xmrig | e7024780d04a5292593670bb08f27352a5694d48c20ae64d8a950bd8daa118ca

Analysis

max time kernel
101s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18-06-2024 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
Size

1.1MB
MD5

bb8b5ed36cf08b89eaa1bb67fc524ba3
SHA1

3d7e48504a1c28b6d728182aa3b9a963eaa6fb17
SHA256

e7024780d04a5292593670bb08f27352a5694d48c20ae64d8a950bd8daa118ca
SHA512

8e85ab1c2a9e50331c8485c39fff669f097cb4e5a5e9ba42ea15230b97ff93a15f399bc0fe72f8a340368c5fcd383dfc8e77d4f2b1c37f12f066c45583b4eb60
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XCejIODosTigQytOFk:knw9oUUEEDlGUrMNn

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 50 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4356-37-0x00007FF73C180000-0x00007FF73C571000-memory.dmp	xmrig
behavioral2/memory/1680-52-0x00007FF656840000-0x00007FF656C31000-memory.dmp	xmrig
behavioral2/memory/4132-348-0x00007FF6E7E40000-0x00007FF6E8231000-memory.dmp	xmrig
behavioral2/memory/1376-353-0x00007FF6C52C0000-0x00007FF6C56B1000-memory.dmp	xmrig
behavioral2/memory/2560-370-0x00007FF6902E0000-0x00007FF6906D1000-memory.dmp	xmrig
behavioral2/memory/4004-378-0x00007FF6977A0000-0x00007FF697B91000-memory.dmp	xmrig
behavioral2/memory/5064-383-0x00007FF605680000-0x00007FF605A71000-memory.dmp	xmrig
behavioral2/memory/4676-384-0x00007FF693190000-0x00007FF693581000-memory.dmp	xmrig
behavioral2/memory/4496-386-0x00007FF6C38C0000-0x00007FF6C3CB1000-memory.dmp	xmrig
behavioral2/memory/2104-387-0x00007FF7CB260000-0x00007FF7CB651000-memory.dmp	xmrig
behavioral2/memory/3964-388-0x00007FF686FD0000-0x00007FF6873C1000-memory.dmp	xmrig
behavioral2/memory/5084-391-0x00007FF766010000-0x00007FF766401000-memory.dmp	xmrig
behavioral2/memory/2160-392-0x00007FF79C4B0000-0x00007FF79C8A1000-memory.dmp	xmrig
behavioral2/memory/1608-393-0x00007FF7CD1B0000-0x00007FF7CD5A1000-memory.dmp	xmrig
behavioral2/memory/1344-389-0x00007FF6D9A60000-0x00007FF6D9E51000-memory.dmp	xmrig
behavioral2/memory/4580-390-0x00007FF6FB550000-0x00007FF6FB941000-memory.dmp	xmrig
behavioral2/memory/2332-359-0x00007FF72E400000-0x00007FF72E7F1000-memory.dmp	xmrig
behavioral2/memory/632-26-0x00007FF7C55F0000-0x00007FF7C59E1000-memory.dmp	xmrig
behavioral2/memory/540-1915-0x00007FF736B60000-0x00007FF736F51000-memory.dmp	xmrig
behavioral2/memory/636-1920-0x00007FF606950000-0x00007FF606D41000-memory.dmp	xmrig
behavioral2/memory/3296-2060-0x00007FF748B70000-0x00007FF748F61000-memory.dmp	xmrig
behavioral2/memory/4356-2061-0x00007FF73C180000-0x00007FF73C571000-memory.dmp	xmrig
behavioral2/memory/4240-2062-0x00007FF70C120000-0x00007FF70C511000-memory.dmp	xmrig
behavioral2/memory/1228-2063-0x00007FF6F3E20000-0x00007FF6F4211000-memory.dmp	xmrig
behavioral2/memory/2268-2096-0x00007FF6B99F0000-0x00007FF6B9DE1000-memory.dmp	xmrig
behavioral2/memory/540-2098-0x00007FF736B60000-0x00007FF736F51000-memory.dmp	xmrig
behavioral2/memory/1920-2113-0x00007FF762820000-0x00007FF762C11000-memory.dmp	xmrig
behavioral2/memory/632-2111-0x00007FF7C55F0000-0x00007FF7C59E1000-memory.dmp	xmrig
behavioral2/memory/636-2115-0x00007FF606950000-0x00007FF606D41000-memory.dmp	xmrig
behavioral2/memory/3296-2119-0x00007FF748B70000-0x00007FF748F61000-memory.dmp	xmrig
behavioral2/memory/4356-2118-0x00007FF73C180000-0x00007FF73C571000-memory.dmp	xmrig
behavioral2/memory/2560-2121-0x00007FF6902E0000-0x00007FF6906D1000-memory.dmp	xmrig
behavioral2/memory/4004-2135-0x00007FF6977A0000-0x00007FF697B91000-memory.dmp	xmrig
behavioral2/memory/4496-2141-0x00007FF6C38C0000-0x00007FF6C3CB1000-memory.dmp	xmrig
behavioral2/memory/2104-2143-0x00007FF7CB260000-0x00007FF7CB651000-memory.dmp	xmrig
behavioral2/memory/4676-2139-0x00007FF693190000-0x00007FF693581000-memory.dmp	xmrig
behavioral2/memory/5064-2137-0x00007FF605680000-0x00007FF605A71000-memory.dmp	xmrig
behavioral2/memory/4240-2133-0x00007FF70C120000-0x00007FF70C511000-memory.dmp	xmrig
behavioral2/memory/1376-2131-0x00007FF6C52C0000-0x00007FF6C56B1000-memory.dmp	xmrig
behavioral2/memory/2332-2130-0x00007FF72E400000-0x00007FF72E7F1000-memory.dmp	xmrig
behavioral2/memory/1228-2127-0x00007FF6F3E20000-0x00007FF6F4211000-memory.dmp	xmrig
behavioral2/memory/4132-2125-0x00007FF6E7E40000-0x00007FF6E8231000-memory.dmp	xmrig
behavioral2/memory/1680-2123-0x00007FF656840000-0x00007FF656C31000-memory.dmp	xmrig
behavioral2/memory/3964-2145-0x00007FF686FD0000-0x00007FF6873C1000-memory.dmp	xmrig
behavioral2/memory/1344-2147-0x00007FF6D9A60000-0x00007FF6D9E51000-memory.dmp	xmrig
behavioral2/memory/5084-2149-0x00007FF766010000-0x00007FF766401000-memory.dmp	xmrig
behavioral2/memory/2268-2220-0x00007FF6B99F0000-0x00007FF6B9DE1000-memory.dmp	xmrig
behavioral2/memory/4580-2160-0x00007FF6FB550000-0x00007FF6FB941000-memory.dmp	xmrig
behavioral2/memory/1608-2157-0x00007FF7CD1B0000-0x00007FF7CD5A1000-memory.dmp	xmrig
behavioral2/memory/2160-2155-0x00007FF79C4B0000-0x00007FF79C8A1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

Processes:

BGJIZKT.exeWVPgNkl.exewQRFdbO.exeVCMCQSw.exeroWFnpr.exetDXDygV.exeXxlQYiI.exeWXWtKEs.exeNxQIKcS.exetVWjaST.exeSpfiOPU.exeLUxCIei.exeMadwdeC.exedAllKdK.exeQzUGbCy.exelVicnRS.exevBRqIBd.exebqblbpd.exejzSTeRq.execFswcKt.exedvoCMbh.exezNBsBQA.exeFzXEPjM.exeHRtOEHM.exeEZuPapn.exeTHtxFIa.exeBqDdGSy.exezWBlbRw.exeAsPefuc.exesSrFLZa.exeVwPBBvI.exezQRaspR.exeShRUpKi.exejZtzfTQ.exeuHbRnNb.exetdyNrAB.exeOpefnsd.exeRoesSQF.exeZgAMFDV.exeiGDGinC.exeHnxllpi.exeGFqAkbx.exedgKnWtg.exejyJpldx.exebaUybnC.exeruqDDtZ.exeMWZaOCm.exeDVdzyFU.exeBHENOpT.exeLKUyCKY.exekYsWuhU.exefeQMomT.exeTFTxaCj.exeLFjwMQQ.exeedjshYj.exeJYGlwbR.exeXYqOEQW.exeAPUiNUh.exePPJnEMz.execKQljOm.exeWJaDxAj.exeFImHNXf.exeuPzfivH.exeNQRHZTH.exe

pid	process
1920	BGJIZKT.exe
632	WVPgNkl.exe
636	wQRFdbO.exe
3296	VCMCQSw.exe
4356	roWFnpr.exe
4240	tDXDygV.exe
1228	XxlQYiI.exe
1680	WXWtKEs.exe
2268	NxQIKcS.exe
4132	tVWjaST.exe
1376	SpfiOPU.exe
2332	LUxCIei.exe
2560	MadwdeC.exe
4004	dAllKdK.exe
5064	QzUGbCy.exe
4676	lVicnRS.exe
4496	vBRqIBd.exe
2104	bqblbpd.exe
3964	jzSTeRq.exe
1344	cFswcKt.exe
4580	dvoCMbh.exe
5084	zNBsBQA.exe
2160	FzXEPjM.exe
1608	HRtOEHM.exe
3252	EZuPapn.exe
3668	THtxFIa.exe
3444	BqDdGSy.exe
4124	zWBlbRw.exe
4080	AsPefuc.exe
4284	sSrFLZa.exe
4152	VwPBBvI.exe
3868	zQRaspR.exe
4788	ShRUpKi.exe
1980	jZtzfTQ.exe
1696	uHbRnNb.exe
1516	tdyNrAB.exe
4008	Opefnsd.exe
512	RoesSQF.exe
4032	ZgAMFDV.exe
1572	iGDGinC.exe
4740	Hnxllpi.exe
4720	GFqAkbx.exe
1612	dgKnWtg.exe
968	jyJpldx.exe
2652	baUybnC.exe
1220	ruqDDtZ.exe
4328	MWZaOCm.exe
3588	DVdzyFU.exe
1156	BHENOpT.exe
2820	LKUyCKY.exe
1736	kYsWuhU.exe
60	feQMomT.exe
3828	TFTxaCj.exe
2852	LFjwMQQ.exe
3360	edjshYj.exe
4700	JYGlwbR.exe
2204	XYqOEQW.exe
2036	APUiNUh.exe
392	PPJnEMz.exe
4500	cKQljOm.exe
2212	WJaDxAj.exe
4724	FImHNXf.exe
3740	uPzfivH.exe
4532	NQRHZTH.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/540-0-0x00007FF736B60000-0x00007FF736F51000-memory.dmp	upx
C:\Windows\System32\BGJIZKT.exe	upx
behavioral2/memory/1920-18-0x00007FF762820000-0x00007FF762C11000-memory.dmp	upx
C:\Windows\System32\VCMCQSw.exe	upx
C:\Windows\System32\roWFnpr.exe	upx
behavioral2/memory/4356-37-0x00007FF73C180000-0x00007FF73C571000-memory.dmp	upx
C:\Windows\System32\tDXDygV.exe	upx
C:\Windows\System32\NxQIKcS.exe	upx
behavioral2/memory/1680-52-0x00007FF656840000-0x00007FF656C31000-memory.dmp	upx
C:\Windows\System32\tVWjaST.exe	upx
C:\Windows\System32\LUxCIei.exe	upx
C:\Windows\System32\dAllKdK.exe	upx
C:\Windows\System32\vBRqIBd.exe	upx
C:\Windows\System32\dvoCMbh.exe	upx
C:\Windows\System32\FzXEPjM.exe	upx
C:\Windows\System32\HRtOEHM.exe	upx
C:\Windows\System32\sSrFLZa.exe	upx
behavioral2/memory/4132-348-0x00007FF6E7E40000-0x00007FF6E8231000-memory.dmp	upx
behavioral2/memory/1376-353-0x00007FF6C52C0000-0x00007FF6C56B1000-memory.dmp	upx
behavioral2/memory/2560-370-0x00007FF6902E0000-0x00007FF6906D1000-memory.dmp	upx
behavioral2/memory/4004-378-0x00007FF6977A0000-0x00007FF697B91000-memory.dmp	upx
behavioral2/memory/5064-383-0x00007FF605680000-0x00007FF605A71000-memory.dmp	upx
behavioral2/memory/4676-384-0x00007FF693190000-0x00007FF693581000-memory.dmp	upx
behavioral2/memory/4496-386-0x00007FF6C38C0000-0x00007FF6C3CB1000-memory.dmp	upx
behavioral2/memory/2104-387-0x00007FF7CB260000-0x00007FF7CB651000-memory.dmp	upx
behavioral2/memory/3964-388-0x00007FF686FD0000-0x00007FF6873C1000-memory.dmp	upx
behavioral2/memory/5084-391-0x00007FF766010000-0x00007FF766401000-memory.dmp	upx
behavioral2/memory/2160-392-0x00007FF79C4B0000-0x00007FF79C8A1000-memory.dmp	upx
behavioral2/memory/1608-393-0x00007FF7CD1B0000-0x00007FF7CD5A1000-memory.dmp	upx
behavioral2/memory/1344-389-0x00007FF6D9A60000-0x00007FF6D9E51000-memory.dmp	upx
behavioral2/memory/4580-390-0x00007FF6FB550000-0x00007FF6FB941000-memory.dmp	upx
behavioral2/memory/2332-359-0x00007FF72E400000-0x00007FF72E7F1000-memory.dmp	upx
C:\Windows\System32\zQRaspR.exe	upx
C:\Windows\System32\VwPBBvI.exe	upx
C:\Windows\System32\AsPefuc.exe	upx
C:\Windows\System32\zWBlbRw.exe	upx
C:\Windows\System32\BqDdGSy.exe	upx
C:\Windows\System32\THtxFIa.exe	upx
C:\Windows\System32\EZuPapn.exe	upx
C:\Windows\System32\zNBsBQA.exe	upx
C:\Windows\System32\cFswcKt.exe	upx
C:\Windows\System32\jzSTeRq.exe	upx
C:\Windows\System32\bqblbpd.exe	upx
C:\Windows\System32\lVicnRS.exe	upx
C:\Windows\System32\QzUGbCy.exe	upx
C:\Windows\System32\MadwdeC.exe	upx
C:\Windows\System32\SpfiOPU.exe	upx
behavioral2/memory/2268-53-0x00007FF6B99F0000-0x00007FF6B9DE1000-memory.dmp	upx
C:\Windows\System32\WXWtKEs.exe	upx
C:\Windows\System32\XxlQYiI.exe	upx
behavioral2/memory/1228-45-0x00007FF6F3E20000-0x00007FF6F4211000-memory.dmp	upx
behavioral2/memory/4240-40-0x00007FF70C120000-0x00007FF70C511000-memory.dmp	upx
behavioral2/memory/632-26-0x00007FF7C55F0000-0x00007FF7C59E1000-memory.dmp	upx
behavioral2/memory/3296-27-0x00007FF748B70000-0x00007FF748F61000-memory.dmp	upx
behavioral2/memory/636-22-0x00007FF606950000-0x00007FF606D41000-memory.dmp	upx
C:\Windows\System32\wQRFdbO.exe	upx
C:\Windows\System32\WVPgNkl.exe	upx
behavioral2/memory/540-1915-0x00007FF736B60000-0x00007FF736F51000-memory.dmp	upx
behavioral2/memory/636-1920-0x00007FF606950000-0x00007FF606D41000-memory.dmp	upx
behavioral2/memory/3296-2060-0x00007FF748B70000-0x00007FF748F61000-memory.dmp	upx
behavioral2/memory/4356-2061-0x00007FF73C180000-0x00007FF73C571000-memory.dmp	upx
behavioral2/memory/4240-2062-0x00007FF70C120000-0x00007FF70C511000-memory.dmp	upx
behavioral2/memory/1228-2063-0x00007FF6F3E20000-0x00007FF6F4211000-memory.dmp	upx
behavioral2/memory/2268-2096-0x00007FF6B99F0000-0x00007FF6B9DE1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

Processes:

bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\System32\oGHrelI.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\SasKXMg.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\urYEgaB.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\BclGruj.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\GIJLvSy.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\YQIRvIZ.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\VtLRHRb.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\SUGZrtO.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\hUnVULF.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\UOZLIwV.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\GxzWSxP.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\xxtHjpY.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\IgkGGxG.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\cQWXicw.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\QpkGjxJ.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\wEefWLM.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\OOtAnVY.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\BrDEStE.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\MqyZpUh.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\ficDrrR.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\biIjlAm.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\WcPNyfr.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\zFCDeCJ.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\sSrFLZa.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\AMGVfRm.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\ZUwZdZr.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\VongDlo.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\jyJpldx.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\JcQyvhe.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\RoUomVf.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\tVWjaST.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\qFIToqK.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\fYfuAmq.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\bMgmncj.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\zHbmLDg.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\sHrTtxo.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\zvwgpaT.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\JWaFbTj.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\AsPefuc.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\jZtzfTQ.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\pdfMBTp.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\FOmIYjH.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\qrHZQDX.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\oIugIHc.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\zNBsBQA.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\BqDdGSy.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\szJtlbq.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\oAeFZAl.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\mNNQSmi.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\LIUdYXR.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\pBBCgnI.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\IuqBSLc.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\ocBzrmX.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\xyhqdOn.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\fRMnMnZ.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\QpbpJiJ.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\JqxfTnV.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\xgvHMpb.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\AwCROUq.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\eIiyGpp.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\EUhDlzg.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\tWpqojw.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\SebGcMo.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
File created	C:\Windows\System32\RiQfwxF.exe	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

dwm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

dwm.exe

description	pid	process
Token: SeCreateGlobalPrivilege	13100	dwm.exe
Token: SeChangeNotifyPrivilege	13100	dwm.exe
Token: 33	13100	dwm.exe
Token: SeIncBasePriorityPrivilege	13100	dwm.exe
Token: SeShutdownPrivilege	13100	dwm.exe
Token: SeCreatePagefilePrivilege	13100	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe

description	pid	process	target process
PID 540 wrote to memory of 1920	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	BGJIZKT.exe
PID 540 wrote to memory of 1920	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	BGJIZKT.exe
PID 540 wrote to memory of 632	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	WVPgNkl.exe
PID 540 wrote to memory of 632	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	WVPgNkl.exe
PID 540 wrote to memory of 636	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	wQRFdbO.exe
PID 540 wrote to memory of 636	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	wQRFdbO.exe
PID 540 wrote to memory of 4356	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	roWFnpr.exe
PID 540 wrote to memory of 4356	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	roWFnpr.exe
PID 540 wrote to memory of 3296	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	VCMCQSw.exe
PID 540 wrote to memory of 3296	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	VCMCQSw.exe
PID 540 wrote to memory of 4240	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	tDXDygV.exe
PID 540 wrote to memory of 4240	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	tDXDygV.exe
PID 540 wrote to memory of 1228	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	XxlQYiI.exe
PID 540 wrote to memory of 1228	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	XxlQYiI.exe
PID 540 wrote to memory of 1680	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	WXWtKEs.exe
PID 540 wrote to memory of 1680	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	WXWtKEs.exe
PID 540 wrote to memory of 2268	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	NxQIKcS.exe
PID 540 wrote to memory of 2268	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	NxQIKcS.exe
PID 540 wrote to memory of 4132	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	tVWjaST.exe
PID 540 wrote to memory of 4132	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	tVWjaST.exe
PID 540 wrote to memory of 1376	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	SpfiOPU.exe
PID 540 wrote to memory of 1376	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	SpfiOPU.exe
PID 540 wrote to memory of 2332	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	LUxCIei.exe
PID 540 wrote to memory of 2332	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	LUxCIei.exe
PID 540 wrote to memory of 2560	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	MadwdeC.exe
PID 540 wrote to memory of 2560	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	MadwdeC.exe
PID 540 wrote to memory of 4004	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	dAllKdK.exe
PID 540 wrote to memory of 4004	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	dAllKdK.exe
PID 540 wrote to memory of 5064	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	QzUGbCy.exe
PID 540 wrote to memory of 5064	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	QzUGbCy.exe
PID 540 wrote to memory of 4676	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	lVicnRS.exe
PID 540 wrote to memory of 4676	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	lVicnRS.exe
PID 540 wrote to memory of 4496	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	vBRqIBd.exe
PID 540 wrote to memory of 4496	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	vBRqIBd.exe
PID 540 wrote to memory of 2104	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	bqblbpd.exe
PID 540 wrote to memory of 2104	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	bqblbpd.exe
PID 540 wrote to memory of 3964	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	jzSTeRq.exe
PID 540 wrote to memory of 3964	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	jzSTeRq.exe
PID 540 wrote to memory of 1344	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	cFswcKt.exe
PID 540 wrote to memory of 1344	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	cFswcKt.exe
PID 540 wrote to memory of 4580	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	dvoCMbh.exe
PID 540 wrote to memory of 4580	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	dvoCMbh.exe
PID 540 wrote to memory of 5084	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	zNBsBQA.exe
PID 540 wrote to memory of 5084	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	zNBsBQA.exe
PID 540 wrote to memory of 2160	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	FzXEPjM.exe
PID 540 wrote to memory of 2160	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	FzXEPjM.exe
PID 540 wrote to memory of 1608	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	HRtOEHM.exe
PID 540 wrote to memory of 1608	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	HRtOEHM.exe
PID 540 wrote to memory of 3252	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	EZuPapn.exe
PID 540 wrote to memory of 3252	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	EZuPapn.exe
PID 540 wrote to memory of 3668	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	THtxFIa.exe
PID 540 wrote to memory of 3668	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	THtxFIa.exe
PID 540 wrote to memory of 3444	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	BqDdGSy.exe
PID 540 wrote to memory of 3444	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	BqDdGSy.exe
PID 540 wrote to memory of 4124	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	zWBlbRw.exe
PID 540 wrote to memory of 4124	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	zWBlbRw.exe
PID 540 wrote to memory of 4080	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	AsPefuc.exe
PID 540 wrote to memory of 4080	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	AsPefuc.exe
PID 540 wrote to memory of 4284	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	sSrFLZa.exe
PID 540 wrote to memory of 4284	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	sSrFLZa.exe
PID 540 wrote to memory of 4152	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	VwPBBvI.exe
PID 540 wrote to memory of 4152	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	VwPBBvI.exe
PID 540 wrote to memory of 3868	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	zQRaspR.exe
PID 540 wrote to memory of 3868	540	bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe	zQRaspR.exe

C:\Users\Admin\AppData\Local\Temp\bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bb8b5ed36cf08b89eaa1bb67fc524ba3_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\System32\BGJIZKT.exe
C:\Windows\System32\BGJIZKT.exe
2⤵
- Executes dropped EXE
PID:1920

C:\Windows\System32\WVPgNkl.exe
C:\Windows\System32\WVPgNkl.exe
2⤵
- Executes dropped EXE
PID:632

C:\Windows\System32\wQRFdbO.exe
C:\Windows\System32\wQRFdbO.exe
2⤵
- Executes dropped EXE
PID:636

C:\Windows\System32\roWFnpr.exe
C:\Windows\System32\roWFnpr.exe
2⤵
- Executes dropped EXE
PID:4356

C:\Windows\System32\VCMCQSw.exe
C:\Windows\System32\VCMCQSw.exe
2⤵
- Executes dropped EXE
PID:3296

C:\Windows\System32\tDXDygV.exe
C:\Windows\System32\tDXDygV.exe
2⤵
- Executes dropped EXE
PID:4240

C:\Windows\System32\XxlQYiI.exe
C:\Windows\System32\XxlQYiI.exe
2⤵
- Executes dropped EXE
PID:1228

C:\Windows\System32\WXWtKEs.exe
C:\Windows\System32\WXWtKEs.exe
2⤵
- Executes dropped EXE
PID:1680

C:\Windows\System32\NxQIKcS.exe
C:\Windows\System32\NxQIKcS.exe
2⤵
- Executes dropped EXE
PID:2268

C:\Windows\System32\tVWjaST.exe
C:\Windows\System32\tVWjaST.exe
2⤵
- Executes dropped EXE
PID:4132

C:\Windows\System32\SpfiOPU.exe
C:\Windows\System32\SpfiOPU.exe
2⤵
- Executes dropped EXE
PID:1376

C:\Windows\System32\LUxCIei.exe
C:\Windows\System32\LUxCIei.exe
2⤵
- Executes dropped EXE
PID:2332

C:\Windows\System32\MadwdeC.exe
C:\Windows\System32\MadwdeC.exe
2⤵
- Executes dropped EXE
PID:2560

C:\Windows\System32\dAllKdK.exe
C:\Windows\System32\dAllKdK.exe
2⤵
- Executes dropped EXE
PID:4004

C:\Windows\System32\QzUGbCy.exe
C:\Windows\System32\QzUGbCy.exe
2⤵
- Executes dropped EXE
PID:5064

C:\Windows\System32\lVicnRS.exe
C:\Windows\System32\lVicnRS.exe
2⤵
- Executes dropped EXE
PID:4676

C:\Windows\System32\vBRqIBd.exe
C:\Windows\System32\vBRqIBd.exe
2⤵
- Executes dropped EXE
PID:4496

C:\Windows\System32\bqblbpd.exe
C:\Windows\System32\bqblbpd.exe
2⤵
- Executes dropped EXE
PID:2104

C:\Windows\System32\jzSTeRq.exe
C:\Windows\System32\jzSTeRq.exe
2⤵
- Executes dropped EXE
PID:3964

C:\Windows\System32\cFswcKt.exe
C:\Windows\System32\cFswcKt.exe
2⤵
- Executes dropped EXE
PID:1344

C:\Windows\System32\dvoCMbh.exe
C:\Windows\System32\dvoCMbh.exe
2⤵
- Executes dropped EXE
PID:4580

C:\Windows\System32\zNBsBQA.exe
C:\Windows\System32\zNBsBQA.exe
2⤵
- Executes dropped EXE
PID:5084

C:\Windows\System32\FzXEPjM.exe
C:\Windows\System32\FzXEPjM.exe
2⤵
- Executes dropped EXE
PID:2160

C:\Windows\System32\HRtOEHM.exe
C:\Windows\System32\HRtOEHM.exe
2⤵
- Executes dropped EXE
PID:1608

C:\Windows\System32\EZuPapn.exe
C:\Windows\System32\EZuPapn.exe
2⤵
- Executes dropped EXE
PID:3252

C:\Windows\System32\THtxFIa.exe
C:\Windows\System32\THtxFIa.exe
2⤵
- Executes dropped EXE
PID:3668

C:\Windows\System32\BqDdGSy.exe
C:\Windows\System32\BqDdGSy.exe
2⤵
- Executes dropped EXE
PID:3444

C:\Windows\System32\zWBlbRw.exe
C:\Windows\System32\zWBlbRw.exe
2⤵
- Executes dropped EXE
PID:4124

C:\Windows\System32\AsPefuc.exe
C:\Windows\System32\AsPefuc.exe
2⤵
- Executes dropped EXE
PID:4080

C:\Windows\System32\sSrFLZa.exe
C:\Windows\System32\sSrFLZa.exe
2⤵
- Executes dropped EXE
PID:4284

C:\Windows\System32\VwPBBvI.exe
C:\Windows\System32\VwPBBvI.exe
2⤵
- Executes dropped EXE
PID:4152

C:\Windows\System32\zQRaspR.exe
C:\Windows\System32\zQRaspR.exe
2⤵
- Executes dropped EXE
PID:3868

C:\Windows\System32\ShRUpKi.exe
C:\Windows\System32\ShRUpKi.exe
2⤵
- Executes dropped EXE
PID:4788

C:\Windows\System32\jZtzfTQ.exe
C:\Windows\System32\jZtzfTQ.exe
2⤵
- Executes dropped EXE
PID:1980

C:\Windows\System32\uHbRnNb.exe
C:\Windows\System32\uHbRnNb.exe
2⤵
- Executes dropped EXE
PID:1696

C:\Windows\System32\tdyNrAB.exe
C:\Windows\System32\tdyNrAB.exe
2⤵
- Executes dropped EXE
PID:1516

C:\Windows\System32\Opefnsd.exe
C:\Windows\System32\Opefnsd.exe
2⤵
- Executes dropped EXE
PID:4008

C:\Windows\System32\RoesSQF.exe
C:\Windows\System32\RoesSQF.exe
2⤵
- Executes dropped EXE
PID:512

C:\Windows\System32\ZgAMFDV.exe
C:\Windows\System32\ZgAMFDV.exe
2⤵
- Executes dropped EXE
PID:4032

C:\Windows\System32\iGDGinC.exe
C:\Windows\System32\iGDGinC.exe
2⤵
- Executes dropped EXE
PID:1572

C:\Windows\System32\Hnxllpi.exe
C:\Windows\System32\Hnxllpi.exe
2⤵
- Executes dropped EXE
PID:4740

C:\Windows\System32\GFqAkbx.exe
C:\Windows\System32\GFqAkbx.exe
2⤵
- Executes dropped EXE
PID:4720

C:\Windows\System32\dgKnWtg.exe
C:\Windows\System32\dgKnWtg.exe
2⤵
- Executes dropped EXE
PID:1612

C:\Windows\System32\jyJpldx.exe
C:\Windows\System32\jyJpldx.exe
2⤵
- Executes dropped EXE
PID:968

C:\Windows\System32\baUybnC.exe
C:\Windows\System32\baUybnC.exe
2⤵
- Executes dropped EXE
PID:2652

C:\Windows\System32\ruqDDtZ.exe
C:\Windows\System32\ruqDDtZ.exe
2⤵
- Executes dropped EXE
PID:1220

C:\Windows\System32\MWZaOCm.exe
C:\Windows\System32\MWZaOCm.exe
2⤵
- Executes dropped EXE
PID:4328

C:\Windows\System32\DVdzyFU.exe
C:\Windows\System32\DVdzyFU.exe
2⤵
- Executes dropped EXE
PID:3588

C:\Windows\System32\BHENOpT.exe
C:\Windows\System32\BHENOpT.exe
2⤵
- Executes dropped EXE
PID:1156

C:\Windows\System32\LKUyCKY.exe
C:\Windows\System32\LKUyCKY.exe
2⤵
- Executes dropped EXE
PID:2820

C:\Windows\System32\kYsWuhU.exe
C:\Windows\System32\kYsWuhU.exe
2⤵
- Executes dropped EXE
PID:1736

C:\Windows\System32\feQMomT.exe
C:\Windows\System32\feQMomT.exe
2⤵
- Executes dropped EXE
PID:60

C:\Windows\System32\TFTxaCj.exe
C:\Windows\System32\TFTxaCj.exe
2⤵
- Executes dropped EXE
PID:3828

C:\Windows\System32\LFjwMQQ.exe
C:\Windows\System32\LFjwMQQ.exe
2⤵
- Executes dropped EXE
PID:2852

C:\Windows\System32\edjshYj.exe
C:\Windows\System32\edjshYj.exe
2⤵
- Executes dropped EXE
PID:3360

C:\Windows\System32\JYGlwbR.exe
C:\Windows\System32\JYGlwbR.exe
2⤵
- Executes dropped EXE
PID:4700

C:\Windows\System32\XYqOEQW.exe
C:\Windows\System32\XYqOEQW.exe
2⤵
- Executes dropped EXE
PID:2204

C:\Windows\System32\APUiNUh.exe
C:\Windows\System32\APUiNUh.exe
2⤵
- Executes dropped EXE
PID:2036

C:\Windows\System32\PPJnEMz.exe
C:\Windows\System32\PPJnEMz.exe
2⤵
- Executes dropped EXE
PID:392

C:\Windows\System32\cKQljOm.exe
C:\Windows\System32\cKQljOm.exe
2⤵
- Executes dropped EXE
PID:4500

C:\Windows\System32\WJaDxAj.exe
C:\Windows\System32\WJaDxAj.exe
2⤵
- Executes dropped EXE
PID:2212

C:\Windows\System32\FImHNXf.exe
C:\Windows\System32\FImHNXf.exe
2⤵
- Executes dropped EXE
PID:4724

C:\Windows\System32\uPzfivH.exe
C:\Windows\System32\uPzfivH.exe
2⤵
- Executes dropped EXE
PID:3740

C:\Windows\System32\NQRHZTH.exe
C:\Windows\System32\NQRHZTH.exe
2⤵
- Executes dropped EXE
PID:4532

C:\Windows\System32\FHwrPPw.exe
C:\Windows\System32\FHwrPPw.exe
2⤵
PID:752

C:\Windows\System32\vijoXij.exe
C:\Windows\System32\vijoXij.exe
2⤵
PID:2580

C:\Windows\System32\uEFyoHF.exe
C:\Windows\System32\uEFyoHF.exe
2⤵
PID:3796

C:\Windows\System32\oJVVUIu.exe
C:\Windows\System32\oJVVUIu.exe
2⤵
PID:4172

C:\Windows\System32\cILdcEo.exe
C:\Windows\System32\cILdcEo.exe
2⤵
PID:2668

C:\Windows\System32\urYEgaB.exe
C:\Windows\System32\urYEgaB.exe
2⤵
PID:1500

C:\Windows\System32\DVDKDwY.exe
C:\Windows\System32\DVDKDwY.exe
2⤵
PID:2768

C:\Windows\System32\lNBCeMe.exe
C:\Windows\System32\lNBCeMe.exe
2⤵
PID:2340

C:\Windows\System32\XwCjQoS.exe
C:\Windows\System32\XwCjQoS.exe
2⤵
PID:2972

C:\Windows\System32\aopuipA.exe
C:\Windows\System32\aopuipA.exe
2⤵
PID:3272

C:\Windows\System32\FTzhZuE.exe
C:\Windows\System32\FTzhZuE.exe
2⤵
PID:1564

C:\Windows\System32\TmEOgsy.exe
C:\Windows\System32\TmEOgsy.exe
2⤵
PID:4588

C:\Windows\System32\MUnCXIB.exe
C:\Windows\System32\MUnCXIB.exe
2⤵
PID:2968

C:\Windows\System32\DZvVokw.exe
C:\Windows\System32\DZvVokw.exe
2⤵
PID:3576

C:\Windows\System32\sHrTtxo.exe
C:\Windows\System32\sHrTtxo.exe
2⤵
PID:4856

C:\Windows\System32\wTIVtnz.exe
C:\Windows\System32\wTIVtnz.exe
2⤵
PID:3768

C:\Windows\System32\CuoKBcG.exe
C:\Windows\System32\CuoKBcG.exe
2⤵
PID:64

C:\Windows\System32\LlzUZUt.exe
C:\Windows\System32\LlzUZUt.exe
2⤵
PID:3496

C:\Windows\System32\WjwdbDA.exe
C:\Windows\System32\WjwdbDA.exe
2⤵
PID:3084

C:\Windows\System32\BclGruj.exe
C:\Windows\System32\BclGruj.exe
2⤵
PID:428

C:\Windows\System32\rGjfKBp.exe
C:\Windows\System32\rGjfKBp.exe
2⤵
PID:2640

C:\Windows\System32\LGmlisR.exe
C:\Windows\System32\LGmlisR.exe
2⤵
PID:4520

C:\Windows\System32\BMCMHou.exe
C:\Windows\System32\BMCMHou.exe
2⤵
PID:4524

C:\Windows\System32\JNairYG.exe
C:\Windows\System32\JNairYG.exe
2⤵
PID:440

C:\Windows\System32\aZJnjoX.exe
C:\Windows\System32\aZJnjoX.exe
2⤵
PID:1028

C:\Windows\System32\FGVImca.exe
C:\Windows\System32\FGVImca.exe
2⤵
PID:3520

C:\Windows\System32\UbkZWjU.exe
C:\Windows\System32\UbkZWjU.exe
2⤵
PID:4420

C:\Windows\System32\XRguWyx.exe
C:\Windows\System32\XRguWyx.exe
2⤵
PID:3148

C:\Windows\System32\UKqnVkY.exe
C:\Windows\System32\UKqnVkY.exe
2⤵
PID:3220

C:\Windows\System32\iwmeMFe.exe
C:\Windows\System32\iwmeMFe.exe
2⤵
PID:2188

C:\Windows\System32\AwCROUq.exe
C:\Windows\System32\AwCROUq.exe
2⤵
PID:1792

C:\Windows\System32\AATlAXR.exe
C:\Windows\System32\AATlAXR.exe
2⤵
PID:1060

C:\Windows\System32\JYOiPFd.exe
C:\Windows\System32\JYOiPFd.exe
2⤵
PID:3524

C:\Windows\System32\IgkGGxG.exe
C:\Windows\System32\IgkGGxG.exe
2⤵
PID:2000

C:\Windows\System32\YGSmvBm.exe
C:\Windows\System32\YGSmvBm.exe
2⤵
PID:4184

C:\Windows\System32\dQWgQeP.exe
C:\Windows\System32\dQWgQeP.exe
2⤵
PID:5124

C:\Windows\System32\ofaEywK.exe
C:\Windows\System32\ofaEywK.exe
2⤵
PID:5140

C:\Windows\System32\WmpbkFQ.exe
C:\Windows\System32\WmpbkFQ.exe
2⤵
PID:5156

C:\Windows\System32\GIJLvSy.exe
C:\Windows\System32\GIJLvSy.exe
2⤵
PID:5176

C:\Windows\System32\tTNyDPr.exe
C:\Windows\System32\tTNyDPr.exe
2⤵
PID:5328

C:\Windows\System32\yCGtJqm.exe
C:\Windows\System32\yCGtJqm.exe
2⤵
PID:5356

C:\Windows\System32\CiVsokY.exe
C:\Windows\System32\CiVsokY.exe
2⤵
PID:5388

C:\Windows\System32\HHXVBrO.exe
C:\Windows\System32\HHXVBrO.exe
2⤵
PID:5420

C:\Windows\System32\YQIRvIZ.exe
C:\Windows\System32\YQIRvIZ.exe
2⤵
PID:5456

C:\Windows\System32\cQWXicw.exe
C:\Windows\System32\cQWXicw.exe
2⤵
PID:5484

C:\Windows\System32\Wnkkfic.exe
C:\Windows\System32\Wnkkfic.exe
2⤵
PID:5508

C:\Windows\System32\UkRlYkn.exe
C:\Windows\System32\UkRlYkn.exe
2⤵
PID:5532

C:\Windows\System32\JcQyvhe.exe
C:\Windows\System32\JcQyvhe.exe
2⤵
PID:5556

C:\Windows\System32\iatDbbL.exe
C:\Windows\System32\iatDbbL.exe
2⤵
PID:5580

C:\Windows\System32\kIwBItf.exe
C:\Windows\System32\kIwBItf.exe
2⤵
PID:5632

C:\Windows\System32\znxoQUq.exe
C:\Windows\System32\znxoQUq.exe
2⤵
PID:5648

C:\Windows\System32\gbatWJA.exe
C:\Windows\System32\gbatWJA.exe
2⤵
PID:5668

C:\Windows\System32\zpWcDaI.exe
C:\Windows\System32\zpWcDaI.exe
2⤵
PID:5696

C:\Windows\System32\GTBUREs.exe
C:\Windows\System32\GTBUREs.exe
2⤵
PID:5748

C:\Windows\System32\nftkPHW.exe
C:\Windows\System32\nftkPHW.exe
2⤵
PID:5768

C:\Windows\System32\ocJoJUP.exe
C:\Windows\System32\ocJoJUP.exe
2⤵
PID:5788

C:\Windows\System32\eUJnYpT.exe
C:\Windows\System32\eUJnYpT.exe
2⤵
PID:5816

C:\Windows\System32\PvdvNfa.exe
C:\Windows\System32\PvdvNfa.exe
2⤵
PID:5832

C:\Windows\System32\pSwVnUb.exe
C:\Windows\System32\pSwVnUb.exe
2⤵
PID:5856

C:\Windows\System32\BdwXARo.exe
C:\Windows\System32\BdwXARo.exe
2⤵
PID:5908

C:\Windows\System32\SmnyVqj.exe
C:\Windows\System32\SmnyVqj.exe
2⤵
PID:5944

C:\Windows\System32\sSJpNfX.exe
C:\Windows\System32\sSJpNfX.exe
2⤵
PID:5968

C:\Windows\System32\oxASIsE.exe
C:\Windows\System32\oxASIsE.exe
2⤵
PID:6008

C:\Windows\System32\pdfMBTp.exe
C:\Windows\System32\pdfMBTp.exe
2⤵
PID:6024

C:\Windows\System32\bozfttq.exe
C:\Windows\System32\bozfttq.exe
2⤵
PID:6052

C:\Windows\System32\gYIvLYx.exe
C:\Windows\System32\gYIvLYx.exe
2⤵
PID:6092

C:\Windows\System32\kCqzOTM.exe
C:\Windows\System32\kCqzOTM.exe
2⤵
PID:6108

C:\Windows\System32\zGneKKz.exe
C:\Windows\System32\zGneKKz.exe
2⤵
PID:6124

C:\Windows\System32\pTMMmnD.exe
C:\Windows\System32\pTMMmnD.exe
2⤵
PID:3264

C:\Windows\System32\KMAWGWz.exe
C:\Windows\System32\KMAWGWz.exe
2⤵
PID:2964

C:\Windows\System32\utZOMof.exe
C:\Windows\System32\utZOMof.exe
2⤵
PID:2764

C:\Windows\System32\BdDKRYP.exe
C:\Windows\System32\BdDKRYP.exe
2⤵
PID:4024

C:\Windows\System32\Afzniun.exe
C:\Windows\System32\Afzniun.exe
2⤵
PID:5264

C:\Windows\System32\MqyZpUh.exe
C:\Windows\System32\MqyZpUh.exe
2⤵
PID:5196

C:\Windows\System32\hbRkmuT.exe
C:\Windows\System32\hbRkmuT.exe
2⤵
PID:5348

C:\Windows\System32\aMaOvEn.exe
C:\Windows\System32\aMaOvEn.exe
2⤵
PID:5404

C:\Windows\System32\yVLGUho.exe
C:\Windows\System32\yVLGUho.exe
2⤵
PID:3044

C:\Windows\System32\UytDNSc.exe
C:\Windows\System32\UytDNSc.exe
2⤵
PID:5468

C:\Windows\System32\HvdEcWD.exe
C:\Windows\System32\HvdEcWD.exe
2⤵
PID:5544

C:\Windows\System32\cIEBZFm.exe
C:\Windows\System32\cIEBZFm.exe
2⤵
PID:5540

C:\Windows\System32\fHbyWlg.exe
C:\Windows\System32\fHbyWlg.exe
2⤵
PID:5624

C:\Windows\System32\oeNVhcL.exe
C:\Windows\System32\oeNVhcL.exe
2⤵
PID:5640

C:\Windows\System32\xakCeqq.exe
C:\Windows\System32\xakCeqq.exe
2⤵
PID:5848

C:\Windows\System32\KPRquMa.exe
C:\Windows\System32\KPRquMa.exe
2⤵
PID:5900

C:\Windows\System32\WryErob.exe
C:\Windows\System32\WryErob.exe
2⤵
PID:5940

C:\Windows\System32\FOmIYjH.exe
C:\Windows\System32\FOmIYjH.exe
2⤵
PID:5992

C:\Windows\System32\XZlJDwe.exe
C:\Windows\System32\XZlJDwe.exe
2⤵
PID:6076

C:\Windows\System32\MQXcOxU.exe
C:\Windows\System32\MQXcOxU.exe
2⤵
PID:3168

C:\Windows\System32\mRfFWOu.exe
C:\Windows\System32\mRfFWOu.exe
2⤵
PID:980

C:\Windows\System32\TgDeClR.exe
C:\Windows\System32\TgDeClR.exe
2⤵
PID:1216

C:\Windows\System32\lDjDURW.exe
C:\Windows\System32\lDjDURW.exe
2⤵
PID:5316

C:\Windows\System32\WVHASGE.exe
C:\Windows\System32\WVHASGE.exe
2⤵
PID:5660

C:\Windows\System32\sJimFCU.exe
C:\Windows\System32\sJimFCU.exe
2⤵
PID:5756

C:\Windows\System32\OClRySX.exe
C:\Windows\System32\OClRySX.exe
2⤵
PID:5868

C:\Windows\System32\dUkjQke.exe
C:\Windows\System32\dUkjQke.exe
2⤵
PID:2772

C:\Windows\System32\aeSXUdJ.exe
C:\Windows\System32\aeSXUdJ.exe
2⤵
PID:4996

C:\Windows\System32\jvfIxLq.exe
C:\Windows\System32\jvfIxLq.exe
2⤵
PID:5656

C:\Windows\System32\WWIVTkg.exe
C:\Windows\System32\WWIVTkg.exe
2⤵
PID:5164

C:\Windows\System32\XXyBSRV.exe
C:\Windows\System32\XXyBSRV.exe
2⤵
PID:3568

C:\Windows\System32\EvCwXbr.exe
C:\Windows\System32\EvCwXbr.exe
2⤵
PID:5784

C:\Windows\System32\XLftnBr.exe
C:\Windows\System32\XLftnBr.exe
2⤵
PID:5600

C:\Windows\System32\tprUrMJ.exe
C:\Windows\System32\tprUrMJ.exe
2⤵
PID:6152

C:\Windows\System32\ywbnBrm.exe
C:\Windows\System32\ywbnBrm.exe
2⤵
PID:6176

C:\Windows\System32\FSehjfM.exe
C:\Windows\System32\FSehjfM.exe
2⤵
PID:6192

C:\Windows\System32\QhwteNA.exe
C:\Windows\System32\QhwteNA.exe
2⤵
PID:6212

C:\Windows\System32\yliYedf.exe
C:\Windows\System32\yliYedf.exe
2⤵
PID:6232

C:\Windows\System32\NANRRQk.exe
C:\Windows\System32\NANRRQk.exe
2⤵
PID:6248

C:\Windows\System32\ZqGKVpj.exe
C:\Windows\System32\ZqGKVpj.exe
2⤵
PID:6280

C:\Windows\System32\NYozNKz.exe
C:\Windows\System32\NYozNKz.exe
2⤵
PID:6312

C:\Windows\System32\IZySDpd.exe
C:\Windows\System32\IZySDpd.exe
2⤵
PID:6408

C:\Windows\System32\eqVJvUR.exe
C:\Windows\System32\eqVJvUR.exe
2⤵
PID:6436

C:\Windows\System32\LGkzfhI.exe
C:\Windows\System32\LGkzfhI.exe
2⤵
PID:6452

C:\Windows\System32\bVhakbE.exe
C:\Windows\System32\bVhakbE.exe
2⤵
PID:6488

C:\Windows\System32\xggyFlK.exe
C:\Windows\System32\xggyFlK.exe
2⤵
PID:6520

C:\Windows\System32\nAcsoHo.exe
C:\Windows\System32\nAcsoHo.exe
2⤵
PID:6564

C:\Windows\System32\zYUjKmu.exe
C:\Windows\System32\zYUjKmu.exe
2⤵
PID:6580

C:\Windows\System32\gXDiDrg.exe
C:\Windows\System32\gXDiDrg.exe
2⤵
PID:6608

C:\Windows\System32\UasJDhZ.exe
C:\Windows\System32\UasJDhZ.exe
2⤵
PID:6628

C:\Windows\System32\Toclava.exe
C:\Windows\System32\Toclava.exe
2⤵
PID:6652

C:\Windows\System32\bCpOxNx.exe
C:\Windows\System32\bCpOxNx.exe
2⤵
PID:6688

C:\Windows\System32\zszddzj.exe
C:\Windows\System32\zszddzj.exe
2⤵
PID:6704

C:\Windows\System32\UtjKIqP.exe
C:\Windows\System32\UtjKIqP.exe
2⤵
PID:6760

C:\Windows\System32\zzIVVrW.exe
C:\Windows\System32\zzIVVrW.exe
2⤵
PID:6780

C:\Windows\System32\VtLRHRb.exe
C:\Windows\System32\VtLRHRb.exe
2⤵
PID:6804

C:\Windows\System32\SUGZrtO.exe
C:\Windows\System32\SUGZrtO.exe
2⤵
PID:6820

C:\Windows\System32\qsIwRCa.exe
C:\Windows\System32\qsIwRCa.exe
2⤵
PID:6868

C:\Windows\System32\BzMbmOr.exe
C:\Windows\System32\BzMbmOr.exe
2⤵
PID:6884

C:\Windows\System32\pwDvAeL.exe
C:\Windows\System32\pwDvAeL.exe
2⤵
PID:6908

C:\Windows\System32\calRrmx.exe
C:\Windows\System32\calRrmx.exe
2⤵
PID:6948

C:\Windows\System32\CBUNmrD.exe
C:\Windows\System32\CBUNmrD.exe
2⤵
PID:6968

C:\Windows\System32\HxCeevC.exe
C:\Windows\System32\HxCeevC.exe
2⤵
PID:6996

C:\Windows\System32\ZUEgFNK.exe
C:\Windows\System32\ZUEgFNK.exe
2⤵
PID:7016

C:\Windows\System32\eIiyGpp.exe
C:\Windows\System32\eIiyGpp.exe
2⤵
PID:7052

C:\Windows\System32\FEAWZgH.exe
C:\Windows\System32\FEAWZgH.exe
2⤵
PID:7072

C:\Windows\System32\neqysmv.exe
C:\Windows\System32\neqysmv.exe
2⤵
PID:7104

C:\Windows\System32\GDWMWxf.exe
C:\Windows\System32\GDWMWxf.exe
2⤵
PID:7148

C:\Windows\System32\DmskpCF.exe
C:\Windows\System32\DmskpCF.exe
2⤵
PID:7164

C:\Windows\System32\bygeGuK.exe
C:\Windows\System32\bygeGuK.exe
2⤵
PID:2844

C:\Windows\System32\KaEfKqL.exe
C:\Windows\System32\KaEfKqL.exe
2⤵
PID:6200

C:\Windows\System32\ALggoem.exe
C:\Windows\System32\ALggoem.exe
2⤵
PID:6240

C:\Windows\System32\DQBqcaK.exe
C:\Windows\System32\DQBqcaK.exe
2⤵
PID:6356

C:\Windows\System32\vPHdkuu.exe
C:\Windows\System32\vPHdkuu.exe
2⤵
PID:6404

C:\Windows\System32\RTTmrVg.exe
C:\Windows\System32\RTTmrVg.exe
2⤵
PID:6428

C:\Windows\System32\szJtlbq.exe
C:\Windows\System32\szJtlbq.exe
2⤵
PID:6508

C:\Windows\System32\jhVkvlp.exe
C:\Windows\System32\jhVkvlp.exe
2⤵
PID:6640

C:\Windows\System32\WtdmzEe.exe
C:\Windows\System32\WtdmzEe.exe
2⤵
PID:6752

C:\Windows\System32\tutCERL.exe
C:\Windows\System32\tutCERL.exe
2⤵
PID:6812

C:\Windows\System32\wGIWWEj.exe
C:\Windows\System32\wGIWWEj.exe
2⤵
PID:6876

C:\Windows\System32\xiITeLK.exe
C:\Windows\System32\xiITeLK.exe
2⤵
PID:6916

C:\Windows\System32\WPOwGLH.exe
C:\Windows\System32\WPOwGLH.exe
2⤵
PID:7040

C:\Windows\System32\IfbOYZX.exe
C:\Windows\System32\IfbOYZX.exe
2⤵
PID:7088

C:\Windows\System32\YtHOWyi.exe
C:\Windows\System32\YtHOWyi.exe
2⤵
PID:7144

C:\Windows\System32\hBZjJtG.exe
C:\Windows\System32\hBZjJtG.exe
2⤵
PID:6336

C:\Windows\System32\CrmTcCD.exe
C:\Windows\System32\CrmTcCD.exe
2⤵
PID:6500

C:\Windows\System32\iVExhXz.exe
C:\Windows\System32\iVExhXz.exe
2⤵
PID:6616

C:\Windows\System32\rAeTiUc.exe
C:\Windows\System32\rAeTiUc.exe
2⤵
PID:6900

C:\Windows\System32\ZewIRpv.exe
C:\Windows\System32\ZewIRpv.exe
2⤵
PID:7080

C:\Windows\System32\JQUZVaG.exe
C:\Windows\System32\JQUZVaG.exe
2⤵
PID:6228

C:\Windows\System32\ScCqmyb.exe
C:\Windows\System32\ScCqmyb.exe
2⤵
PID:6792

C:\Windows\System32\pXHgVPQ.exe
C:\Windows\System32\pXHgVPQ.exe
2⤵
PID:7064

C:\Windows\System32\PnPYEjQ.exe
C:\Windows\System32\PnPYEjQ.exe
2⤵
PID:7012

C:\Windows\System32\ZSWfnDJ.exe
C:\Windows\System32\ZSWfnDJ.exe
2⤵
PID:7192

C:\Windows\System32\WaoscNE.exe
C:\Windows\System32\WaoscNE.exe
2⤵
PID:7220

C:\Windows\System32\pPKsGJw.exe
C:\Windows\System32\pPKsGJw.exe
2⤵
PID:7240

C:\Windows\System32\iqmUDZj.exe
C:\Windows\System32\iqmUDZj.exe
2⤵
PID:7264

C:\Windows\System32\GDZKyhY.exe
C:\Windows\System32\GDZKyhY.exe
2⤵
PID:7296

C:\Windows\System32\NBwktqn.exe
C:\Windows\System32\NBwktqn.exe
2⤵
PID:7312

C:\Windows\System32\qcHLNUZ.exe
C:\Windows\System32\qcHLNUZ.exe
2⤵
PID:7356

C:\Windows\System32\ocBzrmX.exe
C:\Windows\System32\ocBzrmX.exe
2⤵
PID:7384

C:\Windows\System32\fhlnvCq.exe
C:\Windows\System32\fhlnvCq.exe
2⤵
PID:7416

C:\Windows\System32\EkWhVSB.exe
C:\Windows\System32\EkWhVSB.exe
2⤵
PID:7444

C:\Windows\System32\wlQcgEj.exe
C:\Windows\System32\wlQcgEj.exe
2⤵
PID:7460

C:\Windows\System32\oqFyCPV.exe
C:\Windows\System32\oqFyCPV.exe
2⤵
PID:7480

C:\Windows\System32\pKEJIev.exe
C:\Windows\System32\pKEJIev.exe
2⤵
PID:7516

C:\Windows\System32\fxJiPCJ.exe
C:\Windows\System32\fxJiPCJ.exe
2⤵
PID:7560

C:\Windows\System32\xCHUydh.exe
C:\Windows\System32\xCHUydh.exe
2⤵
PID:7584

C:\Windows\System32\CZZriaD.exe
C:\Windows\System32\CZZriaD.exe
2⤵
PID:7600

C:\Windows\System32\SyrOFgQ.exe
C:\Windows\System32\SyrOFgQ.exe
2⤵
PID:7620

C:\Windows\System32\fkwwcul.exe
C:\Windows\System32\fkwwcul.exe
2⤵
PID:7664

C:\Windows\System32\tFaqmpC.exe
C:\Windows\System32\tFaqmpC.exe
2⤵
PID:7680

C:\Windows\System32\RTlvxUJ.exe
C:\Windows\System32\RTlvxUJ.exe
2⤵
PID:7708

C:\Windows\System32\UoBMiJA.exe
C:\Windows\System32\UoBMiJA.exe
2⤵
PID:7732

C:\Windows\System32\lRKcViQ.exe
C:\Windows\System32\lRKcViQ.exe
2⤵
PID:7760

C:\Windows\System32\PtXHvDn.exe
C:\Windows\System32\PtXHvDn.exe
2⤵
PID:7792

C:\Windows\System32\rMFseQn.exe
C:\Windows\System32\rMFseQn.exe
2⤵
PID:7808

C:\Windows\System32\lRshRdf.exe
C:\Windows\System32\lRshRdf.exe
2⤵
PID:7828

C:\Windows\System32\Tetkhvt.exe
C:\Windows\System32\Tetkhvt.exe
2⤵
PID:7864

C:\Windows\System32\oAeFZAl.exe
C:\Windows\System32\oAeFZAl.exe
2⤵
PID:7908

C:\Windows\System32\MRLTfbd.exe
C:\Windows\System32\MRLTfbd.exe
2⤵
PID:7924

C:\Windows\System32\qzSgOWJ.exe
C:\Windows\System32\qzSgOWJ.exe
2⤵
PID:7960

C:\Windows\System32\QFoYcLT.exe
C:\Windows\System32\QFoYcLT.exe
2⤵
PID:8012

C:\Windows\System32\CqBqtrE.exe
C:\Windows\System32\CqBqtrE.exe
2⤵
PID:8036

C:\Windows\System32\sLDzilP.exe
C:\Windows\System32\sLDzilP.exe
2⤵
PID:8056

C:\Windows\System32\pUQWsmA.exe
C:\Windows\System32\pUQWsmA.exe
2⤵
PID:8100

C:\Windows\System32\PDaNxfl.exe
C:\Windows\System32\PDaNxfl.exe
2⤵
PID:8124

C:\Windows\System32\WtuEAza.exe
C:\Windows\System32\WtuEAza.exe
2⤵
PID:8160

C:\Windows\System32\DMqfCsA.exe
C:\Windows\System32\DMqfCsA.exe
2⤵
PID:8184

C:\Windows\System32\SZgalIQ.exe
C:\Windows\System32\SZgalIQ.exe
2⤵
PID:6264

C:\Windows\System32\zOnMimh.exe
C:\Windows\System32\zOnMimh.exe
2⤵
PID:7236

C:\Windows\System32\PIieGBY.exe
C:\Windows\System32\PIieGBY.exe
2⤵
PID:7284

C:\Windows\System32\kuJaEYJ.exe
C:\Windows\System32\kuJaEYJ.exe
2⤵
PID:7412

C:\Windows\System32\GMjCXua.exe
C:\Windows\System32\GMjCXua.exe
2⤵
PID:7456

C:\Windows\System32\TqZABqO.exe
C:\Windows\System32\TqZABqO.exe
2⤵
PID:7528

C:\Windows\System32\MVRbpXa.exe
C:\Windows\System32\MVRbpXa.exe
2⤵
PID:7552

C:\Windows\System32\iJcpygk.exe
C:\Windows\System32\iJcpygk.exe
2⤵
PID:7616

C:\Windows\System32\pJcsDEZ.exe
C:\Windows\System32\pJcsDEZ.exe
2⤵
PID:7692

C:\Windows\System32\RzNWHSv.exe
C:\Windows\System32\RzNWHSv.exe
2⤵
PID:7756

C:\Windows\System32\dfAnedp.exe
C:\Windows\System32\dfAnedp.exe
2⤵
PID:7772

C:\Windows\System32\NGPXOei.exe
C:\Windows\System32\NGPXOei.exe
2⤵
PID:7816

C:\Windows\System32\wPuCczg.exe
C:\Windows\System32\wPuCczg.exe
2⤵
PID:7900

C:\Windows\System32\apAuIcQ.exe
C:\Windows\System32\apAuIcQ.exe
2⤵
PID:8048

C:\Windows\System32\qRUAGSt.exe
C:\Windows\System32\qRUAGSt.exe
2⤵
PID:8072

C:\Windows\System32\VDraYFE.exe
C:\Windows\System32\VDraYFE.exe
2⤵
PID:5268

C:\Windows\System32\uLOxVyJ.exe
C:\Windows\System32\uLOxVyJ.exe
2⤵
PID:6932

C:\Windows\System32\kYpVqNK.exe
C:\Windows\System32\kYpVqNK.exe
2⤵
PID:7212

C:\Windows\System32\UgvuigT.exe
C:\Windows\System32\UgvuigT.exe
2⤵
PID:7476

C:\Windows\System32\iJTXsXw.exe
C:\Windows\System32\iJTXsXw.exe
2⤵
PID:7656

C:\Windows\System32\ZAbEhbm.exe
C:\Windows\System32\ZAbEhbm.exe
2⤵
PID:7728

C:\Windows\System32\vRvqghE.exe
C:\Windows\System32\vRvqghE.exe
2⤵
PID:6668

C:\Windows\System32\nIRPYnG.exe
C:\Windows\System32\nIRPYnG.exe
2⤵
PID:7896

C:\Windows\System32\XKYOTfy.exe
C:\Windows\System32\XKYOTfy.exe
2⤵
PID:8008

C:\Windows\System32\vPaBwPv.exe
C:\Windows\System32\vPaBwPv.exe
2⤵
PID:7232

C:\Windows\System32\slAdxSG.exe
C:\Windows\System32\slAdxSG.exe
2⤵
PID:7804

C:\Windows\System32\UxlNWJb.exe
C:\Windows\System32\UxlNWJb.exe
2⤵
PID:7880

C:\Windows\System32\yavVndU.exe
C:\Windows\System32\yavVndU.exe
2⤵
PID:8172

C:\Windows\System32\wYmQuNW.exe
C:\Windows\System32\wYmQuNW.exe
2⤵
PID:7988

C:\Windows\System32\iLYDodi.exe
C:\Windows\System32\iLYDodi.exe
2⤵
PID:7556

C:\Windows\System32\xyhqdOn.exe
C:\Windows\System32\xyhqdOn.exe
2⤵
PID:8208

C:\Windows\System32\KKLnuuP.exe
C:\Windows\System32\KKLnuuP.exe
2⤵
PID:8244

C:\Windows\System32\eeudqwo.exe
C:\Windows\System32\eeudqwo.exe
2⤵
PID:8292

C:\Windows\System32\alJmUrV.exe
C:\Windows\System32\alJmUrV.exe
2⤵
PID:8324

C:\Windows\System32\zTvdqAR.exe
C:\Windows\System32\zTvdqAR.exe
2⤵
PID:8348

C:\Windows\System32\PjROVhg.exe
C:\Windows\System32\PjROVhg.exe
2⤵
PID:8380

C:\Windows\System32\YsqRajQ.exe
C:\Windows\System32\YsqRajQ.exe
2⤵
PID:8404

C:\Windows\System32\IpvUDMq.exe
C:\Windows\System32\IpvUDMq.exe
2⤵
PID:8424

C:\Windows\System32\pgZsneA.exe
C:\Windows\System32\pgZsneA.exe
2⤵
PID:8468

C:\Windows\System32\GKjNltn.exe
C:\Windows\System32\GKjNltn.exe
2⤵
PID:8492

C:\Windows\System32\AjhRxVH.exe
C:\Windows\System32\AjhRxVH.exe
2⤵
PID:8524

C:\Windows\System32\yzpMLiy.exe
C:\Windows\System32\yzpMLiy.exe
2⤵
PID:8544

C:\Windows\System32\AMGVfRm.exe
C:\Windows\System32\AMGVfRm.exe
2⤵
PID:8568

C:\Windows\System32\PgVUBnv.exe
C:\Windows\System32\PgVUBnv.exe
2⤵
PID:8612

C:\Windows\System32\VfKSEse.exe
C:\Windows\System32\VfKSEse.exe
2⤵
PID:8640

C:\Windows\System32\sdKrxhC.exe
C:\Windows\System32\sdKrxhC.exe
2⤵
PID:8664

C:\Windows\System32\mvXPnjj.exe
C:\Windows\System32\mvXPnjj.exe
2⤵
PID:8692

C:\Windows\System32\vJRkrsh.exe
C:\Windows\System32\vJRkrsh.exe
2⤵
PID:8712

C:\Windows\System32\PDjDNaI.exe
C:\Windows\System32\PDjDNaI.exe
2⤵
PID:8740

C:\Windows\System32\uDjTpDs.exe
C:\Windows\System32\uDjTpDs.exe
2⤵
PID:8784

C:\Windows\System32\QDDDrAQ.exe
C:\Windows\System32\QDDDrAQ.exe
2⤵
PID:8800

C:\Windows\System32\ecugsmm.exe
C:\Windows\System32\ecugsmm.exe
2⤵
PID:8824

C:\Windows\System32\mMlLSIH.exe
C:\Windows\System32\mMlLSIH.exe
2⤵
PID:8860

C:\Windows\System32\qzNLgrc.exe
C:\Windows\System32\qzNLgrc.exe
2⤵
PID:8880

C:\Windows\System32\ZUwZdZr.exe
C:\Windows\System32\ZUwZdZr.exe
2⤵
PID:8920

C:\Windows\System32\GLaYjao.exe
C:\Windows\System32\GLaYjao.exe
2⤵
PID:8940

C:\Windows\System32\xxYVXJL.exe
C:\Windows\System32\xxYVXJL.exe
2⤵
PID:8960

C:\Windows\System32\icDmTSx.exe
C:\Windows\System32\icDmTSx.exe
2⤵
PID:8996

C:\Windows\System32\rdIQhrN.exe
C:\Windows\System32\rdIQhrN.exe
2⤵
PID:9032

C:\Windows\System32\WxBrmfZ.exe
C:\Windows\System32\WxBrmfZ.exe
2⤵
PID:9056

C:\Windows\System32\tRPPcZt.exe
C:\Windows\System32\tRPPcZt.exe
2⤵
PID:9072

C:\Windows\System32\vfgamfP.exe
C:\Windows\System32\vfgamfP.exe
2⤵
PID:9096

C:\Windows\System32\WCTQoDv.exe
C:\Windows\System32\WCTQoDv.exe
2⤵
PID:9136

C:\Windows\System32\qezvYTV.exe
C:\Windows\System32\qezvYTV.exe
2⤵
PID:9160

C:\Windows\System32\pKPYKuD.exe
C:\Windows\System32\pKPYKuD.exe
2⤵
PID:9196

C:\Windows\System32\qPAHEFI.exe
C:\Windows\System32\qPAHEFI.exe
2⤵
PID:8112

C:\Windows\System32\wSojgVc.exe
C:\Windows\System32\wSojgVc.exe
2⤵
PID:8256

C:\Windows\System32\JRVSckX.exe
C:\Windows\System32\JRVSckX.exe
2⤵
PID:8316

C:\Windows\System32\SclyRJa.exe
C:\Windows\System32\SclyRJa.exe
2⤵
PID:8368

C:\Windows\System32\xRsgvSQ.exe
C:\Windows\System32\xRsgvSQ.exe
2⤵
PID:8396

C:\Windows\System32\TAHDfRV.exe
C:\Windows\System32\TAHDfRV.exe
2⤵
PID:8440

C:\Windows\System32\BgpSfNG.exe
C:\Windows\System32\BgpSfNG.exe
2⤵
PID:5936

C:\Windows\System32\OSRpvFe.exe
C:\Windows\System32\OSRpvFe.exe
2⤵
PID:8500

C:\Windows\System32\fwqTPOj.exe
C:\Windows\System32\fwqTPOj.exe
2⤵
PID:8564

C:\Windows\System32\fiVZHvw.exe
C:\Windows\System32\fiVZHvw.exe
2⤵
PID:5232

C:\Windows\System32\KYwOpCO.exe
C:\Windows\System32\KYwOpCO.exe
2⤵
PID:8672

C:\Windows\System32\CSBCIfG.exe
C:\Windows\System32\CSBCIfG.exe
2⤵
PID:8700

C:\Windows\System32\PxtcXsh.exe
C:\Windows\System32\PxtcXsh.exe
2⤵
PID:8808

C:\Windows\System32\SlLLHfC.exe
C:\Windows\System32\SlLLHfC.exe
2⤵
PID:8852

C:\Windows\System32\lSEkdgi.exe
C:\Windows\System32\lSEkdgi.exe
2⤵
PID:8876

C:\Windows\System32\EUhDlzg.exe
C:\Windows\System32\EUhDlzg.exe
2⤵
PID:8956

C:\Windows\System32\iuWlYLL.exe
C:\Windows\System32\iuWlYLL.exe
2⤵
PID:9064

C:\Windows\System32\xhqmYxg.exe
C:\Windows\System32\xhqmYxg.exe
2⤵
PID:9108

C:\Windows\System32\mqYQVnf.exe
C:\Windows\System32\mqYQVnf.exe
2⤵
PID:9208

C:\Windows\System32\xQCncgT.exe
C:\Windows\System32\xQCncgT.exe
2⤵
PID:8340

C:\Windows\System32\ZvDCjHY.exe
C:\Windows\System32\ZvDCjHY.exe
2⤵
PID:8420

C:\Windows\System32\CUrollp.exe
C:\Windows\System32\CUrollp.exe
2⤵
PID:5592

C:\Windows\System32\loNKPuM.exe
C:\Windows\System32\loNKPuM.exe
2⤵
PID:8608

C:\Windows\System32\fRMnMnZ.exe
C:\Windows\System32\fRMnMnZ.exe
2⤵
PID:8708

C:\Windows\System32\KlJiEor.exe
C:\Windows\System32\KlJiEor.exe
2⤵
PID:8768

C:\Windows\System32\DRdUpou.exe
C:\Windows\System32\DRdUpou.exe
2⤵
PID:9008

C:\Windows\System32\oiKbLau.exe
C:\Windows\System32\oiKbLau.exe
2⤵
PID:9148

C:\Windows\System32\EALMsAv.exe
C:\Windows\System32\EALMsAv.exe
2⤵
PID:8304

C:\Windows\System32\mWVsLpj.exe
C:\Windows\System32\mWVsLpj.exe
2⤵
PID:8536

C:\Windows\System32\UmkahBb.exe
C:\Windows\System32\UmkahBb.exe
2⤵
PID:8652

C:\Windows\System32\vFhNvnL.exe
C:\Windows\System32\vFhNvnL.exe
2⤵
PID:9124

C:\Windows\System32\VdbWPqd.exe
C:\Windows\System32\VdbWPqd.exe
2⤵
PID:9224

C:\Windows\System32\iCdZtjp.exe
C:\Windows\System32\iCdZtjp.exe
2⤵
PID:9280

C:\Windows\System32\lBgmuJh.exe
C:\Windows\System32\lBgmuJh.exe
2⤵
PID:9304

C:\Windows\System32\FLRirWf.exe
C:\Windows\System32\FLRirWf.exe
2⤵
PID:9332

C:\Windows\System32\qSMuIgV.exe
C:\Windows\System32\qSMuIgV.exe
2⤵
PID:9352

C:\Windows\System32\IdLVQWm.exe
C:\Windows\System32\IdLVQWm.exe
2⤵
PID:9388

C:\Windows\System32\GvaEzdf.exe
C:\Windows\System32\GvaEzdf.exe
2⤵
PID:9420

C:\Windows\System32\KInusuA.exe
C:\Windows\System32\KInusuA.exe
2⤵
PID:9444

C:\Windows\System32\OlNmzLp.exe
C:\Windows\System32\OlNmzLp.exe
2⤵
PID:9464

C:\Windows\System32\QuUPDpx.exe
C:\Windows\System32\QuUPDpx.exe
2⤵
PID:9484

C:\Windows\System32\EQkADWC.exe
C:\Windows\System32\EQkADWC.exe
2⤵
PID:9524

C:\Windows\System32\cYFysph.exe
C:\Windows\System32\cYFysph.exe
2⤵
PID:9540

C:\Windows\System32\ASoVhwD.exe
C:\Windows\System32\ASoVhwD.exe
2⤵
PID:9572

C:\Windows\System32\yBpVOQD.exe
C:\Windows\System32\yBpVOQD.exe
2⤵
PID:9596

C:\Windows\System32\pwDMsee.exe
C:\Windows\System32\pwDMsee.exe
2⤵
PID:9612

C:\Windows\System32\CtHXvRk.exe
C:\Windows\System32\CtHXvRk.exe
2⤵
PID:9640

C:\Windows\System32\tOcEhuG.exe
C:\Windows\System32\tOcEhuG.exe
2⤵
PID:9668

C:\Windows\System32\mNNQSmi.exe
C:\Windows\System32\mNNQSmi.exe
2⤵
PID:9728

C:\Windows\System32\JLkTbCI.exe
C:\Windows\System32\JLkTbCI.exe
2⤵
PID:9752

C:\Windows\System32\PBIlSbi.exe
C:\Windows\System32\PBIlSbi.exe
2⤵
PID:9772

C:\Windows\System32\pRVgEMD.exe
C:\Windows\System32\pRVgEMD.exe
2⤵
PID:9792

C:\Windows\System32\zSqhpbe.exe
C:\Windows\System32\zSqhpbe.exe
2⤵
PID:9832

C:\Windows\System32\VwmfVsc.exe
C:\Windows\System32\VwmfVsc.exe
2⤵
PID:9856

C:\Windows\System32\UYKMJQO.exe
C:\Windows\System32\UYKMJQO.exe
2⤵
PID:9876

C:\Windows\System32\nAmHaKe.exe
C:\Windows\System32\nAmHaKe.exe
2⤵
PID:9904

C:\Windows\System32\XeCavXF.exe
C:\Windows\System32\XeCavXF.exe
2⤵
PID:9928

C:\Windows\System32\tGVlDLB.exe
C:\Windows\System32\tGVlDLB.exe
2⤵
PID:9956

C:\Windows\System32\fWyjWmy.exe
C:\Windows\System32\fWyjWmy.exe
2⤵
PID:10004

C:\Windows\System32\dcPajkR.exe
C:\Windows\System32\dcPajkR.exe
2⤵
PID:10032

C:\Windows\System32\wmkPCsw.exe
C:\Windows\System32\wmkPCsw.exe
2⤵
PID:10060

C:\Windows\System32\bAfuxZD.exe
C:\Windows\System32\bAfuxZD.exe
2⤵
PID:10080

C:\Windows\System32\NlGXgiH.exe
C:\Windows\System32\NlGXgiH.exe
2⤵
PID:10120

C:\Windows\System32\LvKrLbv.exe
C:\Windows\System32\LvKrLbv.exe
2⤵
PID:10144

C:\Windows\System32\bsEDiZV.exe
C:\Windows\System32\bsEDiZV.exe
2⤵
PID:10168

C:\Windows\System32\zvwgpaT.exe
C:\Windows\System32\zvwgpaT.exe
2⤵
PID:10192

C:\Windows\System32\kptupyX.exe
C:\Windows\System32\kptupyX.exe
2⤵
PID:10232

C:\Windows\System32\aOIhfge.exe
C:\Windows\System32\aOIhfge.exe
2⤵
PID:9068

C:\Windows\System32\caEEbSm.exe
C:\Windows\System32\caEEbSm.exe
2⤵
PID:9220

C:\Windows\System32\tnbAFSw.exe
C:\Windows\System32\tnbAFSw.exe
2⤵
PID:9300

C:\Windows\System32\BWoLHPn.exe
C:\Windows\System32\BWoLHPn.exe
2⤵
PID:9344

C:\Windows\System32\tACTDXk.exe
C:\Windows\System32\tACTDXk.exe
2⤵
PID:9416

C:\Windows\System32\hUnVULF.exe
C:\Windows\System32\hUnVULF.exe
2⤵
PID:9456

C:\Windows\System32\lDbeuFm.exe
C:\Windows\System32\lDbeuFm.exe
2⤵
PID:9636

C:\Windows\System32\NGqHsAX.exe
C:\Windows\System32\NGqHsAX.exe
2⤵
PID:9676

C:\Windows\System32\dMpIjrf.exe
C:\Windows\System32\dMpIjrf.exe
2⤵
PID:9760

C:\Windows\System32\NwzehDO.exe
C:\Windows\System32\NwzehDO.exe
2⤵
PID:9784

C:\Windows\System32\kxVLhNX.exe
C:\Windows\System32\kxVLhNX.exe
2⤵
PID:9884

C:\Windows\System32\qrHZQDX.exe
C:\Windows\System32\qrHZQDX.exe
2⤵
PID:9940

C:\Windows\System32\NZsqZZB.exe
C:\Windows\System32\NZsqZZB.exe
2⤵
PID:10024

C:\Windows\System32\XUnzPvJ.exe
C:\Windows\System32\XUnzPvJ.exe
2⤵
PID:10068

C:\Windows\System32\PYOtwfh.exe
C:\Windows\System32\PYOtwfh.exe
2⤵
PID:10136

C:\Windows\System32\pCFSZQc.exe
C:\Windows\System32\pCFSZQc.exe
2⤵
PID:10180

C:\Windows\System32\yuadKGt.exe
C:\Windows\System32\yuadKGt.exe
2⤵
PID:9252

C:\Windows\System32\YbVGnRB.exe
C:\Windows\System32\YbVGnRB.exe
2⤵
PID:9240

C:\Windows\System32\TMFigGr.exe
C:\Windows\System32\TMFigGr.exe
2⤵
PID:9584

C:\Windows\System32\UwQubRO.exe
C:\Windows\System32\UwQubRO.exe
2⤵
PID:9536

C:\Windows\System32\awKmVFl.exe
C:\Windows\System32\awKmVFl.exe
2⤵
PID:9844

C:\Windows\System32\maSdUsF.exe
C:\Windows\System32\maSdUsF.exe
2⤵
PID:9992

C:\Windows\System32\QcPXPeE.exe
C:\Windows\System32\QcPXPeE.exe
2⤵
PID:10164

C:\Windows\System32\UOZLIwV.exe
C:\Windows\System32\UOZLIwV.exe
2⤵
PID:10224

C:\Windows\System32\oiyPMrv.exe
C:\Windows\System32\oiyPMrv.exe
2⤵
PID:9504

C:\Windows\System32\PHrAsqZ.exe
C:\Windows\System32\PHrAsqZ.exe
2⤵
PID:9764

C:\Windows\System32\FpuySqB.exe
C:\Windows\System32\FpuySqB.exe
2⤵
PID:10100

C:\Windows\System32\QKxqvQm.exe
C:\Windows\System32\QKxqvQm.exe
2⤵
PID:9324

C:\Windows\System32\zgkPwhQ.exe
C:\Windows\System32\zgkPwhQ.exe
2⤵
PID:10272

C:\Windows\System32\NDtWyEj.exe
C:\Windows\System32\NDtWyEj.exe
2⤵
PID:10292

C:\Windows\System32\gwGVMNU.exe
C:\Windows\System32\gwGVMNU.exe
2⤵
PID:10324

C:\Windows\System32\RelvaJj.exe
C:\Windows\System32\RelvaJj.exe
2⤵
PID:10348

C:\Windows\System32\tlYaZBv.exe
C:\Windows\System32\tlYaZBv.exe
2⤵
PID:10380

C:\Windows\System32\hTsGcQu.exe
C:\Windows\System32\hTsGcQu.exe
2⤵
PID:10428

C:\Windows\System32\gdnyYPg.exe
C:\Windows\System32\gdnyYPg.exe
2⤵
PID:10444

C:\Windows\System32\qVkfBEp.exe
C:\Windows\System32\qVkfBEp.exe
2⤵
PID:10464

C:\Windows\System32\rHGguOw.exe
C:\Windows\System32\rHGguOw.exe
2⤵
PID:10492

C:\Windows\System32\tQGrZZa.exe
C:\Windows\System32\tQGrZZa.exe
2⤵
PID:10544

C:\Windows\System32\NuPGtOu.exe
C:\Windows\System32\NuPGtOu.exe
2⤵
PID:10560

C:\Windows\System32\XYoqEqR.exe
C:\Windows\System32\XYoqEqR.exe
2⤵
PID:10576

C:\Windows\System32\niDvlsg.exe
C:\Windows\System32\niDvlsg.exe
2⤵
PID:10592

C:\Windows\System32\ovamNcz.exe
C:\Windows\System32\ovamNcz.exe
2⤵
PID:10608

C:\Windows\System32\rqwDaMu.exe
C:\Windows\System32\rqwDaMu.exe
2⤵
PID:10660

C:\Windows\System32\GwiOJKj.exe
C:\Windows\System32\GwiOJKj.exe
2⤵
PID:10692

C:\Windows\System32\FBEVpoa.exe
C:\Windows\System32\FBEVpoa.exe
2⤵
PID:10712

C:\Windows\System32\IPeSjzx.exe
C:\Windows\System32\IPeSjzx.exe
2⤵
PID:10780

C:\Windows\System32\nKvlJwd.exe
C:\Windows\System32\nKvlJwd.exe
2⤵
PID:10816

C:\Windows\System32\TikACac.exe
C:\Windows\System32\TikACac.exe
2⤵
PID:10836

C:\Windows\System32\IHWEibu.exe
C:\Windows\System32\IHWEibu.exe
2⤵
PID:10864

C:\Windows\System32\IPsJRrE.exe
C:\Windows\System32\IPsJRrE.exe
2⤵
PID:10948

C:\Windows\System32\rsjaGxG.exe
C:\Windows\System32\rsjaGxG.exe
2⤵
PID:10964

C:\Windows\System32\rnAMhTM.exe
C:\Windows\System32\rnAMhTM.exe
2⤵
PID:11008

C:\Windows\System32\zybzZZq.exe
C:\Windows\System32\zybzZZq.exe
2⤵
PID:11060

C:\Windows\System32\qFIToqK.exe
C:\Windows\System32\qFIToqK.exe
2⤵
PID:11080

C:\Windows\System32\vejFoIR.exe
C:\Windows\System32\vejFoIR.exe
2⤵
PID:11096

C:\Windows\System32\PczpXng.exe
C:\Windows\System32\PczpXng.exe
2⤵
PID:11124

C:\Windows\System32\CtQtgfR.exe
C:\Windows\System32\CtQtgfR.exe
2⤵
PID:11140

C:\Windows\System32\heGDpMd.exe
C:\Windows\System32\heGDpMd.exe
2⤵
PID:11164

C:\Windows\System32\AWotGpk.exe
C:\Windows\System32\AWotGpk.exe
2⤵
PID:11212

C:\Windows\System32\kbPpztc.exe
C:\Windows\System32\kbPpztc.exe
2⤵
PID:9348

C:\Windows\System32\AApzkpx.exe
C:\Windows\System32\AApzkpx.exe
2⤵
PID:10268

C:\Windows\System32\vAUIeAH.exe
C:\Windows\System32\vAUIeAH.exe
2⤵
PID:10344

C:\Windows\System32\uturQbP.exe
C:\Windows\System32\uturQbP.exe
2⤵
PID:10392

C:\Windows\System32\dwpsejM.exe
C:\Windows\System32\dwpsejM.exe
2⤵
PID:10520

C:\Windows\System32\ficDrrR.exe
C:\Windows\System32\ficDrrR.exe
2⤵
PID:10532

C:\Windows\System32\XoaamCs.exe
C:\Windows\System32\XoaamCs.exe
2⤵
PID:10512

C:\Windows\System32\ZCgWsAC.exe
C:\Windows\System32\ZCgWsAC.exe
2⤵
PID:10640

C:\Windows\System32\BlMENdw.exe
C:\Windows\System32\BlMENdw.exe
2⤵
PID:10676

C:\Windows\System32\jimewME.exe
C:\Windows\System32\jimewME.exe
2⤵
PID:10440

C:\Windows\System32\VBTLFzY.exe
C:\Windows\System32\VBTLFzY.exe
2⤵
PID:10600

C:\Windows\System32\YHzKYco.exe
C:\Windows\System32\YHzKYco.exe
2⤵
PID:10644

C:\Windows\System32\MXeGcAN.exe
C:\Windows\System32\MXeGcAN.exe
2⤵
PID:10800

C:\Windows\System32\pUrlgws.exe
C:\Windows\System32\pUrlgws.exe
2⤵
PID:10848

C:\Windows\System32\klzOtSm.exe
C:\Windows\System32\klzOtSm.exe
2⤵
PID:10788

C:\Windows\System32\Rozkruz.exe
C:\Windows\System32\Rozkruz.exe
2⤵
PID:10852

C:\Windows\System32\Mbrquvk.exe
C:\Windows\System32\Mbrquvk.exe
2⤵
PID:10976

C:\Windows\System32\Buiiyaf.exe
C:\Windows\System32\Buiiyaf.exe
2⤵
PID:11052

C:\Windows\System32\LSEFiNZ.exe
C:\Windows\System32\LSEFiNZ.exe
2⤵
PID:11148

C:\Windows\System32\FBwzbhF.exe
C:\Windows\System32\FBwzbhF.exe
2⤵
PID:11172

C:\Windows\System32\aXpJjQa.exe
C:\Windows\System32\aXpJjQa.exe
2⤵
PID:10364

C:\Windows\System32\PSwLjni.exe
C:\Windows\System32\PSwLjni.exe
2⤵
PID:9552

C:\Windows\System32\jCcITDQ.exe
C:\Windows\System32\jCcITDQ.exe
2⤵
PID:10688

C:\Windows\System32\bwiyfwV.exe
C:\Windows\System32\bwiyfwV.exe
2⤵
PID:10700

C:\Windows\System32\vyVZsAU.exe
C:\Windows\System32\vyVZsAU.exe
2⤵
PID:10880

C:\Windows\System32\gLLSGNO.exe
C:\Windows\System32\gLLSGNO.exe
2⤵
PID:11092

C:\Windows\System32\ErikBWF.exe
C:\Windows\System32\ErikBWF.exe
2⤵
PID:11112

C:\Windows\System32\ohyRDIy.exe
C:\Windows\System32\ohyRDIy.exe
2⤵
PID:11104

C:\Windows\System32\biIjlAm.exe
C:\Windows\System32\biIjlAm.exe
2⤵
PID:10404

C:\Windows\System32\JWaFbTj.exe
C:\Windows\System32\JWaFbTj.exe
2⤵
PID:10552

C:\Windows\System32\FysckCe.exe
C:\Windows\System32\FysckCe.exe
2⤵
PID:11152

C:\Windows\System32\BxIXImV.exe
C:\Windows\System32\BxIXImV.exe
2⤵
PID:10996

C:\Windows\System32\SRjORZh.exe
C:\Windows\System32\SRjORZh.exe
2⤵
PID:10624

C:\Windows\System32\znMCCnR.exe
C:\Windows\System32\znMCCnR.exe
2⤵
PID:11316

C:\Windows\System32\mMFoXYO.exe
C:\Windows\System32\mMFoXYO.exe
2⤵
PID:11332

C:\Windows\System32\byqwZKn.exe
C:\Windows\System32\byqwZKn.exe
2⤵
PID:11352

C:\Windows\System32\kqdpWDd.exe
C:\Windows\System32\kqdpWDd.exe
2⤵
PID:11372

C:\Windows\System32\tWpqojw.exe
C:\Windows\System32\tWpqojw.exe
2⤵
PID:11412

C:\Windows\System32\qLPXerG.exe
C:\Windows\System32\qLPXerG.exe
2⤵
PID:11452

C:\Windows\System32\WBzRpvm.exe
C:\Windows\System32\WBzRpvm.exe
2⤵
PID:11468

C:\Windows\System32\WHLqUWe.exe
C:\Windows\System32\WHLqUWe.exe
2⤵
PID:11496

C:\Windows\System32\GIKLRAx.exe
C:\Windows\System32\GIKLRAx.exe
2⤵
PID:11544

C:\Windows\System32\wrtBbwA.exe
C:\Windows\System32\wrtBbwA.exe
2⤵
PID:11564

C:\Windows\System32\GGboSTS.exe
C:\Windows\System32\GGboSTS.exe
2⤵
PID:11596

C:\Windows\System32\AwmTltD.exe
C:\Windows\System32\AwmTltD.exe
2⤵
PID:11632

C:\Windows\System32\ABwkfFR.exe
C:\Windows\System32\ABwkfFR.exe
2⤵
PID:11656

C:\Windows\System32\PuJqyjj.exe
C:\Windows\System32\PuJqyjj.exe
2⤵
PID:11680

C:\Windows\System32\sQweoks.exe
C:\Windows\System32\sQweoks.exe
2⤵
PID:11704

C:\Windows\System32\mAvYScK.exe
C:\Windows\System32\mAvYScK.exe
2⤵
PID:11744

C:\Windows\System32\gsFcTIX.exe
C:\Windows\System32\gsFcTIX.exe
2⤵
PID:11760

C:\Windows\System32\tFmhRKO.exe
C:\Windows\System32\tFmhRKO.exe
2⤵
PID:11796

C:\Windows\System32\VOcXRVh.exe
C:\Windows\System32\VOcXRVh.exe
2⤵
PID:11816

C:\Windows\System32\aSNHpfD.exe
C:\Windows\System32\aSNHpfD.exe
2⤵
PID:11856

C:\Windows\System32\jkNfyPZ.exe
C:\Windows\System32\jkNfyPZ.exe
2⤵
PID:11884

C:\Windows\System32\qvQhwgC.exe
C:\Windows\System32\qvQhwgC.exe
2⤵
PID:11924

C:\Windows\System32\EYkijlp.exe
C:\Windows\System32\EYkijlp.exe
2⤵
PID:11940

C:\Windows\System32\fYfuAmq.exe
C:\Windows\System32\fYfuAmq.exe
2⤵
PID:11968

C:\Windows\System32\utwksWo.exe
C:\Windows\System32\utwksWo.exe
2⤵
PID:11992

C:\Windows\System32\UPfwZrQ.exe
C:\Windows\System32\UPfwZrQ.exe
2⤵
PID:12012

C:\Windows\System32\fsDZwMF.exe
C:\Windows\System32\fsDZwMF.exe
2⤵
PID:12032

C:\Windows\System32\VeMUNvQ.exe
C:\Windows\System32\VeMUNvQ.exe
2⤵
PID:12056

C:\Windows\System32\HZnTMeV.exe
C:\Windows\System32\HZnTMeV.exe
2⤵
PID:12072

C:\Windows\System32\botSuBu.exe
C:\Windows\System32\botSuBu.exe
2⤵
PID:12104

C:\Windows\System32\jETZfkS.exe
C:\Windows\System32\jETZfkS.exe
2⤵
PID:12132

C:\Windows\System32\cTBDdIR.exe
C:\Windows\System32\cTBDdIR.exe
2⤵
PID:12148

C:\Windows\System32\oNfMbCl.exe
C:\Windows\System32\oNfMbCl.exe
2⤵
PID:12184

C:\Windows\System32\GxzWSxP.exe
C:\Windows\System32\GxzWSxP.exe
2⤵
PID:12208

C:\Windows\System32\JSVxHcd.exe
C:\Windows\System32\JSVxHcd.exe
2⤵
PID:12228

C:\Windows\System32\yQwDAOP.exe
C:\Windows\System32\yQwDAOP.exe
2⤵
PID:12268

C:\Windows\System32\plKXBvA.exe
C:\Windows\System32\plKXBvA.exe
2⤵
PID:10572

C:\Windows\System32\HVegfqC.exe
C:\Windows\System32\HVegfqC.exe
2⤵
PID:11292

C:\Windows\System32\QpkGjxJ.exe
C:\Windows\System32\QpkGjxJ.exe
2⤵
PID:11408

C:\Windows\System32\KHNPWns.exe
C:\Windows\System32\KHNPWns.exe
2⤵
PID:11524

C:\Windows\System32\UTaaKmi.exe
C:\Windows\System32\UTaaKmi.exe
2⤵
PID:11560

C:\Windows\System32\bqboMNx.exe
C:\Windows\System32\bqboMNx.exe
2⤵
PID:11620

C:\Windows\System32\LIUdYXR.exe
C:\Windows\System32\LIUdYXR.exe
2⤵
PID:10904

C:\Windows\System32\QpbpJiJ.exe
C:\Windows\System32\QpbpJiJ.exe
2⤵
PID:11688

C:\Windows\System32\SebGcMo.exe
C:\Windows\System32\SebGcMo.exe
2⤵
PID:11712

C:\Windows\System32\PYxGAKR.exe
C:\Windows\System32\PYxGAKR.exe
2⤵
PID:11768

C:\Windows\System32\BgZCqxs.exe
C:\Windows\System32\BgZCqxs.exe
2⤵
PID:11900

C:\Windows\System32\qMQBSqN.exe
C:\Windows\System32\qMQBSqN.exe
2⤵
PID:12008

C:\Windows\System32\HvcDPmg.exe
C:\Windows\System32\HvcDPmg.exe
2⤵
PID:12124

C:\Windows\System32\JUcZWWT.exe
C:\Windows\System32\JUcZWWT.exe
2⤵
PID:12140

C:\Windows\System32\XMrlxaZ.exe
C:\Windows\System32\XMrlxaZ.exe
2⤵
PID:12236

C:\Windows\System32\mYyNdHy.exe
C:\Windows\System32\mYyNdHy.exe
2⤵
PID:12200

C:\Windows\System32\RoUomVf.exe
C:\Windows\System32\RoUomVf.exe
2⤵
PID:12280

C:\Windows\System32\DOBNBRg.exe
C:\Windows\System32\DOBNBRg.exe
2⤵
PID:11348

C:\Windows\System32\xAHDXkO.exe
C:\Windows\System32\xAHDXkO.exe
2⤵
PID:11676

C:\Windows\System32\PSnnBzB.exe
C:\Windows\System32\PSnnBzB.exe
2⤵
PID:11852

C:\Windows\System32\kGnXzTd.exe
C:\Windows\System32\kGnXzTd.exe
2⤵
PID:12028

C:\Windows\System32\hTmQfCr.exe
C:\Windows\System32\hTmQfCr.exe
2⤵
PID:12172

C:\Windows\System32\WcPNyfr.exe
C:\Windows\System32\WcPNyfr.exe
2⤵
PID:12156

C:\Windows\System32\pmGZLbd.exe
C:\Windows\System32\pmGZLbd.exe
2⤵
PID:11624

C:\Windows\System32\HpoaQCC.exe
C:\Windows\System32\HpoaQCC.exe
2⤵
PID:11832

C:\Windows\System32\HcqiXry.exe
C:\Windows\System32\HcqiXry.exe
2⤵
PID:11488

C:\Windows\System32\nxiKyru.exe
C:\Windows\System32\nxiKyru.exe
2⤵
PID:11964

C:\Windows\System32\IWKlmbj.exe
C:\Windows\System32\IWKlmbj.exe
2⤵
PID:12304

C:\Windows\System32\aKIxBOo.exe
C:\Windows\System32\aKIxBOo.exe
2⤵
PID:12328

C:\Windows\System32\idkuBCv.exe
C:\Windows\System32\idkuBCv.exe
2⤵
PID:12352

C:\Windows\System32\HGIytTa.exe
C:\Windows\System32\HGIytTa.exe
2⤵
PID:12384

C:\Windows\System32\yuQpuHJ.exe
C:\Windows\System32\yuQpuHJ.exe
2⤵
PID:12412

C:\Windows\System32\dmkgagN.exe
C:\Windows\System32\dmkgagN.exe
2⤵
PID:12432

C:\Windows\System32\MVfaaFB.exe
C:\Windows\System32\MVfaaFB.exe
2⤵
PID:12464

C:\Windows\System32\ewLBDRu.exe
C:\Windows\System32\ewLBDRu.exe
2⤵
PID:12484

C:\Windows\System32\cwfNSge.exe
C:\Windows\System32\cwfNSge.exe
2⤵
PID:12500

C:\Windows\System32\EWqkRnf.exe
C:\Windows\System32\EWqkRnf.exe
2⤵
PID:12572

C:\Windows\System32\WCPgRhU.exe
C:\Windows\System32\WCPgRhU.exe
2⤵
PID:12592

C:\Windows\System32\jgaUZjy.exe
C:\Windows\System32\jgaUZjy.exe
2⤵
PID:12616

C:\Windows\System32\kIsUWqq.exe
C:\Windows\System32\kIsUWqq.exe
2⤵
PID:12636

C:\Windows\System32\AiXswNB.exe
C:\Windows\System32\AiXswNB.exe
2⤵
PID:12676

C:\Windows\System32\jomqDfK.exe
C:\Windows\System32\jomqDfK.exe
2⤵
PID:12696

C:\Windows\System32\rODbEiM.exe
C:\Windows\System32\rODbEiM.exe
2⤵
PID:12720

C:\Windows\System32\CHCFiVh.exe
C:\Windows\System32\CHCFiVh.exe
2⤵
PID:12740

C:\Windows\System32\FPkUsOy.exe
C:\Windows\System32\FPkUsOy.exe
2⤵
PID:12756

C:\Windows\System32\Qzyhfgk.exe
C:\Windows\System32\Qzyhfgk.exe
2⤵
PID:12792

C:\Windows\System32\oIugIHc.exe
C:\Windows\System32\oIugIHc.exe
2⤵
PID:12828

C:\Windows\System32\jjUcCSA.exe
C:\Windows\System32\jjUcCSA.exe
2⤵
PID:12848

C:\Windows\System32\bHVBoSE.exe
C:\Windows\System32\bHVBoSE.exe
2⤵
PID:12876

C:\Windows\System32\EUKAtQb.exe
C:\Windows\System32\EUKAtQb.exe
2⤵
PID:12896

C:\Windows\System32\EsdzFqj.exe
C:\Windows\System32\EsdzFqj.exe
2⤵
PID:12924

C:\Windows\System32\cjQQeZD.exe
C:\Windows\System32\cjQQeZD.exe
2⤵
PID:12972

C:\Windows\System32\vYlCUxk.exe
C:\Windows\System32\vYlCUxk.exe
2⤵
PID:13012

C:\Windows\System32\JqxfTnV.exe
C:\Windows\System32\JqxfTnV.exe
2⤵
PID:13036

C:\Windows\System32\fkdneZs.exe
C:\Windows\System32\fkdneZs.exe
2⤵
PID:13052

C:\Windows\System32\iUUkPRd.exe
C:\Windows\System32\iUUkPRd.exe
2⤵
PID:13072

C:\Windows\System32\lGwkfaI.exe
C:\Windows\System32\lGwkfaI.exe
2⤵
PID:13120

C:\Windows\System32\KNuUyRS.exe
C:\Windows\System32\KNuUyRS.exe
2⤵
PID:13140

C:\Windows\System32\dqjiiUO.exe
C:\Windows\System32\dqjiiUO.exe
2⤵
PID:13176

C:\Windows\System32\liRklUp.exe
C:\Windows\System32\liRklUp.exe
2⤵
PID:13212

C:\Windows\System32\mapmmoy.exe
C:\Windows\System32\mapmmoy.exe
2⤵
PID:13244

C:\Windows\System32\vbGhqAZ.exe
C:\Windows\System32\vbGhqAZ.exe
2⤵
PID:13268

C:\Windows\System32\xxtHjpY.exe
C:\Windows\System32\xxtHjpY.exe
2⤵
PID:11492

C:\Windows\System32\ZYXnfWH.exe
C:\Windows\System32\ZYXnfWH.exe
2⤵
PID:12348

C:\Windows\System32\DlCIrvC.exe
C:\Windows\System32\DlCIrvC.exe
2⤵
PID:12380

C:\Windows\System32\fwHtjrP.exe
C:\Windows\System32\fwHtjrP.exe
2⤵
PID:12476

C:\Windows\System32\Bwoaoct.exe
C:\Windows\System32\Bwoaoct.exe
2⤵
PID:12520

C:\Windows\System32\sixtFVo.exe
C:\Windows\System32\sixtFVo.exe
2⤵
PID:12600

C:\Windows\System32\XhdvgTR.exe
C:\Windows\System32\XhdvgTR.exe
2⤵
PID:12652

C:\Windows\System32\kPfZHVk.exe
C:\Windows\System32\kPfZHVk.exe
2⤵
PID:12704

C:\Windows\System32\fPXHPBD.exe
C:\Windows\System32\fPXHPBD.exe
2⤵
PID:12768

C:\Windows\System32\EMnheSv.exe
C:\Windows\System32\EMnheSv.exe
2⤵
PID:12856

C:\Windows\System32\LCQWios.exe
C:\Windows\System32\LCQWios.exe
2⤵
PID:12892

C:\Windows\System32\RiQfwxF.exe
C:\Windows\System32\RiQfwxF.exe
2⤵
PID:13204

C:\Windows\System32\MkUBJCY.exe
C:\Windows\System32\MkUBJCY.exe
2⤵
PID:12428

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13100

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AsPefuc.exe
Filesize
1.1MB

MD5
c1240fa1de7ed0936941f01e5d4d58ce

SHA1
701563cc355e3cc3c380d7c1c52b6789f630eefe

SHA256
f12b3dcb21cf72d40160db81b318d920b956649ffceff46dd51cca56716910a0

SHA512
5303da7e217938dc40c5220dcf0417fefa0299c2cbbbfa9fce0cae0f5c945c08771e7cfe275ffdf1f39eff07235805bb84cf589c5b41e38b10514872a94eec7c

Download Submit
C:\Windows\System32\BGJIZKT.exe
Filesize
1.1MB

MD5
727fd1311234f3bc40628c87f8d8b165

SHA1
fe1d70c564cf36173a6572b3ac23f66474498495

SHA256
655aaae9cd48ad1890e20d11370908ee9fc763919b174f550f9554acde20715c

SHA512
f1e825404e10ceb86809f391b1de8748de16bfe45f0352c2196fb9f1b3da0b8ac717c7e323533c430175e8508b8e461902a8847ef0dffb989b026e02ed8a37f9

Download Submit
C:\Windows\System32\BqDdGSy.exe
Filesize
1.1MB

MD5
f779cfbfb9dcdd475c2b881a20f93c1d

SHA1
b3ab808ae6499e46ebe53fc28b75dccd479038d2

SHA256
cb7ceed5e0d7bb562d0ad502fd450b6011f3039720a9d3c56d05804444622739

SHA512
59aced3bf53784f21a1ca4c8344d0b25c9a0463ca5a67ab698c07be8b371793e978d1363a3c96e7ca747a0663f79c838118720222156bde372d4e8ab991107d8

Download Submit
C:\Windows\System32\EZuPapn.exe
Filesize
1.1MB

MD5
bf3e7b82b67e003b2c0b0809ed66f834

SHA1
1d7ca530e67f1aa31cda9bb91e41b789f123e8a8

SHA256
3084126e09aea8fabb1fcff462bcdba2d03851f1df3fb1fbb7eb17b446607c09

SHA512
84fc59fe3195f0087b0aaba1caef249c237421b96d5493dded684ddd98dbe28c722eab277f62313f977e281f148c01437cf410a59ccb83341b4ef529875e7845

Download Submit
C:\Windows\System32\FzXEPjM.exe
Filesize
1.1MB

MD5
8452500644294a43d7b283ac801236fd

SHA1
d983bb6ef317cd9a34c3820be24f28cbed0e5ede

SHA256
5ec74cd7269c794ed605a3d385c27c8318fba0d2f0d9abcddfa88a1948148396

SHA512
241323c0da7138e68244768d500baed9adb9a393253bcc0d691d15093538732d5283dd55a92b01374aca0cf6915251406c69586de79f5153b0f3d5810c9c1245

Download Submit
C:\Windows\System32\HRtOEHM.exe
Filesize
1.1MB

MD5
e6c06c5afedd1b3caa071ac983d4d583

SHA1
935e89f22cee0d21013d36ec4ad17819837619c1

SHA256
517da2c76280cc19bf51ef983b8fcd97e489b69c1a9a745a79f2c32ee5c33de3

SHA512
e2171e6549df74fa3cb362982c21f8338d9a8a3485add1f76177776da7debaca59e88c51581de0b5b12079755afba02acf5194cc933318f4d13b6f2b43fcb2fe

Download Submit
C:\Windows\System32\LUxCIei.exe
Filesize
1.1MB

MD5
203a8cf8e8ea3385cf01a9d4fac7b8b2

SHA1
9604b82fe64ceffdf92dc82e04242fc65246cbc0

SHA256
b849e649f13c4879bb7e93d1e3db4b9be040e12b612172a6f1ce4e413eafa39f

SHA512
95347b4be349376ce9b328af7df8bd66958610b140c55579b39fb1cc37b17eafac3a31225e276916de81d058ffb7b40ce6e081b7d5dd3e726cb1a059d287f7a6

Download Submit
C:\Windows\System32\MadwdeC.exe
Filesize
1.1MB

MD5
b570fd2813569097b43fdf8d9a79f61b

SHA1
bb062228fcb9c568118cf46f5faac9251317c8be

SHA256
85074008c2aeafea682ca4537a29e9ec600d8fa6bca55744133c5fefdb59ca20

SHA512
f645e51800269e3a7d4cc82ff150c76107ddb1f68e4439e2390035e6a8df6d74f14927e4fc1426b7a27f594b486e9c2eecaba937cb2cce09aaceff06add6582b

Download Submit
C:\Windows\System32\NxQIKcS.exe
Filesize
1.1MB

MD5
1e863497734d29c7affc8ab9c5b3e4df

SHA1
35e519f4b1a2a4bc2a4a569844fd4be23a45eee6

SHA256
b16b7e46dd22b722cd937316ea86122e52dc9249c2595ac4d38b56d7d13262e8

SHA512
e412c73c8071428e141008082031472a0062108c2da11e11f585380f833aa59f3dcf22b55183ac37135a5b9a6de65b6f92f5d4d9ce1129c5e6e4a8686a561939

Download Submit
C:\Windows\System32\QzUGbCy.exe
Filesize
1.1MB

MD5
69c90fd30439d0499ecb38f03d34b652

SHA1
91c66908b911c5e5476a31fa973c33a266e2592c

SHA256
572d27d35794c6cff72f488353e392ec578b7127d7335a492c3f4ce0375d97d2

SHA512
64b17d4dc70db30d56814520ddedf78b8206d71113105d1ef08b2d24170867548f569f96f5cf50878ac7a3623a131b8c4846740f07e181504499d0fbc7634bf4

Download Submit
C:\Windows\System32\SpfiOPU.exe
Filesize
1.1MB

MD5
57381ab8011f08870210dbae966e8c3b

SHA1
e80258a27dcdfce07f3cff1778b921a1d580016a

SHA256
3cb5a462a47fefa21be8b78b4d1fc89fed7f4149f6f3bcaf1a6ba13fd6e4d1e9

SHA512
0344205c7efea5b06f545be8793bb0ce9524197f868b7c57db038cb522c2311ca594ed98de70bc7938d61554cdb291513dbd94598c163c6300cbd9ea013aa059

Download Submit
C:\Windows\System32\THtxFIa.exe
Filesize
1.1MB

MD5
373b4cf60298d2385230ff598540fa6c

SHA1
a9e5f2f9c8bdcfc01dce52d4cd002842f3cb698a

SHA256
2567a614ec2198121a0115ee07f9544c63fb340302601aaa127b3ecf9e5bb5bf

SHA512
832343c334119fd774117f6ed955604b134a4faf6e15d46a009dc4a890d5998ca62017316f9bf5c4935883d679c31b8dbb1ba8a6601ef78575d4a83e41e80381

Download Submit
C:\Windows\System32\VCMCQSw.exe
Filesize
1.1MB

MD5
6a58601af972cef077f9a7fce6a1b071

SHA1
e6cd18cd8465984dde8a5595b6fea2741b812672

SHA256
e47e3a0289f67904c3617fa53817dfc46fc5bc26aa531310c7042731a2737b07

SHA512
04372ba8b1e0129e6bc1d08f93a1300d2daf0219f99d93a4230769d940424f4965f71f4223c6d13ab0c9b4dea83eca7d34edeb17a726885b8c883a951f0d3df5

Download Submit
C:\Windows\System32\VwPBBvI.exe
Filesize
1.1MB

MD5
f97a611d83d019879797a9cf05559cd5

SHA1
2282a275104e9af5cd5ec1c2f79f64ab23f88e7c

SHA256
f76eb7cb33892145eacb9186efb7c14bd4fa17e3b84dad962a78dd04f8bcf917

SHA512
48e1f770db34911523b50cd9f7ca56d977c153040a7f96c6d37c63a4af4fe82a2d9b3e4ea03f30501c32fe8e8559ab2522207519ef0f8fc2ae88fe025b26ec26

Download Submit
C:\Windows\System32\WVPgNkl.exe
Filesize
1.1MB

MD5
bd61cc42c8f4709331953994846f92c9

SHA1
b37a95a85d7c3394e618facb0d85b05fe4295e4c

SHA256
546b9fc998e5dacbaaeda400022b891cca254f70b1b9e81aa72001c8dcdd144e

SHA512
f94a4671a68185cf13ce474646c75017d1ca116b3012e7fc423f8ae972bb48f381387054a4a46ce015a20a34d27ad95c37971bdcddd7104459212eeb969b9cde

Download Submit
C:\Windows\System32\WXWtKEs.exe
Filesize
1.1MB

MD5
84b8ec1f0c05b6ee35ef606f953c33ce

SHA1
69a2e4f8861ab49371d1f79ca5fdf4208101467a

SHA256
9ce905ea611ccf608d2dfc68b9ee4157130eb0b23ba0817d08849e090e1e170e

SHA512
2ff7f27a3be9b4c57558e42e29f8e5ee18e878b5bfab2684c12035d3d33fc3e3c8c861b01e7f8b44b6af9033f640cf4135fbe360786a55ecc360bf691f3a6a97

Download Submit
C:\Windows\System32\XxlQYiI.exe
Filesize
1.1MB

MD5
0d1fa8ba0b3dcc93d9829df8130f9236

SHA1
b949f2f648a75e74b64fbb807b44f0c1e57f6f5b

SHA256
83ce98019fa3e9eabdd17c5de66150a75618d08f7ae1e1ce430c9d1156335865

SHA512
a2a82c77e5b6e07ed8ebc10baf38b3282f448ba189e825244bc8653bafb0862d8d26a442f66f989e827a5d0572af088dd48b4891ae84e84187d61f14cfe7b456

Download Submit
C:\Windows\System32\bqblbpd.exe
Filesize
1.1MB

MD5
0ef3c995d8c9a9710315872b6dd40f80

SHA1
307a30b5019a9d43ea09256fd3ce3882c01b4198

SHA256
8fafd70babb6f26cdbfe9812bafd011a35b46a8e4a1c5295c9079a23420697be

SHA512
4aeccd83cdebd5dcc8d55f1d84b81cb9e3f178d3392e066c0b339476112ef8e3f0517bf00e738ce37ef46831911457b877fb7f86423375e485b4f0d45d6d398b

Download Submit
C:\Windows\System32\cFswcKt.exe
Filesize
1.1MB

MD5
387bb41dccba2c741f0b80dedc490c39

SHA1
d9f79d980fc32d11a4a9be3a587b24f13d729b28

SHA256
6f5062fb1edb2f611732e217937cb21ffd168c99de77c80f7d1b80ebb2b41d2f

SHA512
0347960a1b461d93b096f2407af5bc9e6697803f372b338c1daf15347c1015ca36c64d4b867f84b121dc5c82b5fc6d87c155de6f261ac501cabf050f9252a359

Download Submit
C:\Windows\System32\dAllKdK.exe
Filesize
1.1MB

MD5
f8f6bc424025b55eb8ecab04763d3352

SHA1
9a2b7647be4ef458cdac31e1a76a5c78411e783c

SHA256
6ce4ec6b83da24fceb787ac96422afcac13704cff37116112828a02a11bd8f8f

SHA512
add88f2204cf5f78f1742509e4c29f1153fc4c2175f5f314c02cf8ed74ccadee2a819f7463a4733f0d7ec617fa307776f7dfc485859653f7326c0901aeb5e88b

Download Submit
C:\Windows\System32\dvoCMbh.exe
Filesize
1.1MB

MD5
a956c8ae07747403c616de1e5108b1a3

SHA1
7819d959114f9051fb875ad1c1207b696eb92354

SHA256
c687d5f5e7988a3ba0fd8533e815806c41a958da62e2df2e81f91e1a57167fae

SHA512
c420dd1d260cc549a7c13ce1d4b971f796735b820a0dcdeac198aed60bfefe6d78ff305d52b19fe65b0fa4cb31868d37dda76bfcfecdad886813948da9fa7fca

Download Submit
C:\Windows\System32\jzSTeRq.exe
Filesize
1.1MB

MD5
531a394313b8e96645d13f89b87cea47

SHA1
b312e1c0c24c576b0a2687728432b0241a9a62cc

SHA256
3780c23a0ce9b5dd352529e2e5d6cb0435cd7d9574f7b93faef311bd4e0bf275

SHA512
5bb42f4b53c205a20ef77151405f26840dbc12eff91e848f73258a3bedb8188b898eead7ff486b27f6753af04c1c8ad147dd0f6dfad786e79e33acc61351ba21

Download Submit
C:\Windows\System32\lVicnRS.exe
Filesize
1.1MB

MD5
8555fb6b0c1e1dda51f6101b0ff434ca

SHA1
4f13a84f60210e2458d0668c70875713e7c1b52e

SHA256
ea3c5239b5e8f5fb9007e0a4ebc65a6f807fea2c3f21e7e905afdd92b35307cf

SHA512
739039431c43fdbeaac970f3765c695d40fc232eac1745663a56862bc4535fa3335468253792fb4e0b6c36eea65bbbfaa88ecea2863cdda561f8ca9e6d137454

Download Submit
C:\Windows\System32\roWFnpr.exe
Filesize
1.1MB

MD5
72fcec3877fa85876cc89d7662a1819f

SHA1
140906b1c45408364b9c59d2cd0e95d1498db55d

SHA256
c709cc1d195715ace34c50160b50a812a1eeee1166b797b8ea7b7a2923646187

SHA512
1283f3c0663252f8f800d991f12d50fa72e37ff7ff76ba989aa5e81c01199fc0a09e286ae9eb9401ad07b6d75cb047acd04a1f2b333442f42b4a32696e8c6dce

Download Submit
C:\Windows\System32\sSrFLZa.exe
Filesize
1.1MB

MD5
9564ad6e005736bf19b9c2c035fafe71

SHA1
0f4646057068f71d9fe70bacaa1fcd9c6704edce

SHA256
3820ed544172ec2779b9aac46de2a9a759bade6c0e9bc5be5cfd873aa7487ddb

SHA512
ecce16eef54e0045112b20723b5cb58bd7c5db89811392542ef83fad1553fb54fdb1b992384d960db86e585cae49c945c931002c5e05004cf527c889a03a36d4

Download Submit
C:\Windows\System32\tDXDygV.exe
Filesize
1.1MB

MD5
c28be304253331138db31822a80a2a03

SHA1
784a400ec7de957480fd85e20e7bd77cc74b362d

SHA256
bd189872894ffb03f2d43bb9f21a17bd497a664fb64d457466611c0a7083ff05

SHA512
155ba76d7cde60633af67f19773a58f1af018dcc91b678fa0ca50358ccea002e86745bfc90278099d1d396b1f20cb353c60f45d991e00b4f814b8cd6f2d3fdf8

Download Submit
C:\Windows\System32\tVWjaST.exe
Filesize
1.1MB

MD5
a7de0c02550da1cc095c4b211e0f2855

SHA1
2d1aa0d47c41a405bc631002509c3a6aba668c6a

SHA256
49b07bfdceb1a9fcf1131a0bd41120b45e660a6e952b2cbd6e6ce4d3ada2f3fb

SHA512
b851d8a34c30dc588f996dfa18c813886ae6f6a2c7361e769e898146d654204fbd307d1e6c0ea7a53ee8a9564a6abc6bdf746375f06a227c918ad5af1e79a905

Download Submit
C:\Windows\System32\vBRqIBd.exe
Filesize
1.1MB

MD5
318654232a5370a5f6b94976fdb9684d

SHA1
48c11a9b8ca893860ac18ddcd0af8434b5d58e68

SHA256
21153ab1bb210dcfc7fa027234406d4ef6b3f9ed0d6cc616d32da7ed2f8bafb5

SHA512
9541c846f828b809a59c2260e740eed66fbf37bb96037a6485028a37c56a34fb3f4b6b4d7aaaee92cc42e74dddef92584afdeccf0a816c5ffe7e00b8bd46f6ac

Download Submit
C:\Windows\System32\wQRFdbO.exe
Filesize
1.1MB

MD5
c9fad6009bafc6bffc14efea6c2b84da

SHA1
2ab7439576452dc14186484dc65b62249baf6d3f

SHA256
26405a1b21a69de02cde01757716c87d6fff2e58845b88329049a197d94daea1

SHA512
21e8a7a46c638f815c4b63a4aaf013cc125ef09a3bafbfddeabc723d98524b05136908b64f464ead0a34060c8c022195a5f2c049d5c19c6b3c55cafb27936a6f

Download Submit
C:\Windows\System32\zNBsBQA.exe
Filesize
1.1MB

MD5
da0ad31a0c3f935844337faeb5d5a4aa

SHA1
5355b0a3902bcd2980bebdfa2657ab4c750f134f

SHA256
e4571f49488cfe982dd580c2154c6a2dede32384ed5c22955b46c86f89e07138

SHA512
dd05cdd0f924b911c1c9c878ee9dba61e2c18c67d0189cb9e37ed87169c9dd59071fc7873eba3459e822bed86e2807046f246df577cfb0aa1fe5abcff2ac27bc

Download Submit
C:\Windows\System32\zQRaspR.exe
Filesize
1.1MB

MD5
0717ca0c45add6bbef52245af5990ccb

SHA1
62b1b16c554169b52d946295a57c36de1674615f

SHA256
3d22bf49a6a858f6c3983bc0fecdecb3e41e436403125713ade9a0d6dc8cb5e8

SHA512
78b7e8a98a49147004633d7303725137299385ed7c218948eddb4b2c98a49c0660e9a4dd81088dd992a7616153eefed42e35cf539149b0b7be3a3263a4bbcb3c

Download Submit
C:\Windows\System32\zWBlbRw.exe
Filesize
1.1MB

MD5
4d0c2036b82f3e89436adb2de87c6820

SHA1
248ad5d2d47270d48e4d094268bd7b38d6502662

SHA256
bc5c033479fde2fa63d44a4a73d6513cfb5baa2828f5e87ed93e8820f20f50f7

SHA512
e985d7f6a39ee145afe19e609e70a2bffbcdce9c3c95aa03200459772e93116cf477c988a5ff828752885861e5bdc4658bbdf7796a4fa1d3faa75420fe50261d

Download Submit
memory/540-1915-0x00007FF736B60000-0x00007FF736F51000-memory.dmp

Filesize
3.9MB

Download
memory/540-2098-0x00007FF736B60000-0x00007FF736F51000-memory.dmp

Filesize
3.9MB

Download
memory/540-0-0x00007FF736B60000-0x00007FF736F51000-memory.dmp

Filesize
3.9MB

Download
memory/540-1-0x00000195FA630000-0x00000195FA640000-memory.dmp

Filesize
64KB

Download
memory/632-2111-0x00007FF7C55F0000-0x00007FF7C59E1000-memory.dmp

Filesize
3.9MB

Download
memory/632-26-0x00007FF7C55F0000-0x00007FF7C59E1000-memory.dmp

Filesize
3.9MB

Download
memory/636-2115-0x00007FF606950000-0x00007FF606D41000-memory.dmp

Filesize
3.9MB

Download
memory/636-22-0x00007FF606950000-0x00007FF606D41000-memory.dmp

Filesize
3.9MB

Download
memory/636-1920-0x00007FF606950000-0x00007FF606D41000-memory.dmp

Filesize
3.9MB

Download
memory/1228-2127-0x00007FF6F3E20000-0x00007FF6F4211000-memory.dmp

Filesize
3.9MB

Download
memory/1228-45-0x00007FF6F3E20000-0x00007FF6F4211000-memory.dmp

Filesize
3.9MB

Download
memory/1228-2063-0x00007FF6F3E20000-0x00007FF6F4211000-memory.dmp

Filesize
3.9MB

Download
memory/1344-389-0x00007FF6D9A60000-0x00007FF6D9E51000-memory.dmp

Filesize
3.9MB

Download
memory/1344-2147-0x00007FF6D9A60000-0x00007FF6D9E51000-memory.dmp

Filesize
3.9MB

Download
memory/1376-2131-0x00007FF6C52C0000-0x00007FF6C56B1000-memory.dmp

Filesize
3.9MB

Download
memory/1376-353-0x00007FF6C52C0000-0x00007FF6C56B1000-memory.dmp

Filesize
3.9MB

Download
memory/1608-2157-0x00007FF7CD1B0000-0x00007FF7CD5A1000-memory.dmp

Filesize
3.9MB

Download
memory/1608-393-0x00007FF7CD1B0000-0x00007FF7CD5A1000-memory.dmp

Filesize
3.9MB

Download
memory/1680-2123-0x00007FF656840000-0x00007FF656C31000-memory.dmp

Filesize
3.9MB

Download
memory/1680-52-0x00007FF656840000-0x00007FF656C31000-memory.dmp

Filesize
3.9MB

Download
memory/1920-2113-0x00007FF762820000-0x00007FF762C11000-memory.dmp

Filesize
3.9MB

Download
memory/1920-18-0x00007FF762820000-0x00007FF762C11000-memory.dmp

Filesize
3.9MB

Download
memory/2104-387-0x00007FF7CB260000-0x00007FF7CB651000-memory.dmp

Filesize
3.9MB

Download
memory/2104-2143-0x00007FF7CB260000-0x00007FF7CB651000-memory.dmp

Filesize
3.9MB

Download
memory/2160-392-0x00007FF79C4B0000-0x00007FF79C8A1000-memory.dmp

Filesize
3.9MB

Download
memory/2160-2155-0x00007FF79C4B0000-0x00007FF79C8A1000-memory.dmp

Filesize
3.9MB

Download
memory/2268-2220-0x00007FF6B99F0000-0x00007FF6B9DE1000-memory.dmp

Filesize
3.9MB

Download
memory/2268-53-0x00007FF6B99F0000-0x00007FF6B9DE1000-memory.dmp

Filesize
3.9MB

Download
memory/2268-2096-0x00007FF6B99F0000-0x00007FF6B9DE1000-memory.dmp

Filesize
3.9MB

Download
memory/2332-359-0x00007FF72E400000-0x00007FF72E7F1000-memory.dmp

Filesize
3.9MB

Download
memory/2332-2130-0x00007FF72E400000-0x00007FF72E7F1000-memory.dmp

Filesize
3.9MB

Download
memory/2560-370-0x00007FF6902E0000-0x00007FF6906D1000-memory.dmp

Filesize
3.9MB

Download
memory/2560-2121-0x00007FF6902E0000-0x00007FF6906D1000-memory.dmp

Filesize
3.9MB

Download
memory/3296-27-0x00007FF748B70000-0x00007FF748F61000-memory.dmp

Filesize
3.9MB

Download
memory/3296-2119-0x00007FF748B70000-0x00007FF748F61000-memory.dmp

Filesize
3.9MB

Download
memory/3296-2060-0x00007FF748B70000-0x00007FF748F61000-memory.dmp

Filesize
3.9MB

Download
memory/3964-2145-0x00007FF686FD0000-0x00007FF6873C1000-memory.dmp

Filesize
3.9MB

Download
memory/3964-388-0x00007FF686FD0000-0x00007FF6873C1000-memory.dmp

Filesize
3.9MB

Download
memory/4004-378-0x00007FF6977A0000-0x00007FF697B91000-memory.dmp

Filesize
3.9MB

Download
memory/4004-2135-0x00007FF6977A0000-0x00007FF697B91000-memory.dmp

Filesize
3.9MB

Download
memory/4132-2125-0x00007FF6E7E40000-0x00007FF6E8231000-memory.dmp

Filesize
3.9MB

Download
memory/4132-348-0x00007FF6E7E40000-0x00007FF6E8231000-memory.dmp

Filesize
3.9MB

Download
memory/4240-40-0x00007FF70C120000-0x00007FF70C511000-memory.dmp

Filesize
3.9MB

Download
memory/4240-2133-0x00007FF70C120000-0x00007FF70C511000-memory.dmp

Filesize
3.9MB

Download
memory/4240-2062-0x00007FF70C120000-0x00007FF70C511000-memory.dmp

Filesize
3.9MB

Download
memory/4356-2061-0x00007FF73C180000-0x00007FF73C571000-memory.dmp

Filesize
3.9MB

Download
memory/4356-37-0x00007FF73C180000-0x00007FF73C571000-memory.dmp

Filesize
3.9MB

Download
memory/4356-2118-0x00007FF73C180000-0x00007FF73C571000-memory.dmp

Filesize
3.9MB

Download
memory/4496-2141-0x00007FF6C38C0000-0x00007FF6C3CB1000-memory.dmp

Filesize
3.9MB

Download
memory/4496-386-0x00007FF6C38C0000-0x00007FF6C3CB1000-memory.dmp

Filesize
3.9MB

Download
memory/4580-2160-0x00007FF6FB550000-0x00007FF6FB941000-memory.dmp

Filesize
3.9MB

Download
memory/4580-390-0x00007FF6FB550000-0x00007FF6FB941000-memory.dmp

Filesize
3.9MB

Download
memory/4676-384-0x00007FF693190000-0x00007FF693581000-memory.dmp

Filesize
3.9MB

Download
memory/4676-2139-0x00007FF693190000-0x00007FF693581000-memory.dmp

Filesize
3.9MB

Download
memory/5064-383-0x00007FF605680000-0x00007FF605A71000-memory.dmp

Filesize
3.9MB

Download
memory/5064-2137-0x00007FF605680000-0x00007FF605A71000-memory.dmp

Filesize
3.9MB

Download
memory/5084-2149-0x00007FF766010000-0x00007FF766401000-memory.dmp

Filesize
3.9MB

Download
memory/5084-391-0x00007FF766010000-0x00007FF766401000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads