xmrig | 207e467de2d8622946b9d4d366ba7908c70d8e3d35d3a55f68a01c7394dd6d1b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
Size

1.6MB
MD5

206dc549db6c9d4cd330aabae3f06a92
SHA1

6816dda84faf8d9a542448e562bf0ad55235c631
SHA256

207e467de2d8622946b9d4d366ba7908c70d8e3d35d3a55f68a01c7394dd6d1b
SHA512

3062b444156f93dd99b61d4f38304b22d268d6596ff8b74e306a1e092c85175057a4f7c9c988f6f4d909dc1fc1282198eb9f4c61fe069ecaf44551bcbf1043a6
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIO6zRIhRmuSOyldYYz46ub4WyADRAEdO+zs:knw9oUUEEDlGUh+hNMz5ukW4+zs

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 50 IoCs

miner

resource	yara_rule
behavioral2/memory/720-428-0x00007FF6E9990000-0x00007FF6E9D81000-memory.dmp	xmrig
behavioral2/memory/3176-429-0x00007FF6FA9E0000-0x00007FF6FADD1000-memory.dmp	xmrig
behavioral2/memory/1172-11-0x00007FF63F2F0000-0x00007FF63F6E1000-memory.dmp	xmrig
behavioral2/memory/3080-430-0x00007FF6B7C40000-0x00007FF6B8031000-memory.dmp	xmrig
behavioral2/memory/1540-431-0x00007FF699630000-0x00007FF699A21000-memory.dmp	xmrig
behavioral2/memory/2508-433-0x00007FF6C2170000-0x00007FF6C2561000-memory.dmp	xmrig
behavioral2/memory/1096-432-0x00007FF6395B0000-0x00007FF6399A1000-memory.dmp	xmrig
behavioral2/memory/2372-434-0x00007FF6D23F0000-0x00007FF6D27E1000-memory.dmp	xmrig
behavioral2/memory/4824-435-0x00007FF78F250000-0x00007FF78F641000-memory.dmp	xmrig
behavioral2/memory/4924-438-0x00007FF7E5700000-0x00007FF7E5AF1000-memory.dmp	xmrig
behavioral2/memory/2760-437-0x00007FF7D2540000-0x00007FF7D2931000-memory.dmp	xmrig
behavioral2/memory/1296-446-0x00007FF7C47D0000-0x00007FF7C4BC1000-memory.dmp	xmrig
behavioral2/memory/4100-453-0x00007FF621430000-0x00007FF621821000-memory.dmp	xmrig
behavioral2/memory/3872-436-0x00007FF7BB0E0000-0x00007FF7BB4D1000-memory.dmp	xmrig
behavioral2/memory/2392-460-0x00007FF6A2F40000-0x00007FF6A3331000-memory.dmp	xmrig
behavioral2/memory/4684-455-0x00007FF644830000-0x00007FF644C21000-memory.dmp	xmrig
behavioral2/memory/3092-465-0x00007FF615610000-0x00007FF615A01000-memory.dmp	xmrig
behavioral2/memory/1212-470-0x00007FF76E710000-0x00007FF76EB01000-memory.dmp	xmrig
behavioral2/memory/2464-478-0x00007FF76A860000-0x00007FF76AC51000-memory.dmp	xmrig
behavioral2/memory/880-482-0x00007FF743340000-0x00007FF743731000-memory.dmp	xmrig
behavioral2/memory/1848-488-0x00007FF7CB470000-0x00007FF7CB861000-memory.dmp	xmrig
behavioral2/memory/4224-491-0x00007FF7E1B00000-0x00007FF7E1EF1000-memory.dmp	xmrig
behavioral2/memory/3388-490-0x00007FF726E20000-0x00007FF727211000-memory.dmp	xmrig
behavioral2/memory/1916-1988-0x00007FF630BA0000-0x00007FF630F91000-memory.dmp	xmrig
behavioral2/memory/1172-1989-0x00007FF63F2F0000-0x00007FF63F6E1000-memory.dmp	xmrig
behavioral2/memory/5104-1990-0x00007FF628FD0000-0x00007FF6293C1000-memory.dmp	xmrig
behavioral2/memory/1172-2016-0x00007FF63F2F0000-0x00007FF63F6E1000-memory.dmp	xmrig
behavioral2/memory/5104-2018-0x00007FF628FD0000-0x00007FF6293C1000-memory.dmp	xmrig
behavioral2/memory/720-2020-0x00007FF6E9990000-0x00007FF6E9D81000-memory.dmp	xmrig
behavioral2/memory/4824-2032-0x00007FF78F250000-0x00007FF78F641000-memory.dmp	xmrig
behavioral2/memory/1096-2026-0x00007FF6395B0000-0x00007FF6399A1000-memory.dmp	xmrig
behavioral2/memory/3176-2034-0x00007FF6FA9E0000-0x00007FF6FADD1000-memory.dmp	xmrig
behavioral2/memory/3080-2022-0x00007FF6B7C40000-0x00007FF6B8031000-memory.dmp	xmrig
behavioral2/memory/2508-2030-0x00007FF6C2170000-0x00007FF6C2561000-memory.dmp	xmrig
behavioral2/memory/2372-2028-0x00007FF6D23F0000-0x00007FF6D27E1000-memory.dmp	xmrig
behavioral2/memory/1540-2024-0x00007FF699630000-0x00007FF699A21000-memory.dmp	xmrig
behavioral2/memory/3872-2041-0x00007FF7BB0E0000-0x00007FF7BB4D1000-memory.dmp	xmrig
behavioral2/memory/3092-2074-0x00007FF615610000-0x00007FF615A01000-memory.dmp	xmrig
behavioral2/memory/4224-2058-0x00007FF7E1B00000-0x00007FF7E1EF1000-memory.dmp	xmrig
behavioral2/memory/3388-2056-0x00007FF726E20000-0x00007FF727211000-memory.dmp	xmrig
behavioral2/memory/4924-2042-0x00007FF7E5700000-0x00007FF7E5AF1000-memory.dmp	xmrig
behavioral2/memory/1296-2039-0x00007FF7C47D0000-0x00007FF7C4BC1000-memory.dmp	xmrig
behavioral2/memory/4100-2049-0x00007FF621430000-0x00007FF621821000-memory.dmp	xmrig
behavioral2/memory/2760-2036-0x00007FF7D2540000-0x00007FF7D2931000-memory.dmp	xmrig
behavioral2/memory/880-2046-0x00007FF743340000-0x00007FF743731000-memory.dmp	xmrig
behavioral2/memory/2392-2044-0x00007FF6A2F40000-0x00007FF6A3331000-memory.dmp	xmrig
behavioral2/memory/1848-2078-0x00007FF7CB470000-0x00007FF7CB861000-memory.dmp	xmrig
behavioral2/memory/4684-2051-0x00007FF644830000-0x00007FF644C21000-memory.dmp	xmrig
behavioral2/memory/1212-2080-0x00007FF76E710000-0x00007FF76EB01000-memory.dmp	xmrig
behavioral2/memory/2464-2076-0x00007FF76A860000-0x00007FF76AC51000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1172	HoAAYSi.exe
5104	wXCzFBC.exe
720	hgRdIqY.exe
3176	Mwbihkk.exe
3080	zCVTiet.exe
1540	zlcEhvb.exe
1096	iRxFKNq.exe
2508	aCowvkS.exe
2372	KEThhsa.exe
4824	pyJsPmX.exe
3872	WllxJum.exe
2760	ruHmBMi.exe
4924	ZQizovF.exe
1296	XeAEeVx.exe
4100	AJEIZcA.exe
4684	hNeqVUy.exe
2392	fKDmirf.exe
3092	nNoXPkO.exe
1212	Vndagca.exe
2464	iLXeNUA.exe
880	vBkubqe.exe
1848	jtVkpKx.exe
3388	kpyFiEw.exe
4224	qqWKLtG.exe
4244	acREwbR.exe
1236	tuxuyQx.exe
3944	bYwkCIE.exe
2028	kCLELjT.exe
1048	ziFeJeT.exe
2296	dELPpio.exe
3984	GEvgWfz.exe
3392	SlUeRpk.exe
4092	ppfMtrc.exe
4988	mBvsIXz.exe
5100	AwHjAiz.exe
3596	FMkRhho.exe
4364	RZyVAhJ.exe
3556	cgGzNnG.exe
512	ceNfSbc.exe
1756	cJZvlad.exe
4120	lKybCER.exe
4304	wvDxoZg.exe
3088	eQzHEFQ.exe
548	JpfPjQP.exe
1992	SgxevmG.exe
2740	ZEOnXlV.exe
3284	YxqKTOh.exe
4352	NtsTzuh.exe
3968	fldwAhC.exe
3904	OTKDugG.exe
4584	OIUQWPA.exe
4908	ZBVosFj.exe
3584	ytNAEmz.exe
3924	uWGFLOB.exe
1428	gTeErUb.exe
1772	tRQHCKL.exe
2420	uRfdhDL.exe
4504	vTrLjST.exe
2344	fkxlIWP.exe
4848	qbRQEEO.exe
1160	ueREkrV.exe
1252	tSRjMVt.exe
2620	hqpZutN.exe
4316	rvmGAnQ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1916-0-0x00007FF630BA0000-0x00007FF630F91000-memory.dmp	upx
behavioral2/files/0x000e000000023b6d-4.dat	upx
behavioral2/memory/5104-14-0x00007FF628FD0000-0x00007FF6293C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b74-13.dat	upx
behavioral2/files/0x000a000000023b76-28.dat	upx
behavioral2/files/0x000a000000023b79-43.dat	upx
behavioral2/files/0x000a000000023b7a-48.dat	upx
behavioral2/files/0x000a000000023b7b-53.dat	upx
behavioral2/files/0x000a000000023b7f-71.dat	upx
behavioral2/files/0x000a000000023b81-81.dat	upx
behavioral2/files/0x000a000000023b84-98.dat	upx
behavioral2/files/0x000a000000023b86-108.dat	upx
behavioral2/files/0x000a000000023b8a-128.dat	upx
behavioral2/files/0x000a000000023b8d-141.dat	upx
behavioral2/memory/720-428-0x00007FF6E9990000-0x00007FF6E9D81000-memory.dmp	upx
behavioral2/memory/3176-429-0x00007FF6FA9E0000-0x00007FF6FADD1000-memory.dmp	upx
behavioral2/files/0x000a000000023b91-163.dat	upx
behavioral2/files/0x000a000000023b90-158.dat	upx
behavioral2/files/0x000a000000023b8f-153.dat	upx
behavioral2/files/0x000a000000023b8e-148.dat	upx
behavioral2/files/0x000a000000023b8c-138.dat	upx
behavioral2/files/0x000a000000023b8b-133.dat	upx
behavioral2/files/0x000a000000023b89-123.dat	upx
behavioral2/files/0x000a000000023b88-118.dat	upx
behavioral2/files/0x000a000000023b87-113.dat	upx
behavioral2/files/0x000a000000023b85-103.dat	upx
behavioral2/files/0x000a000000023b83-93.dat	upx
behavioral2/files/0x000a000000023b82-88.dat	upx
behavioral2/files/0x000a000000023b80-78.dat	upx
behavioral2/files/0x000a000000023b7e-68.dat	upx
behavioral2/files/0x000a000000023b7d-63.dat	upx
behavioral2/files/0x000a000000023b7c-58.dat	upx
behavioral2/files/0x000a000000023b78-38.dat	upx
behavioral2/files/0x000a000000023b77-33.dat	upx
behavioral2/files/0x000a000000023b75-23.dat	upx
behavioral2/memory/1172-11-0x00007FF63F2F0000-0x00007FF63F6E1000-memory.dmp	upx
behavioral2/files/0x000a000000023b73-10.dat	upx
behavioral2/memory/3080-430-0x00007FF6B7C40000-0x00007FF6B8031000-memory.dmp	upx
behavioral2/memory/1540-431-0x00007FF699630000-0x00007FF699A21000-memory.dmp	upx
behavioral2/memory/2508-433-0x00007FF6C2170000-0x00007FF6C2561000-memory.dmp	upx
behavioral2/memory/1096-432-0x00007FF6395B0000-0x00007FF6399A1000-memory.dmp	upx
behavioral2/memory/2372-434-0x00007FF6D23F0000-0x00007FF6D27E1000-memory.dmp	upx
behavioral2/memory/4824-435-0x00007FF78F250000-0x00007FF78F641000-memory.dmp	upx
behavioral2/memory/4924-438-0x00007FF7E5700000-0x00007FF7E5AF1000-memory.dmp	upx
behavioral2/memory/2760-437-0x00007FF7D2540000-0x00007FF7D2931000-memory.dmp	upx
behavioral2/memory/1296-446-0x00007FF7C47D0000-0x00007FF7C4BC1000-memory.dmp	upx
behavioral2/memory/4100-453-0x00007FF621430000-0x00007FF621821000-memory.dmp	upx
behavioral2/memory/3872-436-0x00007FF7BB0E0000-0x00007FF7BB4D1000-memory.dmp	upx
behavioral2/memory/2392-460-0x00007FF6A2F40000-0x00007FF6A3331000-memory.dmp	upx
behavioral2/memory/4684-455-0x00007FF644830000-0x00007FF644C21000-memory.dmp	upx
behavioral2/memory/3092-465-0x00007FF615610000-0x00007FF615A01000-memory.dmp	upx
behavioral2/memory/1212-470-0x00007FF76E710000-0x00007FF76EB01000-memory.dmp	upx
behavioral2/memory/2464-478-0x00007FF76A860000-0x00007FF76AC51000-memory.dmp	upx
behavioral2/memory/880-482-0x00007FF743340000-0x00007FF743731000-memory.dmp	upx
behavioral2/memory/1848-488-0x00007FF7CB470000-0x00007FF7CB861000-memory.dmp	upx
behavioral2/memory/4224-491-0x00007FF7E1B00000-0x00007FF7E1EF1000-memory.dmp	upx
behavioral2/memory/3388-490-0x00007FF726E20000-0x00007FF727211000-memory.dmp	upx
behavioral2/memory/1916-1988-0x00007FF630BA0000-0x00007FF630F91000-memory.dmp	upx
behavioral2/memory/1172-1989-0x00007FF63F2F0000-0x00007FF63F6E1000-memory.dmp	upx
behavioral2/memory/5104-1990-0x00007FF628FD0000-0x00007FF6293C1000-memory.dmp	upx
behavioral2/memory/1172-2016-0x00007FF63F2F0000-0x00007FF63F6E1000-memory.dmp	upx
behavioral2/memory/5104-2018-0x00007FF628FD0000-0x00007FF6293C1000-memory.dmp	upx
behavioral2/memory/720-2020-0x00007FF6E9990000-0x00007FF6E9D81000-memory.dmp	upx
behavioral2/memory/4824-2032-0x00007FF78F250000-0x00007FF78F641000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\PgDgcEQ.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\AtZAKUY.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\jBuSZwr.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\BMHJHRC.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\zqQnskv.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\TZtAOXh.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\urdcUwv.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\iUJFsjm.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\ZuKflmO.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\LmwQXcr.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\Byslvht.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\ZQizovF.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\NtsTzuh.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\uWGFLOB.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\xYMpmzY.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\jYHmEoX.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\GJkbAqb.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\fDyygtk.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\vUkISYk.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\iNKXhVM.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\YxMBToS.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\lZWisPk.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\IQJBcLb.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\iBKCloI.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\kpyFiEw.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\kCLELjT.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\yApBNun.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\ZqQEqTB.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\jbXUidV.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\bLGpIRd.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\nnUctAj.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\HuYNUsr.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\jtVkpKx.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\bTRTbHZ.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\kePtJex.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\zrZRBYF.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\tTpjEMn.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\cHQvpKx.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\ZBzZJvU.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\mnhiYOt.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\lPmSZNW.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\bTIcaZy.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\HIEXrwa.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\zlcgBHR.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\iBkuhTP.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\hasvvCQ.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\vtfOzXn.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\lcCeBAr.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\byJESvy.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\hNJlhod.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\mSSAaUK.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\MnxYnRi.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\mqgSwkm.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\tRQHCKL.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\WXpHVTv.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\NEjlvIq.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\RZyVAhJ.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\zFBUqJd.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\pzimyJj.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\GdsagNY.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\yZuOZJM.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\SyTNELQ.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\NOtrCEE.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
File created	C:\Windows\System32\LIJSIuL.exe	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13160	dwm.exe
Token: SeChangeNotifyPrivilege	13160	dwm.exe
Token: 33	13160	dwm.exe
Token: SeIncBasePriorityPrivilege	13160	dwm.exe
Token: SeShutdownPrivilege	13160	dwm.exe
Token: SeCreatePagefilePrivilege	13160	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 1172	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	85
PID 1916 wrote to memory of 1172	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	85
PID 1916 wrote to memory of 5104	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	86
PID 1916 wrote to memory of 5104	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	86
PID 1916 wrote to memory of 720	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	87
PID 1916 wrote to memory of 720	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	87
PID 1916 wrote to memory of 3176	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	88
PID 1916 wrote to memory of 3176	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	88
PID 1916 wrote to memory of 3080	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	89
PID 1916 wrote to memory of 3080	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	89
PID 1916 wrote to memory of 1540	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	90
PID 1916 wrote to memory of 1540	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	90
PID 1916 wrote to memory of 1096	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	91
PID 1916 wrote to memory of 1096	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	91
PID 1916 wrote to memory of 2508	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	92
PID 1916 wrote to memory of 2508	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	92
PID 1916 wrote to memory of 2372	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	93
PID 1916 wrote to memory of 2372	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	93
PID 1916 wrote to memory of 4824	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	94
PID 1916 wrote to memory of 4824	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	94
PID 1916 wrote to memory of 3872	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	95
PID 1916 wrote to memory of 3872	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	95
PID 1916 wrote to memory of 2760	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	96
PID 1916 wrote to memory of 2760	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	96
PID 1916 wrote to memory of 4924	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	97
PID 1916 wrote to memory of 4924	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	97
PID 1916 wrote to memory of 1296	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	98
PID 1916 wrote to memory of 1296	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	98
PID 1916 wrote to memory of 4100	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	99
PID 1916 wrote to memory of 4100	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	99
PID 1916 wrote to memory of 4684	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	100
PID 1916 wrote to memory of 4684	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	100
PID 1916 wrote to memory of 2392	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	101
PID 1916 wrote to memory of 2392	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	101
PID 1916 wrote to memory of 3092	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	102
PID 1916 wrote to memory of 3092	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	102
PID 1916 wrote to memory of 1212	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	103
PID 1916 wrote to memory of 1212	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	103
PID 1916 wrote to memory of 2464	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	104
PID 1916 wrote to memory of 2464	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	104
PID 1916 wrote to memory of 880	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	105
PID 1916 wrote to memory of 880	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	105
PID 1916 wrote to memory of 1848	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	106
PID 1916 wrote to memory of 1848	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	106
PID 1916 wrote to memory of 3388	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	107
PID 1916 wrote to memory of 3388	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	107
PID 1916 wrote to memory of 4224	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	108
PID 1916 wrote to memory of 4224	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	108
PID 1916 wrote to memory of 4244	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	109
PID 1916 wrote to memory of 4244	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	109
PID 1916 wrote to memory of 1236	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	110
PID 1916 wrote to memory of 1236	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	110
PID 1916 wrote to memory of 3944	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	111
PID 1916 wrote to memory of 3944	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	111
PID 1916 wrote to memory of 2028	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	112
PID 1916 wrote to memory of 2028	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	112
PID 1916 wrote to memory of 1048	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	113
PID 1916 wrote to memory of 1048	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	113
PID 1916 wrote to memory of 2296	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	114
PID 1916 wrote to memory of 2296	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	114
PID 1916 wrote to memory of 3984	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	115
PID 1916 wrote to memory of 3984	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	115
PID 1916 wrote to memory of 3392	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	116
PID 1916 wrote to memory of 3392	1916	206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\206dc549db6c9d4cd330aabae3f06a92_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\System32\HoAAYSi.exe
  C:\Windows\System32\HoAAYSi.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System32\wXCzFBC.exe
  C:\Windows\System32\wXCzFBC.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Windows\System32\hgRdIqY.exe
  C:\Windows\System32\hgRdIqY.exe
  2⤵
  - Executes dropped EXE
  PID:720
- C:\Windows\System32\Mwbihkk.exe
  C:\Windows\System32\Mwbihkk.exe
  2⤵
  - Executes dropped EXE
  PID:3176
- C:\Windows\System32\zCVTiet.exe
  C:\Windows\System32\zCVTiet.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System32\zlcEhvb.exe
  C:\Windows\System32\zlcEhvb.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System32\iRxFKNq.exe
  C:\Windows\System32\iRxFKNq.exe
  2⤵
  - Executes dropped EXE
  PID:1096
- C:\Windows\System32\aCowvkS.exe
  C:\Windows\System32\aCowvkS.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System32\KEThhsa.exe
  C:\Windows\System32\KEThhsa.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System32\pyJsPmX.exe
  C:\Windows\System32\pyJsPmX.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System32\WllxJum.exe
  C:\Windows\System32\WllxJum.exe
  2⤵
  - Executes dropped EXE
  PID:3872
- C:\Windows\System32\ruHmBMi.exe
  C:\Windows\System32\ruHmBMi.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System32\ZQizovF.exe
  C:\Windows\System32\ZQizovF.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System32\XeAEeVx.exe
  C:\Windows\System32\XeAEeVx.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System32\AJEIZcA.exe
  C:\Windows\System32\AJEIZcA.exe
  2⤵
  - Executes dropped EXE
  PID:4100
- C:\Windows\System32\hNeqVUy.exe
  C:\Windows\System32\hNeqVUy.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System32\fKDmirf.exe
  C:\Windows\System32\fKDmirf.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System32\nNoXPkO.exe
  C:\Windows\System32\nNoXPkO.exe
  2⤵
  - Executes dropped EXE
  PID:3092
- C:\Windows\System32\Vndagca.exe
  C:\Windows\System32\Vndagca.exe
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\System32\iLXeNUA.exe
  C:\Windows\System32\iLXeNUA.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System32\vBkubqe.exe
  C:\Windows\System32\vBkubqe.exe
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\System32\jtVkpKx.exe
  C:\Windows\System32\jtVkpKx.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System32\kpyFiEw.exe
  C:\Windows\System32\kpyFiEw.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System32\qqWKLtG.exe
  C:\Windows\System32\qqWKLtG.exe
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Windows\System32\acREwbR.exe
  C:\Windows\System32\acREwbR.exe
  2⤵
  - Executes dropped EXE
  PID:4244
- C:\Windows\System32\tuxuyQx.exe
  C:\Windows\System32\tuxuyQx.exe
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\System32\bYwkCIE.exe
  C:\Windows\System32\bYwkCIE.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System32\kCLELjT.exe
  C:\Windows\System32\kCLELjT.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System32\ziFeJeT.exe
  C:\Windows\System32\ziFeJeT.exe
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Windows\System32\dELPpio.exe
  C:\Windows\System32\dELPpio.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System32\GEvgWfz.exe
  C:\Windows\System32\GEvgWfz.exe
  2⤵
  - Executes dropped EXE
  PID:3984
- C:\Windows\System32\SlUeRpk.exe
  C:\Windows\System32\SlUeRpk.exe
  2⤵
  - Executes dropped EXE
  PID:3392
- C:\Windows\System32\ppfMtrc.exe
  C:\Windows\System32\ppfMtrc.exe
  2⤵
  - Executes dropped EXE
  PID:4092
- C:\Windows\System32\mBvsIXz.exe
  C:\Windows\System32\mBvsIXz.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System32\AwHjAiz.exe
  C:\Windows\System32\AwHjAiz.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System32\FMkRhho.exe
  C:\Windows\System32\FMkRhho.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System32\RZyVAhJ.exe
  C:\Windows\System32\RZyVAhJ.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System32\cgGzNnG.exe
  C:\Windows\System32\cgGzNnG.exe
  2⤵
  - Executes dropped EXE
  PID:3556
- C:\Windows\System32\ceNfSbc.exe
  C:\Windows\System32\ceNfSbc.exe
  2⤵
  - Executes dropped EXE
  PID:512
- C:\Windows\System32\cJZvlad.exe
  C:\Windows\System32\cJZvlad.exe
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\System32\lKybCER.exe
  C:\Windows\System32\lKybCER.exe
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\System32\wvDxoZg.exe
  C:\Windows\System32\wvDxoZg.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System32\eQzHEFQ.exe
  C:\Windows\System32\eQzHEFQ.exe
  2⤵
  - Executes dropped EXE
  PID:3088
- C:\Windows\System32\JpfPjQP.exe
  C:\Windows\System32\JpfPjQP.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System32\SgxevmG.exe
  C:\Windows\System32\SgxevmG.exe
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\System32\ZEOnXlV.exe
  C:\Windows\System32\ZEOnXlV.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System32\YxqKTOh.exe
  C:\Windows\System32\YxqKTOh.exe
  2⤵
  - Executes dropped EXE
  PID:3284
- C:\Windows\System32\NtsTzuh.exe
  C:\Windows\System32\NtsTzuh.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System32\fldwAhC.exe
  C:\Windows\System32\fldwAhC.exe
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Windows\System32\OTKDugG.exe
  C:\Windows\System32\OTKDugG.exe
  2⤵
  - Executes dropped EXE
  PID:3904
- C:\Windows\System32\OIUQWPA.exe
  C:\Windows\System32\OIUQWPA.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System32\ZBVosFj.exe
  C:\Windows\System32\ZBVosFj.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System32\ytNAEmz.exe
  C:\Windows\System32\ytNAEmz.exe
  2⤵
  - Executes dropped EXE
  PID:3584
- C:\Windows\System32\uWGFLOB.exe
  C:\Windows\System32\uWGFLOB.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System32\gTeErUb.exe
  C:\Windows\System32\gTeErUb.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System32\tRQHCKL.exe
  C:\Windows\System32\tRQHCKL.exe
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\System32\uRfdhDL.exe
  C:\Windows\System32\uRfdhDL.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System32\vTrLjST.exe
  C:\Windows\System32\vTrLjST.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System32\fkxlIWP.exe
  C:\Windows\System32\fkxlIWP.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System32\qbRQEEO.exe
  C:\Windows\System32\qbRQEEO.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System32\ueREkrV.exe
  C:\Windows\System32\ueREkrV.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System32\tSRjMVt.exe
  C:\Windows\System32\tSRjMVt.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\System32\hqpZutN.exe
  C:\Windows\System32\hqpZutN.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System32\rvmGAnQ.exe
  C:\Windows\System32\rvmGAnQ.exe
  2⤵
  - Executes dropped EXE
  PID:4316
- C:\Windows\System32\lapxpBM.exe
  C:\Windows\System32\lapxpBM.exe
  2⤵
  PID:1632
- C:\Windows\System32\DMazumS.exe
  C:\Windows\System32\DMazumS.exe
  2⤵
  PID:2720
- C:\Windows\System32\ToXLbTX.exe
  C:\Windows\System32\ToXLbTX.exe
  2⤵
  PID:4460
- C:\Windows\System32\yApBNun.exe
  C:\Windows\System32\yApBNun.exe
  2⤵
  PID:1112
- C:\Windows\System32\pLUMqxl.exe
  C:\Windows\System32\pLUMqxl.exe
  2⤵
  PID:4336
- C:\Windows\System32\vUkISYk.exe
  C:\Windows\System32\vUkISYk.exe
  2⤵
  PID:4496
- C:\Windows\System32\ZDYacIv.exe
  C:\Windows\System32\ZDYacIv.exe
  2⤵
  PID:2764
- C:\Windows\System32\EGnmUrH.exe
  C:\Windows\System32\EGnmUrH.exe
  2⤵
  PID:5116
- C:\Windows\System32\KqacwtX.exe
  C:\Windows\System32\KqacwtX.exe
  2⤵
  PID:3372
- C:\Windows\System32\mlIilfg.exe
  C:\Windows\System32\mlIilfg.exe
  2⤵
  PID:2700
- C:\Windows\System32\RHiqdwN.exe
  C:\Windows\System32\RHiqdwN.exe
  2⤵
  PID:3068
- C:\Windows\System32\HLfgPwl.exe
  C:\Windows\System32\HLfgPwl.exe
  2⤵
  PID:3948
- C:\Windows\System32\fATHkeH.exe
  C:\Windows\System32\fATHkeH.exe
  2⤵
  PID:2376
- C:\Windows\System32\dDEQNyo.exe
  C:\Windows\System32\dDEQNyo.exe
  2⤵
  PID:2888
- C:\Windows\System32\HAvoTHD.exe
  C:\Windows\System32\HAvoTHD.exe
  2⤵
  PID:3348
- C:\Windows\System32\uqFycrK.exe
  C:\Windows\System32\uqFycrK.exe
  2⤵
  PID:5140
- C:\Windows\System32\zOxhoUd.exe
  C:\Windows\System32\zOxhoUd.exe
  2⤵
  PID:5168
- C:\Windows\System32\eTkCeHA.exe
  C:\Windows\System32\eTkCeHA.exe
  2⤵
  PID:5196
- C:\Windows\System32\mXHJlWB.exe
  C:\Windows\System32\mXHJlWB.exe
  2⤵
  PID:5224
- C:\Windows\System32\YyAlYRZ.exe
  C:\Windows\System32\YyAlYRZ.exe
  2⤵
  PID:5248
- C:\Windows\System32\dPNBJbJ.exe
  C:\Windows\System32\dPNBJbJ.exe
  2⤵
  PID:5284
- C:\Windows\System32\lhZqgoN.exe
  C:\Windows\System32\lhZqgoN.exe
  2⤵
  PID:5308
- C:\Windows\System32\GFLtuSB.exe
  C:\Windows\System32\GFLtuSB.exe
  2⤵
  PID:5336
- C:\Windows\System32\tMLDTvd.exe
  C:\Windows\System32\tMLDTvd.exe
  2⤵
  PID:5364
- C:\Windows\System32\WEvfdfX.exe
  C:\Windows\System32\WEvfdfX.exe
  2⤵
  PID:5392
- C:\Windows\System32\jDRYIIo.exe
  C:\Windows\System32\jDRYIIo.exe
  2⤵
  PID:5416
- C:\Windows\System32\IhFxamz.exe
  C:\Windows\System32\IhFxamz.exe
  2⤵
  PID:5448
- C:\Windows\System32\zioCmGB.exe
  C:\Windows\System32\zioCmGB.exe
  2⤵
  PID:5476
- C:\Windows\System32\iUJFsjm.exe
  C:\Windows\System32\iUJFsjm.exe
  2⤵
  PID:5504
- C:\Windows\System32\WXpHVTv.exe
  C:\Windows\System32\WXpHVTv.exe
  2⤵
  PID:5532
- C:\Windows\System32\hFGbtMA.exe
  C:\Windows\System32\hFGbtMA.exe
  2⤵
  PID:5560
- C:\Windows\System32\fHhPfpY.exe
  C:\Windows\System32\fHhPfpY.exe
  2⤵
  PID:5592
- C:\Windows\System32\hbQDhwb.exe
  C:\Windows\System32\hbQDhwb.exe
  2⤵
  PID:5616
- C:\Windows\System32\cHQvpKx.exe
  C:\Windows\System32\cHQvpKx.exe
  2⤵
  PID:5648
- C:\Windows\System32\SVVMoaQ.exe
  C:\Windows\System32\SVVMoaQ.exe
  2⤵
  PID:5672
- C:\Windows\System32\lZWisPk.exe
  C:\Windows\System32\lZWisPk.exe
  2⤵
  PID:5700
- C:\Windows\System32\MOHYWUs.exe
  C:\Windows\System32\MOHYWUs.exe
  2⤵
  PID:5732
- C:\Windows\System32\mnZVSlv.exe
  C:\Windows\System32\mnZVSlv.exe
  2⤵
  PID:5752
- C:\Windows\System32\rOaNpeD.exe
  C:\Windows\System32\rOaNpeD.exe
  2⤵
  PID:5788
- C:\Windows\System32\prkFOAz.exe
  C:\Windows\System32\prkFOAz.exe
  2⤵
  PID:5812
- C:\Windows\System32\WqXnfUx.exe
  C:\Windows\System32\WqXnfUx.exe
  2⤵
  PID:5840
- C:\Windows\System32\qtJRFms.exe
  C:\Windows\System32\qtJRFms.exe
  2⤵
  PID:5868
- C:\Windows\System32\YmBvrYj.exe
  C:\Windows\System32\YmBvrYj.exe
  2⤵
  PID:5900
- C:\Windows\System32\GskKyAz.exe
  C:\Windows\System32\GskKyAz.exe
  2⤵
  PID:5936
- C:\Windows\System32\IlemrLt.exe
  C:\Windows\System32\IlemrLt.exe
  2⤵
  PID:5952
- C:\Windows\System32\vXbwHyW.exe
  C:\Windows\System32\vXbwHyW.exe
  2⤵
  PID:5980
- C:\Windows\System32\uNBGxLs.exe
  C:\Windows\System32\uNBGxLs.exe
  2⤵
  PID:6008
- C:\Windows\System32\ABGpZJA.exe
  C:\Windows\System32\ABGpZJA.exe
  2⤵
  PID:6036
- C:\Windows\System32\pVGyufb.exe
  C:\Windows\System32\pVGyufb.exe
  2⤵
  PID:6064
- C:\Windows\System32\RyupiJl.exe
  C:\Windows\System32\RyupiJl.exe
  2⤵
  PID:6092
- C:\Windows\System32\nMvSPkM.exe
  C:\Windows\System32\nMvSPkM.exe
  2⤵
  PID:6120
- C:\Windows\System32\WZVFyzf.exe
  C:\Windows\System32\WZVFyzf.exe
  2⤵
  PID:2164
- C:\Windows\System32\QDYyROW.exe
  C:\Windows\System32\QDYyROW.exe
  2⤵
  PID:1440
- C:\Windows\System32\riNOdGB.exe
  C:\Windows\System32\riNOdGB.exe
  2⤵
  PID:4008
- C:\Windows\System32\CZoBdWe.exe
  C:\Windows\System32\CZoBdWe.exe
  2⤵
  PID:2988
- C:\Windows\System32\soZoDpr.exe
  C:\Windows\System32\soZoDpr.exe
  2⤵
  PID:5152
- C:\Windows\System32\uLZBzyX.exe
  C:\Windows\System32\uLZBzyX.exe
  2⤵
  PID:5184
- C:\Windows\System32\bTRTbHZ.exe
  C:\Windows\System32\bTRTbHZ.exe
  2⤵
  PID:5428
- C:\Windows\System32\icXkLgs.exe
  C:\Windows\System32\icXkLgs.exe
  2⤵
  PID:5460
- C:\Windows\System32\yxrWpSH.exe
  C:\Windows\System32\yxrWpSH.exe
  2⤵
  PID:3888
- C:\Windows\System32\UFVjcfm.exe
  C:\Windows\System32\UFVjcfm.exe
  2⤵
  PID:5572
- C:\Windows\System32\aMYACQi.exe
  C:\Windows\System32\aMYACQi.exe
  2⤵
  PID:5644
- C:\Windows\System32\SzUrxTu.exe
  C:\Windows\System32\SzUrxTu.exe
  2⤵
  PID:5712
- C:\Windows\System32\ygFOcrf.exe
  C:\Windows\System32\ygFOcrf.exe
  2⤵
  PID:5764
- C:\Windows\System32\PtJctrj.exe
  C:\Windows\System32\PtJctrj.exe
  2⤵
  PID:5856
- C:\Windows\System32\pLfKTcI.exe
  C:\Windows\System32\pLfKTcI.exe
  2⤵
  PID:5884
- C:\Windows\System32\RikYHBd.exe
  C:\Windows\System32\RikYHBd.exe
  2⤵
  PID:5964
- C:\Windows\System32\NpWdAhf.exe
  C:\Windows\System32\NpWdAhf.exe
  2⤵
  PID:1064
- C:\Windows\System32\NEjlvIq.exe
  C:\Windows\System32\NEjlvIq.exe
  2⤵
  PID:6052
- C:\Windows\System32\zrpUPzN.exe
  C:\Windows\System32\zrpUPzN.exe
  2⤵
  PID:4872
- C:\Windows\System32\ZNmkmzQ.exe
  C:\Windows\System32\ZNmkmzQ.exe
  2⤵
  PID:1008
- C:\Windows\System32\ldxANzW.exe
  C:\Windows\System32\ldxANzW.exe
  2⤵
  PID:4380
- C:\Windows\System32\LQcprpB.exe
  C:\Windows\System32\LQcprpB.exe
  2⤵
  PID:4384
- C:\Windows\System32\zqQnskv.exe
  C:\Windows\System32\zqQnskv.exe
  2⤵
  PID:3296
- C:\Windows\System32\FdWkuMv.exe
  C:\Windows\System32\FdWkuMv.exe
  2⤵
  PID:2532
- C:\Windows\System32\hllccvL.exe
  C:\Windows\System32\hllccvL.exe
  2⤵
  PID:5300
- C:\Windows\System32\BfkHceU.exe
  C:\Windows\System32\BfkHceU.exe
  2⤵
  PID:5384
- C:\Windows\System32\vtfOzXn.exe
  C:\Windows\System32\vtfOzXn.exe
  2⤵
  PID:3660
- C:\Windows\System32\cnkLNBl.exe
  C:\Windows\System32\cnkLNBl.exe
  2⤵
  PID:592
- C:\Windows\System32\vWdmZCn.exe
  C:\Windows\System32\vWdmZCn.exe
  2⤵
  PID:2652
- C:\Windows\System32\rmFuBgG.exe
  C:\Windows\System32\rmFuBgG.exe
  2⤵
  PID:3576
- C:\Windows\System32\BMYcTfw.exe
  C:\Windows\System32\BMYcTfw.exe
  2⤵
  PID:5464
- C:\Windows\System32\mFCXOIO.exe
  C:\Windows\System32\mFCXOIO.exe
  2⤵
  PID:1036
- C:\Windows\System32\DifBOoG.exe
  C:\Windows\System32\DifBOoG.exe
  2⤵
  PID:5716
- C:\Windows\System32\BRGtEkj.exe
  C:\Windows\System32\BRGtEkj.exe
  2⤵
  PID:5828
- C:\Windows\System32\kePtJex.exe
  C:\Windows\System32\kePtJex.exe
  2⤵
  PID:5888
- C:\Windows\System32\RShzVse.exe
  C:\Windows\System32\RShzVse.exe
  2⤵
  PID:6048
- C:\Windows\System32\WFFIERi.exe
  C:\Windows\System32\WFFIERi.exe
  2⤵
  PID:1196
- C:\Windows\System32\iNKXhVM.exe
  C:\Windows\System32\iNKXhVM.exe
  2⤵
  PID:5628
- C:\Windows\System32\RTVOLVF.exe
  C:\Windows\System32\RTVOLVF.exe
  2⤵
  PID:4880
- C:\Windows\System32\ZNBmDpz.exe
  C:\Windows\System32\ZNBmDpz.exe
  2⤵
  PID:2704
- C:\Windows\System32\UGvtFYc.exe
  C:\Windows\System32\UGvtFYc.exe
  2⤵
  PID:4536
- C:\Windows\System32\QQpkQVo.exe
  C:\Windows\System32\QQpkQVo.exe
  2⤵
  PID:5328
- C:\Windows\System32\wPBUVdS.exe
  C:\Windows\System32\wPBUVdS.exe
  2⤵
  PID:3728
- C:\Windows\System32\ItYYEXq.exe
  C:\Windows\System32\ItYYEXq.exe
  2⤵
  PID:1892
- C:\Windows\System32\EcexaCu.exe
  C:\Windows\System32\EcexaCu.exe
  2⤵
  PID:4068
- C:\Windows\System32\ySTVJrR.exe
  C:\Windows\System32\ySTVJrR.exe
  2⤵
  PID:5876
- C:\Windows\System32\SoBnXSs.exe
  C:\Windows\System32\SoBnXSs.exe
  2⤵
  PID:6108
- C:\Windows\System32\nguOEOn.exe
  C:\Windows\System32\nguOEOn.exe
  2⤵
  PID:5524
- C:\Windows\System32\aittrog.exe
  C:\Windows\System32\aittrog.exe
  2⤵
  PID:4116
- C:\Windows\System32\iukjNcg.exe
  C:\Windows\System32\iukjNcg.exe
  2⤵
  PID:3344
- C:\Windows\System32\yjxJnSQ.exe
  C:\Windows\System32\yjxJnSQ.exe
  2⤵
  PID:948
- C:\Windows\System32\oPksYoO.exe
  C:\Windows\System32\oPksYoO.exe
  2⤵
  PID:4308
- C:\Windows\System32\evyPlWI.exe
  C:\Windows\System32\evyPlWI.exe
  2⤵
  PID:6080
- C:\Windows\System32\MfWFrPl.exe
  C:\Windows\System32\MfWFrPl.exe
  2⤵
  PID:6192
- C:\Windows\System32\MdzcqgW.exe
  C:\Windows\System32\MdzcqgW.exe
  2⤵
  PID:6224
- C:\Windows\System32\YzAieME.exe
  C:\Windows\System32\YzAieME.exe
  2⤵
  PID:6260
- C:\Windows\System32\wFDCcCQ.exe
  C:\Windows\System32\wFDCcCQ.exe
  2⤵
  PID:6276
- C:\Windows\System32\ZpjecSX.exe
  C:\Windows\System32\ZpjecSX.exe
  2⤵
  PID:6296
- C:\Windows\System32\yrjvXlr.exe
  C:\Windows\System32\yrjvXlr.exe
  2⤵
  PID:6340
- C:\Windows\System32\mplPaSi.exe
  C:\Windows\System32\mplPaSi.exe
  2⤵
  PID:6364
- C:\Windows\System32\iBXeQBs.exe
  C:\Windows\System32\iBXeQBs.exe
  2⤵
  PID:6388
- C:\Windows\System32\xtWmisd.exe
  C:\Windows\System32\xtWmisd.exe
  2⤵
  PID:6404
- C:\Windows\System32\btqLUwK.exe
  C:\Windows\System32\btqLUwK.exe
  2⤵
  PID:6448
- C:\Windows\System32\TPFMVED.exe
  C:\Windows\System32\TPFMVED.exe
  2⤵
  PID:6480
- C:\Windows\System32\PmTdoMc.exe
  C:\Windows\System32\PmTdoMc.exe
  2⤵
  PID:6508
- C:\Windows\System32\uEbmuPj.exe
  C:\Windows\System32\uEbmuPj.exe
  2⤵
  PID:6524
- C:\Windows\System32\EzmwGMZ.exe
  C:\Windows\System32\EzmwGMZ.exe
  2⤵
  PID:6544
- C:\Windows\System32\iggreXC.exe
  C:\Windows\System32\iggreXC.exe
  2⤵
  PID:6564
- C:\Windows\System32\NSzZgaZ.exe
  C:\Windows\System32\NSzZgaZ.exe
  2⤵
  PID:6580
- C:\Windows\System32\bZhpNUX.exe
  C:\Windows\System32\bZhpNUX.exe
  2⤵
  PID:6652
- C:\Windows\System32\uOHOoIq.exe
  C:\Windows\System32\uOHOoIq.exe
  2⤵
  PID:6684
- C:\Windows\System32\NcWfLno.exe
  C:\Windows\System32\NcWfLno.exe
  2⤵
  PID:6716
- C:\Windows\System32\zfYuuDc.exe
  C:\Windows\System32\zfYuuDc.exe
  2⤵
  PID:6740
- C:\Windows\System32\mipRovJ.exe
  C:\Windows\System32\mipRovJ.exe
  2⤵
  PID:6760
- C:\Windows\System32\xmNabmM.exe
  C:\Windows\System32\xmNabmM.exe
  2⤵
  PID:6784
- C:\Windows\System32\vIxDOoQ.exe
  C:\Windows\System32\vIxDOoQ.exe
  2⤵
  PID:6812
- C:\Windows\System32\AoodeAo.exe
  C:\Windows\System32\AoodeAo.exe
  2⤵
  PID:6840
- C:\Windows\System32\bQvMpkm.exe
  C:\Windows\System32\bQvMpkm.exe
  2⤵
  PID:6860
- C:\Windows\System32\qeMFRGZ.exe
  C:\Windows\System32\qeMFRGZ.exe
  2⤵
  PID:6884
- C:\Windows\System32\pbyxwEt.exe
  C:\Windows\System32\pbyxwEt.exe
  2⤵
  PID:6920
- C:\Windows\System32\ZvkWSkD.exe
  C:\Windows\System32\ZvkWSkD.exe
  2⤵
  PID:6940
- C:\Windows\System32\lPmSZNW.exe
  C:\Windows\System32\lPmSZNW.exe
  2⤵
  PID:6960
- C:\Windows\System32\xvNTydy.exe
  C:\Windows\System32\xvNTydy.exe
  2⤵
  PID:6996
- C:\Windows\System32\qsJYeoy.exe
  C:\Windows\System32\qsJYeoy.exe
  2⤵
  PID:7036
- C:\Windows\System32\lrItcIY.exe
  C:\Windows\System32\lrItcIY.exe
  2⤵
  PID:7088
- C:\Windows\System32\qDEDULD.exe
  C:\Windows\System32\qDEDULD.exe
  2⤵
  PID:7104
- C:\Windows\System32\amJFPSQ.exe
  C:\Windows\System32\amJFPSQ.exe
  2⤵
  PID:7124
- C:\Windows\System32\flzAIkH.exe
  C:\Windows\System32\flzAIkH.exe
  2⤵
  PID:7140
- C:\Windows\System32\PzJlEIu.exe
  C:\Windows\System32\PzJlEIu.exe
  2⤵
  PID:7164
- C:\Windows\System32\ZYJaWHO.exe
  C:\Windows\System32\ZYJaWHO.exe
  2⤵
  PID:6168
- C:\Windows\System32\nLzGAlG.exe
  C:\Windows\System32\nLzGAlG.exe
  2⤵
  PID:6244
- C:\Windows\System32\WsMjmaU.exe
  C:\Windows\System32\WsMjmaU.exe
  2⤵
  PID:6268
- C:\Windows\System32\iloJTuD.exe
  C:\Windows\System32\iloJTuD.exe
  2⤵
  PID:6460
- C:\Windows\System32\tfExVaA.exe
  C:\Windows\System32\tfExVaA.exe
  2⤵
  PID:6472
- C:\Windows\System32\HsYqoje.exe
  C:\Windows\System32\HsYqoje.exe
  2⤵
  PID:6492
- C:\Windows\System32\BJJNNLO.exe
  C:\Windows\System32\BJJNNLO.exe
  2⤵
  PID:6612
- C:\Windows\System32\HLcvPuX.exe
  C:\Windows\System32\HLcvPuX.exe
  2⤵
  PID:6604
- C:\Windows\System32\hQMvYhr.exe
  C:\Windows\System32\hQMvYhr.exe
  2⤵
  PID:6708
- C:\Windows\System32\gznWKRV.exe
  C:\Windows\System32\gznWKRV.exe
  2⤵
  PID:6776
- C:\Windows\System32\mbWaLnE.exe
  C:\Windows\System32\mbWaLnE.exe
  2⤵
  PID:6828
- C:\Windows\System32\bQbInoN.exe
  C:\Windows\System32\bQbInoN.exe
  2⤵
  PID:6980
- C:\Windows\System32\ItgBUae.exe
  C:\Windows\System32\ItgBUae.exe
  2⤵
  PID:7024
- C:\Windows\System32\iVRbfCx.exe
  C:\Windows\System32\iVRbfCx.exe
  2⤵
  PID:7068
- C:\Windows\System32\NkOrqgW.exe
  C:\Windows\System32\NkOrqgW.exe
  2⤵
  PID:7148
- C:\Windows\System32\hWFhPsC.exe
  C:\Windows\System32\hWFhPsC.exe
  2⤵
  PID:6284
- C:\Windows\System32\dXdmdYs.exe
  C:\Windows\System32\dXdmdYs.exe
  2⤵
  PID:6348
- C:\Windows\System32\vXTjgDu.exe
  C:\Windows\System32\vXTjgDu.exe
  2⤵
  PID:6520
- C:\Windows\System32\kXcrpqk.exe
  C:\Windows\System32\kXcrpqk.exe
  2⤵
  PID:6768
- C:\Windows\System32\fUwWmvO.exe
  C:\Windows\System32\fUwWmvO.exe
  2⤵
  PID:6908
- C:\Windows\System32\xWYMAtw.exe
  C:\Windows\System32\xWYMAtw.exe
  2⤵
  PID:7076
- C:\Windows\System32\qIZFiXm.exe
  C:\Windows\System32\qIZFiXm.exe
  2⤵
  PID:4596
- C:\Windows\System32\DncLqzc.exe
  C:\Windows\System32\DncLqzc.exe
  2⤵
  PID:6356
- C:\Windows\System32\dkXRFAA.exe
  C:\Windows\System32\dkXRFAA.exe
  2⤵
  PID:6736
- C:\Windows\System32\zURaiFz.exe
  C:\Windows\System32\zURaiFz.exe
  2⤵
  PID:6936
- C:\Windows\System32\mvweKZd.exe
  C:\Windows\System32\mvweKZd.exe
  2⤵
  PID:6456
- C:\Windows\System32\lYhlKUO.exe
  C:\Windows\System32\lYhlKUO.exe
  2⤵
  PID:7204
- C:\Windows\System32\xixocxb.exe
  C:\Windows\System32\xixocxb.exe
  2⤵
  PID:7220
- C:\Windows\System32\DMPsikl.exe
  C:\Windows\System32\DMPsikl.exe
  2⤵
  PID:7244
- C:\Windows\System32\pAZMkDe.exe
  C:\Windows\System32\pAZMkDe.exe
  2⤵
  PID:7280
- C:\Windows\System32\IyrUvMv.exe
  C:\Windows\System32\IyrUvMv.exe
  2⤵
  PID:7300
- C:\Windows\System32\TZtAOXh.exe
  C:\Windows\System32\TZtAOXh.exe
  2⤵
  PID:7328
- C:\Windows\System32\lAgxTtC.exe
  C:\Windows\System32\lAgxTtC.exe
  2⤵
  PID:7368
- C:\Windows\System32\aYEzlPk.exe
  C:\Windows\System32\aYEzlPk.exe
  2⤵
  PID:7388
- C:\Windows\System32\apcmngF.exe
  C:\Windows\System32\apcmngF.exe
  2⤵
  PID:7412
- C:\Windows\System32\PXYfhJX.exe
  C:\Windows\System32\PXYfhJX.exe
  2⤵
  PID:7432
- C:\Windows\System32\lWbUWvj.exe
  C:\Windows\System32\lWbUWvj.exe
  2⤵
  PID:7476
- C:\Windows\System32\wWexSmN.exe
  C:\Windows\System32\wWexSmN.exe
  2⤵
  PID:7508
- C:\Windows\System32\GdsagNY.exe
  C:\Windows\System32\GdsagNY.exe
  2⤵
  PID:7532
- C:\Windows\System32\yHrmovJ.exe
  C:\Windows\System32\yHrmovJ.exe
  2⤵
  PID:7564
- C:\Windows\System32\MrPrRBu.exe
  C:\Windows\System32\MrPrRBu.exe
  2⤵
  PID:7588
- C:\Windows\System32\zFBUqJd.exe
  C:\Windows\System32\zFBUqJd.exe
  2⤵
  PID:7604
- C:\Windows\System32\vDCgBul.exe
  C:\Windows\System32\vDCgBul.exe
  2⤵
  PID:7640
- C:\Windows\System32\lTpFLfG.exe
  C:\Windows\System32\lTpFLfG.exe
  2⤵
  PID:7656
- C:\Windows\System32\aZEMOsn.exe
  C:\Windows\System32\aZEMOsn.exe
  2⤵
  PID:7680
- C:\Windows\System32\RsdNrBc.exe
  C:\Windows\System32\RsdNrBc.exe
  2⤵
  PID:7720
- C:\Windows\System32\mulKULl.exe
  C:\Windows\System32\mulKULl.exe
  2⤵
  PID:7752
- C:\Windows\System32\WWHLprQ.exe
  C:\Windows\System32\WWHLprQ.exe
  2⤵
  PID:7776
- C:\Windows\System32\jKdnGQm.exe
  C:\Windows\System32\jKdnGQm.exe
  2⤵
  PID:7816
- C:\Windows\System32\UQoxjHl.exe
  C:\Windows\System32\UQoxjHl.exe
  2⤵
  PID:7844
- C:\Windows\System32\iWgQnMW.exe
  C:\Windows\System32\iWgQnMW.exe
  2⤵
  PID:7872
- C:\Windows\System32\RvUkEOX.exe
  C:\Windows\System32\RvUkEOX.exe
  2⤵
  PID:7900
- C:\Windows\System32\koUuXPF.exe
  C:\Windows\System32\koUuXPF.exe
  2⤵
  PID:7928
- C:\Windows\System32\iWVwNdY.exe
  C:\Windows\System32\iWVwNdY.exe
  2⤵
  PID:7944
- C:\Windows\System32\ZnUerkE.exe
  C:\Windows\System32\ZnUerkE.exe
  2⤵
  PID:7976
- C:\Windows\System32\WNdWEpn.exe
  C:\Windows\System32\WNdWEpn.exe
  2⤵
  PID:7992
- C:\Windows\System32\oFiHcOP.exe
  C:\Windows\System32\oFiHcOP.exe
  2⤵
  PID:8040
- C:\Windows\System32\IsHXlCb.exe
  C:\Windows\System32\IsHXlCb.exe
  2⤵
  PID:8068
- C:\Windows\System32\VQbWGUX.exe
  C:\Windows\System32\VQbWGUX.exe
  2⤵
  PID:8096
- C:\Windows\System32\YvrjstQ.exe
  C:\Windows\System32\YvrjstQ.exe
  2⤵
  PID:8112
- C:\Windows\System32\GqrXdDt.exe
  C:\Windows\System32\GqrXdDt.exe
  2⤵
  PID:8152
- C:\Windows\System32\cQlhExX.exe
  C:\Windows\System32\cQlhExX.exe
  2⤵
  PID:8180
- C:\Windows\System32\AbrhfpO.exe
  C:\Windows\System32\AbrhfpO.exe
  2⤵
  PID:7096
- C:\Windows\System32\aOPEfBF.exe
  C:\Windows\System32\aOPEfBF.exe
  2⤵
  PID:7188
- C:\Windows\System32\lcCeBAr.exe
  C:\Windows\System32\lcCeBAr.exe
  2⤵
  PID:7268
- C:\Windows\System32\IyOzcbi.exe
  C:\Windows\System32\IyOzcbi.exe
  2⤵
  PID:7292
- C:\Windows\System32\ptxMdhr.exe
  C:\Windows\System32\ptxMdhr.exe
  2⤵
  PID:7384
- C:\Windows\System32\ZqQEqTB.exe
  C:\Windows\System32\ZqQEqTB.exe
  2⤵
  PID:7428
- C:\Windows\System32\EQhqora.exe
  C:\Windows\System32\EQhqora.exe
  2⤵
  PID:7464
- C:\Windows\System32\kTUEfJq.exe
  C:\Windows\System32\kTUEfJq.exe
  2⤵
  PID:7552
- C:\Windows\System32\YsEPMTI.exe
  C:\Windows\System32\YsEPMTI.exe
  2⤵
  PID:7612
- C:\Windows\System32\ERErrzo.exe
  C:\Windows\System32\ERErrzo.exe
  2⤵
  PID:7676
- C:\Windows\System32\fntKSTi.exe
  C:\Windows\System32\fntKSTi.exe
  2⤵
  PID:7736
- C:\Windows\System32\hNJlhod.exe
  C:\Windows\System32\hNJlhod.exe
  2⤵
  PID:7800
- C:\Windows\System32\zlOjxqJ.exe
  C:\Windows\System32\zlOjxqJ.exe
  2⤵
  PID:7828
- C:\Windows\System32\byJESvy.exe
  C:\Windows\System32\byJESvy.exe
  2⤵
  PID:7924
- C:\Windows\System32\jbXUidV.exe
  C:\Windows\System32\jbXUidV.exe
  2⤵
  PID:8028
- C:\Windows\System32\urdcUwv.exe
  C:\Windows\System32\urdcUwv.exe
  2⤵
  PID:8148
- C:\Windows\System32\wJzLBsD.exe
  C:\Windows\System32\wJzLBsD.exe
  2⤵
  PID:7216
- C:\Windows\System32\UvNrEbx.exe
  C:\Windows\System32\UvNrEbx.exe
  2⤵
  PID:7312
- C:\Windows\System32\ywdorwv.exe
  C:\Windows\System32\ywdorwv.exe
  2⤵
  PID:7400
- C:\Windows\System32\zlcgBHR.exe
  C:\Windows\System32\zlcgBHR.exe
  2⤵
  PID:7600
- C:\Windows\System32\mVuLqTJ.exe
  C:\Windows\System32\mVuLqTJ.exe
  2⤵
  PID:7916
- C:\Windows\System32\VBRrEkc.exe
  C:\Windows\System32\VBRrEkc.exe
  2⤵
  PID:8052
- C:\Windows\System32\APjFOaX.exe
  C:\Windows\System32\APjFOaX.exe
  2⤵
  PID:7540
- C:\Windows\System32\mSSAaUK.exe
  C:\Windows\System32\mSSAaUK.exe
  2⤵
  PID:7728
- C:\Windows\System32\ivCfZpj.exe
  C:\Windows\System32\ivCfZpj.exe
  2⤵
  PID:8024
- C:\Windows\System32\xjnsCro.exe
  C:\Windows\System32\xjnsCro.exe
  2⤵
  PID:7672
- C:\Windows\System32\ktnQEKz.exe
  C:\Windows\System32\ktnQEKz.exe
  2⤵
  PID:8204
- C:\Windows\System32\oEtxxPO.exe
  C:\Windows\System32\oEtxxPO.exe
  2⤵
  PID:8228
- C:\Windows\System32\UyDfQzB.exe
  C:\Windows\System32\UyDfQzB.exe
  2⤵
  PID:8244
- C:\Windows\System32\YbEtFhD.exe
  C:\Windows\System32\YbEtFhD.exe
  2⤵
  PID:8284
- C:\Windows\System32\LuvtAsF.exe
  C:\Windows\System32\LuvtAsF.exe
  2⤵
  PID:8300
- C:\Windows\System32\pCzmAqB.exe
  C:\Windows\System32\pCzmAqB.exe
  2⤵
  PID:8332
- C:\Windows\System32\fgRSllk.exe
  C:\Windows\System32\fgRSllk.exe
  2⤵
  PID:8376
- C:\Windows\System32\DbsgzqW.exe
  C:\Windows\System32\DbsgzqW.exe
  2⤵
  PID:8396
- C:\Windows\System32\AtZAKUY.exe
  C:\Windows\System32\AtZAKUY.exe
  2⤵
  PID:8412
- C:\Windows\System32\YxMBToS.exe
  C:\Windows\System32\YxMBToS.exe
  2⤵
  PID:8476
- C:\Windows\System32\MOQOyMk.exe
  C:\Windows\System32\MOQOyMk.exe
  2⤵
  PID:8492
- C:\Windows\System32\wsyAqOs.exe
  C:\Windows\System32\wsyAqOs.exe
  2⤵
  PID:8556
- C:\Windows\System32\zsXfZSx.exe
  C:\Windows\System32\zsXfZSx.exe
  2⤵
  PID:8572
- C:\Windows\System32\teqLdWC.exe
  C:\Windows\System32\teqLdWC.exe
  2⤵
  PID:8596
- C:\Windows\System32\sWvYJju.exe
  C:\Windows\System32\sWvYJju.exe
  2⤵
  PID:8640
- C:\Windows\System32\qlewUCW.exe
  C:\Windows\System32\qlewUCW.exe
  2⤵
  PID:8664
- C:\Windows\System32\EYWfFvb.exe
  C:\Windows\System32\EYWfFvb.exe
  2⤵
  PID:8680
- C:\Windows\System32\rfHxCxZ.exe
  C:\Windows\System32\rfHxCxZ.exe
  2⤵
  PID:8696
- C:\Windows\System32\BvSmAPR.exe
  C:\Windows\System32\BvSmAPR.exe
  2⤵
  PID:8712
- C:\Windows\System32\wuvhLxw.exe
  C:\Windows\System32\wuvhLxw.exe
  2⤵
  PID:8792
- C:\Windows\System32\RddsOLT.exe
  C:\Windows\System32\RddsOLT.exe
  2⤵
  PID:8900
- C:\Windows\System32\jVTPnsl.exe
  C:\Windows\System32\jVTPnsl.exe
  2⤵
  PID:8928
- C:\Windows\System32\DGnMebV.exe
  C:\Windows\System32\DGnMebV.exe
  2⤵
  PID:8960
- C:\Windows\System32\pyLyjtF.exe
  C:\Windows\System32\pyLyjtF.exe
  2⤵
  PID:8992
- C:\Windows\System32\DZJhBGm.exe
  C:\Windows\System32\DZJhBGm.exe
  2⤵
  PID:9012
- C:\Windows\System32\VMazjCO.exe
  C:\Windows\System32\VMazjCO.exe
  2⤵
  PID:9052
- C:\Windows\System32\SMZXkGT.exe
  C:\Windows\System32\SMZXkGT.exe
  2⤵
  PID:9072
- C:\Windows\System32\FUkXIsF.exe
  C:\Windows\System32\FUkXIsF.exe
  2⤵
  PID:9092
- C:\Windows\System32\yZuOZJM.exe
  C:\Windows\System32\yZuOZJM.exe
  2⤵
  PID:9116
- C:\Windows\System32\qGiipEs.exe
  C:\Windows\System32\qGiipEs.exe
  2⤵
  PID:9136
- C:\Windows\System32\QNeSiAA.exe
  C:\Windows\System32\QNeSiAA.exe
  2⤵
  PID:9184
- C:\Windows\System32\IcsXQdT.exe
  C:\Windows\System32\IcsXQdT.exe
  2⤵
  PID:9204
- C:\Windows\System32\exlDZbv.exe
  C:\Windows\System32\exlDZbv.exe
  2⤵
  PID:8212
- C:\Windows\System32\oZWtjZg.exe
  C:\Windows\System32\oZWtjZg.exe
  2⤵
  PID:8260
- C:\Windows\System32\IMHBomh.exe
  C:\Windows\System32\IMHBomh.exe
  2⤵
  PID:8316
- C:\Windows\System32\WmWPuTS.exe
  C:\Windows\System32\WmWPuTS.exe
  2⤵
  PID:8424
- C:\Windows\System32\SyTNELQ.exe
  C:\Windows\System32\SyTNELQ.exe
  2⤵
  PID:8484
- C:\Windows\System32\uddSegw.exe
  C:\Windows\System32\uddSegw.exe
  2⤵
  PID:8616
- C:\Windows\System32\QpsBcqC.exe
  C:\Windows\System32\QpsBcqC.exe
  2⤵
  PID:8744
- C:\Windows\System32\rOPgFUU.exe
  C:\Windows\System32\rOPgFUU.exe
  2⤵
  PID:3808
- C:\Windows\System32\PGbgGKK.exe
  C:\Windows\System32\PGbgGKK.exe
  2⤵
  PID:8784
- C:\Windows\System32\yJjCfXh.exe
  C:\Windows\System32\yJjCfXh.exe
  2⤵
  PID:8704
- C:\Windows\System32\qaVjQPB.exe
  C:\Windows\System32\qaVjQPB.exe
  2⤵
  PID:8592
- C:\Windows\System32\DObzaMc.exe
  C:\Windows\System32\DObzaMc.exe
  2⤵
  PID:8732
- C:\Windows\System32\BqHAjTk.exe
  C:\Windows\System32\BqHAjTk.exe
  2⤵
  PID:8924
- C:\Windows\System32\coEtXqF.exe
  C:\Windows\System32\coEtXqF.exe
  2⤵
  PID:8852
- C:\Windows\System32\VOPYFDM.exe
  C:\Windows\System32\VOPYFDM.exe
  2⤵
  PID:8976
- C:\Windows\System32\PzBhbPh.exe
  C:\Windows\System32\PzBhbPh.exe
  2⤵
  PID:9060
- C:\Windows\System32\FQyIgOW.exe
  C:\Windows\System32\FQyIgOW.exe
  2⤵
  PID:9084
- C:\Windows\System32\bLGpIRd.exe
  C:\Windows\System32\bLGpIRd.exe
  2⤵
  PID:9152
- C:\Windows\System32\OHDepSH.exe
  C:\Windows\System32\OHDepSH.exe
  2⤵
  PID:8240
- C:\Windows\System32\OvuEiHa.exe
  C:\Windows\System32\OvuEiHa.exe
  2⤵
  PID:8372
- C:\Windows\System32\rZFdcgb.exe
  C:\Windows\System32\rZFdcgb.exe
  2⤵
  PID:8460
- C:\Windows\System32\auSUbfv.exe
  C:\Windows\System32\auSUbfv.exe
  2⤵
  PID:8440
- C:\Windows\System32\vxfbuoh.exe
  C:\Windows\System32\vxfbuoh.exe
  2⤵
  PID:8512
- C:\Windows\System32\wJbXQkM.exe
  C:\Windows\System32\wJbXQkM.exe
  2⤵
  PID:8656
- C:\Windows\System32\ZdFqrwz.exe
  C:\Windows\System32\ZdFqrwz.exe
  2⤵
  PID:8984
- C:\Windows\System32\oWeyyNV.exe
  C:\Windows\System32\oWeyyNV.exe
  2⤵
  PID:9144
- C:\Windows\System32\sYXsxqT.exe
  C:\Windows\System32\sYXsxqT.exe
  2⤵
  PID:7548
- C:\Windows\System32\nGLjmXt.exe
  C:\Windows\System32\nGLjmXt.exe
  2⤵
  PID:8780
- C:\Windows\System32\QAcgbxq.exe
  C:\Windows\System32\QAcgbxq.exe
  2⤵
  PID:8828
- C:\Windows\System32\lXAmHOI.exe
  C:\Windows\System32\lXAmHOI.exe
  2⤵
  PID:8352
- C:\Windows\System32\BPMDlbR.exe
  C:\Windows\System32\BPMDlbR.exe
  2⤵
  PID:8660
- C:\Windows\System32\NOtrCEE.exe
  C:\Windows\System32\NOtrCEE.exe
  2⤵
  PID:8568
- C:\Windows\System32\zRYSToO.exe
  C:\Windows\System32\zRYSToO.exe
  2⤵
  PID:9244
- C:\Windows\System32\KeoOaYg.exe
  C:\Windows\System32\KeoOaYg.exe
  2⤵
  PID:9268
- C:\Windows\System32\MZkzUdx.exe
  C:\Windows\System32\MZkzUdx.exe
  2⤵
  PID:9292
- C:\Windows\System32\KUrqHFq.exe
  C:\Windows\System32\KUrqHFq.exe
  2⤵
  PID:9332
- C:\Windows\System32\gcQvpfp.exe
  C:\Windows\System32\gcQvpfp.exe
  2⤵
  PID:9360
- C:\Windows\System32\QayVMRl.exe
  C:\Windows\System32\QayVMRl.exe
  2⤵
  PID:9376
- C:\Windows\System32\VVcMILf.exe
  C:\Windows\System32\VVcMILf.exe
  2⤵
  PID:9416
- C:\Windows\System32\IptJSFn.exe
  C:\Windows\System32\IptJSFn.exe
  2⤵
  PID:9432
- C:\Windows\System32\OQjbbIw.exe
  C:\Windows\System32\OQjbbIw.exe
  2⤵
  PID:9452
- C:\Windows\System32\WjWJcPn.exe
  C:\Windows\System32\WjWJcPn.exe
  2⤵
  PID:9472
- C:\Windows\System32\TsfEgsL.exe
  C:\Windows\System32\TsfEgsL.exe
  2⤵
  PID:9520
- C:\Windows\System32\nnUctAj.exe
  C:\Windows\System32\nnUctAj.exe
  2⤵
  PID:9548
- C:\Windows\System32\OCVouWD.exe
  C:\Windows\System32\OCVouWD.exe
  2⤵
  PID:9568
- C:\Windows\System32\BVuYqOC.exe
  C:\Windows\System32\BVuYqOC.exe
  2⤵
  PID:9604
- C:\Windows\System32\ZhKBSyH.exe
  C:\Windows\System32\ZhKBSyH.exe
  2⤵
  PID:9624
- C:\Windows\System32\vPqsrWI.exe
  C:\Windows\System32\vPqsrWI.exe
  2⤵
  PID:9648
- C:\Windows\System32\zVSfeGe.exe
  C:\Windows\System32\zVSfeGe.exe
  2⤵
  PID:9696
- C:\Windows\System32\MJWgQXa.exe
  C:\Windows\System32\MJWgQXa.exe
  2⤵
  PID:9716
- C:\Windows\System32\xYMpmzY.exe
  C:\Windows\System32\xYMpmzY.exe
  2⤵
  PID:9744
- C:\Windows\System32\LkJkEPA.exe
  C:\Windows\System32\LkJkEPA.exe
  2⤵
  PID:9760
- C:\Windows\System32\uFgWZok.exe
  C:\Windows\System32\uFgWZok.exe
  2⤵
  PID:9816
- C:\Windows\System32\QMimQCI.exe
  C:\Windows\System32\QMimQCI.exe
  2⤵
  PID:9840
- C:\Windows\System32\jBuSZwr.exe
  C:\Windows\System32\jBuSZwr.exe
  2⤵
  PID:9868
- C:\Windows\System32\ZuKflmO.exe
  C:\Windows\System32\ZuKflmO.exe
  2⤵
  PID:9884
- C:\Windows\System32\qvOPlYz.exe
  C:\Windows\System32\qvOPlYz.exe
  2⤵
  PID:9924
- C:\Windows\System32\HQNuxos.exe
  C:\Windows\System32\HQNuxos.exe
  2⤵
  PID:9940
- C:\Windows\System32\fbgPbXB.exe
  C:\Windows\System32\fbgPbXB.exe
  2⤵
  PID:9968
- C:\Windows\System32\ccrNhKs.exe
  C:\Windows\System32\ccrNhKs.exe
  2⤵
  PID:9988
- C:\Windows\System32\hziHZij.exe
  C:\Windows\System32\hziHZij.exe
  2⤵
  PID:10012
- C:\Windows\System32\MAfUnZn.exe
  C:\Windows\System32\MAfUnZn.exe
  2⤵
  PID:10032
- C:\Windows\System32\VGoCzcy.exe
  C:\Windows\System32\VGoCzcy.exe
  2⤵
  PID:10052
- C:\Windows\System32\IQJBcLb.exe
  C:\Windows\System32\IQJBcLb.exe
  2⤵
  PID:10084
- C:\Windows\System32\fkdCOlB.exe
  C:\Windows\System32\fkdCOlB.exe
  2⤵
  PID:10160
- C:\Windows\System32\GfAcZXt.exe
  C:\Windows\System32\GfAcZXt.exe
  2⤵
  PID:10180
- C:\Windows\System32\ZZYCKDW.exe
  C:\Windows\System32\ZZYCKDW.exe
  2⤵
  PID:10204
- C:\Windows\System32\bMFkUqJ.exe
  C:\Windows\System32\bMFkUqJ.exe
  2⤵
  PID:10232
- C:\Windows\System32\MnxYnRi.exe
  C:\Windows\System32\MnxYnRi.exe
  2⤵
  PID:9240
- C:\Windows\System32\iBKCloI.exe
  C:\Windows\System32\iBKCloI.exe
  2⤵
  PID:9256
- C:\Windows\System32\gEJdxEA.exe
  C:\Windows\System32\gEJdxEA.exe
  2⤵
  PID:9328
- C:\Windows\System32\pzimyJj.exe
  C:\Windows\System32\pzimyJj.exe
  2⤵
  PID:9396
- C:\Windows\System32\xvkXDoT.exe
  C:\Windows\System32\xvkXDoT.exe
  2⤵
  PID:9496
- C:\Windows\System32\JmGGJBh.exe
  C:\Windows\System32\JmGGJBh.exe
  2⤵
  PID:9576
- C:\Windows\System32\vpzwqLk.exe
  C:\Windows\System32\vpzwqLk.exe
  2⤵
  PID:9616
- C:\Windows\System32\ktHdDGe.exe
  C:\Windows\System32\ktHdDGe.exe
  2⤵
  PID:9676
- C:\Windows\System32\aIEXwRu.exe
  C:\Windows\System32\aIEXwRu.exe
  2⤵
  PID:9756
- C:\Windows\System32\TwAyIpt.exe
  C:\Windows\System32\TwAyIpt.exe
  2⤵
  PID:9808
- C:\Windows\System32\aOGRDgW.exe
  C:\Windows\System32\aOGRDgW.exe
  2⤵
  PID:9852
- C:\Windows\System32\qZZUZlK.exe
  C:\Windows\System32\qZZUZlK.exe
  2⤵
  PID:9904
- C:\Windows\System32\uDsVAxA.exe
  C:\Windows\System32\uDsVAxA.exe
  2⤵
  PID:9984
- C:\Windows\System32\LGYvalq.exe
  C:\Windows\System32\LGYvalq.exe
  2⤵
  PID:10024
- C:\Windows\System32\CmWqByV.exe
  C:\Windows\System32\CmWqByV.exe
  2⤵
  PID:10156
- C:\Windows\System32\kalLcUr.exe
  C:\Windows\System32\kalLcUr.exe
  2⤵
  PID:10192
- C:\Windows\System32\pclUEMN.exe
  C:\Windows\System32\pclUEMN.exe
  2⤵
  PID:9276
- C:\Windows\System32\YhuwGmR.exe
  C:\Windows\System32\YhuwGmR.exe
  2⤵
  PID:9444
- C:\Windows\System32\MLwHXmW.exe
  C:\Windows\System32\MLwHXmW.exe
  2⤵
  PID:9516
- C:\Windows\System32\tIrlXEj.exe
  C:\Windows\System32\tIrlXEj.exe
  2⤵
  PID:9728
- C:\Windows\System32\cvGPPQB.exe
  C:\Windows\System32\cvGPPQB.exe
  2⤵
  PID:9832
- C:\Windows\System32\aVHuKXs.exe
  C:\Windows\System32\aVHuKXs.exe
  2⤵
  PID:10044
- C:\Windows\System32\YLpDogV.exe
  C:\Windows\System32\YLpDogV.exe
  2⤵
  PID:10196
- C:\Windows\System32\kFxztKT.exe
  C:\Windows\System32\kFxztKT.exe
  2⤵
  PID:9344
- C:\Windows\System32\CdkwPXt.exe
  C:\Windows\System32\CdkwPXt.exe
  2⤵
  PID:9640
- C:\Windows\System32\XKpkNIc.exe
  C:\Windows\System32\XKpkNIc.exe
  2⤵
  PID:9224
- C:\Windows\System32\GlHrSKo.exe
  C:\Windows\System32\GlHrSKo.exe
  2⤵
  PID:10048
- C:\Windows\System32\XaFlRMA.exe
  C:\Windows\System32\XaFlRMA.exe
  2⤵
  PID:10248
- C:\Windows\System32\CPmorXz.exe
  C:\Windows\System32\CPmorXz.exe
  2⤵
  PID:10272
- C:\Windows\System32\qcBsvrx.exe
  C:\Windows\System32\qcBsvrx.exe
  2⤵
  PID:10292
- C:\Windows\System32\dIvJbJF.exe
  C:\Windows\System32\dIvJbJF.exe
  2⤵
  PID:10332
- C:\Windows\System32\beKyGif.exe
  C:\Windows\System32\beKyGif.exe
  2⤵
  PID:10352
- C:\Windows\System32\fPbfSoi.exe
  C:\Windows\System32\fPbfSoi.exe
  2⤵
  PID:10376
- C:\Windows\System32\OFYWeeI.exe
  C:\Windows\System32\OFYWeeI.exe
  2⤵
  PID:10416
- C:\Windows\System32\GwvGoiF.exe
  C:\Windows\System32\GwvGoiF.exe
  2⤵
  PID:10444
- C:\Windows\System32\ObdQxZE.exe
  C:\Windows\System32\ObdQxZE.exe
  2⤵
  PID:10472
- C:\Windows\System32\UjoVNdK.exe
  C:\Windows\System32\UjoVNdK.exe
  2⤵
  PID:10492
- C:\Windows\System32\qhmWbpJ.exe
  C:\Windows\System32\qhmWbpJ.exe
  2⤵
  PID:10516
- C:\Windows\System32\bTIcaZy.exe
  C:\Windows\System32\bTIcaZy.exe
  2⤵
  PID:10568
- C:\Windows\System32\SZuItOk.exe
  C:\Windows\System32\SZuItOk.exe
  2⤵
  PID:10584
- C:\Windows\System32\WNxKziR.exe
  C:\Windows\System32\WNxKziR.exe
  2⤵
  PID:10600
- C:\Windows\System32\QiSgznz.exe
  C:\Windows\System32\QiSgznz.exe
  2⤵
  PID:10628
- C:\Windows\System32\RPyRQFG.exe
  C:\Windows\System32\RPyRQFG.exe
  2⤵
  PID:10668
- C:\Windows\System32\hiBGZmF.exe
  C:\Windows\System32\hiBGZmF.exe
  2⤵
  PID:10684
- C:\Windows\System32\WcVqxCw.exe
  C:\Windows\System32\WcVqxCw.exe
  2⤵
  PID:10716
- C:\Windows\System32\mRUdism.exe
  C:\Windows\System32\mRUdism.exe
  2⤵
  PID:10740
- C:\Windows\System32\ZhhmoaY.exe
  C:\Windows\System32\ZhhmoaY.exe
  2⤵
  PID:10764
- C:\Windows\System32\xwHMuyz.exe
  C:\Windows\System32\xwHMuyz.exe
  2⤵
  PID:10780
- C:\Windows\System32\UiBNHQk.exe
  C:\Windows\System32\UiBNHQk.exe
  2⤵
  PID:10812
- C:\Windows\System32\sZEvCOh.exe
  C:\Windows\System32\sZEvCOh.exe
  2⤵
  PID:10852
- C:\Windows\System32\GrZHJhn.exe
  C:\Windows\System32\GrZHJhn.exe
  2⤵
  PID:10880
- C:\Windows\System32\vjYFCNP.exe
  C:\Windows\System32\vjYFCNP.exe
  2⤵
  PID:10916
- C:\Windows\System32\YzWISvS.exe
  C:\Windows\System32\YzWISvS.exe
  2⤵
  PID:10952
- C:\Windows\System32\moXOfVK.exe
  C:\Windows\System32\moXOfVK.exe
  2⤵
  PID:10980
- C:\Windows\System32\GPudhOI.exe
  C:\Windows\System32\GPudhOI.exe
  2⤵
  PID:11008
- C:\Windows\System32\qaPTzSC.exe
  C:\Windows\System32\qaPTzSC.exe
  2⤵
  PID:11032
- C:\Windows\System32\dNdKFRW.exe
  C:\Windows\System32\dNdKFRW.exe
  2⤵
  PID:11052
- C:\Windows\System32\iVAyepc.exe
  C:\Windows\System32\iVAyepc.exe
  2⤵
  PID:11080
- C:\Windows\System32\iNTiMSv.exe
  C:\Windows\System32\iNTiMSv.exe
  2⤵
  PID:11112
- C:\Windows\System32\QkEevQQ.exe
  C:\Windows\System32\QkEevQQ.exe
  2⤵
  PID:11164
- C:\Windows\System32\kWQuBUp.exe
  C:\Windows\System32\kWQuBUp.exe
  2⤵
  PID:11180
- C:\Windows\System32\wtpmhsP.exe
  C:\Windows\System32\wtpmhsP.exe
  2⤵
  PID:11196
- C:\Windows\System32\CyURvGg.exe
  C:\Windows\System32\CyURvGg.exe
  2⤵
  PID:11236
- C:\Windows\System32\wwIcfto.exe
  C:\Windows\System32\wwIcfto.exe
  2⤵
  PID:10224
- C:\Windows\System32\zQCtJeB.exe
  C:\Windows\System32\zQCtJeB.exe
  2⤵
  PID:10288
- C:\Windows\System32\OTqKqph.exe
  C:\Windows\System32\OTqKqph.exe
  2⤵
  PID:10320
- C:\Windows\System32\TnWMMnd.exe
  C:\Windows\System32\TnWMMnd.exe
  2⤵
  PID:10396
- C:\Windows\System32\QTOSvpa.exe
  C:\Windows\System32\QTOSvpa.exe
  2⤵
  PID:10428
- C:\Windows\System32\ajaVZrm.exe
  C:\Windows\System32\ajaVZrm.exe
  2⤵
  PID:10484
- C:\Windows\System32\VuPMvfV.exe
  C:\Windows\System32\VuPMvfV.exe
  2⤵
  PID:10576
- C:\Windows\System32\KDrPnWY.exe
  C:\Windows\System32\KDrPnWY.exe
  2⤵
  PID:10676
- C:\Windows\System32\guTWmkn.exe
  C:\Windows\System32\guTWmkn.exe
  2⤵
  PID:10760
- C:\Windows\System32\wDrJheI.exe
  C:\Windows\System32\wDrJheI.exe
  2⤵
  PID:10792
- C:\Windows\System32\iaMKycE.exe
  C:\Windows\System32\iaMKycE.exe
  2⤵
  PID:10828
- C:\Windows\System32\uuBKeRO.exe
  C:\Windows\System32\uuBKeRO.exe
  2⤵
  PID:10904
- C:\Windows\System32\DhGAnNc.exe
  C:\Windows\System32\DhGAnNc.exe
  2⤵
  PID:10976
- C:\Windows\System32\qyqKNVV.exe
  C:\Windows\System32\qyqKNVV.exe
  2⤵
  PID:11076
- C:\Windows\System32\EqtinDa.exe
  C:\Windows\System32\EqtinDa.exe
  2⤵
  PID:11136
- C:\Windows\System32\LmwQXcr.exe
  C:\Windows\System32\LmwQXcr.exe
  2⤵
  PID:11192
- C:\Windows\System32\hczWfZz.exe
  C:\Windows\System32\hczWfZz.exe
  2⤵
  PID:10260
- C:\Windows\System32\PgDgcEQ.exe
  C:\Windows\System32\PgDgcEQ.exe
  2⤵
  PID:10488
- C:\Windows\System32\KavEfmt.exe
  C:\Windows\System32\KavEfmt.exe
  2⤵
  PID:10592
- C:\Windows\System32\MhJqajW.exe
  C:\Windows\System32\MhJqajW.exe
  2⤵
  PID:10656
- C:\Windows\System32\LTBUJbO.exe
  C:\Windows\System32\LTBUJbO.exe
  2⤵
  PID:10772
- C:\Windows\System32\FBuIFCq.exe
  C:\Windows\System32\FBuIFCq.exe
  2⤵
  PID:10932
- C:\Windows\System32\urJryHI.exe
  C:\Windows\System32\urJryHI.exe
  2⤵
  PID:11044
- C:\Windows\System32\xDaoeJI.exe
  C:\Windows\System32\xDaoeJI.exe
  2⤵
  PID:10348
- C:\Windows\System32\Qbvvelc.exe
  C:\Windows\System32\Qbvvelc.exe
  2⤵
  PID:10456
- C:\Windows\System32\BAplzrd.exe
  C:\Windows\System32\BAplzrd.exe
  2⤵
  PID:11228
- C:\Windows\System32\sEeRFsS.exe
  C:\Windows\System32\sEeRFsS.exe
  2⤵
  PID:10800
- C:\Windows\System32\bCZKFSy.exe
  C:\Windows\System32\bCZKFSy.exe
  2⤵
  PID:11276
- C:\Windows\System32\qaLcsCF.exe
  C:\Windows\System32\qaLcsCF.exe
  2⤵
  PID:11304
- C:\Windows\System32\wswVsum.exe
  C:\Windows\System32\wswVsum.exe
  2⤵
  PID:11336
- C:\Windows\System32\bDMcPhD.exe
  C:\Windows\System32\bDMcPhD.exe
  2⤵
  PID:11360
- C:\Windows\System32\gEIYqsZ.exe
  C:\Windows\System32\gEIYqsZ.exe
  2⤵
  PID:11388
- C:\Windows\System32\vgZuabW.exe
  C:\Windows\System32\vgZuabW.exe
  2⤵
  PID:11416
- C:\Windows\System32\WvBpVAW.exe
  C:\Windows\System32\WvBpVAW.exe
  2⤵
  PID:11440
- C:\Windows\System32\rTfsJbE.exe
  C:\Windows\System32\rTfsJbE.exe
  2⤵
  PID:11480
- C:\Windows\System32\GiCTZEx.exe
  C:\Windows\System32\GiCTZEx.exe
  2⤵
  PID:11500
- C:\Windows\System32\VHOMHlJ.exe
  C:\Windows\System32\VHOMHlJ.exe
  2⤵
  PID:11516
- C:\Windows\System32\EoCDwDC.exe
  C:\Windows\System32\EoCDwDC.exe
  2⤵
  PID:11544
- C:\Windows\System32\PMEZyyL.exe
  C:\Windows\System32\PMEZyyL.exe
  2⤵
  PID:11564
- C:\Windows\System32\wezRzaJ.exe
  C:\Windows\System32\wezRzaJ.exe
  2⤵
  PID:11580
- C:\Windows\System32\XtgUalj.exe
  C:\Windows\System32\XtgUalj.exe
  2⤵
  PID:11604
- C:\Windows\System32\jYHmEoX.exe
  C:\Windows\System32\jYHmEoX.exe
  2⤵
  PID:11632
- C:\Windows\System32\RpLAqIH.exe
  C:\Windows\System32\RpLAqIH.exe
  2⤵
  PID:11704
- C:\Windows\System32\EztaIdb.exe
  C:\Windows\System32\EztaIdb.exe
  2⤵
  PID:11724
- C:\Windows\System32\pmdKOkb.exe
  C:\Windows\System32\pmdKOkb.exe
  2⤵
  PID:11752
- C:\Windows\System32\PJtNMGc.exe
  C:\Windows\System32\PJtNMGc.exe
  2⤵
  PID:11776
- C:\Windows\System32\lFIXaon.exe
  C:\Windows\System32\lFIXaon.exe
  2⤵
  PID:11808
- C:\Windows\System32\rPHJwkA.exe
  C:\Windows\System32\rPHJwkA.exe
  2⤵
  PID:11824
- C:\Windows\System32\NIZeqGg.exe
  C:\Windows\System32\NIZeqGg.exe
  2⤵
  PID:11844
- C:\Windows\System32\DkQTAnJ.exe
  C:\Windows\System32\DkQTAnJ.exe
  2⤵
  PID:11888
- C:\Windows\System32\HCbJRiw.exe
  C:\Windows\System32\HCbJRiw.exe
  2⤵
  PID:11916
- C:\Windows\System32\QYZorgx.exe
  C:\Windows\System32\QYZorgx.exe
  2⤵
  PID:11936
- C:\Windows\System32\ygPlZnV.exe
  C:\Windows\System32\ygPlZnV.exe
  2⤵
  PID:11956
- C:\Windows\System32\ZBzZJvU.exe
  C:\Windows\System32\ZBzZJvU.exe
  2⤵
  PID:12016
- C:\Windows\System32\yCTJzoA.exe
  C:\Windows\System32\yCTJzoA.exe
  2⤵
  PID:12036
- C:\Windows\System32\NXphzYS.exe
  C:\Windows\System32\NXphzYS.exe
  2⤵
  PID:12064
- C:\Windows\System32\kMLICap.exe
  C:\Windows\System32\kMLICap.exe
  2⤵
  PID:12092
- C:\Windows\System32\mnhiYOt.exe
  C:\Windows\System32\mnhiYOt.exe
  2⤵
  PID:12120
- C:\Windows\System32\aciHGjw.exe
  C:\Windows\System32\aciHGjw.exe
  2⤵
  PID:12144
- C:\Windows\System32\PXJhnEe.exe
  C:\Windows\System32\PXJhnEe.exe
  2⤵
  PID:12168
- C:\Windows\System32\yZJzNsA.exe
  C:\Windows\System32\yZJzNsA.exe
  2⤵
  PID:12184
- C:\Windows\System32\HuYNUsr.exe
  C:\Windows\System32\HuYNUsr.exe
  2⤵
  PID:12216
- C:\Windows\System32\foLAMvd.exe
  C:\Windows\System32\foLAMvd.exe
  2⤵
  PID:12240
- C:\Windows\System32\BMHJHRC.exe
  C:\Windows\System32\BMHJHRC.exe
  2⤵
  PID:12276
- C:\Windows\System32\TaXjsxs.exe
  C:\Windows\System32\TaXjsxs.exe
  2⤵
  PID:10832
- C:\Windows\System32\AqlTqlb.exe
  C:\Windows\System32\AqlTqlb.exe
  2⤵
  PID:11376
- C:\Windows\System32\ZIHRDCd.exe
  C:\Windows\System32\ZIHRDCd.exe
  2⤵
  PID:11452
- C:\Windows\System32\cMbXzik.exe
  C:\Windows\System32\cMbXzik.exe
  2⤵
  PID:11528
- C:\Windows\System32\gVBfHUJ.exe
  C:\Windows\System32\gVBfHUJ.exe
  2⤵
  PID:11628
- C:\Windows\System32\iBkuhTP.exe
  C:\Windows\System32\iBkuhTP.exe
  2⤵
  PID:11572
- C:\Windows\System32\PcCwjaM.exe
  C:\Windows\System32\PcCwjaM.exe
  2⤵
  PID:11720
- C:\Windows\System32\tTpjEMn.exe
  C:\Windows\System32\tTpjEMn.exe
  2⤵
  PID:11772
- C:\Windows\System32\HCHgpLZ.exe
  C:\Windows\System32\HCHgpLZ.exe
  2⤵
  PID:11836
- C:\Windows\System32\cTVkYFD.exe
  C:\Windows\System32\cTVkYFD.exe
  2⤵
  PID:11884
- C:\Windows\System32\jLlmaTU.exe
  C:\Windows\System32\jLlmaTU.exe
  2⤵
  PID:11952
- C:\Windows\System32\pfpeiLY.exe
  C:\Windows\System32\pfpeiLY.exe
  2⤵
  PID:12032
- C:\Windows\System32\phmTXhZ.exe
  C:\Windows\System32\phmTXhZ.exe
  2⤵
  PID:12104
- C:\Windows\System32\hasvvCQ.exe
  C:\Windows\System32\hasvvCQ.exe
  2⤵
  PID:12132
- C:\Windows\System32\xCkQnor.exe
  C:\Windows\System32\xCkQnor.exe
  2⤵
  PID:12204
- C:\Windows\System32\BWfkFZx.exe
  C:\Windows\System32\BWfkFZx.exe
  2⤵
  PID:11268
- C:\Windows\System32\WIVETzJ.exe
  C:\Windows\System32\WIVETzJ.exe
  2⤵
  PID:11316
- C:\Windows\System32\KEPuriG.exe
  C:\Windows\System32\KEPuriG.exe
  2⤵
  PID:11096
- C:\Windows\System32\GJkbAqb.exe
  C:\Windows\System32\GJkbAqb.exe
  2⤵
  PID:11740
- C:\Windows\System32\gMnpuiX.exe
  C:\Windows\System32\gMnpuiX.exe
  2⤵
  PID:5932
- C:\Windows\System32\GjVgapi.exe
  C:\Windows\System32\GjVgapi.exe
  2⤵
  PID:11896
- C:\Windows\System32\GxXZkkx.exe
  C:\Windows\System32\GxXZkkx.exe
  2⤵
  PID:11992
- C:\Windows\System32\fDyygtk.exe
  C:\Windows\System32\fDyygtk.exe
  2⤵
  PID:12156
- C:\Windows\System32\HIEXrwa.exe
  C:\Windows\System32\HIEXrwa.exe
  2⤵
  PID:11356
- C:\Windows\System32\LIJSIuL.exe
  C:\Windows\System32\LIJSIuL.exe
  2⤵
  PID:3700
- C:\Windows\System32\FDJppOE.exe
  C:\Windows\System32\FDJppOE.exe
  2⤵
  PID:11692
- C:\Windows\System32\cBkmqvO.exe
  C:\Windows\System32\cBkmqvO.exe
  2⤵
  PID:12128
- C:\Windows\System32\GxTFkiO.exe
  C:\Windows\System32\GxTFkiO.exe
  2⤵
  PID:12268
- C:\Windows\System32\yLLgpXF.exe
  C:\Windows\System32\yLLgpXF.exe
  2⤵
  PID:11924
- C:\Windows\System32\ZzGBuas.exe
  C:\Windows\System32\ZzGBuas.exe
  2⤵
  PID:11448
- C:\Windows\System32\dGVuWuM.exe
  C:\Windows\System32\dGVuWuM.exe
  2⤵
  PID:12304
- C:\Windows\System32\XUPlMJx.exe
  C:\Windows\System32\XUPlMJx.exe
  2⤵
  PID:12352
- C:\Windows\System32\mYldHZk.exe
  C:\Windows\System32\mYldHZk.exe
  2⤵
  PID:12376
- C:\Windows\System32\HDhcYDb.exe
  C:\Windows\System32\HDhcYDb.exe
  2⤵
  PID:12404
- C:\Windows\System32\bjCdFof.exe
  C:\Windows\System32\bjCdFof.exe
  2⤵
  PID:12448
- C:\Windows\System32\umKgvoS.exe
  C:\Windows\System32\umKgvoS.exe
  2⤵
  PID:12464
- C:\Windows\System32\efaCYnC.exe
  C:\Windows\System32\efaCYnC.exe
  2⤵
  PID:12484
- C:\Windows\System32\MjDIoJE.exe
  C:\Windows\System32\MjDIoJE.exe
  2⤵
  PID:12512
- C:\Windows\System32\lQZtFld.exe
  C:\Windows\System32\lQZtFld.exe
  2⤵
  PID:12536
- C:\Windows\System32\GupAupx.exe
  C:\Windows\System32\GupAupx.exe
  2⤵
  PID:12556
- C:\Windows\System32\gguvkAE.exe
  C:\Windows\System32\gguvkAE.exe
  2⤵
  PID:12596
- C:\Windows\System32\VkDofBm.exe
  C:\Windows\System32\VkDofBm.exe
  2⤵
  PID:12632
- C:\Windows\System32\zgnUiiJ.exe
  C:\Windows\System32\zgnUiiJ.exe
  2⤵
  PID:12652
- C:\Windows\System32\HaFuhRD.exe
  C:\Windows\System32\HaFuhRD.exe
  2⤵
  PID:12680
- C:\Windows\System32\VmQnGUs.exe
  C:\Windows\System32\VmQnGUs.exe
  2⤵
  PID:12708
- C:\Windows\System32\EBxsZrx.exe
  C:\Windows\System32\EBxsZrx.exe
  2⤵
  PID:12728
- C:\Windows\System32\BxOHiCf.exe
  C:\Windows\System32\BxOHiCf.exe
  2⤵
  PID:12752
- C:\Windows\System32\NCYlboA.exe
  C:\Windows\System32\NCYlboA.exe
  2⤵
  PID:12772
- C:\Windows\System32\NFfZmai.exe
  C:\Windows\System32\NFfZmai.exe
  2⤵
  PID:12804
- C:\Windows\System32\zrZRBYF.exe
  C:\Windows\System32\zrZRBYF.exe
  2⤵
  PID:12852
- C:\Windows\System32\dAOmpjN.exe
  C:\Windows\System32\dAOmpjN.exe
  2⤵
  PID:12896
- C:\Windows\System32\BbAtFuq.exe
  C:\Windows\System32\BbAtFuq.exe
  2⤵
  PID:12924
- C:\Windows\System32\mqgSwkm.exe
  C:\Windows\System32\mqgSwkm.exe
  2⤵
  PID:12948
- C:\Windows\System32\NKDRAvo.exe
  C:\Windows\System32\NKDRAvo.exe
  2⤵
  PID:12976
- C:\Windows\System32\vIQljGq.exe
  C:\Windows\System32\vIQljGq.exe
  2⤵
  PID:13004
- C:\Windows\System32\ScPCjpQ.exe
  C:\Windows\System32\ScPCjpQ.exe
  2⤵
  PID:13032
- C:\Windows\System32\AfnZzWH.exe
  C:\Windows\System32\AfnZzWH.exe
  2⤵
  PID:13052
- C:\Windows\System32\tGoIufB.exe
  C:\Windows\System32\tGoIufB.exe
  2⤵
  PID:13080
- C:\Windows\System32\GyLfPlR.exe
  C:\Windows\System32\GyLfPlR.exe
  2⤵
  PID:13120
- C:\Windows\System32\WIEcDGi.exe
  C:\Windows\System32\WIEcDGi.exe
  2⤵
  PID:13144
- C:\Windows\System32\UGczeyt.exe
  C:\Windows\System32\UGczeyt.exe
  2⤵
  PID:13164
- C:\Windows\System32\SFsjBEI.exe
  C:\Windows\System32\SFsjBEI.exe
  2⤵
  PID:13184
- C:\Windows\System32\UszJXFO.exe
  C:\Windows\System32\UszJXFO.exe
  2⤵
  PID:13212
- C:\Windows\System32\BXXnvhE.exe
  C:\Windows\System32\BXXnvhE.exe
  2⤵
  PID:13260
- C:\Windows\System32\mYyXSJu.exe
  C:\Windows\System32\mYyXSJu.exe
  2⤵
  PID:13276
- C:\Windows\System32\RtFbyjW.exe
  C:\Windows\System32\RtFbyjW.exe
  2⤵
  PID:13296
- C:\Windows\System32\XokoewD.exe
  C:\Windows\System32\XokoewD.exe
  2⤵
  PID:12296
- C:\Windows\System32\NktBMys.exe
  C:\Windows\System32\NktBMys.exe
  2⤵
  PID:12372
- C:\Windows\System32\pHqKBpM.exe
  C:\Windows\System32\pHqKBpM.exe
  2⤵
  PID:2276
- C:\Windows\System32\Fqtwioe.exe
  C:\Windows\System32\Fqtwioe.exe
  2⤵
  PID:12524

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AJEIZcA.exe

Filesize
1.6MB

MD5
c0bad52a9a071c36bef9852279b020e4

SHA1
04f9dc69a050cb2cd4ad871fe0e3328feced67f3

SHA256
429e20a9fa781a221fb658fea58e48353f25cd4c50cbc23cce724176ac8d48a1

SHA512
a76958bbb38b8e2b6ff4ae87d6d68e2507856d4392c4cea95309f5bd70e5d8e01f6599839119be5758ae8894d1f8214dd4d3c1a961cb985c24fda0fe19edbd00

Download Submit
C:\Windows\System32\GEvgWfz.exe

Filesize
1.6MB

MD5
4d1bfee81b232eb0fee1ed6f282a7f49

SHA1
5adddf15b2d0d2a23b4409e17f52e47c4322884f

SHA256
999e3e042f69cb5590556c505a778f555215770777963888389a441e5819808d

SHA512
7305d0aff51f469aada9c382cd7bfd540f3d5446747e66706063cda9ea2d58470ba0e3e63f5e9c94112afc0e578aa37fb2a2840a3074e87bbdc7bc2d88c36b90

Download Submit
C:\Windows\System32\HoAAYSi.exe

Filesize
1.6MB

MD5
82142d8b683fa39257982db9c8ff316b

SHA1
4d85ba784cb8c4972e1757546242cf0d36ed5a89

SHA256
6512d7d0f3c137dcdb65ad8af30be5ab0b767b376b173952103e3389c793233b

SHA512
125ddcc728c410769bd7802a0704bb10009e90d44e92908a1a69c9d4179aa438b592a16b3204b9059edae755cf55ee10503cb80ec26bf6ae11d7b19f08105de4

Download Submit
C:\Windows\System32\KEThhsa.exe

Filesize
1.6MB

MD5
eb3b1e393adf8b8a25e40bd6a048110e

SHA1
d4a8408e059b60268d7d440231a873d6bb6c123f

SHA256
5de865b781df64993521a99ae5389565125d939c5db2df91940e0da207ff2d0c

SHA512
7b575d8d6a6aa663e29c416c1134ceed3a50bc0f74355285c7fc62465cb0ca9deaccdb726839b47618ad7e68edebdd1f7542fc1f0da82f8fd86fab4276bad81b

Download Submit
C:\Windows\System32\Mwbihkk.exe

Filesize
1.6MB

MD5
399a44bf505fc5b0fbd7c64c48f20bb3

SHA1
619d6e8c816b3c10f6c346112f566531d270560f

SHA256
7b55d29e72078d4a5a9727c7b65f8bee9680ada2456d2d6aa3ca78ae3d99ab7d

SHA512
10afaa890c803845f8905bcc65df54683f26f12809526340b359fb4fedd7c413b9cdcd82fa21d0731283127405a9e1a3ec42274ced4953cef9425c80a257d171

Download Submit
C:\Windows\System32\SlUeRpk.exe

Filesize
1.6MB

MD5
49834b5f3d11009569dffdf696319c15

SHA1
b968ffbee2fcd1e4e9b6658da288f72e3b77caf3

SHA256
0fb9ad29852a0cde54fb7123873be2f494eca7a7f0b2fa47506c47cccc20291b

SHA512
dcc8986327dca1436766c13f053c6b1579e751513159612fe3537958fe3761ca3844a75138c77b911556979799a1f6fdb045e6284f0fe0ce060d32ed696668ef

Download Submit
C:\Windows\System32\Vndagca.exe

Filesize
1.6MB

MD5
ab6746cdb420ec3fdeac73c3aa0c5dc8

SHA1
bdefb90fa9ed1823523cd419950ac42e7a5f9493

SHA256
98c219acf3b669c714cf856bf40be77aa6866c95ca56a52b6db42db278de8218

SHA512
58a3470e2a32d02818a3bfeec6c2e615d4b6858c5bee4eeb45b9c0df6edc44da41bcc03c1c30b7d9184c40ae879e758b94dc7636f2cbeeedd4305ae929ac0ea9

Download Submit
C:\Windows\System32\WllxJum.exe

Filesize
1.6MB

MD5
67d53f450e38fe2e323611d4d1ef32c8

SHA1
10e85e18e808b48c917fda4583c92c6600a41fca

SHA256
f1b2464ee6e5a28e498c213a4fabdb8acee86201734bfa91ec1c1afaa5dd60c3

SHA512
c44e9378d87330bc97cd95fe474b156f7820b683d1e93fe6744600c686fd1d04a5a3b5a778e1cb1d59fe241c450dfbbf12fac5caa6ff982514e2616e3cc5b333

Download Submit
C:\Windows\System32\XeAEeVx.exe

Filesize
1.6MB

MD5
995c31275d2678e5695ae72329d66a86

SHA1
14caa7841929a8c7685f19af1f40fc7bd8ac1a6d

SHA256
934c638394fd30799b9d965690bfe77106db7078d7485744a3c790573cc44a9f

SHA512
246a7d92135639ad239e9a4f5de2084f9bafc5bf348bbbbc97e60606dad062219d36182c95fecb671ffeea875188c68d44f78ac7511e44957be184c205c1d7dc

Download Submit
C:\Windows\System32\ZQizovF.exe

Filesize
1.6MB

MD5
f189ec76316a010e37637e121d379666

SHA1
c6d96d7d483007002ebdafb026e77d145c210cf8

SHA256
7c44c4bcd37a4bc224b02793a9780f3170a3af9ebb0f9c3a3cc005d73f9063a1

SHA512
b495e4552177e60de24af5c1b98c635568767a8d6322f3fe5a4db85f7decd7c7de2260b714f272fc69d53bc789be8173301ed39811229dc74770c766e4bc6d75

Download Submit
C:\Windows\System32\aCowvkS.exe

Filesize
1.6MB

MD5
cdc84e8da17710bffb9be7557ee3ea2c

SHA1
86bfc75a57936e4bd684f1c31b576bdbdf29b794

SHA256
9e999b67ab75169f47106eaadc34f1869b293177811bafa98f67d57d62ed94e4

SHA512
3b48a0334c4be694be9e1a56109ad82050e4575dfa692f2148a3d3edbf2737ab36487a65a699de5fec1f62ae608b17b0259121d37d931e281ea786a4a4e0b10e

Download Submit
C:\Windows\System32\acREwbR.exe

Filesize
1.6MB

MD5
fa7cb967736c93a3ecd7c583b7b0ca30

SHA1
994ec351efe92d1ce6e1464dd2c229d01c23dbfd

SHA256
1db22ae5fe7bb5c30ea4ed2e3bbe401d770188f2ab51ede86306ae7725666d44

SHA512
91aa8fba5971d8acb8bfcc1806344f99f45b4fe689bc79d347a390163ef5c147ca15f9257ff240f49240b47aaba0ca42ee572658c5cf735638d5b0545ed90066

Download Submit
C:\Windows\System32\bYwkCIE.exe

Filesize
1.6MB

MD5
2daf37ec11ee451376fb3e76de1fa359

SHA1
9bb65e6c1267619e3cd21f7e383d64481982737b

SHA256
0b354e48590048def327eb1c43af434bbf25190dbd0603cf39102ba3c2acaaa2

SHA512
88b7cbc0e442e09e781d312ca6cc00ca2ef65b79268fd7df33903ed3607b32bf1ede807e5cac3fecb73a8ab875a18b7dd59e6a5ab4de2ee2e4e24f3ac1c99673

Download Submit
C:\Windows\System32\dELPpio.exe

Filesize
1.6MB

MD5
5c4f69f719e506e8b932b92984216bb0

SHA1
840c432291f5ce013353ebe8ecb9ee01d412b599

SHA256
d21174514e78c1cf46040b97ee2d049ad3866fab7f4afa38fa448347bb7f674d

SHA512
c63ba35a941b753a69a70604e6b160cb466f21c15253f4a5896705e96da11c90b2d68173f535f09ac3fc6600314d64c5c6d45d66988cd37997d859c2f206facb

Download Submit
C:\Windows\System32\fKDmirf.exe

Filesize
1.6MB

MD5
96383cfed5b1f90ac8d6c4b2f043e5cc

SHA1
ced50ebd42d58a022a7ee7371e4e498f09ab046b

SHA256
fb429cd442dfbe9fd2c056fef6ee1e5d0608b63f6ed2e2cae9cc4c5b9d8fae05

SHA512
6c8a7c385908eb28adfb45365a4d7b15475919fc51c11b66a4af5e50c3ab2ab22efa8665b106318062522d2ab0f8f50749e950948177cadd9418ed45fbcddea4

Download Submit
C:\Windows\System32\hNeqVUy.exe

Filesize
1.6MB

MD5
ee7d8b6d7baaf8d3d406e4fca024bf7c

SHA1
2ffe2c3f85c00bdf9e7dcb7104b2a7bd95e73959

SHA256
a35333da2a618efcec7fdfda3c3420499ff07b1bf8e055456efcbac883474ee4

SHA512
2b3fc8f5bc7d00e917368f5f9d53221317435dc61e33efb065867876f8ee9cd66af5b563701cb8a3c27a7005b07e15cdec0833b1c67ac489591430549bc76257

Download Submit
C:\Windows\System32\hgRdIqY.exe

Filesize
1.6MB

MD5
f0500b9441ac3e19adab4b8e472860bf

SHA1
7d688ff81ef668835129c31dd2c7d9739c687fd4

SHA256
5d23e43dd70978c11f81dce38b8c0a1c1ae41ff5083b8f9444381e4239ca6182

SHA512
a49d3a86957a1e277a9938957b067313b10f76462f0aab7b79238a46152c3cd2f7965011256003363ff221c9e12159b72f0979ad7a95b478e1bfe6350a566fac

Download Submit
C:\Windows\System32\iLXeNUA.exe

Filesize
1.6MB

MD5
11613aaaac30c074735ba409cc29a39e

SHA1
fc02fa0d1a42d80d34e5840d88463d6f0268fd12

SHA256
782cc925e1eca398514b9cb267fb76067fb67068c6371f80e95f267fbd1519ce

SHA512
76674d93c7d0a6bcfccef7f15ff49620af7fb45fa5036ab99646c355297ed4a1418f98363afb1bf2351d97541a4c7d220a5e8c41ea68759da7d084fe6c846869

Download Submit
C:\Windows\System32\iRxFKNq.exe

Filesize
1.6MB

MD5
8fdbdd9129e76b360a44f8b9dadc56a2

SHA1
97359384375973fc1fa9dbbf5a634a1f4a775a65

SHA256
8fa1de160aa96f3efdccacb9d8ad16abf38897eec1b684f276fd1f02500e74b4

SHA512
f339bcd4df1afc3b139fb05b0e172edc80e17697d969a23b63e8adfe5dc54a0054eb3c7ffd7f6caf59353326e23831e65ca31025e3f5eb299081ec5f2f57924d

Download Submit
C:\Windows\System32\jtVkpKx.exe

Filesize
1.6MB

MD5
09dab2f4df490a363fa2dd725c50ab61

SHA1
ddde49b457bec615b3aba6c6bbed915e5e43d323

SHA256
61517dd3cb0e7eb969f3698045df36926c1f2f290939effac1b59a55d5be2372

SHA512
d306a76fdb2c55ec29fc87134e026841fc8c90d22920b7c8be7dd477bf67ddc9d7c29a25dcbcdbf02ffa83561aa4ac348518351e9b2d77fe82c80cfd6f61025e

Download Submit
C:\Windows\System32\kCLELjT.exe

Filesize
1.6MB

MD5
e2cd53e2329395c9219e8921920036d9

SHA1
8d9ae1020ac8332367eb9e3f24726dd981657f9a

SHA256
26359093b7f1fd652c601bcd93361c07de4a43466d45de7a627d798a83e5f771

SHA512
c10ce5d4d63d50dad3a7b4e6bad4a5cbc39b3d8e70e01a78c2dbb566a5d7b0e845fcc05c16714cd69897c3457d0c144bf7017da7daa1801d1f5bd1af8897040e

Download Submit
C:\Windows\System32\kpyFiEw.exe

Filesize
1.6MB

MD5
a03a3187e747805b6f5f0e4afe303a75

SHA1
e4427e234589e587799d6c06bae28de30103703c

SHA256
47337581ab0ce00650375ac395a8d36bfd7eecc66b702b1db71e3eef45a8018d

SHA512
620b2308bbb8f8fd0044246f566ea829bb0da65ad0c39baa358326636f87927aec13100c38e1c1d848e716ef32c9fc725cf601c8219b7bc921e211559eb6ab27

Download Submit
C:\Windows\System32\nNoXPkO.exe

Filesize
1.6MB

MD5
66458a2d0878c9be858702ae74da4bba

SHA1
eea45adc220ec195d76a0ba9b43baad2353b3bfe

SHA256
e5cbacb5d29af54edc4e4ac069ee5ce6ae13e4832736776735ddeebce0c07194

SHA512
93fd9fb35930a3d928401e8fdf81d5b1ba1c838681706d08fa9df6682535dad129f6544331edd7f6638bc08bc604dda328e409a4d0ae20cf63a814386c3fb24d

Download Submit
C:\Windows\System32\pyJsPmX.exe

Filesize
1.6MB

MD5
c7d578ccf5720189619e4df7993a269c

SHA1
272f81a2db31d91956f509c053d540e09a37961e

SHA256
0dda81511f356b6d147e526df2235ff846ba2a7d92a7b9c7c749d1840dfb140c

SHA512
a074d42319189e850dc3dc112e1c89c2f66ac0aa2193410b3a508d5b82ac7426b72c464639de3bd4220f9af08c657e13dafecae2f4e408c94a79d3bffe824bef

Download Submit
C:\Windows\System32\qqWKLtG.exe

Filesize
1.6MB

MD5
0498e754f515aaf38b34754dbe95d67b

SHA1
3cc2edb02b3c59e092bb26a14d7c1fa22c7d3b40

SHA256
c8e8573c14acf3874b8e126c4b4011e9f59dc22825c92f35a5e1e87ff9e3c805

SHA512
bc073dd2d398580aac66ad18b3677280e312bc849e35d4f9d573c434fc45df56d5ad9d42c64db2bcd78bf7120daf7630d92b80e438542a17fcb38edb7058b978

Download Submit
C:\Windows\System32\ruHmBMi.exe

Filesize
1.6MB

MD5
6db73501501cac573f2f2ce59ae6db80

SHA1
28fc4a5a4b478304a68eaa5050f580d978b1b581

SHA256
4d3c8d58630432490b267d0bae741ce794920464808d52df0b14e405ed36b5c5

SHA512
6724b570899c3c128e79812853236607a0c5a37775fe1e091d2e209487eac62af02aa7f8dd84a15d24dafbdf4da6bfbd9801811cf83d6c3f41426e37ba11d1f9

Download Submit
C:\Windows\System32\tuxuyQx.exe

Filesize
1.6MB

MD5
912473a7c43756ff5294e433146467b7

SHA1
7cc66d0d94ccc9a8ce3405f6f83378b58c7cdbba

SHA256
7c400711100621170bcf10f660bfb1be458d2a02cdc833116fa31061c1866927

SHA512
60988e5bc58e12731284fe82fac7242d841d4472c00f80d8ff6d230f958d0860ccaba232cc45c1c2c62c3b503a08f614d4b41a172d3085b048c3b5acd61c0ee8

Download Submit
C:\Windows\System32\vBkubqe.exe

Filesize
1.6MB

MD5
35bd2281d7cbf54fd7ca7e917a2622c3

SHA1
1a5a76ec219dc6850de5df5849935854742bcd7e

SHA256
a3f05939bc845e590e11e446f1d14726d0b40ced62ff2714fc3bad687f1a7211

SHA512
094860fc56bf5e721ee41ee66c03a0d15f65527f70d5e4284c647265f003607d77a929dbf4330644cffe9c1377ce8a480354fe5bf60bace6c9838ee5613fbc1c

Download Submit
C:\Windows\System32\wXCzFBC.exe

Filesize
1.6MB

MD5
4256625f3311f4e9cd1342b877deeca0

SHA1
31458eaff29bc99eb2512956aa7e95282f3149cb

SHA256
ee7b54a9aa4a5fc9e250a88102f815bc041f1e680c89525e67c58d3fe0091785

SHA512
cc1a667087aeac74f4315405ea7ab3eb089dcd98d76b2d623664dc133bac67ddb6b6c140865a525901d0a8c0dec78edc52589773d042654ee3b392ea582770a7

Download Submit
C:\Windows\System32\zCVTiet.exe

Filesize
1.6MB

MD5
4f72f4fe25ec856e0178c7748ec49632

SHA1
333d0e6543e4a63ba3902543511bbd2e58ca5c61

SHA256
da81b16a7bf8c6ebc9b9641dd6840bd6e0730ec83836fc7b70a7effcc09fe988

SHA512
64bfeb582c652e86e9f14295270cc960363a9549bf5e24459c5b29756d5ac55dd16255b57a2c621972170decd8ec5d1ff93e8f3b9acdc6229d248e71680d8bfa

Download Submit
C:\Windows\System32\ziFeJeT.exe

Filesize
1.6MB

MD5
bf136884bb6697ae1d16108c79372286

SHA1
5c87bf0340f2641b99855977d22e0a128097c71e

SHA256
ca2cd5ae28e62ab3d79d333b92518a0b82ea93c7320b05714142ca87c7e38d51

SHA512
d9e3ed96544bb5486e19aa768a4cfc9792375401f6c0cdecfd27a0898d001b52550cc294b8b320ab5d2d650bd5a57c00ee5ca4c02a5cb114478190419802064a

Download Submit
C:\Windows\System32\zlcEhvb.exe

Filesize
1.6MB

MD5
5fb9cdce5d5f40026c2d9eb3e37141b8

SHA1
68f455e5b99d3ec81e9a5665ac479f608de86bf7

SHA256
4a38521c8105bacafdfbc3b5e18d5d0c8d4c28bff22e44fa44ac65195ecaf47a

SHA512
25a97027a4d9b547fcf7ffdb58d51e380fe5721bcdb05c058928b0c529fc3507fc5a9de181bee9b87c0b09fbd3f54f16d009c4c65a20bc0aff9d8cc25a3fc451

Download Submit
memory/720-2020-0x00007FF6E9990000-0x00007FF6E9D81000-memory.dmp

Filesize
3.9MB

Download
memory/720-428-0x00007FF6E9990000-0x00007FF6E9D81000-memory.dmp

Filesize
3.9MB

Download
memory/880-482-0x00007FF743340000-0x00007FF743731000-memory.dmp

Filesize
3.9MB

Download
memory/880-2046-0x00007FF743340000-0x00007FF743731000-memory.dmp

Filesize
3.9MB

Download
memory/1096-432-0x00007FF6395B0000-0x00007FF6399A1000-memory.dmp

Filesize
3.9MB

Download
memory/1096-2026-0x00007FF6395B0000-0x00007FF6399A1000-memory.dmp

Filesize
3.9MB

Download
memory/1172-11-0x00007FF63F2F0000-0x00007FF63F6E1000-memory.dmp

Filesize
3.9MB

Download
memory/1172-2016-0x00007FF63F2F0000-0x00007FF63F6E1000-memory.dmp

Filesize
3.9MB

Download
memory/1172-1989-0x00007FF63F2F0000-0x00007FF63F6E1000-memory.dmp

Filesize
3.9MB

Download
memory/1212-470-0x00007FF76E710000-0x00007FF76EB01000-memory.dmp

Filesize
3.9MB

Download
memory/1212-2080-0x00007FF76E710000-0x00007FF76EB01000-memory.dmp

Filesize
3.9MB

Download
memory/1296-2039-0x00007FF7C47D0000-0x00007FF7C4BC1000-memory.dmp

Filesize
3.9MB

Download
memory/1296-446-0x00007FF7C47D0000-0x00007FF7C4BC1000-memory.dmp

Filesize
3.9MB

Download
memory/1540-431-0x00007FF699630000-0x00007FF699A21000-memory.dmp

Filesize
3.9MB

Download
memory/1540-2024-0x00007FF699630000-0x00007FF699A21000-memory.dmp

Filesize
3.9MB

Download
memory/1848-488-0x00007FF7CB470000-0x00007FF7CB861000-memory.dmp

Filesize
3.9MB

Download
memory/1848-2078-0x00007FF7CB470000-0x00007FF7CB861000-memory.dmp

Filesize
3.9MB

Download
memory/1916-1-0x000001F16C0E0000-0x000001F16C0F0000-memory.dmp

Filesize
64KB

Download
memory/1916-1988-0x00007FF630BA0000-0x00007FF630F91000-memory.dmp

Filesize
3.9MB

Download
memory/1916-0-0x00007FF630BA0000-0x00007FF630F91000-memory.dmp

Filesize
3.9MB

Download
memory/2372-434-0x00007FF6D23F0000-0x00007FF6D27E1000-memory.dmp

Filesize
3.9MB

Download
memory/2372-2028-0x00007FF6D23F0000-0x00007FF6D27E1000-memory.dmp

Filesize
3.9MB

Download
memory/2392-460-0x00007FF6A2F40000-0x00007FF6A3331000-memory.dmp

Filesize
3.9MB

Download
memory/2392-2044-0x00007FF6A2F40000-0x00007FF6A3331000-memory.dmp

Filesize
3.9MB

Download
memory/2464-2076-0x00007FF76A860000-0x00007FF76AC51000-memory.dmp

Filesize
3.9MB

Download
memory/2464-478-0x00007FF76A860000-0x00007FF76AC51000-memory.dmp

Filesize
3.9MB

Download
memory/2508-433-0x00007FF6C2170000-0x00007FF6C2561000-memory.dmp

Filesize
3.9MB

Download
memory/2508-2030-0x00007FF6C2170000-0x00007FF6C2561000-memory.dmp

Filesize
3.9MB

Download
memory/2760-437-0x00007FF7D2540000-0x00007FF7D2931000-memory.dmp

Filesize
3.9MB

Download
memory/2760-2036-0x00007FF7D2540000-0x00007FF7D2931000-memory.dmp

Filesize
3.9MB

Download
memory/3080-430-0x00007FF6B7C40000-0x00007FF6B8031000-memory.dmp

Filesize
3.9MB

Download
memory/3080-2022-0x00007FF6B7C40000-0x00007FF6B8031000-memory.dmp

Filesize
3.9MB

Download
memory/3092-2074-0x00007FF615610000-0x00007FF615A01000-memory.dmp

Filesize
3.9MB

Download
memory/3092-465-0x00007FF615610000-0x00007FF615A01000-memory.dmp

Filesize
3.9MB

Download
memory/3176-429-0x00007FF6FA9E0000-0x00007FF6FADD1000-memory.dmp

Filesize
3.9MB

Download
memory/3176-2034-0x00007FF6FA9E0000-0x00007FF6FADD1000-memory.dmp

Filesize
3.9MB

Download
memory/3388-490-0x00007FF726E20000-0x00007FF727211000-memory.dmp

Filesize
3.9MB

Download
memory/3388-2056-0x00007FF726E20000-0x00007FF727211000-memory.dmp

Filesize
3.9MB

Download
memory/3872-436-0x00007FF7BB0E0000-0x00007FF7BB4D1000-memory.dmp

Filesize
3.9MB

Download
memory/3872-2041-0x00007FF7BB0E0000-0x00007FF7BB4D1000-memory.dmp

Filesize
3.9MB

Download
memory/4100-453-0x00007FF621430000-0x00007FF621821000-memory.dmp

Filesize
3.9MB

Download
memory/4100-2049-0x00007FF621430000-0x00007FF621821000-memory.dmp

Filesize
3.9MB

Download
memory/4224-2058-0x00007FF7E1B00000-0x00007FF7E1EF1000-memory.dmp

Filesize
3.9MB

Download
memory/4224-491-0x00007FF7E1B00000-0x00007FF7E1EF1000-memory.dmp

Filesize
3.9MB

Download
memory/4684-2051-0x00007FF644830000-0x00007FF644C21000-memory.dmp

Filesize
3.9MB

Download
memory/4684-455-0x00007FF644830000-0x00007FF644C21000-memory.dmp

Filesize
3.9MB

Download
memory/4824-435-0x00007FF78F250000-0x00007FF78F641000-memory.dmp

Filesize
3.9MB

Download
memory/4824-2032-0x00007FF78F250000-0x00007FF78F641000-memory.dmp

Filesize
3.9MB

Download
memory/4924-2042-0x00007FF7E5700000-0x00007FF7E5AF1000-memory.dmp

Filesize
3.9MB

Download
memory/4924-438-0x00007FF7E5700000-0x00007FF7E5AF1000-memory.dmp

Filesize
3.9MB

Download
memory/5104-2018-0x00007FF628FD0000-0x00007FF6293C1000-memory.dmp

Filesize
3.9MB

Download
memory/5104-1990-0x00007FF628FD0000-0x00007FF6293C1000-memory.dmp

Filesize
3.9MB

Download
memory/5104-14-0x00007FF628FD0000-0x00007FF6293C1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads