CFMHphe.exe

Filesize
1.3MB

MD5
6a368f7e7656fc8185a0a661bea97317

SHA1
cef464952170a3c4cfa9f86f5effe125dd49559f

SHA256
afbf1aca92a5c2b6757c33d77a057e96b401d1bac56f713ebdd498f896b2f029

SHA512
cd2ea97fe7ffffda2c14c0cd550702377c207cb68f5fcc8c2b748361164e9b5f5e4686c05634956943b924aa6f9c0863d322d334a13c5b7c889d8681ac8d90ff

Download Submit
C:\Windows\System32\FiIlLxh.exe

Filesize
1.3MB

MD5
08329c4c58e13ffa0530124e99d7bcd9

SHA1
30636877652264b36134620845f7cabc36c87fb9

SHA256
5aeacfe3900938993a886b8188f56dd968c85d50b8c6dbe7aa73c5e9973f0c87

SHA512
04e91146300fe7bf781b6ce504c29ab4e09d5fed2c4ab50c21c2e970a6b0d5cd455d9c4f20150fea630182599a6276b6efc63a440fff6573a731813fd37de419

Download Submit
C:\Windows\System32\IYgjEoZ.exe

Filesize
1.3MB

MD5
aef03f393eb79c0e305c9c947aaf5dd3

SHA1
526dc53f064119461c0534befea36509eea8644e

SHA256
5904078949b7194840f05302247705c5bd87f5fbc7ad47c6222463d4a2c2284b

SHA512
925915840f721d491ead762fc6af23048af6612b21d61041f0af19b4b65f39088c9c13863200120d91fc4878755d9a1a152d324191855af65733ab0d672e5da6

Download Submit
C:\Windows\System32\MjJIrGX.exe

Filesize
1.3MB

MD5
c5c6f3298a1077f6089e762324e8fe4a

SHA1
c648434f3c562efaa59534854b634a843439610e

SHA256
6e8f3f7eb925e06c2dfcec88b633ea5cb3b24b1ea6f252e10230c5f90e05d296

SHA512
9e98767b983d7feff7f7b34e94ed3f1d3419fbc7b78b5d190087bfb63fe4b2a255c4e601bfd5aeae09736353f35bcfdc5e8498641d0ca62a26b190c59eaee1d5

Download Submit
C:\Windows\System32\NXjNbdw.exe

Filesize
1.3MB

MD5
f3b52b9723857b565017ef059bf9981b

SHA1
9cec8e9b53bf33405dde5c30e358ad855ec92bc9

SHA256
204727fa08ee8626a3e9af3a76d458e99cecc3b5fcc6ff4d67819c6105396373

SHA512
913f31ea5ab4a92f5fc0e86884f4e9136b76f858824c34bb5d3824082c8bb6abcc14650f6f3490866bc6ce83db15ac8b65973551f3e284c18eb4e0ec7f2eef60

Download Submit
C:\Windows\System32\OiLauwX.exe

Filesize
1.3MB

MD5
ee56509e5a7c13a7539cf28f76bea5ed

SHA1
ae4f6b8741e67ab62a3b3ad26629da227bf39a11

SHA256
003a4548b26f95eaa6c0acfbebd2ea926c2ed925f57d7552d4ebf1af8bccc69e

SHA512
8af9e85328d0f71868d900707a03a7c50632181f7ca3925e78f656f0d0f0878722629419a37a1b4ac06262f971e2c0bea3bead2aff1821c7c1e49670a7db2f0f

Download Submit
C:\Windows\System32\PLeaMya.exe

Filesize
1.3MB

MD5
fc3bc0f6d701bb805e07934379c59d21

SHA1
aa1c5d5ff73937f986d07007f093671617f652ec

SHA256
908ab82d62a1ddc3d2efaaed65d04e807afad41bb626006b9874a792e239e6ea

SHA512
f3c3a5097d8a05744db713dc8604b034b6df93dc30af397186880c524c7c6dd5d37cebd6df7c26899d7ef3c8a3d1c48064fa9d032da61c45e22d765f2f25fda7

Download Submit
C:\Windows\System32\QHOTaYc.exe

Filesize
1.3MB

MD5
c57d0d89112449b9baa347d1874d8567

SHA1
6396da2d00a402c25b3c406dd2362ea86c4abf0d

SHA256
b0e4fb17af28bc3a2b1c9c96ccfa0463cc3422569d251a15e7004660c0042f94

SHA512
020cbe56bb99aadebdd1ab80d74c3e68054bc8a76e6336542aed2d7dca6f4bbbb1d5bbf3240bce49126c1b0e3eaf4456485662843b0e0c0d19376ce0736f607f

Download Submit
C:\Windows\System32\QzyKCEm.exe

Filesize
1.3MB

MD5
898504fa09b57572b2347dc1bedb1db8

SHA1
466a4df182680499f24c8b8dae313f81007ce679

SHA256
169ee19394fffbfd2436f95575b24b048609bd4b077e7e723ed577753cff6936

SHA512
b8bbd50d2d1d78eb88e83a2e995deab44ac631c6f001712f34004ef9607eec2acbdc9c23f3e5e83db8e320a89e51398fdf5a416ea8bb67ccf1582e12ddc63b08

Download Submit
C:\Windows\System32\TVgsfWj.exe

Filesize
1.3MB

MD5
9614631a69eaef801a8a95ba0bfb5222

SHA1
2350459c2204a4a9d1e198129cfdd51c15e357db

SHA256
28a4fa122149c6cc14acf8a2d80192c2b723508e8ac174f70292537d0954e7e8

SHA512
bcbdf8328f7ef8e2af8cec6a410c3f7156c3b529cfb1f090f1382a21b1c00aa631342859e9bbced8b0f09faffbc0bf074cdd272696dc8fb8cfd983691d370ef9

Download Submit
C:\Windows\System32\UFfLpJv.exe

Filesize
1.3MB

MD5
1566c103be966c98e924d514fb85a946

SHA1
c088c8d9b3dea63b37b06d31fd89fa66790aa1e5

SHA256
3b5072b4320aa68f67207eb2a585661f8c9dc2ab6c54d9c1981bb1313f326df0

SHA512
b84f62b24baaf39709ee570051a3cc83cfd29814c6338634b79fcf9ba006c2676c066cbfd45392e0842e73309ed55fcbc62a5dc815c152c086c297e2213682a7

Download Submit
C:\Windows\System32\VVYZSEb.exe

Filesize
1.3MB

MD5
dcf3f7e6fe91c3f7d17d0db547e92ab0

SHA1
cb8b971b0d417eac33f83da9938c3eab5c18c58c

SHA256
80ecb8e0e7dc798b241ea28063597afc870d08d3fdc33dfaf46a5b82bb27245e

SHA512
57b6a791ee427ff0bdc6ddd5c8ece9b349a4c79c3b604e4dbb60071b3250ec6b2b7f8d5cfecad88cda7d7bd1a09e80f35439a88d6d64d707770ad74e72604b35

Download Submit
C:\Windows\System32\WbUJMgY.exe

Filesize
1.3MB

MD5
9cb6d451dd1043652d3e94a510d8698f

SHA1
c6a7228400e09314cb1cfc14a880da94f88e8ae3

SHA256
b3b9e600c40cefce414aca46ebc3e7752a7cb53b271afa0e6a1c1d86f6f958e2

SHA512
a0fd8851287b5bb41133d2bf9778888da8298b7d775cc610460ed0915fdfb552a5215e960bcb1ba9706efdbab5e084694039b17701e1458fbb1305d8b638943c

Download Submit
C:\Windows\System32\ZYKbiHO.exe

Filesize
1.3MB

MD5
f24c079e3dc041344d1862d1f635ce7a

SHA1
547262103b5623c4345600b88779a806fda12f6e

SHA256
b850c62192bb953cd485dabb5e448fc09f902b476647e782513a0abc330c99aa

SHA512
f2753e4bc324479a3359ef99a0cdcadd0df1306173e97e280db4230a478f06ab8c98c037bce7c54e4749a4045b8595096fe5814a59cae67cf96a5a85f0ec7025

Download Submit
C:\Windows\System32\cmivrWA.exe

Filesize
1.3MB

MD5
721a3dc50bfba0c22f7186ac018a140b

SHA1
a27f548180a3857133c51038adb0a599e87e1461

SHA256
92debeff811557259a9450d0ff6eefed97544d55cefd56a98e44702269316209

SHA512
93100bfc7cf7b901283b4e2f711ea0328eb5edecdfd79e84f18733e77244479ca270a6dab0feb8fac7995f4a8cf9250d5e10d503c08c966734b37b7793b1ac37

Download Submit
C:\Windows\System32\ekKRhoA.exe

Filesize
1.3MB

MD5
2c373197913d0c7ac683ecdb62fa29c6

SHA1
3e58b44fad489912c40185d8b9f86e14f5feac79

SHA256
539ea2116303fa1a76304304541ee8e1ae3965455703114b21cb2ba931a6e00b

SHA512
b202e6eb18e6b59c5973af3efc136ce6eb6acc5b41a6faad22ecb60dd2189ee8510033bc2e5d5d87d299c13096c44bcd6ec00bec57dc3171364dafd06293b36f

Download Submit
C:\Windows\System32\exbhBwQ.exe

Filesize
1.3MB

MD5
7231d3996ac645d9f6f3323ff34155a5

SHA1
c1daf79bd5506776a409c969f2a8722c4c7ab499

SHA256
9a0d644206478a6699598daa5e2285fc9938f200b23b211f3b08b85e515c7819

SHA512
ed5d5ac507e1fabee262871d75eaef3ad772df3c353d9d7a699b4cf989c2cfec253d760348bebdce50f21e4414de5557da96c908768afef6fae311c6b7aee6ca

Download Submit
C:\Windows\System32\gBgxjnC.exe

Filesize
1.3MB

MD5
10caf502065e4e13597d77dbd68d1e73

SHA1
5d48ddcef3727f078f47de73abd934f5ffba37c0

SHA256
42f868dbcd5de22fd0d4cc31364c83117e4f1beb442b48584a8221024a840f9d

SHA512
179c0c7f5962a0a1c1f706a7d41c59c286c21be1ecdcd8f7edc83c95a12106582398565f56e306d1be0d5e3c399b34ebc7de0d7faea28a2b974f79452bcea845

Download Submit
C:\Windows\System32\hHjcMiZ.exe

Filesize
1.3MB

MD5
09f5cf76595bbbc8df8d7e4a8e2272ef

SHA1
5dab8d0d0e954748e6bd4619d31ca8d85f388ced

SHA256
529ade85e6b1a4defc8c189d0cf078187ecf707f00dd7a04a1542a99552d50f4

SHA512
439bd65c97dc3308edb7717017f7a87066ac9b662333ec8fd341ddcf639d85f08761a2edce7bc6b5189a859ff680e063344f84cb4c0886e294a7825aa5b8fadf

Download Submit
C:\Windows\System32\iKXPYhz.exe

Filesize
1.3MB

MD5
5e0d6c29df8f7bb08879376278e11cee

SHA1
c9a5c4af062bc4f1627bfd3839890deda9ab1f6b

SHA256
f7f97e495f975b36eb4054fd4d1661855090b02e76b726abddf0b11a6e273062

SHA512
eb68fe0335076063911b95b9119e9188befa15d0b7fb097a008a04bbaba086905a46d894d72b9c65a3c568e8b8a4f712cc9c582efe1a4554fb26dff977027781

Download Submit
C:\Windows\System32\ikTwzxb.exe

Filesize
1.3MB

MD5
ee9e67897c652799efe10061c2f2735c

SHA1
758da06f46bf05c55b7da265ac540cddf1fd8a17

SHA256
0be0e639ffbc99e1eb88890f4d96122d0771568f6fb1c710c1dad19f70718eb0

SHA512
8e0f46ff23de37e6f5538ff4a90d54cd5c38eabeeea1ca41fa8f05bfc3c203aff4548ed304935fea434af5fd16fae736a5e482add0c7a5605b8e7a96ce32d81a

Download Submit
C:\Windows\System32\jDQQIRK.exe

Filesize
1.3MB

MD5
4ed42987f45092e935dab8d987ae0689

SHA1
a9f1db17339e6eeac1019a45f6ae691f5752de1d

SHA256
b29f682a920f924d68442086d851f5623d5c45f09dcc8552b83c2062a775d361

SHA512
b8b11d4fab8e089c67c690556210383a24ebd6a794a4cf34c143a66d1c99b32294b6be2af98b8815cc3b5a93eacc0c57cd25ebffa525b8ced1c9c7bf836520d5

Download Submit
C:\Windows\System32\lHtLrHF.exe

Filesize
1.3MB

MD5
209e9015e6211b49ed5fbecacaa4f5ff

SHA1
88bbb099e9cd8ec236b65582afcfd49c34505888

SHA256
49592b38abc49a07005d166047da4d949c9ebe09472ea811e9ded0369c0d36b7

SHA512
9b789ffa1a7499def09094e3d240ab259abf6a047b97afd0542e6944ce3e85746be8b4c62fd50986ffb06e1bd8fbf98173aa48977d59c91610555412078fa781

Download Submit
C:\Windows\System32\myzOMNp.exe

Filesize
1.3MB

MD5
537a3bdbf527061ccadb834674461f1f

SHA1
5e8b44613138e3d7ed3e163aef3699fa6df1b979

SHA256
5c1eb0bfa5baad22c18b6eccdcab0bc11c8edd8031b85a5213b9bd16d4a9918d

SHA512
498bfc4f871c61c443a513a9f758dec21b48b0d3b42ea29220d8e0585a619df1db156e2c2d20908afcebc4600d507526428647207376373de69ab91ebc0df87b

Download Submit
C:\Windows\System32\phsbvBU.exe

Filesize
1.3MB

MD5
48bfba4d37e697701d629c1aab111bf4

SHA1
42b435d701cda6c135713a76a0ed9e55505f352c

SHA256
8d04634f09dd7b49ba5fdaa54b7e34f20a6ce44348763749b2a3ebaa7a361276

SHA512
6c891a4a5aad219b6f1ea3269b6aafcb4744564b41dbb3b67ee2c0b5b5160d5dad1224262f4757e9b2d117ba3ce53af334898f3bacfeb32b251981eb0aa5d377

Download Submit
C:\Windows\System32\pyofUJx.exe

Filesize
1.3MB

MD5
5b091e7f77dcd7ffd17d65c876088b41

SHA1
89be3acec1040d707ea49ffd34e6fa9d678625e4

SHA256
a2cd696c0f5cb2cf61fea513d080849edf4ce1f33e2dc67f69b1a4730e37d6b6

SHA512
b761ac822e83fc1f41ab4ba1a498613fee73110108d0530b8b17021decfed4708f37b9fee32c33791ed3a43f58ac03fb0da88552ca4613b147be80693834b256

Download Submit
C:\Windows\System32\sdJfgna.exe

Filesize
1.3MB

MD5
cca2d228f8da6a63729b08cb64389ea1

SHA1
31ac15f2ddaf8c222b07fa015acf3d42b486118b

SHA256
332cd40cd200cd6e3297ef23bed20c922f5057bdd17b17f898c2504d0588e52a

SHA512
0ad20482a92fa12b357221d39ce8031786a4efb2d0e275462bcd0539c7d8515cd68564d132e2115d8a10031d2953d6ceb0f2c6cc442ca1ec94a06c712c4f2f15

Download Submit
C:\Windows\System32\tdaMjkZ.exe

Filesize
1.3MB

MD5
3cd9850951941c5dd81908e30136d831

SHA1
13bc54d547525b7f4edd95e52e901da9278cae78

SHA256
45da311b39217eb4b3199386f7ca6053416cff2c00c0d83e932daf629332456a

SHA512
12f8ae90547c5e719df791edbe7e9a095676950fdbcfc6b7881ab7e7696d6983c4a2175695e62e88f7c0a01ef16c1f77fcf6c55a5e76f006c36d1807d885047c

Download Submit
C:\Windows\System32\wAuwuYN.exe

Filesize
1.3MB

MD5
ea6f14f9c28c30fc4103b30c25897145

SHA1
af105f8c32635f170e3373803391cc1c8ce02d8a

SHA256
262c5eaa85a5b21642295758e00d74b2ff062490a527b0719de84562dd98b2a8

SHA512
3434f1b9f064434cad3f10532b312bd8d9e2c47c7814dc0745b6927901a12eb2aefe2a5de6c2ad82e6d5034047a7969d8075a1a37750473c0e4c33cd22bcfbae

Download Submit
C:\Windows\System32\wWGJwjI.exe

Filesize
1.3MB

MD5
c8a028a8d3a0b987592eb629b51323e7

SHA1
2cab349a6fb48ab74c688286d08ac7b9c60ffed1

SHA256
7bef7dc5342b09d92a5361fc5e9c35987fc953f5891b6578d64b283e174fbfd2

SHA512
bb21739980ac6ba79bb9a09a323c96891a998705136ad3686b7901ad74397228fd788837ba0e538b699752987eaec5888b8a17d39f2b9408d5c7cf13f3f4c4d3

Download Submit
C:\Windows\System32\yBGGXXg.exe

Filesize
1.3MB

MD5
0c11f7dfd92ceadd115a87cb1b6c83e2

SHA1
e8e25ffb8ec77f37e93a9308111e01227a847822

SHA256
29764a778bb3da7e43500920e2426cf6555c4e33f2c27513a4046feac110241c

SHA512
2f6cd0aa3513d9ba81a981367cf07478df06bccec2986f38eb6bb5fca73cb19581bd241272516241b9b3ad4a0397c5b49b7b109eb4852333415c9234561498ed

Download Submit
memory/704-484-0x00007FF6273F0000-0x00007FF6277E1000-memory.dmp

Filesize
3.9MB

Download
memory/704-2083-0x00007FF6273F0000-0x00007FF6277E1000-memory.dmp

Filesize
3.9MB

Download
memory/980-393-0x00007FF74B6C0000-0x00007FF74BAB1000-memory.dmp

Filesize
3.9MB

Download
memory/980-2053-0x00007FF74B6C0000-0x00007FF74BAB1000-memory.dmp

Filesize
3.9MB

Download
memory/1296-390-0x00007FF78EDD0000-0x00007FF78F1C1000-memory.dmp

Filesize
3.9MB

Download
memory/1296-2012-0x00007FF78EDD0000-0x00007FF78F1C1000-memory.dmp

Filesize
3.9MB

Download
memory/1296-1998-0x00007FF78EDD0000-0x00007FF78F1C1000-memory.dmp

Filesize
3.9MB

Download
memory/1328-2010-0x00007FF6543F0000-0x00007FF6547E1000-memory.dmp

Filesize
3.9MB

Download
memory/1328-37-0x00007FF6543F0000-0x00007FF6547E1000-memory.dmp

Filesize
3.9MB

Download
memory/1428-2006-0x00007FF760F50000-0x00007FF761341000-memory.dmp

Filesize
3.9MB

Download
memory/1428-24-0x00007FF760F50000-0x00007FF761341000-memory.dmp

Filesize
3.9MB

Download
memory/1428-1963-0x00007FF760F50000-0x00007FF761341000-memory.dmp

Filesize
3.9MB

Download
memory/1648-2051-0x00007FF7CBFB0000-0x00007FF7CC3A1000-memory.dmp

Filesize
3.9MB

Download
memory/1648-424-0x00007FF7CBFB0000-0x00007FF7CC3A1000-memory.dmp

Filesize
3.9MB

Download
memory/1952-33-0x00007FF676E30000-0x00007FF677221000-memory.dmp

Filesize
3.9MB

Download
memory/1952-1980-0x00007FF676E30000-0x00007FF677221000-memory.dmp

Filesize
3.9MB

Download
memory/1952-2016-0x00007FF676E30000-0x00007FF677221000-memory.dmp

Filesize
3.9MB

Download
memory/1984-38-0x00007FF6E1780000-0x00007FF6E1B71000-memory.dmp

Filesize
3.9MB

Download
memory/1984-1997-0x00007FF6E1780000-0x00007FF6E1B71000-memory.dmp

Filesize
3.9MB

Download
memory/1984-2014-0x00007FF6E1780000-0x00007FF6E1B71000-memory.dmp

Filesize
3.9MB

Download
memory/2020-2008-0x00007FF76C560000-0x00007FF76C951000-memory.dmp

Filesize
3.9MB

Download
memory/2020-41-0x00007FF76C560000-0x00007FF76C951000-memory.dmp

Filesize
3.9MB

Download
memory/2568-2065-0x00007FF626E20000-0x00007FF627211000-memory.dmp

Filesize
3.9MB

Download
memory/2568-410-0x00007FF626E20000-0x00007FF627211000-memory.dmp

Filesize
3.9MB

Download
memory/2784-2080-0x00007FF63B3A0000-0x00007FF63B791000-memory.dmp

Filesize
3.9MB

Download
memory/2784-479-0x00007FF63B3A0000-0x00007FF63B791000-memory.dmp

Filesize
3.9MB

Download
memory/2888-494-0x00007FF6A0BC0000-0x00007FF6A0FB1000-memory.dmp

Filesize
3.9MB

Download
memory/2888-2043-0x00007FF6A0BC0000-0x00007FF6A0FB1000-memory.dmp

Filesize
3.9MB

Download
memory/3016-2057-0x00007FF6D3290000-0x00007FF6D3681000-memory.dmp

Filesize
3.9MB

Download
memory/3016-432-0x00007FF6D3290000-0x00007FF6D3681000-memory.dmp

Filesize
3.9MB

Download
memory/3272-2049-0x00007FF646840000-0x00007FF646C31000-memory.dmp

Filesize
3.9MB

Download
memory/3272-392-0x00007FF646840000-0x00007FF646C31000-memory.dmp

Filesize
3.9MB

Download
memory/3568-485-0x00007FF760E10000-0x00007FF761201000-memory.dmp

Filesize
3.9MB

Download
memory/3568-2078-0x00007FF760E10000-0x00007FF761201000-memory.dmp

Filesize
3.9MB

Download
memory/3616-430-0x00007FF6852F0000-0x00007FF6856E1000-memory.dmp

Filesize
3.9MB

Download
memory/3616-2067-0x00007FF6852F0000-0x00007FF6856E1000-memory.dmp

Filesize
3.9MB

Download
memory/3632-399-0x00007FF68EF30000-0x00007FF68F321000-memory.dmp

Filesize
3.9MB

Download
memory/3632-2055-0x00007FF68EF30000-0x00007FF68F321000-memory.dmp

Filesize
3.9MB

Download
memory/3944-407-0x00007FF6CBEB0000-0x00007FF6CC2A1000-memory.dmp

Filesize
3.9MB

Download
memory/3944-2061-0x00007FF6CBEB0000-0x00007FF6CC2A1000-memory.dmp

Filesize
3.9MB

Download
memory/4056-493-0x00007FF630F40000-0x00007FF631331000-memory.dmp

Filesize
3.9MB

Download
memory/4056-2137-0x00007FF630F40000-0x00007FF631331000-memory.dmp

Filesize
3.9MB

Download
memory/4180-2063-0x00007FF761660000-0x00007FF761A51000-memory.dmp

Filesize
3.9MB

Download
memory/4180-449-0x00007FF761660000-0x00007FF761A51000-memory.dmp

Filesize
3.9MB

Download
memory/4796-471-0x00007FF670CE0000-0x00007FF6710D1000-memory.dmp

Filesize
3.9MB

Download
memory/4796-2071-0x00007FF670CE0000-0x00007FF6710D1000-memory.dmp

Filesize
3.9MB

Download
memory/4924-2059-0x00007FF6930E0000-0x00007FF6934D1000-memory.dmp

Filesize
3.9MB

Download
memory/4924-427-0x00007FF6930E0000-0x00007FF6934D1000-memory.dmp

Filesize
3.9MB

Download
memory/4940-0-0x00007FF74C1F0000-0x00007FF74C5E1000-memory.dmp

Filesize
3.9MB

Download
memory/4940-1-0x0000022B41810000-0x0000022B41820000-memory.dmp

Filesize
64KB

Download
memory/5044-2069-0x00007FF664D20000-0x00007FF665111000-memory.dmp

Filesize
3.9MB

Download
memory/5044-440-0x00007FF664D20000-0x00007FF665111000-memory.dmp

Filesize
3.9MB

Download
memory/5088-2004-0x00007FF713750000-0x00007FF713B41000-memory.dmp

Filesize
3.9MB

Download
memory/5088-15-0x00007FF713750000-0x00007FF713B41000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads