xmrig | 28a3d3927f8fcc34b8fa1c337c85032fabec64a149d1959f601750ac24b525e6

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2024 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
Size

1.1MB
MD5

005e54381bdfee37a976e678fa8f6a53
SHA1

65a429910ae92c78fe95c795b296fb5f178ea814
SHA256

28a3d3927f8fcc34b8fa1c337c85032fabec64a149d1959f601750ac24b525e6
SHA512

4db3a465b8a1159746f132a4912523fdd48cccbc13f087b7fc813c8b4b9dc1a7d8e812ac7bbc08f82c9022938325312c34a501aa764685495a23e8237658df9c
SSDEEP

24576:JanwhSe11QSONCpGJCjETPl+Me7bPMS8YkgcRqifh+8x:knw9oUUEEDl+xTMS8Tg2

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 53 IoCs

miner

resource	yara_rule
behavioral2/memory/2940-86-0x00007FF76B030000-0x00007FF76B421000-memory.dmp	xmrig
behavioral2/memory/4960-95-0x00007FF766200000-0x00007FF7665F1000-memory.dmp	xmrig
behavioral2/memory/3252-114-0x00007FF7007D0000-0x00007FF700BC1000-memory.dmp	xmrig
behavioral2/memory/4100-278-0x00007FF793110000-0x00007FF793501000-memory.dmp	xmrig
behavioral2/memory/1648-280-0x00007FF650840000-0x00007FF650C31000-memory.dmp	xmrig
behavioral2/memory/636-281-0x00007FF74AAC0000-0x00007FF74AEB1000-memory.dmp	xmrig
behavioral2/memory/1416-279-0x00007FF6418B0000-0x00007FF641CA1000-memory.dmp	xmrig
behavioral2/memory/4060-1206-0x00007FF7C47E0000-0x00007FF7C4BD1000-memory.dmp	xmrig
behavioral2/memory/4616-1953-0x00007FF70C290000-0x00007FF70C681000-memory.dmp	xmrig
behavioral2/memory/5048-1956-0x00007FF71C2B0000-0x00007FF71C6A1000-memory.dmp	xmrig
behavioral2/memory/3316-1957-0x00007FF62CFB0000-0x00007FF62D3A1000-memory.dmp	xmrig
behavioral2/memory/2932-1955-0x00007FF74DF30000-0x00007FF74E321000-memory.dmp	xmrig
behavioral2/memory/3160-1954-0x00007FF7B8940000-0x00007FF7B8D31000-memory.dmp	xmrig
behavioral2/memory/1924-1652-0x00007FF68AEA0000-0x00007FF68B291000-memory.dmp	xmrig
behavioral2/memory/3252-1969-0x00007FF7007D0000-0x00007FF700BC1000-memory.dmp	xmrig
behavioral2/memory/3788-1204-0x00007FF78E6E0000-0x00007FF78EAD1000-memory.dmp	xmrig
behavioral2/memory/5100-1970-0x00007FF62A380000-0x00007FF62A771000-memory.dmp	xmrig
behavioral2/memory/2396-1971-0x00007FF7F2D30000-0x00007FF7F3121000-memory.dmp	xmrig
behavioral2/memory/1732-2004-0x00007FF6DC5C0000-0x00007FF6DC9B1000-memory.dmp	xmrig
behavioral2/memory/3788-2006-0x00007FF78E6E0000-0x00007FF78EAD1000-memory.dmp	xmrig
behavioral2/memory/1540-104-0x00007FF6C4200000-0x00007FF6C45F1000-memory.dmp	xmrig
behavioral2/memory/1048-98-0x00007FF7F39E0000-0x00007FF7F3DD1000-memory.dmp	xmrig
behavioral2/memory/460-101-0x00007FF6566E0000-0x00007FF656AD1000-memory.dmp	xmrig
behavioral2/memory/3096-93-0x00007FF716E50000-0x00007FF717241000-memory.dmp	xmrig
behavioral2/memory/1920-90-0x00007FF60D9D0000-0x00007FF60DDC1000-memory.dmp	xmrig
behavioral2/memory/3316-89-0x00007FF62CFB0000-0x00007FF62D3A1000-memory.dmp	xmrig
behavioral2/memory/2644-84-0x00007FF6C4AA0000-0x00007FF6C4E91000-memory.dmp	xmrig
behavioral2/memory/2932-58-0x00007FF74DF30000-0x00007FF74E321000-memory.dmp	xmrig
behavioral2/memory/3456-55-0x00007FF643B50000-0x00007FF643F41000-memory.dmp	xmrig
behavioral2/memory/4060-2011-0x00007FF7C47E0000-0x00007FF7C4BD1000-memory.dmp	xmrig
behavioral2/memory/3096-2015-0x00007FF716E50000-0x00007FF717241000-memory.dmp	xmrig
behavioral2/memory/4616-2017-0x00007FF70C290000-0x00007FF70C681000-memory.dmp	xmrig
behavioral2/memory/2644-2021-0x00007FF6C4AA0000-0x00007FF6C4E91000-memory.dmp	xmrig
behavioral2/memory/3456-2019-0x00007FF643B50000-0x00007FF643F41000-memory.dmp	xmrig
behavioral2/memory/2940-2051-0x00007FF76B030000-0x00007FF76B421000-memory.dmp	xmrig
behavioral2/memory/5048-2055-0x00007FF71C2B0000-0x00007FF71C6A1000-memory.dmp	xmrig
behavioral2/memory/460-2057-0x00007FF6566E0000-0x00007FF656AD1000-memory.dmp	xmrig
behavioral2/memory/3316-2059-0x00007FF62CFB0000-0x00007FF62D3A1000-memory.dmp	xmrig
behavioral2/memory/5100-2063-0x00007FF62A380000-0x00007FF62A771000-memory.dmp	xmrig
behavioral2/memory/3252-2065-0x00007FF7007D0000-0x00007FF700BC1000-memory.dmp	xmrig
behavioral2/memory/1540-2061-0x00007FF6C4200000-0x00007FF6C45F1000-memory.dmp	xmrig
behavioral2/memory/1920-2053-0x00007FF60D9D0000-0x00007FF60DDC1000-memory.dmp	xmrig
behavioral2/memory/1048-2049-0x00007FF7F39E0000-0x00007FF7F3DD1000-memory.dmp	xmrig
behavioral2/memory/4960-2047-0x00007FF766200000-0x00007FF7665F1000-memory.dmp	xmrig
behavioral2/memory/3160-2045-0x00007FF7B8940000-0x00007FF7B8D31000-memory.dmp	xmrig
behavioral2/memory/2396-2067-0x00007FF7F2D30000-0x00007FF7F3121000-memory.dmp	xmrig
behavioral2/memory/1416-2073-0x00007FF6418B0000-0x00007FF641CA1000-memory.dmp	xmrig
behavioral2/memory/636-2077-0x00007FF74AAC0000-0x00007FF74AEB1000-memory.dmp	xmrig
behavioral2/memory/1648-2075-0x00007FF650840000-0x00007FF650C31000-memory.dmp	xmrig
behavioral2/memory/4100-2071-0x00007FF793110000-0x00007FF793501000-memory.dmp	xmrig
behavioral2/memory/1732-2069-0x00007FF6DC5C0000-0x00007FF6DC9B1000-memory.dmp	xmrig
behavioral2/memory/2932-2042-0x00007FF74DF30000-0x00007FF74E321000-memory.dmp	xmrig
behavioral2/memory/1924-2013-0x00007FF68AEA0000-0x00007FF68B291000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4060	iJqzvem.exe
1924	NyHTmmU.exe
4616	wSMqJJv.exe
3096	YlfUFDT.exe
3160	jZgqHan.exe
3456	aSWOlun.exe
2932	QLyNhHR.exe
4960	qYLUNwF.exe
5048	yrEBccO.exe
2644	oYjBKYD.exe
1048	NefVvSy.exe
2940	ufkeuXT.exe
460	BeSTjUr.exe
3316	dRPOjup.exe
1920	ggjcAjW.exe
1540	ghnusbc.exe
5100	dtPGTPQ.exe
3252	nzgKEdP.exe
2396	hImjVai.exe
1732	scIEEpz.exe
4100	ysZHSlX.exe
1416	mrMCTwi.exe
1648	uOIZAnu.exe
636	jVWsEFj.exe
4756	emIwfQd.exe
4612	tJYLItV.exe
4256	YPlxEWW.exe
4660	MTtwbrL.exe
3284	YYhgfWu.exe
4108	pOjhVGA.exe
5008	OPqfpsJ.exe
400	KkXgZPG.exe
1872	tKDmktQ.exe
3332	KJZKdnR.exe
3636	FSIwKlU.exe
2620	IBbEmHr.exe
4848	VdkwIGV.exe
2468	FloRITJ.exe
2484	TmoYDIF.exe
4556	vRSmXiP.exe
1068	oVpOLqm.exe
4872	LqENScc.exe
4364	JbuqZKt.exe
4844	hOlTlLj.exe
452	MYzQXXe.exe
3000	CFRrhuf.exe
2928	UaOnxJT.exe
4332	nODMseA.exe
2216	kBinNEO.exe
4916	MketQxb.exe
2284	sIWKXNa.exe
1456	ZVzQilQ.exe
3740	ByyNaCZ.exe
3384	RSDcCMI.exe
2172	nofXBCd.exe
3228	oERdbRj.exe
3448	tKzafYi.exe
2100	houSmet.exe
5068	wZxxMuc.exe
1804	wfpmuxA.exe
3140	HJmYfaI.exe
3080	QielSZB.exe
3464	rUrNXIa.exe
1484	bscaYnv.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3788-0-0x00007FF78E6E0000-0x00007FF78EAD1000-memory.dmp	upx
behavioral2/memory/3160-39-0x00007FF7B8940000-0x00007FF7B8D31000-memory.dmp	upx
behavioral2/files/0x000700000002342b-47.dat	upx
behavioral2/files/0x0007000000023428-50.dat	upx
behavioral2/files/0x000700000002342a-65.dat	upx
behavioral2/files/0x0007000000023430-76.dat	upx
behavioral2/memory/2940-86-0x00007FF76B030000-0x00007FF76B421000-memory.dmp	upx
behavioral2/files/0x0007000000023431-87.dat	upx
behavioral2/memory/4960-95-0x00007FF766200000-0x00007FF7665F1000-memory.dmp	upx
behavioral2/files/0x0008000000023420-102.dat	upx
behavioral2/memory/5100-108-0x00007FF62A380000-0x00007FF62A771000-memory.dmp	upx
behavioral2/memory/2396-116-0x00007FF7F2D30000-0x00007FF7F3121000-memory.dmp	upx
behavioral2/memory/1732-117-0x00007FF6DC5C0000-0x00007FF6DC9B1000-memory.dmp	upx
behavioral2/files/0x0007000000023434-115.dat	upx
behavioral2/memory/3252-114-0x00007FF7007D0000-0x00007FF700BC1000-memory.dmp	upx
behavioral2/files/0x0007000000023433-112.dat	upx
behavioral2/files/0x0007000000023436-134.dat	upx
behavioral2/files/0x000700000002343a-151.dat	upx
behavioral2/files/0x000700000002343d-164.dat	upx
behavioral2/memory/4100-278-0x00007FF793110000-0x00007FF793501000-memory.dmp	upx
behavioral2/memory/1648-280-0x00007FF650840000-0x00007FF650C31000-memory.dmp	upx
behavioral2/memory/636-281-0x00007FF74AAC0000-0x00007FF74AEB1000-memory.dmp	upx
behavioral2/memory/1416-279-0x00007FF6418B0000-0x00007FF641CA1000-memory.dmp	upx
behavioral2/memory/4060-1206-0x00007FF7C47E0000-0x00007FF7C4BD1000-memory.dmp	upx
behavioral2/memory/4616-1953-0x00007FF70C290000-0x00007FF70C681000-memory.dmp	upx
behavioral2/memory/5048-1956-0x00007FF71C2B0000-0x00007FF71C6A1000-memory.dmp	upx
behavioral2/memory/3316-1957-0x00007FF62CFB0000-0x00007FF62D3A1000-memory.dmp	upx
behavioral2/memory/2932-1955-0x00007FF74DF30000-0x00007FF74E321000-memory.dmp	upx
behavioral2/memory/3160-1954-0x00007FF7B8940000-0x00007FF7B8D31000-memory.dmp	upx
behavioral2/memory/1924-1652-0x00007FF68AEA0000-0x00007FF68B291000-memory.dmp	upx
behavioral2/memory/3252-1969-0x00007FF7007D0000-0x00007FF700BC1000-memory.dmp	upx
behavioral2/memory/3788-1204-0x00007FF78E6E0000-0x00007FF78EAD1000-memory.dmp	upx
behavioral2/memory/5100-1970-0x00007FF62A380000-0x00007FF62A771000-memory.dmp	upx
behavioral2/memory/2396-1971-0x00007FF7F2D30000-0x00007FF7F3121000-memory.dmp	upx
behavioral2/memory/1732-2004-0x00007FF6DC5C0000-0x00007FF6DC9B1000-memory.dmp	upx
behavioral2/memory/3788-2006-0x00007FF78E6E0000-0x00007FF78EAD1000-memory.dmp	upx
behavioral2/files/0x0007000000023440-181.dat	upx
behavioral2/files/0x000700000002343f-176.dat	upx
behavioral2/files/0x000700000002343e-171.dat	upx
behavioral2/files/0x000700000002343c-161.dat	upx
behavioral2/files/0x000700000002343b-156.dat	upx
behavioral2/files/0x0007000000023439-146.dat	upx
behavioral2/files/0x0007000000023438-144.dat	upx
behavioral2/files/0x0007000000023437-139.dat	upx
behavioral2/files/0x0007000000023435-129.dat	upx
behavioral2/files/0x0007000000023432-105.dat	upx
behavioral2/memory/1540-104-0x00007FF6C4200000-0x00007FF6C45F1000-memory.dmp	upx
behavioral2/memory/1048-98-0x00007FF7F39E0000-0x00007FF7F3DD1000-memory.dmp	upx
behavioral2/memory/460-101-0x00007FF6566E0000-0x00007FF656AD1000-memory.dmp	upx
behavioral2/memory/3096-93-0x00007FF716E50000-0x00007FF717241000-memory.dmp	upx
behavioral2/memory/1920-90-0x00007FF60D9D0000-0x00007FF60DDC1000-memory.dmp	upx
behavioral2/memory/3316-89-0x00007FF62CFB0000-0x00007FF62D3A1000-memory.dmp	upx
behavioral2/memory/2644-84-0x00007FF6C4AA0000-0x00007FF6C4E91000-memory.dmp	upx
behavioral2/files/0x000700000002342f-82.dat	upx
behavioral2/memory/5048-80-0x00007FF71C2B0000-0x00007FF71C6A1000-memory.dmp	upx
behavioral2/files/0x000700000002342e-78.dat	upx
behavioral2/files/0x000700000002342d-75.dat	upx
behavioral2/files/0x000700000002342c-68.dat	upx
behavioral2/memory/2932-58-0x00007FF74DF30000-0x00007FF74E321000-memory.dmp	upx
behavioral2/files/0x0007000000023429-57.dat	upx
behavioral2/memory/3456-55-0x00007FF643B50000-0x00007FF643F41000-memory.dmp	upx
behavioral2/files/0x0007000000023426-49.dat	upx
behavioral2/files/0x0007000000023427-32.dat	upx
behavioral2/memory/4616-27-0x00007FF70C290000-0x00007FF70C681000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\hijgdHK.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\SGPdcBK.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\vJbxcpf.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\NPEVXBz.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\zTtRvJm.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\XiljuxT.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\ROKsorz.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\wfcPDMj.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\axLHMls.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\OcmSQQJ.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\KkXgZPG.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\jYpwFpB.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\EvMamya.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\ojtXxxi.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\xqXrSVY.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\hULaYcP.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\TEzGBCo.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\ufkeuXT.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\OfezuES.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\mrMCTwi.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\qIHGIzf.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\BNtOmTv.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\LYSFCZi.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\IURSFjj.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\goMYjjo.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\emIwfQd.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\EnqwVMt.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\HVBYtTy.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\HEqqDzR.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\alrPEUy.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\jVWsEFj.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\YXnxfCs.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\gEylQnw.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\VDYzKfW.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\uTTFkkb.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\LIyktoj.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\rUtukzf.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\lQhVgVr.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\rCtfQGu.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\ZiESgEm.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\JZMOVXe.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\sgLKzEy.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\xSQpnJt.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\pZXEwqm.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\IDwWTYD.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\DgXMTAG.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\zUWUqmi.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\rnLLpsn.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\wfpmuxA.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\RWTnzho.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\XxXWMst.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\PgRqxCr.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\lwuCJfU.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\qYVabFJ.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\lSNdxJW.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\iQwBYAS.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\kJLZFMZ.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\XjzQqgc.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\NzlkEhX.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\yrEBccO.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\SDULagp.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\ZpVTnli.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\WwjwhdT.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
File created	C:\Windows\System32\cTTFwsh.exe	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13540	dwm.exe
Token: SeChangeNotifyPrivilege	13540	dwm.exe
Token: 33	13540	dwm.exe
Token: SeIncBasePriorityPrivilege	13540	dwm.exe
Token: SeShutdownPrivilege	13540	dwm.exe
Token: SeCreatePagefilePrivilege	13540	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 4060	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	85
PID 3788 wrote to memory of 4060	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	85
PID 3788 wrote to memory of 1924	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	86
PID 3788 wrote to memory of 1924	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	86
PID 3788 wrote to memory of 4616	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	87
PID 3788 wrote to memory of 4616	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	87
PID 3788 wrote to memory of 3096	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	88
PID 3788 wrote to memory of 3096	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	88
PID 3788 wrote to memory of 3160	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	89
PID 3788 wrote to memory of 3160	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	89
PID 3788 wrote to memory of 3456	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	90
PID 3788 wrote to memory of 3456	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	90
PID 3788 wrote to memory of 2932	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	91
PID 3788 wrote to memory of 2932	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	91
PID 3788 wrote to memory of 4960	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	92
PID 3788 wrote to memory of 4960	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	92
PID 3788 wrote to memory of 5048	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	93
PID 3788 wrote to memory of 5048	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	93
PID 3788 wrote to memory of 2644	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	94
PID 3788 wrote to memory of 2644	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	94
PID 3788 wrote to memory of 1048	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	95
PID 3788 wrote to memory of 1048	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	95
PID 3788 wrote to memory of 2940	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	96
PID 3788 wrote to memory of 2940	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	96
PID 3788 wrote to memory of 460	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	97
PID 3788 wrote to memory of 460	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	97
PID 3788 wrote to memory of 3316	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	98
PID 3788 wrote to memory of 3316	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	98
PID 3788 wrote to memory of 1920	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	99
PID 3788 wrote to memory of 1920	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	99
PID 3788 wrote to memory of 1540	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	100
PID 3788 wrote to memory of 1540	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	100
PID 3788 wrote to memory of 5100	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	101
PID 3788 wrote to memory of 5100	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	101
PID 3788 wrote to memory of 3252	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	102
PID 3788 wrote to memory of 3252	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	102
PID 3788 wrote to memory of 2396	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	103
PID 3788 wrote to memory of 2396	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	103
PID 3788 wrote to memory of 1732	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	104
PID 3788 wrote to memory of 1732	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	104
PID 3788 wrote to memory of 4100	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	105
PID 3788 wrote to memory of 4100	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	105
PID 3788 wrote to memory of 1416	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	106
PID 3788 wrote to memory of 1416	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	106
PID 3788 wrote to memory of 1648	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	107
PID 3788 wrote to memory of 1648	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	107
PID 3788 wrote to memory of 636	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	108
PID 3788 wrote to memory of 636	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	108
PID 3788 wrote to memory of 4756	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	109
PID 3788 wrote to memory of 4756	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	109
PID 3788 wrote to memory of 4612	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	110
PID 3788 wrote to memory of 4612	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	110
PID 3788 wrote to memory of 4256	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	111
PID 3788 wrote to memory of 4256	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	111
PID 3788 wrote to memory of 4660	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	112
PID 3788 wrote to memory of 4660	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	112
PID 3788 wrote to memory of 3284	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	113
PID 3788 wrote to memory of 3284	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	113
PID 3788 wrote to memory of 4108	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	114
PID 3788 wrote to memory of 4108	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	114
PID 3788 wrote to memory of 5008	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	115
PID 3788 wrote to memory of 5008	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	115
PID 3788 wrote to memory of 400	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	116
PID 3788 wrote to memory of 400	3788	005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\1729302181\zmstage.exe
C:\Users\Admin\AppData\Local\Temp\1729302181\zmstage.exe
1⤵
PID:2472

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\005e54381bdfee37a976e678fa8f6a53_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Windows\System32\iJqzvem.exe
  C:\Windows\System32\iJqzvem.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System32\NyHTmmU.exe
  C:\Windows\System32\NyHTmmU.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System32\wSMqJJv.exe
  C:\Windows\System32\wSMqJJv.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System32\YlfUFDT.exe
  C:\Windows\System32\YlfUFDT.exe
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Windows\System32\jZgqHan.exe
  C:\Windows\System32\jZgqHan.exe
  2⤵
  - Executes dropped EXE
  PID:3160
- C:\Windows\System32\aSWOlun.exe
  C:\Windows\System32\aSWOlun.exe
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\System32\QLyNhHR.exe
  C:\Windows\System32\QLyNhHR.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System32\qYLUNwF.exe
  C:\Windows\System32\qYLUNwF.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System32\yrEBccO.exe
  C:\Windows\System32\yrEBccO.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System32\oYjBKYD.exe
  C:\Windows\System32\oYjBKYD.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System32\NefVvSy.exe
  C:\Windows\System32\NefVvSy.exe
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Windows\System32\ufkeuXT.exe
  C:\Windows\System32\ufkeuXT.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System32\BeSTjUr.exe
  C:\Windows\System32\BeSTjUr.exe
  2⤵
  - Executes dropped EXE
  PID:460
- C:\Windows\System32\dRPOjup.exe
  C:\Windows\System32\dRPOjup.exe
  2⤵
  - Executes dropped EXE
  PID:3316
- C:\Windows\System32\ggjcAjW.exe
  C:\Windows\System32\ggjcAjW.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System32\ghnusbc.exe
  C:\Windows\System32\ghnusbc.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System32\dtPGTPQ.exe
  C:\Windows\System32\dtPGTPQ.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System32\nzgKEdP.exe
  C:\Windows\System32\nzgKEdP.exe
  2⤵
  - Executes dropped EXE
  PID:3252
- C:\Windows\System32\hImjVai.exe
  C:\Windows\System32\hImjVai.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System32\scIEEpz.exe
  C:\Windows\System32\scIEEpz.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System32\ysZHSlX.exe
  C:\Windows\System32\ysZHSlX.exe
  2⤵
  - Executes dropped EXE
  PID:4100
- C:\Windows\System32\mrMCTwi.exe
  C:\Windows\System32\mrMCTwi.exe
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Windows\System32\uOIZAnu.exe
  C:\Windows\System32\uOIZAnu.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System32\jVWsEFj.exe
  C:\Windows\System32\jVWsEFj.exe
  2⤵
  - Executes dropped EXE
  PID:636
- C:\Windows\System32\emIwfQd.exe
  C:\Windows\System32\emIwfQd.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System32\tJYLItV.exe
  C:\Windows\System32\tJYLItV.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System32\YPlxEWW.exe
  C:\Windows\System32\YPlxEWW.exe
  2⤵
  - Executes dropped EXE
  PID:4256
- C:\Windows\System32\MTtwbrL.exe
  C:\Windows\System32\MTtwbrL.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System32\YYhgfWu.exe
  C:\Windows\System32\YYhgfWu.exe
  2⤵
  - Executes dropped EXE
  PID:3284
- C:\Windows\System32\pOjhVGA.exe
  C:\Windows\System32\pOjhVGA.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System32\OPqfpsJ.exe
  C:\Windows\System32\OPqfpsJ.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System32\KkXgZPG.exe
  C:\Windows\System32\KkXgZPG.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System32\tKDmktQ.exe
  C:\Windows\System32\tKDmktQ.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System32\KJZKdnR.exe
  C:\Windows\System32\KJZKdnR.exe
  2⤵
  - Executes dropped EXE
  PID:3332
- C:\Windows\System32\FSIwKlU.exe
  C:\Windows\System32\FSIwKlU.exe
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Windows\System32\IBbEmHr.exe
  C:\Windows\System32\IBbEmHr.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System32\VdkwIGV.exe
  C:\Windows\System32\VdkwIGV.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System32\FloRITJ.exe
  C:\Windows\System32\FloRITJ.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System32\TmoYDIF.exe
  C:\Windows\System32\TmoYDIF.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System32\vRSmXiP.exe
  C:\Windows\System32\vRSmXiP.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System32\oVpOLqm.exe
  C:\Windows\System32\oVpOLqm.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System32\LqENScc.exe
  C:\Windows\System32\LqENScc.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System32\JbuqZKt.exe
  C:\Windows\System32\JbuqZKt.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System32\hOlTlLj.exe
  C:\Windows\System32\hOlTlLj.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System32\MYzQXXe.exe
  C:\Windows\System32\MYzQXXe.exe
  2⤵
  - Executes dropped EXE
  PID:452
- C:\Windows\System32\CFRrhuf.exe
  C:\Windows\System32\CFRrhuf.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System32\UaOnxJT.exe
  C:\Windows\System32\UaOnxJT.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System32\nODMseA.exe
  C:\Windows\System32\nODMseA.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Windows\System32\kBinNEO.exe
  C:\Windows\System32\kBinNEO.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System32\MketQxb.exe
  C:\Windows\System32\MketQxb.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System32\sIWKXNa.exe
  C:\Windows\System32\sIWKXNa.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System32\ZVzQilQ.exe
  C:\Windows\System32\ZVzQilQ.exe
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Windows\System32\ByyNaCZ.exe
  C:\Windows\System32\ByyNaCZ.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System32\RSDcCMI.exe
  C:\Windows\System32\RSDcCMI.exe
  2⤵
  - Executes dropped EXE
  PID:3384
- C:\Windows\System32\nofXBCd.exe
  C:\Windows\System32\nofXBCd.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System32\oERdbRj.exe
  C:\Windows\System32\oERdbRj.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System32\tKzafYi.exe
  C:\Windows\System32\tKzafYi.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System32\houSmet.exe
  C:\Windows\System32\houSmet.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System32\wZxxMuc.exe
  C:\Windows\System32\wZxxMuc.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System32\wfpmuxA.exe
  C:\Windows\System32\wfpmuxA.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System32\HJmYfaI.exe
  C:\Windows\System32\HJmYfaI.exe
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\System32\QielSZB.exe
  C:\Windows\System32\QielSZB.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System32\rUrNXIa.exe
  C:\Windows\System32\rUrNXIa.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System32\bscaYnv.exe
  C:\Windows\System32\bscaYnv.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\System32\VCRecSL.exe
  C:\Windows\System32\VCRecSL.exe
  2⤵
  PID:1676
- C:\Windows\System32\luJKqmp.exe
  C:\Windows\System32\luJKqmp.exe
  2⤵
  PID:4928
- C:\Windows\System32\FJkLFlH.exe
  C:\Windows\System32\FJkLFlH.exe
  2⤵
  PID:1492
- C:\Windows\System32\RhkbtBw.exe
  C:\Windows\System32\RhkbtBw.exe
  2⤵
  PID:1700
- C:\Windows\System32\XqEifDg.exe
  C:\Windows\System32\XqEifDg.exe
  2⤵
  PID:4816
- C:\Windows\System32\GkCnNfY.exe
  C:\Windows\System32\GkCnNfY.exe
  2⤵
  PID:2784
- C:\Windows\System32\eLJEuRe.exe
  C:\Windows\System32\eLJEuRe.exe
  2⤵
  PID:3716
- C:\Windows\System32\UCkiBvu.exe
  C:\Windows\System32\UCkiBvu.exe
  2⤵
  PID:5044
- C:\Windows\System32\ccTaCjp.exe
  C:\Windows\System32\ccTaCjp.exe
  2⤵
  PID:4028
- C:\Windows\System32\EfIiybw.exe
  C:\Windows\System32\EfIiybw.exe
  2⤵
  PID:1164
- C:\Windows\System32\dZqclhY.exe
  C:\Windows\System32\dZqclhY.exe
  2⤵
  PID:4796
- C:\Windows\System32\wzOyMQr.exe
  C:\Windows\System32\wzOyMQr.exe
  2⤵
  PID:1996
- C:\Windows\System32\RJAlYWs.exe
  C:\Windows\System32\RJAlYWs.exe
  2⤵
  PID:2088
- C:\Windows\System32\hOhbVBH.exe
  C:\Windows\System32\hOhbVBH.exe
  2⤵
  PID:3212
- C:\Windows\System32\nWwKrnr.exe
  C:\Windows\System32\nWwKrnr.exe
  2⤵
  PID:4048
- C:\Windows\System32\eTdokKw.exe
  C:\Windows\System32\eTdokKw.exe
  2⤵
  PID:3948
- C:\Windows\System32\WOTQLuM.exe
  C:\Windows\System32\WOTQLuM.exe
  2⤵
  PID:1536
- C:\Windows\System32\WqwnPHq.exe
  C:\Windows\System32\WqwnPHq.exe
  2⤵
  PID:4440
- C:\Windows\System32\rpaTGmi.exe
  C:\Windows\System32\rpaTGmi.exe
  2⤵
  PID:4776
- C:\Windows\System32\JvhcplM.exe
  C:\Windows\System32\JvhcplM.exe
  2⤵
  PID:3832
- C:\Windows\System32\DXaIhGl.exe
  C:\Windows\System32\DXaIhGl.exe
  2⤵
  PID:4508
- C:\Windows\System32\lSNdxJW.exe
  C:\Windows\System32\lSNdxJW.exe
  2⤵
  PID:4480
- C:\Windows\System32\vLyAFFu.exe
  C:\Windows\System32\vLyAFFu.exe
  2⤵
  PID:2124
- C:\Windows\System32\rCtfQGu.exe
  C:\Windows\System32\rCtfQGu.exe
  2⤵
  PID:1496
- C:\Windows\System32\YBllxRX.exe
  C:\Windows\System32\YBllxRX.exe
  2⤵
  PID:3764
- C:\Windows\System32\NQQQZLF.exe
  C:\Windows\System32\NQQQZLF.exe
  2⤵
  PID:3392
- C:\Windows\System32\zaLSPkr.exe
  C:\Windows\System32\zaLSPkr.exe
  2⤵
  PID:2640
- C:\Windows\System32\WwjwhdT.exe
  C:\Windows\System32\WwjwhdT.exe
  2⤵
  PID:1744
- C:\Windows\System32\PCCrvKq.exe
  C:\Windows\System32\PCCrvKq.exe
  2⤵
  PID:4856
- C:\Windows\System32\odkikSC.exe
  C:\Windows\System32\odkikSC.exe
  2⤵
  PID:2472
- C:\Windows\System32\wRIhrGQ.exe
  C:\Windows\System32\wRIhrGQ.exe
  2⤵
  PID:1856
- C:\Windows\System32\SFmDETo.exe
  C:\Windows\System32\SFmDETo.exe
  2⤵
  PID:3196
- C:\Windows\System32\SKwZOSz.exe
  C:\Windows\System32\SKwZOSz.exe
  2⤵
  PID:1520
- C:\Windows\System32\qVCrutp.exe
  C:\Windows\System32\qVCrutp.exe
  2⤵
  PID:5132
- C:\Windows\System32\LHyWzLz.exe
  C:\Windows\System32\LHyWzLz.exe
  2⤵
  PID:5160
- C:\Windows\System32\zUWUqmi.exe
  C:\Windows\System32\zUWUqmi.exe
  2⤵
  PID:5220
- C:\Windows\System32\uYAcDPr.exe
  C:\Windows\System32\uYAcDPr.exe
  2⤵
  PID:5248
- C:\Windows\System32\xTlmPtR.exe
  C:\Windows\System32\xTlmPtR.exe
  2⤵
  PID:5264
- C:\Windows\System32\tzipaUD.exe
  C:\Windows\System32\tzipaUD.exe
  2⤵
  PID:5296
- C:\Windows\System32\dPZpUmT.exe
  C:\Windows\System32\dPZpUmT.exe
  2⤵
  PID:5316
- C:\Windows\System32\DgXMTAG.exe
  C:\Windows\System32\DgXMTAG.exe
  2⤵
  PID:5360
- C:\Windows\System32\VAdSRbu.exe
  C:\Windows\System32\VAdSRbu.exe
  2⤵
  PID:5388
- C:\Windows\System32\usCoOwA.exe
  C:\Windows\System32\usCoOwA.exe
  2⤵
  PID:5404
- C:\Windows\System32\sbvNJHM.exe
  C:\Windows\System32\sbvNJHM.exe
  2⤵
  PID:5424
- C:\Windows\System32\VcDDQSv.exe
  C:\Windows\System32\VcDDQSv.exe
  2⤵
  PID:5444
- C:\Windows\System32\iHHipoK.exe
  C:\Windows\System32\iHHipoK.exe
  2⤵
  PID:5460
- C:\Windows\System32\iQwBYAS.exe
  C:\Windows\System32\iQwBYAS.exe
  2⤵
  PID:5488
- C:\Windows\System32\zTtRvJm.exe
  C:\Windows\System32\zTtRvJm.exe
  2⤵
  PID:5516
- C:\Windows\System32\LyUJdZE.exe
  C:\Windows\System32\LyUJdZE.exe
  2⤵
  PID:5532
- C:\Windows\System32\DEKvwgl.exe
  C:\Windows\System32\DEKvwgl.exe
  2⤵
  PID:5576
- C:\Windows\System32\qGNLFvO.exe
  C:\Windows\System32\qGNLFvO.exe
  2⤵
  PID:5632
- C:\Windows\System32\xfuMPtn.exe
  C:\Windows\System32\xfuMPtn.exe
  2⤵
  PID:5660
- C:\Windows\System32\hgspvDI.exe
  C:\Windows\System32\hgspvDI.exe
  2⤵
  PID:5680
- C:\Windows\System32\vIyHMSO.exe
  C:\Windows\System32\vIyHMSO.exe
  2⤵
  PID:5696
- C:\Windows\System32\BTElUvi.exe
  C:\Windows\System32\BTElUvi.exe
  2⤵
  PID:5716
- C:\Windows\System32\tOGNvbm.exe
  C:\Windows\System32\tOGNvbm.exe
  2⤵
  PID:5748
- C:\Windows\System32\YXnxfCs.exe
  C:\Windows\System32\YXnxfCs.exe
  2⤵
  PID:5804
- C:\Windows\System32\CaCFBbe.exe
  C:\Windows\System32\CaCFBbe.exe
  2⤵
  PID:5828
- C:\Windows\System32\tmDlBXG.exe
  C:\Windows\System32\tmDlBXG.exe
  2⤵
  PID:5856
- C:\Windows\System32\vueEOBc.exe
  C:\Windows\System32\vueEOBc.exe
  2⤵
  PID:5896
- C:\Windows\System32\PAFlccn.exe
  C:\Windows\System32\PAFlccn.exe
  2⤵
  PID:5916
- C:\Windows\System32\QDuMqwX.exe
  C:\Windows\System32\QDuMqwX.exe
  2⤵
  PID:5948
- C:\Windows\System32\fCPWdfM.exe
  C:\Windows\System32\fCPWdfM.exe
  2⤵
  PID:5964
- C:\Windows\System32\xMLfBqO.exe
  C:\Windows\System32\xMLfBqO.exe
  2⤵
  PID:5984
- C:\Windows\System32\VuzipER.exe
  C:\Windows\System32\VuzipER.exe
  2⤵
  PID:6024
- C:\Windows\System32\UDhIAhE.exe
  C:\Windows\System32\UDhIAhE.exe
  2⤵
  PID:6052
- C:\Windows\System32\bGBqDdh.exe
  C:\Windows\System32\bGBqDdh.exe
  2⤵
  PID:6076
- C:\Windows\System32\gMtaFNS.exe
  C:\Windows\System32\gMtaFNS.exe
  2⤵
  PID:6092
- C:\Windows\System32\XUFtNHq.exe
  C:\Windows\System32\XUFtNHq.exe
  2⤵
  PID:6116
- C:\Windows\System32\khcgMtL.exe
  C:\Windows\System32\khcgMtL.exe
  2⤵
  PID:3376
- C:\Windows\System32\RCrzTsQ.exe
  C:\Windows\System32\RCrzTsQ.exe
  2⤵
  PID:2680
- C:\Windows\System32\qYVabFJ.exe
  C:\Windows\System32\qYVabFJ.exe
  2⤵
  PID:5140
- C:\Windows\System32\UtUKbUR.exe
  C:\Windows\System32\UtUKbUR.exe
  2⤵
  PID:5232
- C:\Windows\System32\cTtKslT.exe
  C:\Windows\System32\cTtKslT.exe
  2⤵
  PID:5308
- C:\Windows\System32\gEylQnw.exe
  C:\Windows\System32\gEylQnw.exe
  2⤵
  PID:5440
- C:\Windows\System32\xeoReDh.exe
  C:\Windows\System32\xeoReDh.exe
  2⤵
  PID:5544
- C:\Windows\System32\ydrFzbv.exe
  C:\Windows\System32\ydrFzbv.exe
  2⤵
  PID:5540
- C:\Windows\System32\uauIUuq.exe
  C:\Windows\System32\uauIUuq.exe
  2⤵
  PID:5656
- C:\Windows\System32\wDXFCXh.exe
  C:\Windows\System32\wDXFCXh.exe
  2⤵
  PID:5704
- C:\Windows\System32\rzYsypz.exe
  C:\Windows\System32\rzYsypz.exe
  2⤵
  PID:5788
- C:\Windows\System32\MQzijjo.exe
  C:\Windows\System32\MQzijjo.exe
  2⤵
  PID:5824
- C:\Windows\System32\oOCGcIk.exe
  C:\Windows\System32\oOCGcIk.exe
  2⤵
  PID:5904
- C:\Windows\System32\hjDGxiO.exe
  C:\Windows\System32\hjDGxiO.exe
  2⤵
  PID:5980
- C:\Windows\System32\kpZUNmG.exe
  C:\Windows\System32\kpZUNmG.exe
  2⤵
  PID:6008
- C:\Windows\System32\lzsoxre.exe
  C:\Windows\System32\lzsoxre.exe
  2⤵
  PID:6088
- C:\Windows\System32\BwtNrPq.exe
  C:\Windows\System32\BwtNrPq.exe
  2⤵
  PID:6136
- C:\Windows\System32\ZcTgmAn.exe
  C:\Windows\System32\ZcTgmAn.exe
  2⤵
  PID:1072
- C:\Windows\System32\YUEgJtX.exe
  C:\Windows\System32\YUEgJtX.exe
  2⤵
  PID:5276
- C:\Windows\System32\YzVNKaq.exe
  C:\Windows\System32\YzVNKaq.exe
  2⤵
  PID:5384
- C:\Windows\System32\hdkmXUA.exe
  C:\Windows\System32\hdkmXUA.exe
  2⤵
  PID:5524
- C:\Windows\System32\KOWWKIT.exe
  C:\Windows\System32\KOWWKIT.exe
  2⤵
  PID:5604
- C:\Windows\System32\OtOAGof.exe
  C:\Windows\System32\OtOAGof.exe
  2⤵
  PID:5712
- C:\Windows\System32\qmvlZQk.exe
  C:\Windows\System32\qmvlZQk.exe
  2⤵
  PID:5940
- C:\Windows\System32\NLvbiXQ.exe
  C:\Windows\System32\NLvbiXQ.exe
  2⤵
  PID:5256
- C:\Windows\System32\oXhWxiI.exe
  C:\Windows\System32\oXhWxiI.exe
  2⤵
  PID:4592
- C:\Windows\System32\lzVDUeA.exe
  C:\Windows\System32\lzVDUeA.exe
  2⤵
  PID:5784
- C:\Windows\System32\heDIags.exe
  C:\Windows\System32\heDIags.exe
  2⤵
  PID:6132
- C:\Windows\System32\VugpkeI.exe
  C:\Windows\System32\VugpkeI.exe
  2⤵
  PID:5200
- C:\Windows\System32\kgtKZZN.exe
  C:\Windows\System32\kgtKZZN.exe
  2⤵
  PID:5672
- C:\Windows\System32\VDYzKfW.exe
  C:\Windows\System32\VDYzKfW.exe
  2⤵
  PID:6164
- C:\Windows\System32\EppSbmr.exe
  C:\Windows\System32\EppSbmr.exe
  2⤵
  PID:6180
- C:\Windows\System32\SDULagp.exe
  C:\Windows\System32\SDULagp.exe
  2⤵
  PID:6216
- C:\Windows\System32\trHbYNN.exe
  C:\Windows\System32\trHbYNN.exe
  2⤵
  PID:6232
- C:\Windows\System32\mWIeqSq.exe
  C:\Windows\System32\mWIeqSq.exe
  2⤵
  PID:6256
- C:\Windows\System32\smEzGcu.exe
  C:\Windows\System32\smEzGcu.exe
  2⤵
  PID:6280
- C:\Windows\System32\CmLNGoP.exe
  C:\Windows\System32\CmLNGoP.exe
  2⤵
  PID:6324
- C:\Windows\System32\vuucIaJ.exe
  C:\Windows\System32\vuucIaJ.exe
  2⤵
  PID:6340
- C:\Windows\System32\ZDcXocu.exe
  C:\Windows\System32\ZDcXocu.exe
  2⤵
  PID:6364
- C:\Windows\System32\dUccYRZ.exe
  C:\Windows\System32\dUccYRZ.exe
  2⤵
  PID:6408
- C:\Windows\System32\kJLZFMZ.exe
  C:\Windows\System32\kJLZFMZ.exe
  2⤵
  PID:6436
- C:\Windows\System32\SMxMTxi.exe
  C:\Windows\System32\SMxMTxi.exe
  2⤵
  PID:6484
- C:\Windows\System32\KCkIELe.exe
  C:\Windows\System32\KCkIELe.exe
  2⤵
  PID:6520
- C:\Windows\System32\ZPtHxer.exe
  C:\Windows\System32\ZPtHxer.exe
  2⤵
  PID:6544
- C:\Windows\System32\BURLZHL.exe
  C:\Windows\System32\BURLZHL.exe
  2⤵
  PID:6576
- C:\Windows\System32\UEkTJAd.exe
  C:\Windows\System32\UEkTJAd.exe
  2⤵
  PID:6592
- C:\Windows\System32\zlrJQbw.exe
  C:\Windows\System32\zlrJQbw.exe
  2⤵
  PID:6616
- C:\Windows\System32\kquAuEO.exe
  C:\Windows\System32\kquAuEO.exe
  2⤵
  PID:6648
- C:\Windows\System32\HCbHaEZ.exe
  C:\Windows\System32\HCbHaEZ.exe
  2⤵
  PID:6672
- C:\Windows\System32\UuzOupj.exe
  C:\Windows\System32\UuzOupj.exe
  2⤵
  PID:6704
- C:\Windows\System32\FcgMBhX.exe
  C:\Windows\System32\FcgMBhX.exe
  2⤵
  PID:6724
- C:\Windows\System32\YCjLauc.exe
  C:\Windows\System32\YCjLauc.exe
  2⤵
  PID:6760
- C:\Windows\System32\IRrDiUT.exe
  C:\Windows\System32\IRrDiUT.exe
  2⤵
  PID:6784
- C:\Windows\System32\egrUXQH.exe
  C:\Windows\System32\egrUXQH.exe
  2⤵
  PID:6816
- C:\Windows\System32\cYpSFrd.exe
  C:\Windows\System32\cYpSFrd.exe
  2⤵
  PID:6840
- C:\Windows\System32\WAgYXwk.exe
  C:\Windows\System32\WAgYXwk.exe
  2⤵
  PID:6888
- C:\Windows\System32\VOYYSjq.exe
  C:\Windows\System32\VOYYSjq.exe
  2⤵
  PID:6908
- C:\Windows\System32\iEZEvHm.exe
  C:\Windows\System32\iEZEvHm.exe
  2⤵
  PID:6932
- C:\Windows\System32\CcXDYZH.exe
  C:\Windows\System32\CcXDYZH.exe
  2⤵
  PID:6972
- C:\Windows\System32\CKfhySM.exe
  C:\Windows\System32\CKfhySM.exe
  2⤵
  PID:7004
- C:\Windows\System32\EMhvjUm.exe
  C:\Windows\System32\EMhvjUm.exe
  2⤵
  PID:7028
- C:\Windows\System32\LAezCpi.exe
  C:\Windows\System32\LAezCpi.exe
  2⤵
  PID:7044
- C:\Windows\System32\cGXZRiA.exe
  C:\Windows\System32\cGXZRiA.exe
  2⤵
  PID:7088
- C:\Windows\System32\KjCrIiY.exe
  C:\Windows\System32\KjCrIiY.exe
  2⤵
  PID:7112
- C:\Windows\System32\QhtUytR.exe
  C:\Windows\System32\QhtUytR.exe
  2⤵
  PID:7136
- C:\Windows\System32\igHHzgK.exe
  C:\Windows\System32\igHHzgK.exe
  2⤵
  PID:7156
- C:\Windows\System32\jIrMKOu.exe
  C:\Windows\System32\jIrMKOu.exe
  2⤵
  PID:3068
- C:\Windows\System32\yAkjMaF.exe
  C:\Windows\System32\yAkjMaF.exe
  2⤵
  PID:6192
- C:\Windows\System32\IFvIPid.exe
  C:\Windows\System32\IFvIPid.exe
  2⤵
  PID:3920
- C:\Windows\System32\ONmUZFb.exe
  C:\Windows\System32\ONmUZFb.exe
  2⤵
  PID:6308
- C:\Windows\System32\KUDKrfq.exe
  C:\Windows\System32\KUDKrfq.exe
  2⤵
  PID:6336
- C:\Windows\System32\NWeXzDR.exe
  C:\Windows\System32\NWeXzDR.exe
  2⤵
  PID:6480
- C:\Windows\System32\RlZZxsa.exe
  C:\Windows\System32\RlZZxsa.exe
  2⤵
  PID:6536
- C:\Windows\System32\bvBHQAT.exe
  C:\Windows\System32\bvBHQAT.exe
  2⤵
  PID:6644
- C:\Windows\System32\IUvWFqQ.exe
  C:\Windows\System32\IUvWFqQ.exe
  2⤵
  PID:6640
- C:\Windows\System32\cYBdvld.exe
  C:\Windows\System32\cYBdvld.exe
  2⤵
  PID:6716
- C:\Windows\System32\mDYjrJJ.exe
  C:\Windows\System32\mDYjrJJ.exe
  2⤵
  PID:2248
- C:\Windows\System32\TCMullL.exe
  C:\Windows\System32\TCMullL.exe
  2⤵
  PID:6828
- C:\Windows\System32\BGLJiQN.exe
  C:\Windows\System32\BGLJiQN.exe
  2⤵
  PID:6960
- C:\Windows\System32\yZiBerN.exe
  C:\Windows\System32\yZiBerN.exe
  2⤵
  PID:5080
- C:\Windows\System32\vJbxcpf.exe
  C:\Windows\System32\vJbxcpf.exe
  2⤵
  PID:7052
- C:\Windows\System32\CgmryUV.exe
  C:\Windows\System32\CgmryUV.exe
  2⤵
  PID:7100
- C:\Windows\System32\MnkYMFI.exe
  C:\Windows\System32\MnkYMFI.exe
  2⤵
  PID:5452
- C:\Windows\System32\dkUOOMK.exe
  C:\Windows\System32\dkUOOMK.exe
  2⤵
  PID:6228
- C:\Windows\System32\Aeljvnq.exe
  C:\Windows\System32\Aeljvnq.exe
  2⤵
  PID:6700
- C:\Windows\System32\FGuYgQW.exe
  C:\Windows\System32\FGuYgQW.exe
  2⤵
  PID:6780
- C:\Windows\System32\TFlgPMA.exe
  C:\Windows\System32\TFlgPMA.exe
  2⤵
  PID:5456
- C:\Windows\System32\VeYFRik.exe
  C:\Windows\System32\VeYFRik.exe
  2⤵
  PID:6924
- C:\Windows\System32\bcFhjpT.exe
  C:\Windows\System32\bcFhjpT.exe
  2⤵
  PID:7020
- C:\Windows\System32\RoNkqaZ.exe
  C:\Windows\System32\RoNkqaZ.exe
  2⤵
  PID:7124
- C:\Windows\System32\kOmKmsX.exe
  C:\Windows\System32\kOmKmsX.exe
  2⤵
  PID:6880
- C:\Windows\System32\BJcALXB.exe
  C:\Windows\System32\BJcALXB.exe
  2⤵
  PID:6988
- C:\Windows\System32\cZKGQaF.exe
  C:\Windows\System32\cZKGQaF.exe
  2⤵
  PID:6464
- C:\Windows\System32\NOMwpVt.exe
  C:\Windows\System32\NOMwpVt.exe
  2⤵
  PID:7176
- C:\Windows\System32\IloKtQj.exe
  C:\Windows\System32\IloKtQj.exe
  2⤵
  PID:7196
- C:\Windows\System32\dGTuxZm.exe
  C:\Windows\System32\dGTuxZm.exe
  2⤵
  PID:7220
- C:\Windows\System32\gLDgpoT.exe
  C:\Windows\System32\gLDgpoT.exe
  2⤵
  PID:7272
- C:\Windows\System32\XjzQqgc.exe
  C:\Windows\System32\XjzQqgc.exe
  2⤵
  PID:7320
- C:\Windows\System32\DTUJXBz.exe
  C:\Windows\System32\DTUJXBz.exe
  2⤵
  PID:7340
- C:\Windows\System32\uTTFkkb.exe
  C:\Windows\System32\uTTFkkb.exe
  2⤵
  PID:7364
- C:\Windows\System32\EudKYlC.exe
  C:\Windows\System32\EudKYlC.exe
  2⤵
  PID:7392
- C:\Windows\System32\fRvzUDN.exe
  C:\Windows\System32\fRvzUDN.exe
  2⤵
  PID:7428
- C:\Windows\System32\gvjpHfg.exe
  C:\Windows\System32\gvjpHfg.exe
  2⤵
  PID:7452
- C:\Windows\System32\MGmvsDH.exe
  C:\Windows\System32\MGmvsDH.exe
  2⤵
  PID:7484
- C:\Windows\System32\ASVQJsZ.exe
  C:\Windows\System32\ASVQJsZ.exe
  2⤵
  PID:7508
- C:\Windows\System32\vUUnhzL.exe
  C:\Windows\System32\vUUnhzL.exe
  2⤵
  PID:7532
- C:\Windows\System32\NFwJWns.exe
  C:\Windows\System32\NFwJWns.exe
  2⤵
  PID:7548
- C:\Windows\System32\sOwiQYG.exe
  C:\Windows\System32\sOwiQYG.exe
  2⤵
  PID:7616
- C:\Windows\System32\LieRslf.exe
  C:\Windows\System32\LieRslf.exe
  2⤵
  PID:7636
- C:\Windows\System32\KMngulu.exe
  C:\Windows\System32\KMngulu.exe
  2⤵
  PID:7676
- C:\Windows\System32\nNyVgyB.exe
  C:\Windows\System32\nNyVgyB.exe
  2⤵
  PID:7704
- C:\Windows\System32\beIwKfe.exe
  C:\Windows\System32\beIwKfe.exe
  2⤵
  PID:7744
- C:\Windows\System32\PqrPLXw.exe
  C:\Windows\System32\PqrPLXw.exe
  2⤵
  PID:7764
- C:\Windows\System32\dHGbsAt.exe
  C:\Windows\System32\dHGbsAt.exe
  2⤵
  PID:7784
- C:\Windows\System32\hYOERpu.exe
  C:\Windows\System32\hYOERpu.exe
  2⤵
  PID:7808
- C:\Windows\System32\qFJWwHQ.exe
  C:\Windows\System32\qFJWwHQ.exe
  2⤵
  PID:7828
- C:\Windows\System32\JZMOVXe.exe
  C:\Windows\System32\JZMOVXe.exe
  2⤵
  PID:7860
- C:\Windows\System32\ekPpQLH.exe
  C:\Windows\System32\ekPpQLH.exe
  2⤵
  PID:7892
- C:\Windows\System32\SGPdcBK.exe
  C:\Windows\System32\SGPdcBK.exe
  2⤵
  PID:7916
- C:\Windows\System32\goMYjjo.exe
  C:\Windows\System32\goMYjjo.exe
  2⤵
  PID:7944
- C:\Windows\System32\MFafWUF.exe
  C:\Windows\System32\MFafWUF.exe
  2⤵
  PID:7980
- C:\Windows\System32\OcmSQQJ.exe
  C:\Windows\System32\OcmSQQJ.exe
  2⤵
  PID:8020
- C:\Windows\System32\yuEkFbz.exe
  C:\Windows\System32\yuEkFbz.exe
  2⤵
  PID:8036
- C:\Windows\System32\ikiwmqD.exe
  C:\Windows\System32\ikiwmqD.exe
  2⤵
  PID:8064
- C:\Windows\System32\CXBZblb.exe
  C:\Windows\System32\CXBZblb.exe
  2⤵
  PID:8092
- C:\Windows\System32\IXnmTjq.exe
  C:\Windows\System32\IXnmTjq.exe
  2⤵
  PID:8124
- C:\Windows\System32\WTBNoAX.exe
  C:\Windows\System32\WTBNoAX.exe
  2⤵
  PID:8160
- C:\Windows\System32\VnkSdYc.exe
  C:\Windows\System32\VnkSdYc.exe
  2⤵
  PID:8188
- C:\Windows\System32\KJleBJJ.exe
  C:\Windows\System32\KJleBJJ.exe
  2⤵
  PID:7172
- C:\Windows\System32\QJOLrtV.exe
  C:\Windows\System32\QJOLrtV.exe
  2⤵
  PID:7212
- C:\Windows\System32\QxhYbnD.exe
  C:\Windows\System32\QxhYbnD.exe
  2⤵
  PID:7352
- C:\Windows\System32\xfPTEVG.exe
  C:\Windows\System32\xfPTEVG.exe
  2⤵
  PID:7420
- C:\Windows\System32\bnlJkSi.exe
  C:\Windows\System32\bnlJkSi.exe
  2⤵
  PID:7448
- C:\Windows\System32\ZjHREVw.exe
  C:\Windows\System32\ZjHREVw.exe
  2⤵
  PID:7496
- C:\Windows\System32\mduWYsh.exe
  C:\Windows\System32\mduWYsh.exe
  2⤵
  PID:7632
- C:\Windows\System32\FMDrlDq.exe
  C:\Windows\System32\FMDrlDq.exe
  2⤵
  PID:7688
- C:\Windows\System32\FEzvjfq.exe
  C:\Windows\System32\FEzvjfq.exe
  2⤵
  PID:7752
- C:\Windows\System32\vfeKGfa.exe
  C:\Windows\System32\vfeKGfa.exe
  2⤵
  PID:7820
- C:\Windows\System32\wuviSLE.exe
  C:\Windows\System32\wuviSLE.exe
  2⤵
  PID:7900
- C:\Windows\System32\OfezuES.exe
  C:\Windows\System32\OfezuES.exe
  2⤵
  PID:7908
- C:\Windows\System32\IpfiLEM.exe
  C:\Windows\System32\IpfiLEM.exe
  2⤵
  PID:8028
- C:\Windows\System32\xiuJcng.exe
  C:\Windows\System32\xiuJcng.exe
  2⤵
  PID:8056
- C:\Windows\System32\sicpOos.exe
  C:\Windows\System32\sicpOos.exe
  2⤵
  PID:8120
- C:\Windows\System32\rjhBZRj.exe
  C:\Windows\System32\rjhBZRj.exe
  2⤵
  PID:6904
- C:\Windows\System32\fBpZSJB.exe
  C:\Windows\System32\fBpZSJB.exe
  2⤵
  PID:7472
- C:\Windows\System32\vPbnlSH.exe
  C:\Windows\System32\vPbnlSH.exe
  2⤵
  PID:7524
- C:\Windows\System32\QLBiQTz.exe
  C:\Windows\System32\QLBiQTz.exe
  2⤵
  PID:7560
- C:\Windows\System32\PdFTDDW.exe
  C:\Windows\System32\PdFTDDW.exe
  2⤵
  PID:7728
- C:\Windows\System32\PZbVwXe.exe
  C:\Windows\System32\PZbVwXe.exe
  2⤵
  PID:7800
- C:\Windows\System32\ndWTnUj.exe
  C:\Windows\System32\ndWTnUj.exe
  2⤵
  PID:8060
- C:\Windows\System32\WLyYkCG.exe
  C:\Windows\System32\WLyYkCG.exe
  2⤵
  PID:7796
- C:\Windows\System32\XHjGCHE.exe
  C:\Windows\System32\XHjGCHE.exe
  2⤵
  PID:8044
- C:\Windows\System32\CJyCRMr.exe
  C:\Windows\System32\CJyCRMr.exe
  2⤵
  PID:7608
- C:\Windows\System32\sgLKzEy.exe
  C:\Windows\System32\sgLKzEy.exe
  2⤵
  PID:8204
- C:\Windows\System32\aanWlBV.exe
  C:\Windows\System32\aanWlBV.exe
  2⤵
  PID:8244
- C:\Windows\System32\ATpjPzy.exe
  C:\Windows\System32\ATpjPzy.exe
  2⤵
  PID:8268
- C:\Windows\System32\jYpwFpB.exe
  C:\Windows\System32\jYpwFpB.exe
  2⤵
  PID:8296
- C:\Windows\System32\xSQpnJt.exe
  C:\Windows\System32\xSQpnJt.exe
  2⤵
  PID:8336
- C:\Windows\System32\VSWmAzx.exe
  C:\Windows\System32\VSWmAzx.exe
  2⤵
  PID:8360
- C:\Windows\System32\FBxdlLj.exe
  C:\Windows\System32\FBxdlLj.exe
  2⤵
  PID:8380
- C:\Windows\System32\oqzRrFt.exe
  C:\Windows\System32\oqzRrFt.exe
  2⤵
  PID:8400
- C:\Windows\System32\SutmUor.exe
  C:\Windows\System32\SutmUor.exe
  2⤵
  PID:8436
- C:\Windows\System32\IYtWEDy.exe
  C:\Windows\System32\IYtWEDy.exe
  2⤵
  PID:8456
- C:\Windows\System32\yHZonGE.exe
  C:\Windows\System32\yHZonGE.exe
  2⤵
  PID:8500
- C:\Windows\System32\xzIdMxA.exe
  C:\Windows\System32\xzIdMxA.exe
  2⤵
  PID:8528
- C:\Windows\System32\XVInOrU.exe
  C:\Windows\System32\XVInOrU.exe
  2⤵
  PID:8568
- C:\Windows\System32\IRZvOyC.exe
  C:\Windows\System32\IRZvOyC.exe
  2⤵
  PID:8588
- C:\Windows\System32\YlwsHQz.exe
  C:\Windows\System32\YlwsHQz.exe
  2⤵
  PID:8612
- C:\Windows\System32\VqzMIeO.exe
  C:\Windows\System32\VqzMIeO.exe
  2⤵
  PID:8644
- C:\Windows\System32\bPyKHqk.exe
  C:\Windows\System32\bPyKHqk.exe
  2⤵
  PID:8664
- C:\Windows\System32\ntIcuAG.exe
  C:\Windows\System32\ntIcuAG.exe
  2⤵
  PID:8708
- C:\Windows\System32\YdKAHMB.exe
  C:\Windows\System32\YdKAHMB.exe
  2⤵
  PID:8728
- C:\Windows\System32\FVPNhiR.exe
  C:\Windows\System32\FVPNhiR.exe
  2⤵
  PID:8768
- C:\Windows\System32\nxIoNUy.exe
  C:\Windows\System32\nxIoNUy.exe
  2⤵
  PID:8800
- C:\Windows\System32\gFdCsKG.exe
  C:\Windows\System32\gFdCsKG.exe
  2⤵
  PID:8820
- C:\Windows\System32\JPsTwOm.exe
  C:\Windows\System32\JPsTwOm.exe
  2⤵
  PID:8848
- C:\Windows\System32\WStDgoM.exe
  C:\Windows\System32\WStDgoM.exe
  2⤵
  PID:8864
- C:\Windows\System32\wHfVyII.exe
  C:\Windows\System32\wHfVyII.exe
  2⤵
  PID:8908
- C:\Windows\System32\oxxHuVB.exe
  C:\Windows\System32\oxxHuVB.exe
  2⤵
  PID:8932
- C:\Windows\System32\hjlUeVE.exe
  C:\Windows\System32\hjlUeVE.exe
  2⤵
  PID:8952
- C:\Windows\System32\uCaQhyf.exe
  C:\Windows\System32\uCaQhyf.exe
  2⤵
  PID:8992
- C:\Windows\System32\ixnomaJ.exe
  C:\Windows\System32\ixnomaJ.exe
  2⤵
  PID:9020
- C:\Windows\System32\RWTnzho.exe
  C:\Windows\System32\RWTnzho.exe
  2⤵
  PID:9044
- C:\Windows\System32\eOcbhaz.exe
  C:\Windows\System32\eOcbhaz.exe
  2⤵
  PID:9076
- C:\Windows\System32\xPKyZGN.exe
  C:\Windows\System32\xPKyZGN.exe
  2⤵
  PID:9096
- C:\Windows\System32\fAdoIrY.exe
  C:\Windows\System32\fAdoIrY.exe
  2⤵
  PID:9152
- C:\Windows\System32\TUhMrHq.exe
  C:\Windows\System32\TUhMrHq.exe
  2⤵
  PID:9176
- C:\Windows\System32\LmQsivX.exe
  C:\Windows\System32\LmQsivX.exe
  2⤵
  PID:9208
- C:\Windows\System32\FwzZBSm.exe
  C:\Windows\System32\FwzZBSm.exe
  2⤵
  PID:8200
- C:\Windows\System32\EnqwVMt.exe
  C:\Windows\System32\EnqwVMt.exe
  2⤵
  PID:8224
- C:\Windows\System32\GQtpuwb.exe
  C:\Windows\System32\GQtpuwb.exe
  2⤵
  PID:8352
- C:\Windows\System32\vRSjXRn.exe
  C:\Windows\System32\vRSjXRn.exe
  2⤵
  PID:4852
- C:\Windows\System32\xfrPDnh.exe
  C:\Windows\System32\xfrPDnh.exe
  2⤵
  PID:8464
- C:\Windows\System32\UdAWSHR.exe
  C:\Windows\System32\UdAWSHR.exe
  2⤵
  PID:8536
- C:\Windows\System32\EvMamya.exe
  C:\Windows\System32\EvMamya.exe
  2⤵
  PID:8600
- C:\Windows\System32\mFYUUKM.exe
  C:\Windows\System32\mFYUUKM.exe
  2⤵
  PID:8660
- C:\Windows\System32\ROobTRB.exe
  C:\Windows\System32\ROobTRB.exe
  2⤵
  PID:8676
- C:\Windows\System32\updYtcQ.exe
  C:\Windows\System32\updYtcQ.exe
  2⤵
  PID:8788
- C:\Windows\System32\DNTaQeg.exe
  C:\Windows\System32\DNTaQeg.exe
  2⤵
  PID:8816
- C:\Windows\System32\gbfCAdN.exe
  C:\Windows\System32\gbfCAdN.exe
  2⤵
  PID:8876
- C:\Windows\System32\vJkQwXX.exe
  C:\Windows\System32\vJkQwXX.exe
  2⤵
  PID:8924
- C:\Windows\System32\tVdZIKF.exe
  C:\Windows\System32\tVdZIKF.exe
  2⤵
  PID:9056
- C:\Windows\System32\lFbsNSa.exe
  C:\Windows\System32\lFbsNSa.exe
  2⤵
  PID:9112
- C:\Windows\System32\OxZCNcc.exe
  C:\Windows\System32\OxZCNcc.exe
  2⤵
  PID:9168
- C:\Windows\System32\RxibsvG.exe
  C:\Windows\System32\RxibsvG.exe
  2⤵
  PID:8276
- C:\Windows\System32\aTkefkn.exe
  C:\Windows\System32\aTkefkn.exe
  2⤵
  PID:8420
- C:\Windows\System32\MCYqKMQ.exe
  C:\Windows\System32\MCYqKMQ.exe
  2⤵
  PID:8004
- C:\Windows\System32\XHsbKTb.exe
  C:\Windows\System32\XHsbKTb.exe
  2⤵
  PID:8640
- C:\Windows\System32\BkEqOuj.exe
  C:\Windows\System32\BkEqOuj.exe
  2⤵
  PID:8884
- C:\Windows\System32\bBrrpsu.exe
  C:\Windows\System32\bBrrpsu.exe
  2⤵
  PID:9084
- C:\Windows\System32\fNmVXUI.exe
  C:\Windows\System32\fNmVXUI.exe
  2⤵
  PID:9192
- C:\Windows\System32\wYZvbET.exe
  C:\Windows\System32\wYZvbET.exe
  2⤵
  PID:8576
- C:\Windows\System32\SttebVt.exe
  C:\Windows\System32\SttebVt.exe
  2⤵
  PID:8220
- C:\Windows\System32\RsnVMWK.exe
  C:\Windows\System32\RsnVMWK.exe
  2⤵
  PID:8888
- C:\Windows\System32\rdqlUoQ.exe
  C:\Windows\System32\rdqlUoQ.exe
  2⤵
  PID:8520
- C:\Windows\System32\hSRSFXu.exe
  C:\Windows\System32\hSRSFXu.exe
  2⤵
  PID:9256
- C:\Windows\System32\QYFoiNn.exe
  C:\Windows\System32\QYFoiNn.exe
  2⤵
  PID:9276
- C:\Windows\System32\MXUwcbE.exe
  C:\Windows\System32\MXUwcbE.exe
  2⤵
  PID:9300
- C:\Windows\System32\IYQZWKl.exe
  C:\Windows\System32\IYQZWKl.exe
  2⤵
  PID:9324
- C:\Windows\System32\DkgrXBY.exe
  C:\Windows\System32\DkgrXBY.exe
  2⤵
  PID:9364
- C:\Windows\System32\JBNtMIY.exe
  C:\Windows\System32\JBNtMIY.exe
  2⤵
  PID:9384
- C:\Windows\System32\JuZvOAm.exe
  C:\Windows\System32\JuZvOAm.exe
  2⤵
  PID:9428
- C:\Windows\System32\cKclTDj.exe
  C:\Windows\System32\cKclTDj.exe
  2⤵
  PID:9448
- C:\Windows\System32\xpflqDv.exe
  C:\Windows\System32\xpflqDv.exe
  2⤵
  PID:9472
- C:\Windows\System32\qIHGIzf.exe
  C:\Windows\System32\qIHGIzf.exe
  2⤵
  PID:9496
- C:\Windows\System32\LIyktoj.exe
  C:\Windows\System32\LIyktoj.exe
  2⤵
  PID:9524
- C:\Windows\System32\cTTFwsh.exe
  C:\Windows\System32\cTTFwsh.exe
  2⤵
  PID:9552
- C:\Windows\System32\ojtXxxi.exe
  C:\Windows\System32\ojtXxxi.exe
  2⤵
  PID:9584
- C:\Windows\System32\dxbuBgl.exe
  C:\Windows\System32\dxbuBgl.exe
  2⤵
  PID:9720
- C:\Windows\System32\bfGRtmx.exe
  C:\Windows\System32\bfGRtmx.exe
  2⤵
  PID:9796
- C:\Windows\System32\yDxSkby.exe
  C:\Windows\System32\yDxSkby.exe
  2⤵
  PID:9820
- C:\Windows\System32\iEbEDIt.exe
  C:\Windows\System32\iEbEDIt.exe
  2⤵
  PID:9840
- C:\Windows\System32\oZfzboz.exe
  C:\Windows\System32\oZfzboz.exe
  2⤵
  PID:9872
- C:\Windows\System32\AhWtsLK.exe
  C:\Windows\System32\AhWtsLK.exe
  2⤵
  PID:9904
- C:\Windows\System32\pnMVXzW.exe
  C:\Windows\System32\pnMVXzW.exe
  2⤵
  PID:9924
- C:\Windows\System32\affvGhG.exe
  C:\Windows\System32\affvGhG.exe
  2⤵
  PID:9960
- C:\Windows\System32\OddrEGm.exe
  C:\Windows\System32\OddrEGm.exe
  2⤵
  PID:9984
- C:\Windows\System32\crcmizg.exe
  C:\Windows\System32\crcmizg.exe
  2⤵
  PID:10004
- C:\Windows\System32\boyKPjN.exe
  C:\Windows\System32\boyKPjN.exe
  2⤵
  PID:10024
- C:\Windows\System32\vGnUofD.exe
  C:\Windows\System32\vGnUofD.exe
  2⤵
  PID:10044
- C:\Windows\System32\SFWIhpd.exe
  C:\Windows\System32\SFWIhpd.exe
  2⤵
  PID:10064
- C:\Windows\System32\MTevvtf.exe
  C:\Windows\System32\MTevvtf.exe
  2⤵
  PID:10096
- C:\Windows\System32\YTBkpIq.exe
  C:\Windows\System32\YTBkpIq.exe
  2⤵
  PID:10156
- C:\Windows\System32\qsUTksN.exe
  C:\Windows\System32\qsUTksN.exe
  2⤵
  PID:10180
- C:\Windows\System32\KABIjHk.exe
  C:\Windows\System32\KABIjHk.exe
  2⤵
  PID:10208
- C:\Windows\System32\KaswRki.exe
  C:\Windows\System32\KaswRki.exe
  2⤵
  PID:10232
- C:\Windows\System32\rmqZBaa.exe
  C:\Windows\System32\rmqZBaa.exe
  2⤵
  PID:9236
- C:\Windows\System32\IiOcZUA.exe
  C:\Windows\System32\IiOcZUA.exe
  2⤵
  PID:1952
- C:\Windows\System32\rEVmkNp.exe
  C:\Windows\System32\rEVmkNp.exe
  2⤵
  PID:9376
- C:\Windows\System32\jXfOlSo.exe
  C:\Windows\System32\jXfOlSo.exe
  2⤵
  PID:9372
- C:\Windows\System32\PYvSLTA.exe
  C:\Windows\System32\PYvSLTA.exe
  2⤵
  PID:9488
- C:\Windows\System32\hnofBxf.exe
  C:\Windows\System32\hnofBxf.exe
  2⤵
  PID:9612
- C:\Windows\System32\ndAaJSA.exe
  C:\Windows\System32\ndAaJSA.exe
  2⤵
  PID:9568
- C:\Windows\System32\YYFXZVG.exe
  C:\Windows\System32\YYFXZVG.exe
  2⤵
  PID:9592
- C:\Windows\System32\jkzsVsj.exe
  C:\Windows\System32\jkzsVsj.exe
  2⤵
  PID:9688
- C:\Windows\System32\JPVTjFY.exe
  C:\Windows\System32\JPVTjFY.exe
  2⤵
  PID:9652
- C:\Windows\System32\pZXEwqm.exe
  C:\Windows\System32\pZXEwqm.exe
  2⤵
  PID:4376
- C:\Windows\System32\KhYGhPF.exe
  C:\Windows\System32\KhYGhPF.exe
  2⤵
  PID:9828
- C:\Windows\System32\EnEbCxj.exe
  C:\Windows\System32\EnEbCxj.exe
  2⤵
  PID:9860
- C:\Windows\System32\ZxctkLC.exe
  C:\Windows\System32\ZxctkLC.exe
  2⤵
  PID:9920
- C:\Windows\System32\wfcPDMj.exe
  C:\Windows\System32\wfcPDMj.exe
  2⤵
  PID:9996
- C:\Windows\System32\QyjSCLv.exe
  C:\Windows\System32\QyjSCLv.exe
  2⤵
  PID:10036
- C:\Windows\System32\aQrLIdo.exe
  C:\Windows\System32\aQrLIdo.exe
  2⤵
  PID:10128
- C:\Windows\System32\XghalPz.exe
  C:\Windows\System32\XghalPz.exe
  2⤵
  PID:10200
- C:\Windows\System32\XyzChlt.exe
  C:\Windows\System32\XyzChlt.exe
  2⤵
  PID:10224
- C:\Windows\System32\pXLwNnS.exe
  C:\Windows\System32\pXLwNnS.exe
  2⤵
  PID:9356
- C:\Windows\System32\oBcIhtD.exe
  C:\Windows\System32\oBcIhtD.exe
  2⤵
  PID:9564
- C:\Windows\System32\LvncnJr.exe
  C:\Windows\System32\LvncnJr.exe
  2⤵
  PID:9504
- C:\Windows\System32\yBKWUYu.exe
  C:\Windows\System32\yBKWUYu.exe
  2⤵
  PID:9616
- C:\Windows\System32\iuUZtJV.exe
  C:\Windows\System32\iuUZtJV.exe
  2⤵
  PID:9696
- C:\Windows\System32\pcmbBmo.exe
  C:\Windows\System32\pcmbBmo.exe
  2⤵
  PID:9952
- C:\Windows\System32\zghXNtS.exe
  C:\Windows\System32\zghXNtS.exe
  2⤵
  PID:10032
- C:\Windows\System32\gfbCfsa.exe
  C:\Windows\System32\gfbCfsa.exe
  2⤵
  PID:10192
- C:\Windows\System32\oOqmooa.exe
  C:\Windows\System32\oOqmooa.exe
  2⤵
  PID:9576
- C:\Windows\System32\mfgrCYZ.exe
  C:\Windows\System32\mfgrCYZ.exe
  2⤵
  PID:9636
- C:\Windows\System32\mTfUOaw.exe
  C:\Windows\System32\mTfUOaw.exe
  2⤵
  PID:9852
- C:\Windows\System32\odoNgSn.exe
  C:\Windows\System32\odoNgSn.exe
  2⤵
  PID:10112
- C:\Windows\System32\ekExGnF.exe
  C:\Windows\System32\ekExGnF.exe
  2⤵
  PID:9296
- C:\Windows\System32\teAVIEv.exe
  C:\Windows\System32\teAVIEv.exe
  2⤵
  PID:9416
- C:\Windows\System32\HVBYtTy.exe
  C:\Windows\System32\HVBYtTy.exe
  2⤵
  PID:9400
- C:\Windows\System32\PiDZuGg.exe
  C:\Windows\System32\PiDZuGg.exe
  2⤵
  PID:10244
- C:\Windows\System32\eikmIju.exe
  C:\Windows\System32\eikmIju.exe
  2⤵
  PID:10296
- C:\Windows\System32\aiGmVlI.exe
  C:\Windows\System32\aiGmVlI.exe
  2⤵
  PID:10364
- C:\Windows\System32\BNtOmTv.exe
  C:\Windows\System32\BNtOmTv.exe
  2⤵
  PID:10384
- C:\Windows\System32\LbFAhRh.exe
  C:\Windows\System32\LbFAhRh.exe
  2⤵
  PID:10408
- C:\Windows\System32\dUiMDqv.exe
  C:\Windows\System32\dUiMDqv.exe
  2⤵
  PID:10424
- C:\Windows\System32\YxwVdAJ.exe
  C:\Windows\System32\YxwVdAJ.exe
  2⤵
  PID:10460
- C:\Windows\System32\hijgdHK.exe
  C:\Windows\System32\hijgdHK.exe
  2⤵
  PID:10488
- C:\Windows\System32\WBhYSjG.exe
  C:\Windows\System32\WBhYSjG.exe
  2⤵
  PID:10508
- C:\Windows\System32\qxhtGes.exe
  C:\Windows\System32\qxhtGes.exe
  2⤵
  PID:10544
- C:\Windows\System32\YzRndUq.exe
  C:\Windows\System32\YzRndUq.exe
  2⤵
  PID:10576
- C:\Windows\System32\UVRqqRF.exe
  C:\Windows\System32\UVRqqRF.exe
  2⤵
  PID:10604
- C:\Windows\System32\pEnicGA.exe
  C:\Windows\System32\pEnicGA.exe
  2⤵
  PID:10624
- C:\Windows\System32\ydxSCgp.exe
  C:\Windows\System32\ydxSCgp.exe
  2⤵
  PID:10644
- C:\Windows\System32\eEkUCpW.exe
  C:\Windows\System32\eEkUCpW.exe
  2⤵
  PID:10660
- C:\Windows\System32\ZpPNBTe.exe
  C:\Windows\System32\ZpPNBTe.exe
  2⤵
  PID:10720
- C:\Windows\System32\gYlXFId.exe
  C:\Windows\System32\gYlXFId.exe
  2⤵
  PID:10744
- C:\Windows\System32\ieKsZop.exe
  C:\Windows\System32\ieKsZop.exe
  2⤵
  PID:10776
- C:\Windows\System32\PCehqdM.exe
  C:\Windows\System32\PCehqdM.exe
  2⤵
  PID:10792
- C:\Windows\System32\CcKaQPL.exe
  C:\Windows\System32\CcKaQPL.exe
  2⤵
  PID:10816
- C:\Windows\System32\DWnsQJG.exe
  C:\Windows\System32\DWnsQJG.exe
  2⤵
  PID:10836
- C:\Windows\System32\wSimghF.exe
  C:\Windows\System32\wSimghF.exe
  2⤵
  PID:10864
- C:\Windows\System32\XiljuxT.exe
  C:\Windows\System32\XiljuxT.exe
  2⤵
  PID:10904
- C:\Windows\System32\VpIfVws.exe
  C:\Windows\System32\VpIfVws.exe
  2⤵
  PID:10924
- C:\Windows\System32\wrCQhgK.exe
  C:\Windows\System32\wrCQhgK.exe
  2⤵
  PID:10960
- C:\Windows\System32\CmENLTr.exe
  C:\Windows\System32\CmENLTr.exe
  2⤵
  PID:10988
- C:\Windows\System32\uaFfKGZ.exe
  C:\Windows\System32\uaFfKGZ.exe
  2⤵
  PID:11024
- C:\Windows\System32\NcmuCQj.exe
  C:\Windows\System32\NcmuCQj.exe
  2⤵
  PID:11040
- C:\Windows\System32\WEQqvAu.exe
  C:\Windows\System32\WEQqvAu.exe
  2⤵
  PID:11060
- C:\Windows\System32\JRKoila.exe
  C:\Windows\System32\JRKoila.exe
  2⤵
  PID:11104
- C:\Windows\System32\mQsczsS.exe
  C:\Windows\System32\mQsczsS.exe
  2⤵
  PID:11144
- C:\Windows\System32\xqXrSVY.exe
  C:\Windows\System32\xqXrSVY.exe
  2⤵
  PID:11180
- C:\Windows\System32\LYSFCZi.exe
  C:\Windows\System32\LYSFCZi.exe
  2⤵
  PID:11204
- C:\Windows\System32\XtgARbd.exe
  C:\Windows\System32\XtgARbd.exe
  2⤵
  PID:11224
- C:\Windows\System32\yhCWgfI.exe
  C:\Windows\System32\yhCWgfI.exe
  2⤵
  PID:11240
- C:\Windows\System32\uuXDsMw.exe
  C:\Windows\System32\uuXDsMw.exe
  2⤵
  PID:10256
- C:\Windows\System32\xbjiHhI.exe
  C:\Windows\System32\xbjiHhI.exe
  2⤵
  PID:10336
- C:\Windows\System32\LqUFzoR.exe
  C:\Windows\System32\LqUFzoR.exe
  2⤵
  PID:10420
- C:\Windows\System32\mygAbec.exe
  C:\Windows\System32\mygAbec.exe
  2⤵
  PID:10472
- C:\Windows\System32\zbFItNk.exe
  C:\Windows\System32\zbFItNk.exe
  2⤵
  PID:10504
- C:\Windows\System32\MZLulSb.exe
  C:\Windows\System32\MZLulSb.exe
  2⤵
  PID:10616
- C:\Windows\System32\RzPOAvi.exe
  C:\Windows\System32\RzPOAvi.exe
  2⤵
  PID:10640
- C:\Windows\System32\QDIhYGL.exe
  C:\Windows\System32\QDIhYGL.exe
  2⤵
  PID:10696
- C:\Windows\System32\ZhvuveR.exe
  C:\Windows\System32\ZhvuveR.exe
  2⤵
  PID:10784
- C:\Windows\System32\yNsmFSI.exe
  C:\Windows\System32\yNsmFSI.exe
  2⤵
  PID:10860
- C:\Windows\System32\FruyOJc.exe
  C:\Windows\System32\FruyOJc.exe
  2⤵
  PID:10880
- C:\Windows\System32\aXlLoGk.exe
  C:\Windows\System32\aXlLoGk.exe
  2⤵
  PID:10952
- C:\Windows\System32\RdXBYPs.exe
  C:\Windows\System32\RdXBYPs.exe
  2⤵
  PID:10052
- C:\Windows\System32\MatvBXP.exe
  C:\Windows\System32\MatvBXP.exe
  2⤵
  PID:11076
- C:\Windows\System32\ODDcGBH.exe
  C:\Windows\System32\ODDcGBH.exe
  2⤵
  PID:11164
- C:\Windows\System32\gGGPjzL.exe
  C:\Windows\System32\gGGPjzL.exe
  2⤵
  PID:11236
- C:\Windows\System32\JjrHxYC.exe
  C:\Windows\System32\JjrHxYC.exe
  2⤵
  PID:10376
- C:\Windows\System32\LzzIYdF.exe
  C:\Windows\System32\LzzIYdF.exe
  2⤵
  PID:10528
- C:\Windows\System32\XxXWMst.exe
  C:\Windows\System32\XxXWMst.exe
  2⤵
  PID:10540
- C:\Windows\System32\NqPYoFe.exe
  C:\Windows\System32\NqPYoFe.exe
  2⤵
  PID:10632
- C:\Windows\System32\aSpVpZw.exe
  C:\Windows\System32\aSpVpZw.exe
  2⤵
  PID:10848
- C:\Windows\System32\YkMCDYi.exe
  C:\Windows\System32\YkMCDYi.exe
  2⤵
  PID:10972
- C:\Windows\System32\vGUeOlm.exe
  C:\Windows\System32\vGUeOlm.exe
  2⤵
  PID:11212
- C:\Windows\System32\VPHzMsE.exe
  C:\Windows\System32\VPHzMsE.exe
  2⤵
  PID:10404
- C:\Windows\System32\NJJByUC.exe
  C:\Windows\System32\NJJByUC.exe
  2⤵
  PID:4996
- C:\Windows\System32\WzkymaP.exe
  C:\Windows\System32\WzkymaP.exe
  2⤵
  PID:10920
- C:\Windows\System32\DeGPewV.exe
  C:\Windows\System32\DeGPewV.exe
  2⤵
  PID:11256
- C:\Windows\System32\dXxmckS.exe
  C:\Windows\System32\dXxmckS.exe
  2⤵
  PID:11200
- C:\Windows\System32\UyhsvFK.exe
  C:\Windows\System32\UyhsvFK.exe
  2⤵
  PID:11276
- C:\Windows\System32\HwIXHFB.exe
  C:\Windows\System32\HwIXHFB.exe
  2⤵
  PID:11300
- C:\Windows\System32\qXacoQt.exe
  C:\Windows\System32\qXacoQt.exe
  2⤵
  PID:11316
- C:\Windows\System32\HWxlRUR.exe
  C:\Windows\System32\HWxlRUR.exe
  2⤵
  PID:11348
- C:\Windows\System32\IURSFjj.exe
  C:\Windows\System32\IURSFjj.exe
  2⤵
  PID:11380
- C:\Windows\System32\kCudPqh.exe
  C:\Windows\System32\kCudPqh.exe
  2⤵
  PID:11424
- C:\Windows\System32\oTEqlvu.exe
  C:\Windows\System32\oTEqlvu.exe
  2⤵
  PID:11448
- C:\Windows\System32\RrOpXGV.exe
  C:\Windows\System32\RrOpXGV.exe
  2⤵
  PID:11472
- C:\Windows\System32\JwjYeWj.exe
  C:\Windows\System32\JwjYeWj.exe
  2⤵
  PID:11488
- C:\Windows\System32\HZFVvIm.exe
  C:\Windows\System32\HZFVvIm.exe
  2⤵
  PID:11508
- C:\Windows\System32\elEPatd.exe
  C:\Windows\System32\elEPatd.exe
  2⤵
  PID:11568
- C:\Windows\System32\EoPGEwV.exe
  C:\Windows\System32\EoPGEwV.exe
  2⤵
  PID:11604
- C:\Windows\System32\dTCRrGM.exe
  C:\Windows\System32\dTCRrGM.exe
  2⤵
  PID:11624
- C:\Windows\System32\lxEHxTG.exe
  C:\Windows\System32\lxEHxTG.exe
  2⤵
  PID:11652
- C:\Windows\System32\VlUtsJQ.exe
  C:\Windows\System32\VlUtsJQ.exe
  2⤵
  PID:11680
- C:\Windows\System32\fEaXfQy.exe
  C:\Windows\System32\fEaXfQy.exe
  2⤵
  PID:11708
- C:\Windows\System32\HfLxUlm.exe
  C:\Windows\System32\HfLxUlm.exe
  2⤵
  PID:11740
- C:\Windows\System32\axLHMls.exe
  C:\Windows\System32\axLHMls.exe
  2⤵
  PID:11764
- C:\Windows\System32\CerLeuM.exe
  C:\Windows\System32\CerLeuM.exe
  2⤵
  PID:11792
- C:\Windows\System32\MioTnbF.exe
  C:\Windows\System32\MioTnbF.exe
  2⤵
  PID:11820
- C:\Windows\System32\kcktKyY.exe
  C:\Windows\System32\kcktKyY.exe
  2⤵
  PID:11840
- C:\Windows\System32\vkiTdgg.exe
  C:\Windows\System32\vkiTdgg.exe
  2⤵
  PID:11872
- C:\Windows\System32\xukhUmx.exe
  C:\Windows\System32\xukhUmx.exe
  2⤵
  PID:11908
- C:\Windows\System32\GHrIdIz.exe
  C:\Windows\System32\GHrIdIz.exe
  2⤵
  PID:11936
- C:\Windows\System32\iRJhIQS.exe
  C:\Windows\System32\iRJhIQS.exe
  2⤵
  PID:11976
- C:\Windows\System32\coQJxws.exe
  C:\Windows\System32\coQJxws.exe
  2⤵
  PID:12008
- C:\Windows\System32\yIxjgan.exe
  C:\Windows\System32\yIxjgan.exe
  2⤵
  PID:12044
- C:\Windows\System32\ROKsorz.exe
  C:\Windows\System32\ROKsorz.exe
  2⤵
  PID:12068
- C:\Windows\System32\eUPufGS.exe
  C:\Windows\System32\eUPufGS.exe
  2⤵
  PID:12112
- C:\Windows\System32\iIIKIcQ.exe
  C:\Windows\System32\iIIKIcQ.exe
  2⤵
  PID:12136
- C:\Windows\System32\AJxphBo.exe
  C:\Windows\System32\AJxphBo.exe
  2⤵
  PID:12152
- C:\Windows\System32\qSsPUUN.exe
  C:\Windows\System32\qSsPUUN.exe
  2⤵
  PID:12176
- C:\Windows\System32\XnmABVr.exe
  C:\Windows\System32\XnmABVr.exe
  2⤵
  PID:12224
- C:\Windows\System32\oPetcGM.exe
  C:\Windows\System32\oPetcGM.exe
  2⤵
  PID:12240
- C:\Windows\System32\aKMioMq.exe
  C:\Windows\System32\aKMioMq.exe
  2⤵
  PID:11272
- C:\Windows\System32\NzlkEhX.exe
  C:\Windows\System32\NzlkEhX.exe
  2⤵
  PID:11308
- C:\Windows\System32\fZlPTgG.exe
  C:\Windows\System32\fZlPTgG.exe
  2⤵
  PID:11376
- C:\Windows\System32\CTipWvb.exe
  C:\Windows\System32\CTipWvb.exe
  2⤵
  PID:11444
- C:\Windows\System32\CyhNeLc.exe
  C:\Windows\System32\CyhNeLc.exe
  2⤵
  PID:11436
- C:\Windows\System32\GIkcsEK.exe
  C:\Windows\System32\GIkcsEK.exe
  2⤵
  PID:11540
- C:\Windows\System32\cPVYoAX.exe
  C:\Windows\System32\cPVYoAX.exe
  2⤵
  PID:11612
- C:\Windows\System32\rpJjqLe.exe
  C:\Windows\System32\rpJjqLe.exe
  2⤵
  PID:11688
- C:\Windows\System32\WNAquZA.exe
  C:\Windows\System32\WNAquZA.exe
  2⤵
  PID:11780
- C:\Windows\System32\ndBmIDi.exe
  C:\Windows\System32\ndBmIDi.exe
  2⤵
  PID:11808
- C:\Windows\System32\jRgXaJJ.exe
  C:\Windows\System32\jRgXaJJ.exe
  2⤵
  PID:11864
- C:\Windows\System32\PgRqxCr.exe
  C:\Windows\System32\PgRqxCr.exe
  2⤵
  PID:11900
- C:\Windows\System32\eJOXfWY.exe
  C:\Windows\System32\eJOXfWY.exe
  2⤵
  PID:12052
- C:\Windows\System32\YQWgrzt.exe
  C:\Windows\System32\YQWgrzt.exe
  2⤵
  PID:12096
- C:\Windows\System32\rUtukzf.exe
  C:\Windows\System32\rUtukzf.exe
  2⤵
  PID:12144
- C:\Windows\System32\rpOltnC.exe
  C:\Windows\System32\rpOltnC.exe
  2⤵
  PID:12212
- C:\Windows\System32\NzSrOUg.exe
  C:\Windows\System32\NzSrOUg.exe
  2⤵
  PID:12252
- C:\Windows\System32\rEQMysC.exe
  C:\Windows\System32\rEQMysC.exe
  2⤵
  PID:11324
- C:\Windows\System32\ZLbiLri.exe
  C:\Windows\System32\ZLbiLri.exe
  2⤵
  PID:1880
- C:\Windows\System32\PGMwnZj.exe
  C:\Windows\System32\PGMwnZj.exe
  2⤵
  PID:11732
- C:\Windows\System32\PuIGROY.exe
  C:\Windows\System32\PuIGROY.exe
  2⤵
  PID:11880
- C:\Windows\System32\yGChGRz.exe
  C:\Windows\System32\yGChGRz.exe
  2⤵
  PID:12056
- C:\Windows\System32\VhXlWsM.exe
  C:\Windows\System32\VhXlWsM.exe
  2⤵
  PID:12088
- C:\Windows\System32\DZHvPEK.exe
  C:\Windows\System32\DZHvPEK.exe
  2⤵
  PID:4072
- C:\Windows\System32\jyUGYPH.exe
  C:\Windows\System32\jyUGYPH.exe
  2⤵
  PID:11644
- C:\Windows\System32\HEqqDzR.exe
  C:\Windows\System32\HEqqDzR.exe
  2⤵
  PID:11856
- C:\Windows\System32\maIrwkp.exe
  C:\Windows\System32\maIrwkp.exe
  2⤵
  PID:4560
- C:\Windows\System32\XfgVSuW.exe
  C:\Windows\System32\XfgVSuW.exe
  2⤵
  PID:12148
- C:\Windows\System32\UEpgcIF.exe
  C:\Windows\System32\UEpgcIF.exe
  2⤵
  PID:11800
- C:\Windows\System32\OWJnnqf.exe
  C:\Windows\System32\OWJnnqf.exe
  2⤵
  PID:12200
- C:\Windows\System32\hEKDnPP.exe
  C:\Windows\System32\hEKDnPP.exe
  2⤵
  PID:12352
- C:\Windows\System32\eNXpHVX.exe
  C:\Windows\System32\eNXpHVX.exe
  2⤵
  PID:12400
- C:\Windows\System32\jkmjPbF.exe
  C:\Windows\System32\jkmjPbF.exe
  2⤵
  PID:12420
- C:\Windows\System32\QyxbjOp.exe
  C:\Windows\System32\QyxbjOp.exe
  2⤵
  PID:12464
- C:\Windows\System32\IDwWTYD.exe
  C:\Windows\System32\IDwWTYD.exe
  2⤵
  PID:12516
- C:\Windows\System32\iezUzFb.exe
  C:\Windows\System32\iezUzFb.exe
  2⤵
  PID:12544
- C:\Windows\System32\rnLLpsn.exe
  C:\Windows\System32\rnLLpsn.exe
  2⤵
  PID:12564
- C:\Windows\System32\lFLpUtd.exe
  C:\Windows\System32\lFLpUtd.exe
  2⤵
  PID:12596
- C:\Windows\System32\sUbLEdn.exe
  C:\Windows\System32\sUbLEdn.exe
  2⤵
  PID:12624
- C:\Windows\System32\ZpVTnli.exe
  C:\Windows\System32\ZpVTnli.exe
  2⤵
  PID:12668
- C:\Windows\System32\jcQWPSP.exe
  C:\Windows\System32\jcQWPSP.exe
  2⤵
  PID:12708
- C:\Windows\System32\raSIkGf.exe
  C:\Windows\System32\raSIkGf.exe
  2⤵
  PID:12776
- C:\Windows\System32\HzfMQQc.exe
  C:\Windows\System32\HzfMQQc.exe
  2⤵
  PID:12804
- C:\Windows\System32\kWlXgbn.exe
  C:\Windows\System32\kWlXgbn.exe
  2⤵
  PID:12828
- C:\Windows\System32\zaQWkSl.exe
  C:\Windows\System32\zaQWkSl.exe
  2⤵
  PID:12848
- C:\Windows\System32\SXeiwIo.exe
  C:\Windows\System32\SXeiwIo.exe
  2⤵
  PID:12868
- C:\Windows\System32\JDQLJiB.exe
  C:\Windows\System32\JDQLJiB.exe
  2⤵
  PID:12920
- C:\Windows\System32\qOSbVDP.exe
  C:\Windows\System32\qOSbVDP.exe
  2⤵
  PID:12948
- C:\Windows\System32\AmYzqyf.exe
  C:\Windows\System32\AmYzqyf.exe
  2⤵
  PID:13008
- C:\Windows\System32\RnGGBTN.exe
  C:\Windows\System32\RnGGBTN.exe
  2⤵
  PID:13040
- C:\Windows\System32\fgEQfyb.exe
  C:\Windows\System32\fgEQfyb.exe
  2⤵
  PID:13064
- C:\Windows\System32\jXaftNG.exe
  C:\Windows\System32\jXaftNG.exe
  2⤵
  PID:13080
- C:\Windows\System32\gLDdRSD.exe
  C:\Windows\System32\gLDdRSD.exe
  2⤵
  PID:13112
- C:\Windows\System32\NPEVXBz.exe
  C:\Windows\System32\NPEVXBz.exe
  2⤵
  PID:13144
- C:\Windows\System32\HTzowvg.exe
  C:\Windows\System32\HTzowvg.exe
  2⤵
  PID:13160
- C:\Windows\System32\lQhVgVr.exe
  C:\Windows\System32\lQhVgVr.exe
  2⤵
  PID:13192
- C:\Windows\System32\vhtBIzV.exe
  C:\Windows\System32\vhtBIzV.exe
  2⤵
  PID:13212
- C:\Windows\System32\DIjfIDY.exe
  C:\Windows\System32\DIjfIDY.exe
  2⤵
  PID:13228
- C:\Windows\System32\IySdfot.exe
  C:\Windows\System32\IySdfot.exe
  2⤵
  PID:13268
- C:\Windows\System32\degErbc.exe
  C:\Windows\System32\degErbc.exe
  2⤵
  PID:13292
- C:\Windows\System32\iuEMaYN.exe
  C:\Windows\System32\iuEMaYN.exe
  2⤵
  PID:11660
- C:\Windows\System32\wrjBBQG.exe
  C:\Windows\System32\wrjBBQG.exe
  2⤵
  PID:12324
- C:\Windows\System32\jypMdIg.exe
  C:\Windows\System32\jypMdIg.exe
  2⤵
  PID:12536
- C:\Windows\System32\TJktChi.exe
  C:\Windows\System32\TJktChi.exe
  2⤵
  PID:12584
- C:\Windows\System32\qKKJYXk.exe
  C:\Windows\System32\qKKJYXk.exe
  2⤵
  PID:12684
- C:\Windows\System32\ILtcAWU.exe
  C:\Windows\System32\ILtcAWU.exe
  2⤵
  PID:12716
- C:\Windows\System32\TMBzZOQ.exe
  C:\Windows\System32\TMBzZOQ.exe
  2⤵
  PID:12796
- C:\Windows\System32\TjKdLcx.exe
  C:\Windows\System32\TjKdLcx.exe
  2⤵
  PID:12840
- C:\Windows\System32\BeeeTFA.exe
  C:\Windows\System32\BeeeTFA.exe
  2⤵
  PID:13076
- C:\Windows\System32\FdvIOkA.exe
  C:\Windows\System32\FdvIOkA.exe
  2⤵
  PID:13140
- C:\Windows\System32\NJKCppw.exe
  C:\Windows\System32\NJKCppw.exe
  2⤵
  PID:13208
- C:\Windows\System32\NQhReCY.exe
  C:\Windows\System32\NQhReCY.exe
  2⤵
  PID:13284

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BeSTjUr.exe

Filesize
1.1MB

MD5
0081fd0531e43613d53eec55c570f0ef

SHA1
e5eb9e6e3c7906cc6bfded6cb11b91b9cf6cd912

SHA256
e937981650ea1224a8bddad19e4e5707b43ad73170b99c020391cc047df55b4c

SHA512
50b948238e862000115f4a158e0667cc97d74bbae4285968466f7ff31d9c583367dc646afb097feefdfe5265047a3aed5f6a7b73919bdb0b2c42a89c5f30df90

Download Submit
C:\Windows\System32\KkXgZPG.exe

Filesize
1.1MB

MD5
88ec4c7078c405d6de8ce7a52ddce591

SHA1
109bac76d508994f958ee1c5e3db2bc48009635f

SHA256
42181d8b5bb685023c8e6101bcbceba07df753c5db693ac09da449bc709c7117

SHA512
008567971af9833be0ad6cfde92975fbaee4a915ed74c23ac185f2597fb341969e588153470fffab4c49bea537aae924c3074f1e3c118138aac9591748b23ed7

Download Submit
C:\Windows\System32\MTtwbrL.exe

Filesize
1.1MB

MD5
a06a9c24d74edf7f1189ecc4a8791294

SHA1
753c26b2deca7bc3d356acbf73d6f7b996adaf82

SHA256
2c4bad0d784151aebcb9a0ffc184664911e65d7ed6793dd29268af64f4ee943d

SHA512
9136afdd8acecdd564ca82597df406b2087c826f8c4808078ca84618027b4c32de5490024fc561eb275debbd57908b431a87ee1f2b0c2df8ada02a625bcc469e

Download Submit
C:\Windows\System32\NefVvSy.exe

Filesize
1.1MB

MD5
40f94538f6fc2c39654cf0a8bf8b679a

SHA1
37a39bd9c77acf8366f8d175e4d31286b5662e3e

SHA256
00722afb4de89fdab5bf4c1935f4485bb305dbe4dbffe43766cdcb3dda5b0bf3

SHA512
f50e32e9b808b2217df771ac605dded1bf0e3e53eea669c89a68db866a20621b4c64e129f1c8c1ae20eaf47b9a8123ea7c45c0bf843e19b61642398091af9b11

Download Submit
C:\Windows\System32\NyHTmmU.exe

Filesize
1.1MB

MD5
3a382907213ec5ad288d4959e35e7d1f

SHA1
d9339175aa261bd325721351c373c29251e60f6f

SHA256
c3fbdb774870bcf84dcf58c7e3f3331f5939599d4863de8148978c5b9cfe6c80

SHA512
0acfc74374eac10cce0ea4060a5ecc75852ac23ed4215cbf910a0a862fa4bb16ee1ba9677e877b16439bd525f65d6cf7b37478c38b9db598ad9943cc1172cedc

Download Submit
C:\Windows\System32\OPqfpsJ.exe

Filesize
1.1MB

MD5
704fa6567c14cbf631ca8d9455a3ef8e

SHA1
0c30021c118f962cc302a2b156cde69294c683d7

SHA256
772decfddd89699599bb489f12645c23a153fcdb2529e3132fda8de90b7d0a0e

SHA512
5ffb600ede74f7120088c2b9f3f8eb525c2a143013284379e731adcbcb56a21ee9f829beadbbab1d96b41884ca93cc19f19f9417d0f9c41d9b4887ca2169f3db

Download Submit
C:\Windows\System32\QLyNhHR.exe

Filesize
1.1MB

MD5
3c8e5c3b2d5a8e9614a5ccd1a2266f1d

SHA1
b7a2b50b99368e1a37aed28f67ddc8b4a75d41be

SHA256
5321629371dfdac369f0af7393b1cf0c212efbe7c6090c45a6f0aae2e87d8fb0

SHA512
451f26dfb70d62a7d5c521ea3afe6c8aee99a99b64cbef0bafdabab87eb2f5fed4e1658d63d67ebcd17aed4ee3f65e26d74138690c6d0f55a93640237955605e

Download Submit
C:\Windows\System32\YPlxEWW.exe

Filesize
1.1MB

MD5
259ea53891ef978dd93c1b02c072d8e1

SHA1
e694a73758c8a532ad59d80ff74ccba1d4b97b08

SHA256
6bb32f7f212dc2673eb105d355238bc3f7a94180abf9c4e3479d3d4d2e39ddaa

SHA512
8752f0882f916923c0d0c93bb91509d7c5e0658d8c44387ef5b86b0cc276e8b491faac19670868986642f185659eb375f6cc7eb4a718bea87744cd4106a847f9

Download Submit
C:\Windows\System32\YYhgfWu.exe

Filesize
1.1MB

MD5
d7637bc8ca91d27df5193d281356c24e

SHA1
73a0b84adc14c01dbf20729d26ecfbbebd424fcf

SHA256
c74190fe3be4659ead6050406e30cc9c9b4c38fc764a4432393fd3239aa5dc72

SHA512
27d1ef06d916f3614fbfb5bcc4e500b4716deebc67fffc20081bbfcf4f07c4c52c5da883b76e9f8ee3bd44d06ace864a696d2dcc59dd5c0bab2a7124d5b8cac4

Download Submit
C:\Windows\System32\YlfUFDT.exe

Filesize
1.1MB

MD5
2920939d643d4da76d96fdbbc9fcd4d1

SHA1
2580279dec5ce040bd31b00319c1d0da4612fd38

SHA256
0f667a11681af3079b19c044404b83676425aca737f35cde27866436b83eaa6f

SHA512
f2156e2037c0422a8ef5951e13515d2db980ffbd9b459fb4dfde0df834371a00e62e38a6a7e586ec2e6491eded9dbbc853708feb431ee7882d3d96ee582557c4

Download Submit
C:\Windows\System32\aSWOlun.exe

Filesize
1.1MB

MD5
a8c2cf704b33d04e2a11f24f949d1d6f

SHA1
5b763f59b3b4129fc4979e29e21693ed7612a3ad

SHA256
d24de1ff8bc3d35c4298b20ad3d1195f2777f0285a0fe7de51bae04605b776a9

SHA512
373ae174c4a83029ba3eb0c9572dcd5950a65cb0d41c7f207b4ebdfad1b2abc661ff9c51ccb32b99ea4a60fa481bbddb9f1f5379baadcdba4028aeecf2672bac

Download Submit
C:\Windows\System32\dRPOjup.exe

Filesize
1.1MB

MD5
a2f7d00725aa3fd7cfcc73923c493144

SHA1
57416d62271e4c0c3002bdfddff60369c2a3603b

SHA256
e3690c018ebae3c3aae996faeafbe9a90db49465578e8f05f31a9a5b151a2887

SHA512
6c1a45168a2bd7af448ed9a46f5be41ec4f22aae1a69e80747ca353501514646480c3815bf8654899e34fe217d775d7fc301a76334d69beaaa81a2b25d059961

Download Submit
C:\Windows\System32\dtPGTPQ.exe

Filesize
1.1MB

MD5
abfd96bc7bf2863bb0ff07bbd8beaefb

SHA1
9bc3d661830d4c5d2f2925ee9f0f05e90f8aff76

SHA256
54b1b819da4665165dad5e5d6ca72ef08db0f3ce5f52451a5e12b8e811b5d098

SHA512
753bd95b011a08c56071905dd7a4101fe17c74df79ed07834c32f16f32d85644f427f42225cb9a7ccf348230ee74aef11284320731e3a0dfb6229bef2a53b322

Download Submit
C:\Windows\System32\emIwfQd.exe

Filesize
1.1MB

MD5
a1dc38000e25b45e67bf7ad511936cd9

SHA1
053815444599d3d1f92046edec6a4da0f86f91fa

SHA256
3209d7d1e6596832721d17b3fac9c14ad04cd5e233da11dcbe36c7aedcc3bfee

SHA512
883a4550f7ac432cefd81af30040fcdecfac4962920b90ce3007a35b4377d4e6b707892dc21a46d0e0c37cfdcf0cb86c7c710f866f85c99e5ab3ce6525799560

Download Submit
C:\Windows\System32\ggjcAjW.exe

Filesize
1.1MB

MD5
7d69fa44fe1551cdf729a6a5d2aa1c5d

SHA1
acbcaf09ec674a99eaa594770daaa560445c4c16

SHA256
6a4a5470e05a2f5d3287c17fc789cd4b74e7636d608958fde3abff1d8e799d54

SHA512
edb0f91b51edf73235b8ea360626a0aab14f4df02645eb3fc188d506cb9ea448df0a3dcaf25fbed6bfa8efae4fbe23b6aecd80e6f30358e898368bae878c6bd0

Download Submit
C:\Windows\System32\ghnusbc.exe

Filesize
1.1MB

MD5
e1144382c2467f6104f42168f85fb35c

SHA1
9333e07ccee2cf4bcac49abd741b87ad2b4d75f0

SHA256
bb78e60baa32f61016bb207818e39e234000c1dd6be73889b299a4dd1df0cef5

SHA512
3c94dacf15e8eb3bd1dbac49e4b121428b0574f195196d811d8e46fe12cc63262269f74fc6e401afa21572e10f9031487b0f27727678cc00056e68adc36b7d21

Download Submit
C:\Windows\System32\hImjVai.exe

Filesize
1.1MB

MD5
86cbf91b5b1c9791d1a87cb16c0286af

SHA1
87a1010457d73203c973cbdff4959a41c9e6bdce

SHA256
e7c9f92a28a759edd5bbe1a29ac0de7f8a54ed072a63baf11fc24c27e36b4f61

SHA512
64293adcb9319151a55209b02e0a60a0389365b71e6b7346fd042a6ca57ab3ed373d522bc4c5869a18a2e954b6920a2187d1644b471f822a49c472dd70115e91

Download Submit
C:\Windows\System32\iJqzvem.exe

Filesize
1.1MB

MD5
b7eb72b744023a3efc6246693a9d662a

SHA1
005fd5866344a1e8b821206d20cf151ddd166d2a

SHA256
73d53bf780a046ceb51f9c2565908f6175323b0212b88904abe51688e11379af

SHA512
4426401882e8a7316e58d41bfc159cd2fdf0621f988b164978ea3bc6b0e576209af35834034292349fd52f7a8b91fba873d84a5888dadf9ff2e5751b5f2d655f

Download Submit
C:\Windows\System32\jVWsEFj.exe

Filesize
1.1MB

MD5
f3a627abc888c7b37a352d2454ae1fbe

SHA1
389d2d5f90713d0a8bc79d1651e62bd9fd3005eb

SHA256
07d03c35b790776b56b10f716fc3685f70f164bc22ea7be5f38f6cbd0ece20bd

SHA512
90aac52fad369228d3211e054ed96285237533ff5599f08240ea429c0db626e2fdb709e81cea26b62c575110a48cfd7870657657e810b6f54011a77715f92ef5

Download Submit
C:\Windows\System32\jZgqHan.exe

Filesize
1.1MB

MD5
a6f53473d27fdcf530721d971e786444

SHA1
b10a08b409be83a714f8374e908bfa749405976e

SHA256
06c984bfb95c5061155a6ee058aadbf70901c24324766c42f88fed359c6f8e2e

SHA512
57fdf402defefdededaefd7a1de63b52f08421fabec3ce30c26d0a716e53b14561009a9464f2b66514dd42c1fefc0bda3e4c0e12b55fdc33f792957b0005e0d8

Download Submit
C:\Windows\System32\mrMCTwi.exe

Filesize
1.1MB

MD5
5598d89d6da9ff60d0a6a3a5ec0a1ffa

SHA1
12a7858bb69eed8bf42ed61a9d5c909f9cf50285

SHA256
272c2d655880e1a4ee997a0bf4244f0d2de98f915ad93bbfd64daaa3c9b87a98

SHA512
af0373d290357923927b7111f4060b6a239cb8b09c2ce5c20651f244b31beab9a4a9525ebbbf7a14f1326bf9b2457b21cd03eb3a48602134cc5e5913b4a4d4fe

Download Submit
C:\Windows\System32\nzgKEdP.exe

Filesize
1.1MB

MD5
1f7d6f91291eac0324c020dfb2d30791

SHA1
4b4cdee25c9beea710d82a8a554d92aa7f93d345

SHA256
a7ad53c3c97200ce15155de7ce6f1bbb8df6aec2ddce3ebbb1ea54238e675cfd

SHA512
37ca04a0b7df3472c83760f978d368e9b5d1c1a486c56b4614ffb7914c40649e690648bf01b5d10f2a761c17c192fa343651ecfa11b18f723e7b7010f197591f

Download Submit
C:\Windows\System32\oYjBKYD.exe

Filesize
1.1MB

MD5
5b52f60cf97fa929c6c4b704cf491c70

SHA1
b72bee977f69953744a596a5233f9e08347f4afb

SHA256
ec09ceaf15d352c9ccc4cbcdb5e3613bc9a2098cc49f0e00b6c41b0a3b010e46

SHA512
c423f26713499e9b9c06fd758c75e8be8cc21080fd80275877bae102a547002f924a97b82dc764c60a5dda4d2dc3d3d6b6024148b5ebc6edc31d3d529cb46222

Download Submit
C:\Windows\System32\pOjhVGA.exe

Filesize
1.1MB

MD5
872b13890631315d0e72cbf5ad076da6

SHA1
ea33e084c3952af47059b21e20835438f4299cd2

SHA256
19645b5c18df041734c14373215308712c33023cf0f97dc9c7a50159a81e4ba3

SHA512
b5a8749afcba6d57cbf64ba11fd6021442adbbfa017bc2300ffd911542457809fbcf9830802b1fbcc00b3b4eafcc2df38762536a3b38706a3492487d97fa170a

Download Submit
C:\Windows\System32\qYLUNwF.exe

Filesize
1.1MB

MD5
ba2fb61a93f88910054284d651b7dbd7

SHA1
7d6e84e69b97cb6c57b5a7b2e7671cdf7345892c

SHA256
baa384df53b78a79080808f350d7129ae1b1c27bba59ac659ab74dfae20d1fed

SHA512
fc9a51d793cd8084dc650b7efbe391f5c0962a6bae5dbcf479b40fcff7722eb46debfa1fffadfd87404f37fb43a6275f3cfff545553302a1b4c38271aa5cb477

Download Submit
C:\Windows\System32\scIEEpz.exe

Filesize
1.1MB

MD5
d112393f083e8b888841776c20474bda

SHA1
7b82abd54a19b7ea1eb709e834d886d3cc095477

SHA256
9cf5b988263e3c9d2af34ac58f91b569b3bdad34831115b911d96ef2873b52ae

SHA512
62cc99a8b0526c61d352671697408e0fddeb017aaa144d51580f7ece16c793136ff707ad52be1c9498ff1d900f9ab1e6a1de1916044e6aa8eb60503d6ec6c574

Download Submit
C:\Windows\System32\tJYLItV.exe

Filesize
1.1MB

MD5
c4640d826bed0d88e13e8a9696c5983d

SHA1
f858fc6ca4227b4ed13be7696609ed0f4c1b12e6

SHA256
dbb0bb537567b7b0c67389dc2b3803914c06b330524875fa3836f895cea25cce

SHA512
c38fed481965eb082f1607a74035580caff76d8acb853d99955c98d7ee949698461cb1e3eada6e9d3f395ad5cce55d4742febccb9139421e89acc32513ebdbf8

Download Submit
C:\Windows\System32\uOIZAnu.exe

Filesize
1.1MB

MD5
b24f2215f21efb7423994f31bb1dd997

SHA1
4365be029472ea67c339fe3feef49399096d0b58

SHA256
909151badca417b8aa89647207d1df24765d9f94a6e27aa26f2a896d06a6216f

SHA512
72870b58a8665dff7391786156789453f9b773337af0d932ee87cf21dfd268fee6e8572673bf3a5c99e9d90ff621cf852fcb9bc8c58ed621d927044397cfadf6

Download Submit
C:\Windows\System32\ufkeuXT.exe

Filesize
1.1MB

MD5
6779d14347642a1542375082fc4ddbd0

SHA1
8d24943787094123e8e1ad846e22f147da513842

SHA256
160aae8db8dc813094f426c5dde23836a5058c980e3e70aa05ac233e2a92db1e

SHA512
936548a02d2c756f82b6a3e9ae3ed00053fa9a0cb2df0734b833aa86c4fec4f6906eee88fc6c5f12564d71f708ede8ff56193cd806646f711765689322c3c843

Download Submit
C:\Windows\System32\wSMqJJv.exe

Filesize
1.1MB

MD5
55b7258645a514e8ff3a237493dbed84

SHA1
57061bbe64e9e9e9259ae029f472d1ad4a139dfd

SHA256
80af0fb649997c8e25c9f2dc5214bf5a63d1be47b45e6a70fea79f061cd67782

SHA512
0e8f7dde9791d5a36638b62a4dc4113ebc1e0f02205a48446a0e24a50dc7e5bfe5d577766f9a04d6a2a80a2eb5941b73156527736e3757f7228af11b6c9611da

Download Submit
C:\Windows\System32\yrEBccO.exe

Filesize
1.1MB

MD5
579e20a990336c51c3a9e6a4354f0a94

SHA1
b4292346cdeed7eeb0055baeec4df1c3c056a23f

SHA256
66025539ca24d442bd40814fe0d3e913d2633fa960ffeb60c486374f865c3c21

SHA512
7be31d66edcdce6f7680c9ddaf572bf1feb337bfbfe99ba8801c6096ff3dcbf3387de58942bc04b778f6b183b4a07efa44d941626e03e8e523210f09849647b5

Download Submit
C:\Windows\System32\ysZHSlX.exe

Filesize
1.1MB

MD5
644d57a090cfc4fec1201dc110228c47

SHA1
826abec88492e7e5bee14c09ba0e2ea14d205d26

SHA256
b67f780b67aab5a0994e9fc784f05669c4c60295355a8d50c16e3f2868e4bb55

SHA512
b97b3deb8801794348b053d8b6f68d2db49dc2285797b4635f040bfb3bf89199b78c67fc76adb22b3772aa63d233214be60af5b703c3e500f8eae076501ac648

Download Submit
memory/460-2057-0x00007FF6566E0000-0x00007FF656AD1000-memory.dmp

Filesize
3.9MB

Download
memory/460-101-0x00007FF6566E0000-0x00007FF656AD1000-memory.dmp

Filesize
3.9MB

Download
memory/636-281-0x00007FF74AAC0000-0x00007FF74AEB1000-memory.dmp

Filesize
3.9MB

Download
memory/636-2077-0x00007FF74AAC0000-0x00007FF74AEB1000-memory.dmp

Filesize
3.9MB

Download
memory/1048-98-0x00007FF7F39E0000-0x00007FF7F3DD1000-memory.dmp

Filesize
3.9MB

Download
memory/1048-2049-0x00007FF7F39E0000-0x00007FF7F3DD1000-memory.dmp

Filesize
3.9MB

Download
memory/1416-2073-0x00007FF6418B0000-0x00007FF641CA1000-memory.dmp

Filesize
3.9MB

Download
memory/1416-279-0x00007FF6418B0000-0x00007FF641CA1000-memory.dmp

Filesize
3.9MB

Download
memory/1540-2061-0x00007FF6C4200000-0x00007FF6C45F1000-memory.dmp

Filesize
3.9MB

Download
memory/1540-104-0x00007FF6C4200000-0x00007FF6C45F1000-memory.dmp

Filesize
3.9MB

Download
memory/1648-2075-0x00007FF650840000-0x00007FF650C31000-memory.dmp

Filesize
3.9MB

Download
memory/1648-280-0x00007FF650840000-0x00007FF650C31000-memory.dmp

Filesize
3.9MB

Download
memory/1732-2004-0x00007FF6DC5C0000-0x00007FF6DC9B1000-memory.dmp

Filesize
3.9MB

Download
memory/1732-117-0x00007FF6DC5C0000-0x00007FF6DC9B1000-memory.dmp

Filesize
3.9MB

Download
memory/1732-2069-0x00007FF6DC5C0000-0x00007FF6DC9B1000-memory.dmp

Filesize
3.9MB

Download
memory/1920-2053-0x00007FF60D9D0000-0x00007FF60DDC1000-memory.dmp

Filesize
3.9MB

Download
memory/1920-90-0x00007FF60D9D0000-0x00007FF60DDC1000-memory.dmp

Filesize
3.9MB

Download
memory/1924-1652-0x00007FF68AEA0000-0x00007FF68B291000-memory.dmp

Filesize
3.9MB

Download
memory/1924-2013-0x00007FF68AEA0000-0x00007FF68B291000-memory.dmp

Filesize
3.9MB

Download
memory/1924-18-0x00007FF68AEA0000-0x00007FF68B291000-memory.dmp

Filesize
3.9MB

Download
memory/2396-2067-0x00007FF7F2D30000-0x00007FF7F3121000-memory.dmp

Filesize
3.9MB

Download
memory/2396-1971-0x00007FF7F2D30000-0x00007FF7F3121000-memory.dmp

Filesize
3.9MB

Download
memory/2396-116-0x00007FF7F2D30000-0x00007FF7F3121000-memory.dmp

Filesize
3.9MB

Download
memory/2644-84-0x00007FF6C4AA0000-0x00007FF6C4E91000-memory.dmp

Filesize
3.9MB

Download
memory/2644-2021-0x00007FF6C4AA0000-0x00007FF6C4E91000-memory.dmp

Filesize
3.9MB

Download
memory/2932-2042-0x00007FF74DF30000-0x00007FF74E321000-memory.dmp

Filesize
3.9MB

Download
memory/2932-1955-0x00007FF74DF30000-0x00007FF74E321000-memory.dmp

Filesize
3.9MB

Download
memory/2932-58-0x00007FF74DF30000-0x00007FF74E321000-memory.dmp

Filesize
3.9MB

Download
memory/2940-2051-0x00007FF76B030000-0x00007FF76B421000-memory.dmp

Filesize
3.9MB

Download
memory/2940-86-0x00007FF76B030000-0x00007FF76B421000-memory.dmp

Filesize
3.9MB

Download
memory/3096-2015-0x00007FF716E50000-0x00007FF717241000-memory.dmp

Filesize
3.9MB

Download
memory/3096-93-0x00007FF716E50000-0x00007FF717241000-memory.dmp

Filesize
3.9MB

Download
memory/3160-2045-0x00007FF7B8940000-0x00007FF7B8D31000-memory.dmp

Filesize
3.9MB

Download
memory/3160-39-0x00007FF7B8940000-0x00007FF7B8D31000-memory.dmp

Filesize
3.9MB

Download
memory/3160-1954-0x00007FF7B8940000-0x00007FF7B8D31000-memory.dmp

Filesize
3.9MB

Download
memory/3252-114-0x00007FF7007D0000-0x00007FF700BC1000-memory.dmp

Filesize
3.9MB

Download
memory/3252-2065-0x00007FF7007D0000-0x00007FF700BC1000-memory.dmp

Filesize
3.9MB

Download
memory/3252-1969-0x00007FF7007D0000-0x00007FF700BC1000-memory.dmp

Filesize
3.9MB

Download
memory/3316-2059-0x00007FF62CFB0000-0x00007FF62D3A1000-memory.dmp

Filesize
3.9MB

Download
memory/3316-89-0x00007FF62CFB0000-0x00007FF62D3A1000-memory.dmp

Filesize
3.9MB

Download
memory/3316-1957-0x00007FF62CFB0000-0x00007FF62D3A1000-memory.dmp

Filesize
3.9MB

Download
memory/3456-2019-0x00007FF643B50000-0x00007FF643F41000-memory.dmp

Filesize
3.9MB

Download
memory/3456-55-0x00007FF643B50000-0x00007FF643F41000-memory.dmp

Filesize
3.9MB

Download
memory/3788-1204-0x00007FF78E6E0000-0x00007FF78EAD1000-memory.dmp

Filesize
3.9MB

Download
memory/3788-0-0x00007FF78E6E0000-0x00007FF78EAD1000-memory.dmp

Filesize
3.9MB

Download
memory/3788-1-0x00000273D3D00000-0x00000273D3D10000-memory.dmp

Filesize
64KB

Download
memory/3788-2006-0x00007FF78E6E0000-0x00007FF78EAD1000-memory.dmp

Filesize
3.9MB

Download
memory/4060-1206-0x00007FF7C47E0000-0x00007FF7C4BD1000-memory.dmp

Filesize
3.9MB

Download
memory/4060-2011-0x00007FF7C47E0000-0x00007FF7C4BD1000-memory.dmp

Filesize
3.9MB

Download
memory/4060-11-0x00007FF7C47E0000-0x00007FF7C4BD1000-memory.dmp

Filesize
3.9MB

Download
memory/4100-278-0x00007FF793110000-0x00007FF793501000-memory.dmp

Filesize
3.9MB

Download
memory/4100-2071-0x00007FF793110000-0x00007FF793501000-memory.dmp

Filesize
3.9MB

Download
memory/4616-2017-0x00007FF70C290000-0x00007FF70C681000-memory.dmp

Filesize
3.9MB

Download
memory/4616-1953-0x00007FF70C290000-0x00007FF70C681000-memory.dmp

Filesize
3.9MB

Download
memory/4616-27-0x00007FF70C290000-0x00007FF70C681000-memory.dmp

Filesize
3.9MB

Download
memory/4960-2047-0x00007FF766200000-0x00007FF7665F1000-memory.dmp

Filesize
3.9MB

Download
memory/4960-95-0x00007FF766200000-0x00007FF7665F1000-memory.dmp

Filesize
3.9MB

Download
memory/5048-1956-0x00007FF71C2B0000-0x00007FF71C6A1000-memory.dmp

Filesize
3.9MB

Download
memory/5048-2055-0x00007FF71C2B0000-0x00007FF71C6A1000-memory.dmp

Filesize
3.9MB

Download
memory/5048-80-0x00007FF71C2B0000-0x00007FF71C6A1000-memory.dmp

Filesize
3.9MB

Download
memory/5100-2063-0x00007FF62A380000-0x00007FF62A771000-memory.dmp

Filesize
3.9MB

Download
memory/5100-108-0x00007FF62A380000-0x00007FF62A771000-memory.dmp

Filesize
3.9MB

Download
memory/5100-1970-0x00007FF62A380000-0x00007FF62A771000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads