xmrig | 625ba2b2607ed91e7bcce34d0a1e08c466e0dcca6181b3184bb295091151ba41

Analysis

max time kernel
126s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
28/07/2024, 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
Size

1.3MB
MD5

044f6a53b26236305a435529cd7be248
SHA1

07d8cce6d9db06e6350cae25527fea4dc796c475
SHA256

625ba2b2607ed91e7bcce34d0a1e08c466e0dcca6181b3184bb295091151ba41
SHA512

c043886d44056c1274c4e848efec3fba3e4bea47bcf0918a37586bdf473ba53a9abb27b75f162119bf4210aa7795cce315e689df7e6b1d57065346ad2f1a0bad
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIO6zRIhRmuSOVjnw:knw9oUUEEDlGUh+hNRw

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 50 IoCs

miner

resource	yara_rule
behavioral2/memory/2296-96-0x00007FF6F18B0000-0x00007FF6F1CA1000-memory.dmp	xmrig
behavioral2/memory/1488-119-0x00007FF79B2B0000-0x00007FF79B6A1000-memory.dmp	xmrig
behavioral2/memory/2812-131-0x00007FF6831A0000-0x00007FF683591000-memory.dmp	xmrig
behavioral2/memory/812-134-0x00007FF617AA0000-0x00007FF617E91000-memory.dmp	xmrig
behavioral2/memory/3616-168-0x00007FF64D140000-0x00007FF64D531000-memory.dmp	xmrig
behavioral2/memory/4480-174-0x00007FF6FDA40000-0x00007FF6FDE31000-memory.dmp	xmrig
behavioral2/memory/2756-180-0x00007FF6A2BC0000-0x00007FF6A2FB1000-memory.dmp	xmrig
behavioral2/memory/3112-175-0x00007FF718B30000-0x00007FF718F21000-memory.dmp	xmrig
behavioral2/memory/2100-171-0x00007FF722A40000-0x00007FF722E31000-memory.dmp	xmrig
behavioral2/memory/3644-167-0x00007FF6D1C10000-0x00007FF6D2001000-memory.dmp	xmrig
behavioral2/memory/1372-166-0x00007FF681B00000-0x00007FF681EF1000-memory.dmp	xmrig
behavioral2/memory/3728-1929-0x00007FF612C10000-0x00007FF613001000-memory.dmp	xmrig
behavioral2/memory/1600-1928-0x00007FF6F9410000-0x00007FF6F9801000-memory.dmp	xmrig
behavioral2/memory/1672-1955-0x00007FF7898E0000-0x00007FF789CD1000-memory.dmp	xmrig
behavioral2/memory/1620-1957-0x00007FF756E80000-0x00007FF757271000-memory.dmp	xmrig
behavioral2/memory/2264-1956-0x00007FF71A790000-0x00007FF71AB81000-memory.dmp	xmrig
behavioral2/memory/2648-1953-0x00007FF729E70000-0x00007FF72A261000-memory.dmp	xmrig
behavioral2/memory/1440-1966-0x00007FF618260000-0x00007FF618651000-memory.dmp	xmrig
behavioral2/memory/4280-1967-0x00007FF6E0940000-0x00007FF6E0D31000-memory.dmp	xmrig
behavioral2/memory/3464-155-0x00007FF6B7D30000-0x00007FF6B8121000-memory.dmp	xmrig
behavioral2/memory/3036-153-0x00007FF72B070000-0x00007FF72B461000-memory.dmp	xmrig
behavioral2/memory/4392-121-0x00007FF704690000-0x00007FF704A81000-memory.dmp	xmrig
behavioral2/memory/2492-114-0x00007FF7815C0000-0x00007FF7819B1000-memory.dmp	xmrig
behavioral2/memory/2044-112-0x00007FF6D60D0000-0x00007FF6D64C1000-memory.dmp	xmrig
behavioral2/memory/2840-105-0x00007FF764420000-0x00007FF764811000-memory.dmp	xmrig
behavioral2/memory/3728-12-0x00007FF612C10000-0x00007FF613001000-memory.dmp	xmrig
behavioral2/memory/1672-2014-0x00007FF7898E0000-0x00007FF789CD1000-memory.dmp	xmrig
behavioral2/memory/2492-2028-0x00007FF7815C0000-0x00007FF7819B1000-memory.dmp	xmrig
behavioral2/memory/4392-2032-0x00007FF704690000-0x00007FF704A81000-memory.dmp	xmrig
behavioral2/memory/3616-2038-0x00007FF64D140000-0x00007FF64D531000-memory.dmp	xmrig
behavioral2/memory/2100-2044-0x00007FF722A40000-0x00007FF722E31000-memory.dmp	xmrig
behavioral2/memory/4480-2042-0x00007FF6FDA40000-0x00007FF6FDE31000-memory.dmp	xmrig
behavioral2/memory/4280-2046-0x00007FF6E0940000-0x00007FF6E0D31000-memory.dmp	xmrig
behavioral2/memory/2756-2050-0x00007FF6A2BC0000-0x00007FF6A2FB1000-memory.dmp	xmrig
behavioral2/memory/3112-2041-0x00007FF718B30000-0x00007FF718F21000-memory.dmp	xmrig
behavioral2/memory/812-2036-0x00007FF617AA0000-0x00007FF617E91000-memory.dmp	xmrig
behavioral2/memory/2812-2034-0x00007FF6831A0000-0x00007FF683591000-memory.dmp	xmrig
behavioral2/memory/1620-2026-0x00007FF756E80000-0x00007FF757271000-memory.dmp	xmrig
behavioral2/memory/2840-2024-0x00007FF764420000-0x00007FF764811000-memory.dmp	xmrig
behavioral2/memory/1488-2030-0x00007FF79B2B0000-0x00007FF79B6A1000-memory.dmp	xmrig
behavioral2/memory/1372-2018-0x00007FF681B00000-0x00007FF681EF1000-memory.dmp	xmrig
behavioral2/memory/3644-2017-0x00007FF6D1C10000-0x00007FF6D2001000-memory.dmp	xmrig
behavioral2/memory/2264-2022-0x00007FF71A790000-0x00007FF71AB81000-memory.dmp	xmrig
behavioral2/memory/2044-2020-0x00007FF6D60D0000-0x00007FF6D64C1000-memory.dmp	xmrig
behavioral2/memory/3036-2010-0x00007FF72B070000-0x00007FF72B461000-memory.dmp	xmrig
behavioral2/memory/3464-2012-0x00007FF6B7D30000-0x00007FF6B8121000-memory.dmp	xmrig
behavioral2/memory/2296-2008-0x00007FF6F18B0000-0x00007FF6F1CA1000-memory.dmp	xmrig
behavioral2/memory/1440-2006-0x00007FF618260000-0x00007FF618651000-memory.dmp	xmrig
behavioral2/memory/2648-2004-0x00007FF729E70000-0x00007FF72A261000-memory.dmp	xmrig
behavioral2/memory/3728-2002-0x00007FF612C10000-0x00007FF613001000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3728	kuZjLsO.exe
2648	aMVgTlh.exe
3036	OSynSmP.exe
1440	FVmdZVU.exe
1672	jDchtBs.exe
3464	iPbQnIH.exe
2264	zKYTpdM.exe
1620	yxjVHZo.exe
2296	xslUlpQ.exe
1372	yxUProi.exe
2840	JZySxSx.exe
2044	cgIJnUf.exe
2492	Wthevnk.exe
1488	AyjxvBZ.exe
4392	NElasad.exe
3644	TotRVTt.exe
2812	lbhYqvx.exe
3616	FzAhAIS.exe
2100	hXklMoa.exe
812	cGgOMmD.exe
4480	hNYqrLh.exe
3112	OPNhGAu.exe
2756	slcOUfM.exe
4280	bNwNwqG.exe
3380	OYzhbkV.exe
756	XDeeCsE.exe
3176	eImRzhn.exe
3744	bgWSYiY.exe
2728	moNsCKn.exe
2636	JdNKdGR.exe
4752	AVQUbKn.exe
3068	Vtnhwgm.exe
2108	LcUfRRv.exe
2540	BkTGOzc.exe
860	YfmnEQD.exe
3536	uCloDte.exe
3392	kIIdADI.exe
692	fDcChEE.exe
2020	bKXGnUp.exe
1496	EVEweAF.exe
4956	CxZKgqB.exe
744	QBPMJRN.exe
3596	eRWKEyV.exe
1208	mwBLrTB.exe
244	kGOALNV.exe
4380	CGAoUnV.exe
116	FtQvWUA.exe
4368	sDGIaMP.exe
3592	lmpjAbv.exe
3924	fJcpxVW.exe
2976	gAHAdet.exe
3828	zdSiyxk.exe
4536	ynUUtop.exe
1100	NcspjpK.exe
3576	QPvEfoF.exe
1156	dCGPptp.exe
4828	pJmkeqM.exe
4512	ukrEbmC.exe
4324	mQAZgOG.exe
4808	yfNBvRk.exe
4032	BLMQseL.exe
3752	iYEFmNY.exe
3396	jNDXRNz.exe
3768	FtzeEUQ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1600-0-0x00007FF6F9410000-0x00007FF6F9801000-memory.dmp	upx
behavioral2/files/0x00070000000234c7-19.dat	upx
behavioral2/memory/2648-26-0x00007FF729E70000-0x00007FF72A261000-memory.dmp	upx
behavioral2/files/0x00070000000234c9-55.dat	upx
behavioral2/memory/2264-66-0x00007FF71A790000-0x00007FF71AB81000-memory.dmp	upx
behavioral2/files/0x00070000000234d5-83.dat	upx
behavioral2/memory/2296-96-0x00007FF6F18B0000-0x00007FF6F1CA1000-memory.dmp	upx
behavioral2/files/0x00070000000234d6-107.dat	upx
behavioral2/files/0x00070000000234d9-110.dat	upx
behavioral2/memory/1488-119-0x00007FF79B2B0000-0x00007FF79B6A1000-memory.dmp	upx
behavioral2/files/0x00070000000234dc-128.dat	upx
behavioral2/memory/2812-131-0x00007FF6831A0000-0x00007FF683591000-memory.dmp	upx
behavioral2/memory/812-134-0x00007FF617AA0000-0x00007FF617E91000-memory.dmp	upx
behavioral2/files/0x00070000000234e0-157.dat	upx
behavioral2/files/0x00070000000234e1-165.dat	upx
behavioral2/memory/3616-168-0x00007FF64D140000-0x00007FF64D531000-memory.dmp	upx
behavioral2/memory/4480-174-0x00007FF6FDA40000-0x00007FF6FDE31000-memory.dmp	upx
behavioral2/files/0x00070000000234e2-178.dat	upx
behavioral2/files/0x00070000000234e3-183.dat	upx
behavioral2/memory/2756-180-0x00007FF6A2BC0000-0x00007FF6A2FB1000-memory.dmp	upx
behavioral2/memory/3112-175-0x00007FF718B30000-0x00007FF718F21000-memory.dmp	upx
behavioral2/memory/2100-171-0x00007FF722A40000-0x00007FF722E31000-memory.dmp	upx
behavioral2/memory/3644-167-0x00007FF6D1C10000-0x00007FF6D2001000-memory.dmp	upx
behavioral2/memory/1372-166-0x00007FF681B00000-0x00007FF681EF1000-memory.dmp	upx
behavioral2/memory/3728-1929-0x00007FF612C10000-0x00007FF613001000-memory.dmp	upx
behavioral2/memory/1600-1928-0x00007FF6F9410000-0x00007FF6F9801000-memory.dmp	upx
behavioral2/memory/1672-1955-0x00007FF7898E0000-0x00007FF789CD1000-memory.dmp	upx
behavioral2/memory/1620-1957-0x00007FF756E80000-0x00007FF757271000-memory.dmp	upx
behavioral2/memory/2264-1956-0x00007FF71A790000-0x00007FF71AB81000-memory.dmp	upx
behavioral2/memory/2648-1953-0x00007FF729E70000-0x00007FF72A261000-memory.dmp	upx
behavioral2/memory/1440-1966-0x00007FF618260000-0x00007FF618651000-memory.dmp	upx
behavioral2/memory/4280-1967-0x00007FF6E0940000-0x00007FF6E0D31000-memory.dmp	upx
behavioral2/files/0x00070000000234de-161.dat	upx
behavioral2/files/0x00070000000234df-159.dat	upx
behavioral2/memory/3464-155-0x00007FF6B7D30000-0x00007FF6B8121000-memory.dmp	upx
behavioral2/memory/3036-153-0x00007FF72B070000-0x00007FF72B461000-memory.dmp	upx
behavioral2/files/0x00070000000234dd-145.dat	upx
behavioral2/files/0x00080000000234c4-144.dat	upx
behavioral2/memory/4280-143-0x00007FF6E0940000-0x00007FF6E0D31000-memory.dmp	upx
behavioral2/files/0x00070000000234db-132.dat	upx
behavioral2/files/0x00070000000234da-122.dat	upx
behavioral2/memory/4392-121-0x00007FF704690000-0x00007FF704A81000-memory.dmp	upx
behavioral2/memory/2492-114-0x00007FF7815C0000-0x00007FF7819B1000-memory.dmp	upx
behavioral2/files/0x00070000000234d7-113.dat	upx
behavioral2/memory/2044-112-0x00007FF6D60D0000-0x00007FF6D64C1000-memory.dmp	upx
behavioral2/memory/2840-105-0x00007FF764420000-0x00007FF764811000-memory.dmp	upx
behavioral2/files/0x00070000000234d8-104.dat	upx
behavioral2/memory/1620-91-0x00007FF756E80000-0x00007FF757271000-memory.dmp	upx
behavioral2/files/0x00070000000234d3-89.dat	upx
behavioral2/files/0x00070000000234cf-80.dat	upx
behavioral2/files/0x00070000000234d4-77.dat	upx
behavioral2/files/0x00070000000234d0-76.dat	upx
behavioral2/files/0x00070000000234d1-74.dat	upx
behavioral2/files/0x00070000000234d2-87.dat	upx
behavioral2/files/0x00070000000234ce-71.dat	upx
behavioral2/files/0x00070000000234cb-70.dat	upx
behavioral2/files/0x00070000000234cc-59.dat	upx
behavioral2/memory/1672-51-0x00007FF7898E0000-0x00007FF789CD1000-memory.dmp	upx
behavioral2/files/0x00070000000234cd-45.dat	upx
behavioral2/files/0x00070000000234ca-57.dat	upx
behavioral2/files/0x00070000000234c8-37.dat	upx
behavioral2/memory/1440-31-0x00007FF618260000-0x00007FF618651000-memory.dmp	upx
behavioral2/files/0x00080000000234c3-18.dat	upx
behavioral2/memory/3728-12-0x00007FF612C10000-0x00007FF613001000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\csaJKKK.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\RrzxagP.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\Mxkniva.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\OYzhbkV.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\mwBLrTB.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\nooIxee.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\dejwJnY.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\WJXAiEo.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\RhgBDeH.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\zBfMrYY.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\inwTDRD.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\BqoalOw.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\zBGkzqQ.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\Wthevnk.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\QBPMJRN.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\UpWjNOZ.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\SBhtLSu.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\hmcohBN.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\FnHXFmT.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\XvSKWFg.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\rJEFLpc.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\NNSQIyz.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\VyzdwrK.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\UVKtLjv.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\rHxkwWI.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\RvUlrLf.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\rqwcSeX.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\tyqfcGJ.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\qppecPu.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\UtxqOQT.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\BXrOSAm.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\XlwNhux.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\QcleBVL.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\HBnSSUH.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\LEpWPIm.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\yHShiHi.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\OPNhGAu.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\HAUmQAM.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\luUiisn.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\dCGPptp.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\iWnqRCJ.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\zajLVwc.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\iKuQrRH.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\mskIyPr.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\WGzHYjj.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\KhRHeYx.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\pJmkeqM.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\nBJqASs.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\dNJsgEy.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\AugSSBI.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\XGoMJdk.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\LCoNAyK.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\OPOtjbK.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\PaQdTqq.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\OKXGoKm.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\hIsbXge.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\PwESiZw.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\XtTHEGE.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\veVqwvx.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\PntXgIE.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\NDRrqEc.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\iYEFmNY.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\eyHooFx.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
File created	C:\Windows\System32\KJuRhqR.exe	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13252	dwm.exe
Token: SeChangeNotifyPrivilege	13252	dwm.exe
Token: 33	13252	dwm.exe
Token: SeIncBasePriorityPrivilege	13252	dwm.exe
Token: SeShutdownPrivilege	13252	dwm.exe
Token: SeCreatePagefilePrivilege	13252	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 3728	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	85
PID 1600 wrote to memory of 3728	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	85
PID 1600 wrote to memory of 2648	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	86
PID 1600 wrote to memory of 2648	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	86
PID 1600 wrote to memory of 3036	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	87
PID 1600 wrote to memory of 3036	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	87
PID 1600 wrote to memory of 1440	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	88
PID 1600 wrote to memory of 1440	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	88
PID 1600 wrote to memory of 1672	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	89
PID 1600 wrote to memory of 1672	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	89
PID 1600 wrote to memory of 3464	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	90
PID 1600 wrote to memory of 3464	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	90
PID 1600 wrote to memory of 2264	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	91
PID 1600 wrote to memory of 2264	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	91
PID 1600 wrote to memory of 1620	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	92
PID 1600 wrote to memory of 1620	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	92
PID 1600 wrote to memory of 2296	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	93
PID 1600 wrote to memory of 2296	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	93
PID 1600 wrote to memory of 1372	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	94
PID 1600 wrote to memory of 1372	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	94
PID 1600 wrote to memory of 2840	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	95
PID 1600 wrote to memory of 2840	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	95
PID 1600 wrote to memory of 2044	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	96
PID 1600 wrote to memory of 2044	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	96
PID 1600 wrote to memory of 2492	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	97
PID 1600 wrote to memory of 2492	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	97
PID 1600 wrote to memory of 1488	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	98
PID 1600 wrote to memory of 1488	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	98
PID 1600 wrote to memory of 4392	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	99
PID 1600 wrote to memory of 4392	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	99
PID 1600 wrote to memory of 3644	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	100
PID 1600 wrote to memory of 3644	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	100
PID 1600 wrote to memory of 2812	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	101
PID 1600 wrote to memory of 2812	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	101
PID 1600 wrote to memory of 3616	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	102
PID 1600 wrote to memory of 3616	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	102
PID 1600 wrote to memory of 2100	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	103
PID 1600 wrote to memory of 2100	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	103
PID 1600 wrote to memory of 812	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	104
PID 1600 wrote to memory of 812	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	104
PID 1600 wrote to memory of 4480	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	105
PID 1600 wrote to memory of 4480	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	105
PID 1600 wrote to memory of 3112	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	106
PID 1600 wrote to memory of 3112	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	106
PID 1600 wrote to memory of 2756	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	107
PID 1600 wrote to memory of 2756	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	107
PID 1600 wrote to memory of 4280	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	108
PID 1600 wrote to memory of 4280	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	108
PID 1600 wrote to memory of 3380	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	109
PID 1600 wrote to memory of 3380	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	109
PID 1600 wrote to memory of 756	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	110
PID 1600 wrote to memory of 756	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	110
PID 1600 wrote to memory of 3176	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	111
PID 1600 wrote to memory of 3176	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	111
PID 1600 wrote to memory of 3744	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	112
PID 1600 wrote to memory of 3744	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	112
PID 1600 wrote to memory of 2728	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	113
PID 1600 wrote to memory of 2728	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	113
PID 1600 wrote to memory of 2636	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	114
PID 1600 wrote to memory of 2636	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	114
PID 1600 wrote to memory of 4752	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	115
PID 1600 wrote to memory of 4752	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	115
PID 1600 wrote to memory of 3068	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	116
PID 1600 wrote to memory of 3068	1600	044f6a53b26236305a435529cd7be248_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\1713232287\zmstage.exe
C:\Users\Admin\AppData\Local\Temp\1713232287\zmstage.exe
1⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\044f6a53b26236305a435529cd7be248_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\044f6a53b26236305a435529cd7be248_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\System32\kuZjLsO.exe
  C:\Windows\System32\kuZjLsO.exe
  2⤵
  - Executes dropped EXE
  PID:3728
- C:\Windows\System32\aMVgTlh.exe
  C:\Windows\System32\aMVgTlh.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System32\OSynSmP.exe
  C:\Windows\System32\OSynSmP.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System32\FVmdZVU.exe
  C:\Windows\System32\FVmdZVU.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System32\jDchtBs.exe
  C:\Windows\System32\jDchtBs.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\System32\iPbQnIH.exe
  C:\Windows\System32\iPbQnIH.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System32\zKYTpdM.exe
  C:\Windows\System32\zKYTpdM.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System32\yxjVHZo.exe
  C:\Windows\System32\yxjVHZo.exe
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\System32\xslUlpQ.exe
  C:\Windows\System32\xslUlpQ.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System32\yxUProi.exe
  C:\Windows\System32\yxUProi.exe
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\System32\JZySxSx.exe
  C:\Windows\System32\JZySxSx.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System32\cgIJnUf.exe
  C:\Windows\System32\cgIJnUf.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System32\Wthevnk.exe
  C:\Windows\System32\Wthevnk.exe
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\System32\AyjxvBZ.exe
  C:\Windows\System32\AyjxvBZ.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System32\NElasad.exe
  C:\Windows\System32\NElasad.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System32\TotRVTt.exe
  C:\Windows\System32\TotRVTt.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System32\lbhYqvx.exe
  C:\Windows\System32\lbhYqvx.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System32\FzAhAIS.exe
  C:\Windows\System32\FzAhAIS.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System32\hXklMoa.exe
  C:\Windows\System32\hXklMoa.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System32\cGgOMmD.exe
  C:\Windows\System32\cGgOMmD.exe
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Windows\System32\hNYqrLh.exe
  C:\Windows\System32\hNYqrLh.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System32\OPNhGAu.exe
  C:\Windows\System32\OPNhGAu.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System32\slcOUfM.exe
  C:\Windows\System32\slcOUfM.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System32\bNwNwqG.exe
  C:\Windows\System32\bNwNwqG.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System32\OYzhbkV.exe
  C:\Windows\System32\OYzhbkV.exe
  2⤵
  - Executes dropped EXE
  PID:3380
- C:\Windows\System32\XDeeCsE.exe
  C:\Windows\System32\XDeeCsE.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System32\eImRzhn.exe
  C:\Windows\System32\eImRzhn.exe
  2⤵
  - Executes dropped EXE
  PID:3176
- C:\Windows\System32\bgWSYiY.exe
  C:\Windows\System32\bgWSYiY.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System32\moNsCKn.exe
  C:\Windows\System32\moNsCKn.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System32\JdNKdGR.exe
  C:\Windows\System32\JdNKdGR.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System32\AVQUbKn.exe
  C:\Windows\System32\AVQUbKn.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\System32\Vtnhwgm.exe
  C:\Windows\System32\Vtnhwgm.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System32\LcUfRRv.exe
  C:\Windows\System32\LcUfRRv.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System32\BkTGOzc.exe
  C:\Windows\System32\BkTGOzc.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System32\YfmnEQD.exe
  C:\Windows\System32\YfmnEQD.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System32\uCloDte.exe
  C:\Windows\System32\uCloDte.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System32\kIIdADI.exe
  C:\Windows\System32\kIIdADI.exe
  2⤵
  - Executes dropped EXE
  PID:3392
- C:\Windows\System32\fDcChEE.exe
  C:\Windows\System32\fDcChEE.exe
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Windows\System32\bKXGnUp.exe
  C:\Windows\System32\bKXGnUp.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System32\EVEweAF.exe
  C:\Windows\System32\EVEweAF.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System32\CxZKgqB.exe
  C:\Windows\System32\CxZKgqB.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System32\QBPMJRN.exe
  C:\Windows\System32\QBPMJRN.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System32\eRWKEyV.exe
  C:\Windows\System32\eRWKEyV.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System32\mwBLrTB.exe
  C:\Windows\System32\mwBLrTB.exe
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\System32\kGOALNV.exe
  C:\Windows\System32\kGOALNV.exe
  2⤵
  - Executes dropped EXE
  PID:244
- C:\Windows\System32\FtQvWUA.exe
  C:\Windows\System32\FtQvWUA.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System32\CGAoUnV.exe
  C:\Windows\System32\CGAoUnV.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System32\sDGIaMP.exe
  C:\Windows\System32\sDGIaMP.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System32\lmpjAbv.exe
  C:\Windows\System32\lmpjAbv.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System32\fJcpxVW.exe
  C:\Windows\System32\fJcpxVW.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System32\gAHAdet.exe
  C:\Windows\System32\gAHAdet.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\System32\zdSiyxk.exe
  C:\Windows\System32\zdSiyxk.exe
  2⤵
  - Executes dropped EXE
  PID:3828
- C:\Windows\System32\ynUUtop.exe
  C:\Windows\System32\ynUUtop.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System32\NcspjpK.exe
  C:\Windows\System32\NcspjpK.exe
  2⤵
  - Executes dropped EXE
  PID:1100
- C:\Windows\System32\QPvEfoF.exe
  C:\Windows\System32\QPvEfoF.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System32\dCGPptp.exe
  C:\Windows\System32\dCGPptp.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System32\pJmkeqM.exe
  C:\Windows\System32\pJmkeqM.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System32\ukrEbmC.exe
  C:\Windows\System32\ukrEbmC.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System32\mQAZgOG.exe
  C:\Windows\System32\mQAZgOG.exe
  2⤵
  - Executes dropped EXE
  PID:4324
- C:\Windows\System32\yfNBvRk.exe
  C:\Windows\System32\yfNBvRk.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System32\BLMQseL.exe
  C:\Windows\System32\BLMQseL.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System32\ewboFAU.exe
  C:\Windows\System32\ewboFAU.exe
  2⤵
  PID:4396
- C:\Windows\System32\iYEFmNY.exe
  C:\Windows\System32\iYEFmNY.exe
  2⤵
  - Executes dropped EXE
  PID:3752
- C:\Windows\System32\jNDXRNz.exe
  C:\Windows\System32\jNDXRNz.exe
  2⤵
  - Executes dropped EXE
  PID:3396
- C:\Windows\System32\FtzeEUQ.exe
  C:\Windows\System32\FtzeEUQ.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Windows\System32\bymaGEI.exe
  C:\Windows\System32\bymaGEI.exe
  2⤵
  PID:1424
- C:\Windows\System32\uhigCyA.exe
  C:\Windows\System32\uhigCyA.exe
  2⤵
  PID:1344
- C:\Windows\System32\vOozQSs.exe
  C:\Windows\System32\vOozQSs.exe
  2⤵
  PID:2356
- C:\Windows\System32\zQkumjJ.exe
  C:\Windows\System32\zQkumjJ.exe
  2⤵
  PID:3740
- C:\Windows\System32\UVuGRVe.exe
  C:\Windows\System32\UVuGRVe.exe
  2⤵
  PID:4500
- C:\Windows\System32\NMhizIP.exe
  C:\Windows\System32\NMhizIP.exe
  2⤵
  PID:228
- C:\Windows\System32\MHrvsVl.exe
  C:\Windows\System32\MHrvsVl.exe
  2⤵
  PID:4344
- C:\Windows\System32\keszrmw.exe
  C:\Windows\System32\keszrmw.exe
  2⤵
  PID:2140
- C:\Windows\System32\TksEJWS.exe
  C:\Windows\System32\TksEJWS.exe
  2⤵
  PID:3416
- C:\Windows\System32\kBRieQV.exe
  C:\Windows\System32\kBRieQV.exe
  2⤵
  PID:2792
- C:\Windows\System32\KNduduL.exe
  C:\Windows\System32\KNduduL.exe
  2⤵
  PID:1528
- C:\Windows\System32\XtTHEGE.exe
  C:\Windows\System32\XtTHEGE.exe
  2⤵
  PID:4864
- C:\Windows\System32\XrqWFVN.exe
  C:\Windows\System32\XrqWFVN.exe
  2⤵
  PID:2384
- C:\Windows\System32\YoBqRYg.exe
  C:\Windows\System32\YoBqRYg.exe
  2⤵
  PID:4436
- C:\Windows\System32\NxVCVHL.exe
  C:\Windows\System32\NxVCVHL.exe
  2⤵
  PID:2984
- C:\Windows\System32\eqEDkuo.exe
  C:\Windows\System32\eqEDkuo.exe
  2⤵
  PID:2580
- C:\Windows\System32\ibYdsUn.exe
  C:\Windows\System32\ibYdsUn.exe
  2⤵
  PID:5096
- C:\Windows\System32\ILgGjfI.exe
  C:\Windows\System32\ILgGjfI.exe
  2⤵
  PID:1740
- C:\Windows\System32\UtxqOQT.exe
  C:\Windows\System32\UtxqOQT.exe
  2⤵
  PID:2632
- C:\Windows\System32\YnRkksf.exe
  C:\Windows\System32\YnRkksf.exe
  2⤵
  PID:3844
- C:\Windows\System32\ktBPVSA.exe
  C:\Windows\System32\ktBPVSA.exe
  2⤵
  PID:2228
- C:\Windows\System32\LMjKXMF.exe
  C:\Windows\System32\LMjKXMF.exe
  2⤵
  PID:3088
- C:\Windows\System32\eFdVCzp.exe
  C:\Windows\System32\eFdVCzp.exe
  2⤵
  PID:5176
- C:\Windows\System32\yztsLgv.exe
  C:\Windows\System32\yztsLgv.exe
  2⤵
  PID:5192
- C:\Windows\System32\jxAKqTA.exe
  C:\Windows\System32\jxAKqTA.exe
  2⤵
  PID:5220
- C:\Windows\System32\TLYLWwP.exe
  C:\Windows\System32\TLYLWwP.exe
  2⤵
  PID:5268
- C:\Windows\System32\iZigfHq.exe
  C:\Windows\System32\iZigfHq.exe
  2⤵
  PID:5300
- C:\Windows\System32\UCFEYBd.exe
  C:\Windows\System32\UCFEYBd.exe
  2⤵
  PID:5324
- C:\Windows\System32\RanYFKI.exe
  C:\Windows\System32\RanYFKI.exe
  2⤵
  PID:5344
- C:\Windows\System32\zYRBhBL.exe
  C:\Windows\System32\zYRBhBL.exe
  2⤵
  PID:5364
- C:\Windows\System32\TiYtAAJ.exe
  C:\Windows\System32\TiYtAAJ.exe
  2⤵
  PID:5388
- C:\Windows\System32\iYbTyEW.exe
  C:\Windows\System32\iYbTyEW.exe
  2⤵
  PID:5408
- C:\Windows\System32\UpWjNOZ.exe
  C:\Windows\System32\UpWjNOZ.exe
  2⤵
  PID:5424
- C:\Windows\System32\cxXukwS.exe
  C:\Windows\System32\cxXukwS.exe
  2⤵
  PID:5448
- C:\Windows\System32\PEDkJJr.exe
  C:\Windows\System32\PEDkJJr.exe
  2⤵
  PID:5488
- C:\Windows\System32\ZNgCrGi.exe
  C:\Windows\System32\ZNgCrGi.exe
  2⤵
  PID:5544
- C:\Windows\System32\vWMOqXN.exe
  C:\Windows\System32\vWMOqXN.exe
  2⤵
  PID:5600
- C:\Windows\System32\tPaYqbw.exe
  C:\Windows\System32\tPaYqbw.exe
  2⤵
  PID:5616
- C:\Windows\System32\eVFgIQp.exe
  C:\Windows\System32\eVFgIQp.exe
  2⤵
  PID:5640
- C:\Windows\System32\CTUAHwA.exe
  C:\Windows\System32\CTUAHwA.exe
  2⤵
  PID:5680
- C:\Windows\System32\HhuiNrm.exe
  C:\Windows\System32\HhuiNrm.exe
  2⤵
  PID:5696
- C:\Windows\System32\uxdGbNG.exe
  C:\Windows\System32\uxdGbNG.exe
  2⤵
  PID:5764
- C:\Windows\System32\ALVbaJY.exe
  C:\Windows\System32\ALVbaJY.exe
  2⤵
  PID:5780
- C:\Windows\System32\ZAaAsaL.exe
  C:\Windows\System32\ZAaAsaL.exe
  2⤵
  PID:5804
- C:\Windows\System32\BIiERFc.exe
  C:\Windows\System32\BIiERFc.exe
  2⤵
  PID:5828
- C:\Windows\System32\veVqwvx.exe
  C:\Windows\System32\veVqwvx.exe
  2⤵
  PID:5872
- C:\Windows\System32\nwHXMBi.exe
  C:\Windows\System32\nwHXMBi.exe
  2⤵
  PID:5888
- C:\Windows\System32\sqJMRrE.exe
  C:\Windows\System32\sqJMRrE.exe
  2⤵
  PID:5904
- C:\Windows\System32\TMuZtdu.exe
  C:\Windows\System32\TMuZtdu.exe
  2⤵
  PID:5928
- C:\Windows\System32\OZVoEBJ.exe
  C:\Windows\System32\OZVoEBJ.exe
  2⤵
  PID:5944
- C:\Windows\System32\yJIbzlq.exe
  C:\Windows\System32\yJIbzlq.exe
  2⤵
  PID:5960
- C:\Windows\System32\nBJqASs.exe
  C:\Windows\System32\nBJqASs.exe
  2⤵
  PID:5984
- C:\Windows\System32\xvdhZOA.exe
  C:\Windows\System32\xvdhZOA.exe
  2⤵
  PID:6004
- C:\Windows\System32\DQtrcmn.exe
  C:\Windows\System32\DQtrcmn.exe
  2⤵
  PID:6028
- C:\Windows\System32\jUVVwRP.exe
  C:\Windows\System32\jUVVwRP.exe
  2⤵
  PID:6048
- C:\Windows\System32\mjzHnue.exe
  C:\Windows\System32\mjzHnue.exe
  2⤵
  PID:6064
- C:\Windows\System32\ibFxNbf.exe
  C:\Windows\System32\ibFxNbf.exe
  2⤵
  PID:6088
- C:\Windows\System32\MHmoFLb.exe
  C:\Windows\System32\MHmoFLb.exe
  2⤵
  PID:6120
- C:\Windows\System32\ibjXAvS.exe
  C:\Windows\System32\ibjXAvS.exe
  2⤵
  PID:6140
- C:\Windows\System32\KrSLmxH.exe
  C:\Windows\System32\KrSLmxH.exe
  2⤵
  PID:5276
- C:\Windows\System32\XVbdPcv.exe
  C:\Windows\System32\XVbdPcv.exe
  2⤵
  PID:5384
- C:\Windows\System32\bcaTXum.exe
  C:\Windows\System32\bcaTXum.exe
  2⤵
  PID:5404
- C:\Windows\System32\yXRLPNE.exe
  C:\Windows\System32\yXRLPNE.exe
  2⤵
  PID:5464
- C:\Windows\System32\eyHooFx.exe
  C:\Windows\System32\eyHooFx.exe
  2⤵
  PID:5536
- C:\Windows\System32\OpwGFSk.exe
  C:\Windows\System32\OpwGFSk.exe
  2⤵
  PID:5556
- C:\Windows\System32\BVuaKda.exe
  C:\Windows\System32\BVuaKda.exe
  2⤵
  PID:5608
- C:\Windows\System32\WJXAiEo.exe
  C:\Windows\System32\WJXAiEo.exe
  2⤵
  PID:5632
- C:\Windows\System32\WtAbrnT.exe
  C:\Windows\System32\WtAbrnT.exe
  2⤵
  PID:5728
- C:\Windows\System32\muzEOyx.exe
  C:\Windows\System32\muzEOyx.exe
  2⤵
  PID:5712
- C:\Windows\System32\MEjgAqh.exe
  C:\Windows\System32\MEjgAqh.exe
  2⤵
  PID:5760
- C:\Windows\System32\RdaFSkQ.exe
  C:\Windows\System32\RdaFSkQ.exe
  2⤵
  PID:5820
- C:\Windows\System32\sfVpAve.exe
  C:\Windows\System32\sfVpAve.exe
  2⤵
  PID:4960
- C:\Windows\System32\TELSvtN.exe
  C:\Windows\System32\TELSvtN.exe
  2⤵
  PID:5956
- C:\Windows\System32\uxouUxn.exe
  C:\Windows\System32\uxouUxn.exe
  2⤵
  PID:6044
- C:\Windows\System32\BXrOSAm.exe
  C:\Windows\System32\BXrOSAm.exe
  2⤵
  PID:6012
- C:\Windows\System32\vpBTFeZ.exe
  C:\Windows\System32\vpBTFeZ.exe
  2⤵
  PID:6084
- C:\Windows\System32\XNbSuyZ.exe
  C:\Windows\System32\XNbSuyZ.exe
  2⤵
  PID:1476
- C:\Windows\System32\XybSNhO.exe
  C:\Windows\System32\XybSNhO.exe
  2⤵
  PID:2252
- C:\Windows\System32\aJGhtEf.exe
  C:\Windows\System32\aJGhtEf.exe
  2⤵
  PID:5336
- C:\Windows\System32\PutNoYD.exe
  C:\Windows\System32\PutNoYD.exe
  2⤵
  PID:5484
- C:\Windows\System32\WYjLoLa.exe
  C:\Windows\System32\WYjLoLa.exe
  2⤵
  PID:5656
- C:\Windows\System32\uHYYvsr.exe
  C:\Windows\System32\uHYYvsr.exe
  2⤵
  PID:5796
- C:\Windows\System32\RhgBDeH.exe
  C:\Windows\System32\RhgBDeH.exe
  2⤵
  PID:5900
- C:\Windows\System32\eReTVQj.exe
  C:\Windows\System32\eReTVQj.exe
  2⤵
  PID:408
- C:\Windows\System32\XdTgblY.exe
  C:\Windows\System32\XdTgblY.exe
  2⤵
  PID:5552
- C:\Windows\System32\nooIxee.exe
  C:\Windows\System32\nooIxee.exe
  2⤵
  PID:5692
- C:\Windows\System32\fJWapiW.exe
  C:\Windows\System32\fJWapiW.exe
  2⤵
  PID:3484
- C:\Windows\System32\rIYXSIU.exe
  C:\Windows\System32\rIYXSIU.exe
  2⤵
  PID:5340
- C:\Windows\System32\ssuknsG.exe
  C:\Windows\System32\ssuknsG.exe
  2⤵
  PID:4748
- C:\Windows\System32\GaxfJGZ.exe
  C:\Windows\System32\GaxfJGZ.exe
  2⤵
  PID:6000
- C:\Windows\System32\aEWVVwo.exe
  C:\Windows\System32\aEWVVwo.exe
  2⤵
  PID:4416
- C:\Windows\System32\JQpRimQ.exe
  C:\Windows\System32\JQpRimQ.exe
  2⤵
  PID:6160
- C:\Windows\System32\rxXJjWi.exe
  C:\Windows\System32\rxXJjWi.exe
  2⤵
  PID:6184
- C:\Windows\System32\DOIwVBH.exe
  C:\Windows\System32\DOIwVBH.exe
  2⤵
  PID:6204
- C:\Windows\System32\AQpBZND.exe
  C:\Windows\System32\AQpBZND.exe
  2⤵
  PID:6220
- C:\Windows\System32\RGLndWF.exe
  C:\Windows\System32\RGLndWF.exe
  2⤵
  PID:6244
- C:\Windows\System32\LiaNhKV.exe
  C:\Windows\System32\LiaNhKV.exe
  2⤵
  PID:6304
- C:\Windows\System32\yKVfVpE.exe
  C:\Windows\System32\yKVfVpE.exe
  2⤵
  PID:6348
- C:\Windows\System32\kBYHqxJ.exe
  C:\Windows\System32\kBYHqxJ.exe
  2⤵
  PID:6364
- C:\Windows\System32\lKjwDvB.exe
  C:\Windows\System32\lKjwDvB.exe
  2⤵
  PID:6380
- C:\Windows\System32\csaJKKK.exe
  C:\Windows\System32\csaJKKK.exe
  2⤵
  PID:6396
- C:\Windows\System32\lzvSwiS.exe
  C:\Windows\System32\lzvSwiS.exe
  2⤵
  PID:6412
- C:\Windows\System32\lJhNCde.exe
  C:\Windows\System32\lJhNCde.exe
  2⤵
  PID:6432
- C:\Windows\System32\yijxupL.exe
  C:\Windows\System32\yijxupL.exe
  2⤵
  PID:6472
- C:\Windows\System32\MkxtKkG.exe
  C:\Windows\System32\MkxtKkG.exe
  2⤵
  PID:6524
- C:\Windows\System32\pdHOXKd.exe
  C:\Windows\System32\pdHOXKd.exe
  2⤵
  PID:6544
- C:\Windows\System32\AdCTkHz.exe
  C:\Windows\System32\AdCTkHz.exe
  2⤵
  PID:6576
- C:\Windows\System32\VLdOmKP.exe
  C:\Windows\System32\VLdOmKP.exe
  2⤵
  PID:6600
- C:\Windows\System32\iKuQrRH.exe
  C:\Windows\System32\iKuQrRH.exe
  2⤵
  PID:6632
- C:\Windows\System32\tFzHTqN.exe
  C:\Windows\System32\tFzHTqN.exe
  2⤵
  PID:6676
- C:\Windows\System32\uEiiroq.exe
  C:\Windows\System32\uEiiroq.exe
  2⤵
  PID:6696
- C:\Windows\System32\sTzvlop.exe
  C:\Windows\System32\sTzvlop.exe
  2⤵
  PID:6720
- C:\Windows\System32\KTHRquE.exe
  C:\Windows\System32\KTHRquE.exe
  2⤵
  PID:6740
- C:\Windows\System32\PDmgcFj.exe
  C:\Windows\System32\PDmgcFj.exe
  2⤵
  PID:6760
- C:\Windows\System32\drTEbpD.exe
  C:\Windows\System32\drTEbpD.exe
  2⤵
  PID:6800
- C:\Windows\System32\GzBOkvh.exe
  C:\Windows\System32\GzBOkvh.exe
  2⤵
  PID:6816
- C:\Windows\System32\mskIyPr.exe
  C:\Windows\System32\mskIyPr.exe
  2⤵
  PID:6840
- C:\Windows\System32\HAUmQAM.exe
  C:\Windows\System32\HAUmQAM.exe
  2⤵
  PID:6924
- C:\Windows\System32\HTsEHbz.exe
  C:\Windows\System32\HTsEHbz.exe
  2⤵
  PID:6972
- C:\Windows\System32\vLpBDOD.exe
  C:\Windows\System32\vLpBDOD.exe
  2⤵
  PID:6988
- C:\Windows\System32\NVbbsJG.exe
  C:\Windows\System32\NVbbsJG.exe
  2⤵
  PID:7028
- C:\Windows\System32\oenMPyB.exe
  C:\Windows\System32\oenMPyB.exe
  2⤵
  PID:7052
- C:\Windows\System32\zBfMrYY.exe
  C:\Windows\System32\zBfMrYY.exe
  2⤵
  PID:7072
- C:\Windows\System32\ecjPBNl.exe
  C:\Windows\System32\ecjPBNl.exe
  2⤵
  PID:7088
- C:\Windows\System32\JbKKbYp.exe
  C:\Windows\System32\JbKKbYp.exe
  2⤵
  PID:7132
- C:\Windows\System32\ByeAPsE.exe
  C:\Windows\System32\ByeAPsE.exe
  2⤵
  PID:7148
- C:\Windows\System32\wohvWfO.exe
  C:\Windows\System32\wohvWfO.exe
  2⤵
  PID:1048
- C:\Windows\System32\kZgZDRS.exe
  C:\Windows\System32\kZgZDRS.exe
  2⤵
  PID:6168
- C:\Windows\System32\nkNehCq.exe
  C:\Windows\System32\nkNehCq.exe
  2⤵
  PID:6228
- C:\Windows\System32\SBhtLSu.exe
  C:\Windows\System32\SBhtLSu.exe
  2⤵
  PID:6176
- C:\Windows\System32\ZPEwbyP.exe
  C:\Windows\System32\ZPEwbyP.exe
  2⤵
  PID:4108
- C:\Windows\System32\jSnGpFT.exe
  C:\Windows\System32\jSnGpFT.exe
  2⤵
  PID:6376
- C:\Windows\System32\lUpJmLM.exe
  C:\Windows\System32\lUpJmLM.exe
  2⤵
  PID:6588
- C:\Windows\System32\nyTNXRP.exe
  C:\Windows\System32\nyTNXRP.exe
  2⤵
  PID:6660
- C:\Windows\System32\QQcRgMQ.exe
  C:\Windows\System32\QQcRgMQ.exe
  2⤵
  PID:6652
- C:\Windows\System32\FOfSIMd.exe
  C:\Windows\System32\FOfSIMd.exe
  2⤵
  PID:6712
- C:\Windows\System32\WjiGPrl.exe
  C:\Windows\System32\WjiGPrl.exe
  2⤵
  PID:6688
- C:\Windows\System32\eRCXaPv.exe
  C:\Windows\System32\eRCXaPv.exe
  2⤵
  PID:6788
- C:\Windows\System32\hkfqlKY.exe
  C:\Windows\System32\hkfqlKY.exe
  2⤵
  PID:6904
- C:\Windows\System32\qhbDnVH.exe
  C:\Windows\System32\qhbDnVH.exe
  2⤵
  PID:6876
- C:\Windows\System32\UuCBmXI.exe
  C:\Windows\System32\UuCBmXI.exe
  2⤵
  PID:7008
- C:\Windows\System32\khmhnnv.exe
  C:\Windows\System32\khmhnnv.exe
  2⤵
  PID:7104
- C:\Windows\System32\ieJVygA.exe
  C:\Windows\System32\ieJVygA.exe
  2⤵
  PID:7164
- C:\Windows\System32\ldTiIvW.exe
  C:\Windows\System32\ldTiIvW.exe
  2⤵
  PID:1216
- C:\Windows\System32\YdKWVnO.exe
  C:\Windows\System32\YdKWVnO.exe
  2⤵
  PID:6252
- C:\Windows\System32\SvncAnz.exe
  C:\Windows\System32\SvncAnz.exe
  2⤵
  PID:6440
- C:\Windows\System32\uIlPqcS.exe
  C:\Windows\System32\uIlPqcS.exe
  2⤵
  PID:6644
- C:\Windows\System32\PjeXgmN.exe
  C:\Windows\System32\PjeXgmN.exe
  2⤵
  PID:6640
- C:\Windows\System32\mvbtbgZ.exe
  C:\Windows\System32\mvbtbgZ.exe
  2⤵
  PID:6996
- C:\Windows\System32\ALGmekf.exe
  C:\Windows\System32\ALGmekf.exe
  2⤵
  PID:1124
- C:\Windows\System32\bJOcxfx.exe
  C:\Windows\System32\bJOcxfx.exe
  2⤵
  PID:7068
- C:\Windows\System32\tPNZLgu.exe
  C:\Windows\System32\tPNZLgu.exe
  2⤵
  PID:6388
- C:\Windows\System32\kDQiQcm.exe
  C:\Windows\System32\kDQiQcm.exe
  2⤵
  PID:6272
- C:\Windows\System32\ERTshak.exe
  C:\Windows\System32\ERTshak.exe
  2⤵
  PID:6552
- C:\Windows\System32\bdRWCNq.exe
  C:\Windows\System32\bdRWCNq.exe
  2⤵
  PID:948
- C:\Windows\System32\hmcohBN.exe
  C:\Windows\System32\hmcohBN.exe
  2⤵
  PID:6948
- C:\Windows\System32\tfwdBCg.exe
  C:\Windows\System32\tfwdBCg.exe
  2⤵
  PID:7204
- C:\Windows\System32\DNFnwcS.exe
  C:\Windows\System32\DNFnwcS.exe
  2⤵
  PID:7236
- C:\Windows\System32\npKaLNq.exe
  C:\Windows\System32\npKaLNq.exe
  2⤵
  PID:7276
- C:\Windows\System32\yLtmHNT.exe
  C:\Windows\System32\yLtmHNT.exe
  2⤵
  PID:7300
- C:\Windows\System32\jLYgVZB.exe
  C:\Windows\System32\jLYgVZB.exe
  2⤵
  PID:7336
- C:\Windows\System32\vsKgmhj.exe
  C:\Windows\System32\vsKgmhj.exe
  2⤵
  PID:7364
- C:\Windows\System32\ObmhKlK.exe
  C:\Windows\System32\ObmhKlK.exe
  2⤵
  PID:7380
- C:\Windows\System32\wjWcDOK.exe
  C:\Windows\System32\wjWcDOK.exe
  2⤵
  PID:7404
- C:\Windows\System32\BbFPdZu.exe
  C:\Windows\System32\BbFPdZu.exe
  2⤵
  PID:7428
- C:\Windows\System32\IMWCFNI.exe
  C:\Windows\System32\IMWCFNI.exe
  2⤵
  PID:7444
- C:\Windows\System32\MxmUgxx.exe
  C:\Windows\System32\MxmUgxx.exe
  2⤵
  PID:7472
- C:\Windows\System32\nMVWTmB.exe
  C:\Windows\System32\nMVWTmB.exe
  2⤵
  PID:7496
- C:\Windows\System32\wAAdsPC.exe
  C:\Windows\System32\wAAdsPC.exe
  2⤵
  PID:7532
- C:\Windows\System32\qVpgDqF.exe
  C:\Windows\System32\qVpgDqF.exe
  2⤵
  PID:7556
- C:\Windows\System32\MIlCgFN.exe
  C:\Windows\System32\MIlCgFN.exe
  2⤵
  PID:7576
- C:\Windows\System32\bldlYEE.exe
  C:\Windows\System32\bldlYEE.exe
  2⤵
  PID:7644
- C:\Windows\System32\zSwXoeu.exe
  C:\Windows\System32\zSwXoeu.exe
  2⤵
  PID:7676
- C:\Windows\System32\wiTvZGl.exe
  C:\Windows\System32\wiTvZGl.exe
  2⤵
  PID:7724
- C:\Windows\System32\XdCnDlF.exe
  C:\Windows\System32\XdCnDlF.exe
  2⤵
  PID:7748
- C:\Windows\System32\cHOeQsl.exe
  C:\Windows\System32\cHOeQsl.exe
  2⤵
  PID:7776
- C:\Windows\System32\wWHOLlT.exe
  C:\Windows\System32\wWHOLlT.exe
  2⤵
  PID:7808
- C:\Windows\System32\rZPOtvm.exe
  C:\Windows\System32\rZPOtvm.exe
  2⤵
  PID:7832
- C:\Windows\System32\hnYoCJM.exe
  C:\Windows\System32\hnYoCJM.exe
  2⤵
  PID:7848
- C:\Windows\System32\hNxbQdj.exe
  C:\Windows\System32\hNxbQdj.exe
  2⤵
  PID:7872
- C:\Windows\System32\TfMKhkx.exe
  C:\Windows\System32\TfMKhkx.exe
  2⤵
  PID:7892
- C:\Windows\System32\UOpXGaE.exe
  C:\Windows\System32\UOpXGaE.exe
  2⤵
  PID:7948
- C:\Windows\System32\KpCBDPs.exe
  C:\Windows\System32\KpCBDPs.exe
  2⤵
  PID:7968
- C:\Windows\System32\VJdOGjM.exe
  C:\Windows\System32\VJdOGjM.exe
  2⤵
  PID:7984
- C:\Windows\System32\jskGMJC.exe
  C:\Windows\System32\jskGMJC.exe
  2⤵
  PID:8000
- C:\Windows\System32\XlwNhux.exe
  C:\Windows\System32\XlwNhux.exe
  2⤵
  PID:8044
- C:\Windows\System32\gJILdxB.exe
  C:\Windows\System32\gJILdxB.exe
  2⤵
  PID:8068
- C:\Windows\System32\pYwwcrl.exe
  C:\Windows\System32\pYwwcrl.exe
  2⤵
  PID:8088
- C:\Windows\System32\XgOhtcn.exe
  C:\Windows\System32\XgOhtcn.exe
  2⤵
  PID:8112
- C:\Windows\System32\MekcZGp.exe
  C:\Windows\System32\MekcZGp.exe
  2⤵
  PID:8132
- C:\Windows\System32\xCWVaAC.exe
  C:\Windows\System32\xCWVaAC.exe
  2⤵
  PID:8156
- C:\Windows\System32\yLSaIOu.exe
  C:\Windows\System32\yLSaIOu.exe
  2⤵
  PID:8184
- C:\Windows\System32\zbdIWIq.exe
  C:\Windows\System32\zbdIWIq.exe
  2⤵
  PID:7172
- C:\Windows\System32\PJbFZBs.exe
  C:\Windows\System32\PJbFZBs.exe
  2⤵
  PID:7284
- C:\Windows\System32\VGrcyIG.exe
  C:\Windows\System32\VGrcyIG.exe
  2⤵
  PID:7360
- C:\Windows\System32\rbOOoGN.exe
  C:\Windows\System32\rbOOoGN.exe
  2⤵
  PID:7388
- C:\Windows\System32\dNJsgEy.exe
  C:\Windows\System32\dNJsgEy.exe
  2⤵
  PID:7412
- C:\Windows\System32\HLYlVcg.exe
  C:\Windows\System32\HLYlVcg.exe
  2⤵
  PID:1248
- C:\Windows\System32\ReWSXHN.exe
  C:\Windows\System32\ReWSXHN.exe
  2⤵
  PID:7592
- C:\Windows\System32\WyTaiWn.exe
  C:\Windows\System32\WyTaiWn.exe
  2⤵
  PID:7552
- C:\Windows\System32\bnoKKDK.exe
  C:\Windows\System32\bnoKKDK.exe
  2⤵
  PID:7668
- C:\Windows\System32\JdIqMDc.exe
  C:\Windows\System32\JdIqMDc.exe
  2⤵
  PID:7744
- C:\Windows\System32\xKloexK.exe
  C:\Windows\System32\xKloexK.exe
  2⤵
  PID:7884
- C:\Windows\System32\rqwcSeX.exe
  C:\Windows\System32\rqwcSeX.exe
  2⤵
  PID:7880
- C:\Windows\System32\KRmQAkr.exe
  C:\Windows\System32\KRmQAkr.exe
  2⤵
  PID:7980
- C:\Windows\System32\ljDDwlh.exe
  C:\Windows\System32\ljDDwlh.exe
  2⤵
  PID:8052
- C:\Windows\System32\ouJDMzg.exe
  C:\Windows\System32\ouJDMzg.exe
  2⤵
  PID:8128
- C:\Windows\System32\AugSSBI.exe
  C:\Windows\System32\AugSSBI.exe
  2⤵
  PID:8164
- C:\Windows\System32\luIObhs.exe
  C:\Windows\System32\luIObhs.exe
  2⤵
  PID:8180
- C:\Windows\System32\pCxwttB.exe
  C:\Windows\System32\pCxwttB.exe
  2⤵
  PID:7352
- C:\Windows\System32\oKLJLGN.exe
  C:\Windows\System32\oKLJLGN.exe
  2⤵
  PID:7436
- C:\Windows\System32\rJuIOWI.exe
  C:\Windows\System32\rJuIOWI.exe
  2⤵
  PID:7268
- C:\Windows\System32\urMMGTJ.exe
  C:\Windows\System32\urMMGTJ.exe
  2⤵
  PID:7596
- C:\Windows\System32\xomfqKY.exe
  C:\Windows\System32\xomfqKY.exe
  2⤵
  PID:7760
- C:\Windows\System32\JGvvpul.exe
  C:\Windows\System32\JGvvpul.exe
  2⤵
  PID:7964
- C:\Windows\System32\wFgtDhn.exe
  C:\Windows\System32\wFgtDhn.exe
  2⤵
  PID:8140
- C:\Windows\System32\LRFGiFL.exe
  C:\Windows\System32\LRFGiFL.exe
  2⤵
  PID:7664
- C:\Windows\System32\AoguKkc.exe
  C:\Windows\System32\AoguKkc.exe
  2⤵
  PID:7908
- C:\Windows\System32\hQpZFXP.exe
  C:\Windows\System32\hQpZFXP.exe
  2⤵
  PID:7212
- C:\Windows\System32\PZvHNyM.exe
  C:\Windows\System32\PZvHNyM.exe
  2⤵
  PID:7604
- C:\Windows\System32\waPgkKy.exe
  C:\Windows\System32\waPgkKy.exe
  2⤵
  PID:8196
- C:\Windows\System32\YefEdcd.exe
  C:\Windows\System32\YefEdcd.exe
  2⤵
  PID:8212
- C:\Windows\System32\lryRsqS.exe
  C:\Windows\System32\lryRsqS.exe
  2⤵
  PID:8232
- C:\Windows\System32\KRMIIIe.exe
  C:\Windows\System32\KRMIIIe.exe
  2⤵
  PID:8280
- C:\Windows\System32\XkTpeGU.exe
  C:\Windows\System32\XkTpeGU.exe
  2⤵
  PID:8336
- C:\Windows\System32\qyCPwfj.exe
  C:\Windows\System32\qyCPwfj.exe
  2⤵
  PID:8360
- C:\Windows\System32\QcleBVL.exe
  C:\Windows\System32\QcleBVL.exe
  2⤵
  PID:8380
- C:\Windows\System32\BEdEogc.exe
  C:\Windows\System32\BEdEogc.exe
  2⤵
  PID:8400
- C:\Windows\System32\rxGsXke.exe
  C:\Windows\System32\rxGsXke.exe
  2⤵
  PID:8424
- C:\Windows\System32\JHKmEsh.exe
  C:\Windows\System32\JHKmEsh.exe
  2⤵
  PID:8440
- C:\Windows\System32\tyqfcGJ.exe
  C:\Windows\System32\tyqfcGJ.exe
  2⤵
  PID:8460
- C:\Windows\System32\pwEFGAn.exe
  C:\Windows\System32\pwEFGAn.exe
  2⤵
  PID:8484
- C:\Windows\System32\ToSyiIh.exe
  C:\Windows\System32\ToSyiIh.exe
  2⤵
  PID:8528
- C:\Windows\System32\StnQZjv.exe
  C:\Windows\System32\StnQZjv.exe
  2⤵
  PID:8564
- C:\Windows\System32\AeRsLUL.exe
  C:\Windows\System32\AeRsLUL.exe
  2⤵
  PID:8616
- C:\Windows\System32\rocZvPL.exe
  C:\Windows\System32\rocZvPL.exe
  2⤵
  PID:8640
- C:\Windows\System32\NAPNgbV.exe
  C:\Windows\System32\NAPNgbV.exe
  2⤵
  PID:8664
- C:\Windows\System32\HZtLhCU.exe
  C:\Windows\System32\HZtLhCU.exe
  2⤵
  PID:8680
- C:\Windows\System32\aStlTEx.exe
  C:\Windows\System32\aStlTEx.exe
  2⤵
  PID:8704
- C:\Windows\System32\VlnDldZ.exe
  C:\Windows\System32\VlnDldZ.exe
  2⤵
  PID:8724
- C:\Windows\System32\clktljo.exe
  C:\Windows\System32\clktljo.exe
  2⤵
  PID:8772
- C:\Windows\System32\RrzxagP.exe
  C:\Windows\System32\RrzxagP.exe
  2⤵
  PID:8788
- C:\Windows\System32\JxXundR.exe
  C:\Windows\System32\JxXundR.exe
  2⤵
  PID:8808
- C:\Windows\System32\hHscKSH.exe
  C:\Windows\System32\hHscKSH.exe
  2⤵
  PID:8828
- C:\Windows\System32\eoCrbCD.exe
  C:\Windows\System32\eoCrbCD.exe
  2⤵
  PID:8888
- C:\Windows\System32\OqoIrMt.exe
  C:\Windows\System32\OqoIrMt.exe
  2⤵
  PID:8912
- C:\Windows\System32\gMMHjRr.exe
  C:\Windows\System32\gMMHjRr.exe
  2⤵
  PID:8932
- C:\Windows\System32\gFOqPLB.exe
  C:\Windows\System32\gFOqPLB.exe
  2⤵
  PID:8956
- C:\Windows\System32\PntXgIE.exe
  C:\Windows\System32\PntXgIE.exe
  2⤵
  PID:8984
- C:\Windows\System32\RpVQQlu.exe
  C:\Windows\System32\RpVQQlu.exe
  2⤵
  PID:9024
- C:\Windows\System32\CDnyWnG.exe
  C:\Windows\System32\CDnyWnG.exe
  2⤵
  PID:9052
- C:\Windows\System32\qppecPu.exe
  C:\Windows\System32\qppecPu.exe
  2⤵
  PID:9088
- C:\Windows\System32\SiLgSog.exe
  C:\Windows\System32\SiLgSog.exe
  2⤵
  PID:9120
- C:\Windows\System32\gFTjKEG.exe
  C:\Windows\System32\gFTjKEG.exe
  2⤵
  PID:9144
- C:\Windows\System32\MASIiPn.exe
  C:\Windows\System32\MASIiPn.exe
  2⤵
  PID:9164
- C:\Windows\System32\VyzdwrK.exe
  C:\Windows\System32\VyzdwrK.exe
  2⤵
  PID:9184
- C:\Windows\System32\quJffsv.exe
  C:\Windows\System32\quJffsv.exe
  2⤵
  PID:9204
- C:\Windows\System32\CJezESX.exe
  C:\Windows\System32\CJezESX.exe
  2⤵
  PID:1824
- C:\Windows\System32\aIfyfnt.exe
  C:\Windows\System32\aIfyfnt.exe
  2⤵
  PID:8292
- C:\Windows\System32\hVQjXYk.exe
  C:\Windows\System32\hVQjXYk.exe
  2⤵
  PID:8356
- C:\Windows\System32\FnHXFmT.exe
  C:\Windows\System32\FnHXFmT.exe
  2⤵
  PID:8376
- C:\Windows\System32\ohHhBHK.exe
  C:\Windows\System32\ohHhBHK.exe
  2⤵
  PID:8472
- C:\Windows\System32\yhoIWjt.exe
  C:\Windows\System32\yhoIWjt.exe
  2⤵
  PID:8536
- C:\Windows\System32\YRBRTEp.exe
  C:\Windows\System32\YRBRTEp.exe
  2⤵
  PID:8612
- C:\Windows\System32\HbOcDRG.exe
  C:\Windows\System32\HbOcDRG.exe
  2⤵
  PID:8652
- C:\Windows\System32\uaeyYiX.exe
  C:\Windows\System32\uaeyYiX.exe
  2⤵
  PID:8736
- C:\Windows\System32\CPcibDI.exe
  C:\Windows\System32\CPcibDI.exe
  2⤵
  PID:8804
- C:\Windows\System32\fqwaNtl.exe
  C:\Windows\System32\fqwaNtl.exe
  2⤵
  PID:8868
- C:\Windows\System32\wrkFlVR.exe
  C:\Windows\System32\wrkFlVR.exe
  2⤵
  PID:8968
- C:\Windows\System32\qjBonqZ.exe
  C:\Windows\System32\qjBonqZ.exe
  2⤵
  PID:9032
- C:\Windows\System32\RDElmTA.exe
  C:\Windows\System32\RDElmTA.exe
  2⤵
  PID:9068
- C:\Windows\System32\vlVyuoG.exe
  C:\Windows\System32\vlVyuoG.exe
  2⤵
  PID:9156
- C:\Windows\System32\oHqLNig.exe
  C:\Windows\System32\oHqLNig.exe
  2⤵
  PID:8064
- C:\Windows\System32\mDgKyIp.exe
  C:\Windows\System32\mDgKyIp.exe
  2⤵
  PID:8244
- C:\Windows\System32\HFitYIg.exe
  C:\Windows\System32\HFitYIg.exe
  2⤵
  PID:8412
- C:\Windows\System32\NDRrqEc.exe
  C:\Windows\System32\NDRrqEc.exe
  2⤵
  PID:8560
- C:\Windows\System32\GxHvDHU.exe
  C:\Windows\System32\GxHvDHU.exe
  2⤵
  PID:8756
- C:\Windows\System32\zTXwsoo.exe
  C:\Windows\System32\zTXwsoo.exe
  2⤵
  PID:8820
- C:\Windows\System32\GSinRzm.exe
  C:\Windows\System32\GSinRzm.exe
  2⤵
  PID:8948
- C:\Windows\System32\vswdOKP.exe
  C:\Windows\System32\vswdOKP.exe
  2⤵
  PID:9096
- C:\Windows\System32\pYaPhdF.exe
  C:\Windows\System32\pYaPhdF.exe
  2⤵
  PID:9192
- C:\Windows\System32\HTcJgYO.exe
  C:\Windows\System32\HTcJgYO.exe
  2⤵
  PID:8372
- C:\Windows\System32\btzQjNf.exe
  C:\Windows\System32\btzQjNf.exe
  2⤵
  PID:8880
- C:\Windows\System32\vcSIFGE.exe
  C:\Windows\System32\vcSIFGE.exe
  2⤵
  PID:8636
- C:\Windows\System32\LArazCz.exe
  C:\Windows\System32\LArazCz.exe
  2⤵
  PID:8648
- C:\Windows\System32\GSzBOAI.exe
  C:\Windows\System32\GSzBOAI.exe
  2⤵
  PID:9224
- C:\Windows\System32\pFScDaw.exe
  C:\Windows\System32\pFScDaw.exe
  2⤵
  PID:9252
- C:\Windows\System32\UVKtLjv.exe
  C:\Windows\System32\UVKtLjv.exe
  2⤵
  PID:9276
- C:\Windows\System32\VxNGzlE.exe
  C:\Windows\System32\VxNGzlE.exe
  2⤵
  PID:9312
- C:\Windows\System32\sgGPLXN.exe
  C:\Windows\System32\sgGPLXN.exe
  2⤵
  PID:9360
- C:\Windows\System32\XvSKWFg.exe
  C:\Windows\System32\XvSKWFg.exe
  2⤵
  PID:9388
- C:\Windows\System32\QxLOKXo.exe
  C:\Windows\System32\QxLOKXo.exe
  2⤵
  PID:9428
- C:\Windows\System32\ioAlHwy.exe
  C:\Windows\System32\ioAlHwy.exe
  2⤵
  PID:9448
- C:\Windows\System32\WRARWrW.exe
  C:\Windows\System32\WRARWrW.exe
  2⤵
  PID:9468
- C:\Windows\System32\MyyALqU.exe
  C:\Windows\System32\MyyALqU.exe
  2⤵
  PID:9492
- C:\Windows\System32\XGoMJdk.exe
  C:\Windows\System32\XGoMJdk.exe
  2⤵
  PID:9512
- C:\Windows\System32\skEAZfd.exe
  C:\Windows\System32\skEAZfd.exe
  2⤵
  PID:9556
- C:\Windows\System32\xytsuvn.exe
  C:\Windows\System32\xytsuvn.exe
  2⤵
  PID:9580
- C:\Windows\System32\iWnqRCJ.exe
  C:\Windows\System32\iWnqRCJ.exe
  2⤵
  PID:9604
- C:\Windows\System32\vuaaXRE.exe
  C:\Windows\System32\vuaaXRE.exe
  2⤵
  PID:9632
- C:\Windows\System32\HBnSSUH.exe
  C:\Windows\System32\HBnSSUH.exe
  2⤵
  PID:9700
- C:\Windows\System32\LCoNAyK.exe
  C:\Windows\System32\LCoNAyK.exe
  2⤵
  PID:9716
- C:\Windows\System32\wiUQPqG.exe
  C:\Windows\System32\wiUQPqG.exe
  2⤵
  PID:9732
- C:\Windows\System32\SZyMlyl.exe
  C:\Windows\System32\SZyMlyl.exe
  2⤵
  PID:9756
- C:\Windows\System32\fQQYYjL.exe
  C:\Windows\System32\fQQYYjL.exe
  2⤵
  PID:9784
- C:\Windows\System32\FRbyUCm.exe
  C:\Windows\System32\FRbyUCm.exe
  2⤵
  PID:9812
- C:\Windows\System32\SZUgfGl.exe
  C:\Windows\System32\SZUgfGl.exe
  2⤵
  PID:9836
- C:\Windows\System32\pqkzfNQ.exe
  C:\Windows\System32\pqkzfNQ.exe
  2⤵
  PID:9856
- C:\Windows\System32\EbacAvI.exe
  C:\Windows\System32\EbacAvI.exe
  2⤵
  PID:9876
- C:\Windows\System32\YIYHKmE.exe
  C:\Windows\System32\YIYHKmE.exe
  2⤵
  PID:9892
- C:\Windows\System32\cSqicZj.exe
  C:\Windows\System32\cSqicZj.exe
  2⤵
  PID:9912
- C:\Windows\System32\LEpWPIm.exe
  C:\Windows\System32\LEpWPIm.exe
  2⤵
  PID:9932
- C:\Windows\System32\yKScpRb.exe
  C:\Windows\System32\yKScpRb.exe
  2⤵
  PID:9956
- C:\Windows\System32\BAtTAXl.exe
  C:\Windows\System32\BAtTAXl.exe
  2⤵
  PID:10016
- C:\Windows\System32\UXPYJQr.exe
  C:\Windows\System32\UXPYJQr.exe
  2⤵
  PID:10044
- C:\Windows\System32\KJuRhqR.exe
  C:\Windows\System32\KJuRhqR.exe
  2⤵
  PID:10084
- C:\Windows\System32\Gfimukp.exe
  C:\Windows\System32\Gfimukp.exe
  2⤵
  PID:10116
- C:\Windows\System32\wVsCRif.exe
  C:\Windows\System32\wVsCRif.exe
  2⤵
  PID:10136
- C:\Windows\System32\WWmlPsq.exe
  C:\Windows\System32\WWmlPsq.exe
  2⤵
  PID:10152
- C:\Windows\System32\hrBgCIe.exe
  C:\Windows\System32\hrBgCIe.exe
  2⤵
  PID:10196
- C:\Windows\System32\wtZnAmW.exe
  C:\Windows\System32\wtZnAmW.exe
  2⤵
  PID:10216
- C:\Windows\System32\rJEFLpc.exe
  C:\Windows\System32\rJEFLpc.exe
  2⤵
  PID:9352
- C:\Windows\System32\rIRUsdz.exe
  C:\Windows\System32\rIRUsdz.exe
  2⤵
  PID:9464
- C:\Windows\System32\yeOhXNd.exe
  C:\Windows\System32\yeOhXNd.exe
  2⤵
  PID:9484
- C:\Windows\System32\OQCRwbJ.exe
  C:\Windows\System32\OQCRwbJ.exe
  2⤵
  PID:9504
- C:\Windows\System32\FisDdDa.exe
  C:\Windows\System32\FisDdDa.exe
  2⤵
  PID:9576
- C:\Windows\System32\VTqbPyG.exe
  C:\Windows\System32\VTqbPyG.exe
  2⤵
  PID:9588
- C:\Windows\System32\GCxTXVK.exe
  C:\Windows\System32\GCxTXVK.exe
  2⤵
  PID:9656
- C:\Windows\System32\FzvfYKW.exe
  C:\Windows\System32\FzvfYKW.exe
  2⤵
  PID:9696
- C:\Windows\System32\WGzHYjj.exe
  C:\Windows\System32\WGzHYjj.exe
  2⤵
  PID:9728
- C:\Windows\System32\fKdHSSu.exe
  C:\Windows\System32\fKdHSSu.exe
  2⤵
  PID:9752
- C:\Windows\System32\WLFWlyw.exe
  C:\Windows\System32\WLFWlyw.exe
  2⤵
  PID:9800
- C:\Windows\System32\TmsCMKD.exe
  C:\Windows\System32\TmsCMKD.exe
  2⤵
  PID:9848
- C:\Windows\System32\MxlEugm.exe
  C:\Windows\System32\MxlEugm.exe
  2⤵
  PID:9924
- C:\Windows\System32\RUupidf.exe
  C:\Windows\System32\RUupidf.exe
  2⤵
  PID:9968
- C:\Windows\System32\TOBMxjv.exe
  C:\Windows\System32\TOBMxjv.exe
  2⤵
  PID:9248
- C:\Windows\System32\eYQNwBt.exe
  C:\Windows\System32\eYQNwBt.exe
  2⤵
  PID:9612
- C:\Windows\System32\GLClxOK.exe
  C:\Windows\System32\GLClxOK.exe
  2⤵
  PID:9244
- C:\Windows\System32\eSAgHHe.exe
  C:\Windows\System32\eSAgHHe.exe
  2⤵
  PID:9996
- C:\Windows\System32\luUiisn.exe
  C:\Windows\System32\luUiisn.exe
  2⤵
  PID:10012
- C:\Windows\System32\fGzdnOH.exe
  C:\Windows\System32\fGzdnOH.exe
  2⤵
  PID:9780
- C:\Windows\System32\pAOfRqr.exe
  C:\Windows\System32\pAOfRqr.exe
  2⤵
  PID:9952
- C:\Windows\System32\OPOtjbK.exe
  C:\Windows\System32\OPOtjbK.exe
  2⤵
  PID:9412
- C:\Windows\System32\WaSQjCs.exe
  C:\Windows\System32\WaSQjCs.exe
  2⤵
  PID:10072
- C:\Windows\System32\NruFELh.exe
  C:\Windows\System32\NruFELh.exe
  2⤵
  PID:9864
- C:\Windows\System32\pbEVqCK.exe
  C:\Windows\System32\pbEVqCK.exe
  2⤵
  PID:9436
- C:\Windows\System32\dZeNAqo.exe
  C:\Windows\System32\dZeNAqo.exe
  2⤵
  PID:9268
- C:\Windows\System32\SeAWabW.exe
  C:\Windows\System32\SeAWabW.exe
  2⤵
  PID:10208
- C:\Windows\System32\fMBsQaQ.exe
  C:\Windows\System32\fMBsQaQ.exe
  2⤵
  PID:9272
- C:\Windows\System32\YHdNMYr.exe
  C:\Windows\System32\YHdNMYr.exe
  2⤵
  PID:10256
- C:\Windows\System32\BPeJGcE.exe
  C:\Windows\System32\BPeJGcE.exe
  2⤵
  PID:10280
- C:\Windows\System32\ywUVtOR.exe
  C:\Windows\System32\ywUVtOR.exe
  2⤵
  PID:10304
- C:\Windows\System32\SGjUaDy.exe
  C:\Windows\System32\SGjUaDy.exe
  2⤵
  PID:10352
- C:\Windows\System32\RaKcLyZ.exe
  C:\Windows\System32\RaKcLyZ.exe
  2⤵
  PID:10372
- C:\Windows\System32\CwplRWY.exe
  C:\Windows\System32\CwplRWY.exe
  2⤵
  PID:10404
- C:\Windows\System32\LLdtIBC.exe
  C:\Windows\System32\LLdtIBC.exe
  2⤵
  PID:10460
- C:\Windows\System32\ZycJlzN.exe
  C:\Windows\System32\ZycJlzN.exe
  2⤵
  PID:10484
- C:\Windows\System32\jYzLeqr.exe
  C:\Windows\System32\jYzLeqr.exe
  2⤵
  PID:10504
- C:\Windows\System32\fLVlocn.exe
  C:\Windows\System32\fLVlocn.exe
  2⤵
  PID:10536
- C:\Windows\System32\uaaKqLx.exe
  C:\Windows\System32\uaaKqLx.exe
  2⤵
  PID:10556
- C:\Windows\System32\MwBkIwO.exe
  C:\Windows\System32\MwBkIwO.exe
  2⤵
  PID:10576
- C:\Windows\System32\qGShEto.exe
  C:\Windows\System32\qGShEto.exe
  2⤵
  PID:10600
- C:\Windows\System32\vcLChFq.exe
  C:\Windows\System32\vcLChFq.exe
  2⤵
  PID:10620
- C:\Windows\System32\YZQgbRK.exe
  C:\Windows\System32\YZQgbRK.exe
  2⤵
  PID:10640
- C:\Windows\System32\WbeyPiV.exe
  C:\Windows\System32\WbeyPiV.exe
  2⤵
  PID:10656
- C:\Windows\System32\vRNXxmN.exe
  C:\Windows\System32\vRNXxmN.exe
  2⤵
  PID:10748
- C:\Windows\System32\VTzExxC.exe
  C:\Windows\System32\VTzExxC.exe
  2⤵
  PID:10772
- C:\Windows\System32\YDqgrLw.exe
  C:\Windows\System32\YDqgrLw.exe
  2⤵
  PID:10796
- C:\Windows\System32\oHXdvUb.exe
  C:\Windows\System32\oHXdvUb.exe
  2⤵
  PID:10824
- C:\Windows\System32\JrjPrzS.exe
  C:\Windows\System32\JrjPrzS.exe
  2⤵
  PID:10848
- C:\Windows\System32\wwCNNmR.exe
  C:\Windows\System32\wwCNNmR.exe
  2⤵
  PID:10864
- C:\Windows\System32\nkGLqqk.exe
  C:\Windows\System32\nkGLqqk.exe
  2⤵
  PID:10888
- C:\Windows\System32\YcXHnIF.exe
  C:\Windows\System32\YcXHnIF.exe
  2⤵
  PID:10936
- C:\Windows\System32\XEeSEws.exe
  C:\Windows\System32\XEeSEws.exe
  2⤵
  PID:10956
- C:\Windows\System32\jNfJeAG.exe
  C:\Windows\System32\jNfJeAG.exe
  2⤵
  PID:10976
- C:\Windows\System32\TZSBqpC.exe
  C:\Windows\System32\TZSBqpC.exe
  2⤵
  PID:10996
- C:\Windows\System32\DtinrTo.exe
  C:\Windows\System32\DtinrTo.exe
  2⤵
  PID:11040
- C:\Windows\System32\QcJIliu.exe
  C:\Windows\System32\QcJIliu.exe
  2⤵
  PID:11060
- C:\Windows\System32\neqqjKr.exe
  C:\Windows\System32\neqqjKr.exe
  2⤵
  PID:11076
- C:\Windows\System32\UaiKiSu.exe
  C:\Windows\System32\UaiKiSu.exe
  2⤵
  PID:11104
- C:\Windows\System32\iCDnBEa.exe
  C:\Windows\System32\iCDnBEa.exe
  2⤵
  PID:11140
- C:\Windows\System32\IAKLDIv.exe
  C:\Windows\System32\IAKLDIv.exe
  2⤵
  PID:11168
- C:\Windows\System32\CYBSZLD.exe
  C:\Windows\System32\CYBSZLD.exe
  2⤵
  PID:11188
- C:\Windows\System32\NDkqPtV.exe
  C:\Windows\System32\NDkqPtV.exe
  2⤵
  PID:11252
- C:\Windows\System32\scZQLvP.exe
  C:\Windows\System32\scZQLvP.exe
  2⤵
  PID:10288
- C:\Windows\System32\nVdtrWX.exe
  C:\Windows\System32\nVdtrWX.exe
  2⤵
  PID:10300
- C:\Windows\System32\pWdFbct.exe
  C:\Windows\System32\pWdFbct.exe
  2⤵
  PID:10380
- C:\Windows\System32\uEcMMzA.exe
  C:\Windows\System32\uEcMMzA.exe
  2⤵
  PID:10424
- C:\Windows\System32\oreuqlW.exe
  C:\Windows\System32\oreuqlW.exe
  2⤵
  PID:10512
- C:\Windows\System32\DluViWj.exe
  C:\Windows\System32\DluViWj.exe
  2⤵
  PID:10548
- C:\Windows\System32\yWvrDPo.exe
  C:\Windows\System32\yWvrDPo.exe
  2⤵
  PID:10588
- C:\Windows\System32\RFKdhDn.exe
  C:\Windows\System32\RFKdhDn.exe
  2⤵
  PID:10736
- C:\Windows\System32\ePpvaAF.exe
  C:\Windows\System32\ePpvaAF.exe
  2⤵
  PID:10780
- C:\Windows\System32\dLkVgNt.exe
  C:\Windows\System32\dLkVgNt.exe
  2⤵
  PID:10820
- C:\Windows\System32\inwTDRD.exe
  C:\Windows\System32\inwTDRD.exe
  2⤵
  PID:10928
- C:\Windows\System32\jElLlhB.exe
  C:\Windows\System32\jElLlhB.exe
  2⤵
  PID:10988
- C:\Windows\System32\WDNqGbV.exe
  C:\Windows\System32\WDNqGbV.exe
  2⤵
  PID:11056
- C:\Windows\System32\HSLDyTG.exe
  C:\Windows\System32\HSLDyTG.exe
  2⤵
  PID:11084
- C:\Windows\System32\jRdNxaX.exe
  C:\Windows\System32\jRdNxaX.exe
  2⤵
  PID:11052
- C:\Windows\System32\vVuiHSA.exe
  C:\Windows\System32\vVuiHSA.exe
  2⤵
  PID:11200
- C:\Windows\System32\XCNokGI.exe
  C:\Windows\System32\XCNokGI.exe
  2⤵
  PID:10296
- C:\Windows\System32\BnPpLaF.exe
  C:\Windows\System32\BnPpLaF.exe
  2⤵
  PID:10524
- C:\Windows\System32\CCjTkdc.exe
  C:\Windows\System32\CCjTkdc.exe
  2⤵
  PID:10724
- C:\Windows\System32\xcbLPyz.exe
  C:\Windows\System32\xcbLPyz.exe
  2⤵
  PID:10812
- C:\Windows\System32\FUGyiWy.exe
  C:\Windows\System32\FUGyiWy.exe
  2⤵
  PID:10992
- C:\Windows\System32\QDfFAhz.exe
  C:\Windows\System32\QDfFAhz.exe
  2⤵
  PID:11068
- C:\Windows\System32\wYlLFEj.exe
  C:\Windows\System32\wYlLFEj.exe
  2⤵
  PID:11164
- C:\Windows\System32\LZlfPXf.exe
  C:\Windows\System32\LZlfPXf.exe
  2⤵
  PID:10268
- C:\Windows\System32\keKUArT.exe
  C:\Windows\System32\keKUArT.exe
  2⤵
  PID:10232
- C:\Windows\System32\BqoalOw.exe
  C:\Windows\System32\BqoalOw.exe
  2⤵
  PID:11088
- C:\Windows\System32\xqLCngw.exe
  C:\Windows\System32\xqLCngw.exe
  2⤵
  PID:10468
- C:\Windows\System32\IZqRQXB.exe
  C:\Windows\System32\IZqRQXB.exe
  2⤵
  PID:11276
- C:\Windows\System32\HOZUoKE.exe
  C:\Windows\System32\HOZUoKE.exe
  2⤵
  PID:11300
- C:\Windows\System32\fzIYGAh.exe
  C:\Windows\System32\fzIYGAh.exe
  2⤵
  PID:11316
- C:\Windows\System32\KhRHeYx.exe
  C:\Windows\System32\KhRHeYx.exe
  2⤵
  PID:11348
- C:\Windows\System32\IxZJZBG.exe
  C:\Windows\System32\IxZJZBG.exe
  2⤵
  PID:11372
- C:\Windows\System32\VcUoYCJ.exe
  C:\Windows\System32\VcUoYCJ.exe
  2⤵
  PID:11392
- C:\Windows\System32\NxWaPii.exe
  C:\Windows\System32\NxWaPii.exe
  2⤵
  PID:11412
- C:\Windows\System32\aPdLMev.exe
  C:\Windows\System32\aPdLMev.exe
  2⤵
  PID:11432
- C:\Windows\System32\oFjtXUp.exe
  C:\Windows\System32\oFjtXUp.exe
  2⤵
  PID:11448
- C:\Windows\System32\dWJrjvb.exe
  C:\Windows\System32\dWJrjvb.exe
  2⤵
  PID:11472
- C:\Windows\System32\hGQYFij.exe
  C:\Windows\System32\hGQYFij.exe
  2⤵
  PID:11512
- C:\Windows\System32\XQkANkB.exe
  C:\Windows\System32\XQkANkB.exe
  2⤵
  PID:11540
- C:\Windows\System32\dAynxpW.exe
  C:\Windows\System32\dAynxpW.exe
  2⤵
  PID:11592
- C:\Windows\System32\SgGMMES.exe
  C:\Windows\System32\SgGMMES.exe
  2⤵
  PID:11620
- C:\Windows\System32\uzCAjNn.exe
  C:\Windows\System32\uzCAjNn.exe
  2⤵
  PID:11640
- C:\Windows\System32\CEYegob.exe
  C:\Windows\System32\CEYegob.exe
  2⤵
  PID:11672
- C:\Windows\System32\BgWXHYO.exe
  C:\Windows\System32\BgWXHYO.exe
  2⤵
  PID:11696
- C:\Windows\System32\yHShiHi.exe
  C:\Windows\System32\yHShiHi.exe
  2⤵
  PID:11720
- C:\Windows\System32\gmIEhiO.exe
  C:\Windows\System32\gmIEhiO.exe
  2⤵
  PID:11760
- C:\Windows\System32\ddhpnHK.exe
  C:\Windows\System32\ddhpnHK.exe
  2⤵
  PID:11780
- C:\Windows\System32\XbYXZUL.exe
  C:\Windows\System32\XbYXZUL.exe
  2⤵
  PID:11816
- C:\Windows\System32\ovbPnMQ.exe
  C:\Windows\System32\ovbPnMQ.exe
  2⤵
  PID:11840
- C:\Windows\System32\TSOtOKc.exe
  C:\Windows\System32\TSOtOKc.exe
  2⤵
  PID:11864
- C:\Windows\System32\OAWpuXJ.exe
  C:\Windows\System32\OAWpuXJ.exe
  2⤵
  PID:11880
- C:\Windows\System32\DjBklug.exe
  C:\Windows\System32\DjBklug.exe
  2⤵
  PID:11916
- C:\Windows\System32\sQOBtie.exe
  C:\Windows\System32\sQOBtie.exe
  2⤵
  PID:11968
- C:\Windows\System32\OeacxPT.exe
  C:\Windows\System32\OeacxPT.exe
  2⤵
  PID:11984
- C:\Windows\System32\wYwroch.exe
  C:\Windows\System32\wYwroch.exe
  2⤵
  PID:12024
- C:\Windows\System32\cvMuXuR.exe
  C:\Windows\System32\cvMuXuR.exe
  2⤵
  PID:12052
- C:\Windows\System32\zwamJIr.exe
  C:\Windows\System32\zwamJIr.exe
  2⤵
  PID:12072
- C:\Windows\System32\ijdGGHM.exe
  C:\Windows\System32\ijdGGHM.exe
  2⤵
  PID:12112
- C:\Windows\System32\bOxaoMr.exe
  C:\Windows\System32\bOxaoMr.exe
  2⤵
  PID:12148
- C:\Windows\System32\mXJDIxc.exe
  C:\Windows\System32\mXJDIxc.exe
  2⤵
  PID:12168
- C:\Windows\System32\DzefSMP.exe
  C:\Windows\System32\DzefSMP.exe
  2⤵
  PID:12208
- C:\Windows\System32\NNSQIyz.exe
  C:\Windows\System32\NNSQIyz.exe
  2⤵
  PID:12232
- C:\Windows\System32\ZmIgLQZ.exe
  C:\Windows\System32\ZmIgLQZ.exe
  2⤵
  PID:12252
- C:\Windows\System32\iVhnzyg.exe
  C:\Windows\System32\iVhnzyg.exe
  2⤵
  PID:11072
- C:\Windows\System32\ygUCmVZ.exe
  C:\Windows\System32\ygUCmVZ.exe
  2⤵
  PID:10532
- C:\Windows\System32\miTZjGj.exe
  C:\Windows\System32\miTZjGj.exe
  2⤵
  PID:11296
- C:\Windows\System32\DmypoKn.exe
  C:\Windows\System32\DmypoKn.exe
  2⤵
  PID:11356
- C:\Windows\System32\QuNxRgw.exe
  C:\Windows\System32\QuNxRgw.exe
  2⤵
  PID:11484
- C:\Windows\System32\SQBrTOK.exe
  C:\Windows\System32\SQBrTOK.exe
  2⤵
  PID:11444
- C:\Windows\System32\qhOKPqn.exe
  C:\Windows\System32\qhOKPqn.exe
  2⤵
  PID:11532
- C:\Windows\System32\StokdGY.exe
  C:\Windows\System32\StokdGY.exe
  2⤵
  PID:11648
- C:\Windows\System32\pDExexL.exe
  C:\Windows\System32\pDExexL.exe
  2⤵
  PID:11708
- C:\Windows\System32\OvRkYwN.exe
  C:\Windows\System32\OvRkYwN.exe
  2⤵
  PID:11776
- C:\Windows\System32\abMYxiF.exe
  C:\Windows\System32\abMYxiF.exe
  2⤵
  PID:11796
- C:\Windows\System32\gCAKXYY.exe
  C:\Windows\System32\gCAKXYY.exe
  2⤵
  PID:11852
- C:\Windows\System32\nZkRyGw.exe
  C:\Windows\System32\nZkRyGw.exe
  2⤵
  PID:11900
- C:\Windows\System32\GrUxXpW.exe
  C:\Windows\System32\GrUxXpW.exe
  2⤵
  PID:11924
- C:\Windows\System32\egWZiJO.exe
  C:\Windows\System32\egWZiJO.exe
  2⤵
  PID:12016
- C:\Windows\System32\zajLVwc.exe
  C:\Windows\System32\zajLVwc.exe
  2⤵
  PID:12064
- C:\Windows\System32\EesaEKF.exe
  C:\Windows\System32\EesaEKF.exe
  2⤵
  PID:12156
- C:\Windows\System32\qnjVkFI.exe
  C:\Windows\System32\qnjVkFI.exe
  2⤵
  PID:12180
- C:\Windows\System32\SoUWzMO.exe
  C:\Windows\System32\SoUWzMO.exe
  2⤵
  PID:12276
- C:\Windows\System32\nPLRlwV.exe
  C:\Windows\System32\nPLRlwV.exe
  2⤵
  PID:11324
- C:\Windows\System32\rHxkwWI.exe
  C:\Windows\System32\rHxkwWI.exe
  2⤵
  PID:11440
- C:\Windows\System32\XNFCzBl.exe
  C:\Windows\System32\XNFCzBl.exe
  2⤵
  PID:11524
- C:\Windows\System32\URVPKbC.exe
  C:\Windows\System32\URVPKbC.exe
  2⤵
  PID:808
- C:\Windows\System32\ZpPXnIF.exe
  C:\Windows\System32\ZpPXnIF.exe
  2⤵
  PID:11888
- C:\Windows\System32\XXWAlsb.exe
  C:\Windows\System32\XXWAlsb.exe
  2⤵
  PID:12032
- C:\Windows\System32\Zeqlhhv.exe
  C:\Windows\System32\Zeqlhhv.exe
  2⤵
  PID:2352
- C:\Windows\System32\IOLEwBv.exe
  C:\Windows\System32\IOLEwBv.exe
  2⤵
  PID:2736
- C:\Windows\System32\FKRuVSr.exe
  C:\Windows\System32\FKRuVSr.exe
  2⤵
  PID:11536
- C:\Windows\System32\FgzJOhG.exe
  C:\Windows\System32\FgzJOhG.exe
  2⤵
  PID:11552
- C:\Windows\System32\ceCkKHp.exe
  C:\Windows\System32\ceCkKHp.exe
  2⤵
  PID:12096
- C:\Windows\System32\HNpqyhG.exe
  C:\Windows\System32\HNpqyhG.exe
  2⤵
  PID:11288
- C:\Windows\System32\zbwyTaB.exe
  C:\Windows\System32\zbwyTaB.exe
  2⤵
  PID:11860
- C:\Windows\System32\TIDjEMa.exe
  C:\Windows\System32\TIDjEMa.exe
  2⤵
  PID:12292
- C:\Windows\System32\TFphgcG.exe
  C:\Windows\System32\TFphgcG.exe
  2⤵
  PID:12324
- C:\Windows\System32\HvVmvxW.exe
  C:\Windows\System32\HvVmvxW.exe
  2⤵
  PID:12348
- C:\Windows\System32\rIDZhfz.exe
  C:\Windows\System32\rIDZhfz.exe
  2⤵
  PID:12372
- C:\Windows\System32\PaQdTqq.exe
  C:\Windows\System32\PaQdTqq.exe
  2⤵
  PID:12388
- C:\Windows\System32\BkFpuPu.exe
  C:\Windows\System32\BkFpuPu.exe
  2⤵
  PID:12408
- C:\Windows\System32\YmzdzlX.exe
  C:\Windows\System32\YmzdzlX.exe
  2⤵
  PID:12456
- C:\Windows\System32\zBGkzqQ.exe
  C:\Windows\System32\zBGkzqQ.exe
  2⤵
  PID:12484
- C:\Windows\System32\NRUzTnG.exe
  C:\Windows\System32\NRUzTnG.exe
  2⤵
  PID:12504
- C:\Windows\System32\LkLedFv.exe
  C:\Windows\System32\LkLedFv.exe
  2⤵
  PID:12528
- C:\Windows\System32\FgfgPTD.exe
  C:\Windows\System32\FgfgPTD.exe
  2⤵
  PID:12544
- C:\Windows\System32\dejwJnY.exe
  C:\Windows\System32\dejwJnY.exe
  2⤵
  PID:12560
- C:\Windows\System32\MTfjlMn.exe
  C:\Windows\System32\MTfjlMn.exe
  2⤵
  PID:12584
- C:\Windows\System32\CaAEEMD.exe
  C:\Windows\System32\CaAEEMD.exe
  2⤵
  PID:12600
- C:\Windows\System32\ymgIsTw.exe
  C:\Windows\System32\ymgIsTw.exe
  2⤵
  PID:12624
- C:\Windows\System32\rmLbVOZ.exe
  C:\Windows\System32\rmLbVOZ.exe
  2⤵
  PID:12688
- C:\Windows\System32\OKXGoKm.exe
  C:\Windows\System32\OKXGoKm.exe
  2⤵
  PID:12740
- C:\Windows\System32\bWhuPiI.exe
  C:\Windows\System32\bWhuPiI.exe
  2⤵
  PID:12760
- C:\Windows\System32\kgZhmvP.exe
  C:\Windows\System32\kgZhmvP.exe
  2⤵
  PID:12824
- C:\Windows\System32\ZXnFpIo.exe
  C:\Windows\System32\ZXnFpIo.exe
  2⤵
  PID:12848
- C:\Windows\System32\ambrZrT.exe
  C:\Windows\System32\ambrZrT.exe
  2⤵
  PID:12872
- C:\Windows\System32\oWLTuAy.exe
  C:\Windows\System32\oWLTuAy.exe
  2⤵
  PID:12896
- C:\Windows\System32\WTDdQKu.exe
  C:\Windows\System32\WTDdQKu.exe
  2⤵
  PID:12912
- C:\Windows\System32\RvUlrLf.exe
  C:\Windows\System32\RvUlrLf.exe
  2⤵
  PID:12932
- C:\Windows\System32\poYjrPh.exe
  C:\Windows\System32\poYjrPh.exe
  2⤵
  PID:12956
- C:\Windows\System32\yTGnYHv.exe
  C:\Windows\System32\yTGnYHv.exe
  2⤵
  PID:12980
- C:\Windows\System32\Mxkniva.exe
  C:\Windows\System32\Mxkniva.exe
  2⤵
  PID:13084
- C:\Windows\System32\sLDFFWp.exe
  C:\Windows\System32\sLDFFWp.exe
  2⤵
  PID:13100

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AVQUbKn.exe

Filesize
1.3MB

MD5
41d344a72528b3de54cfa03b572582ef

SHA1
a63bea98d243c4b49ac0edc747e25079a3f7b6fd

SHA256
ffbe134618cbf3082ac99fb8347c89d9dbaed23ae6efa7556196168926b2c9be

SHA512
9503f3018fa7c5a93666896bccb5e6be08382c6202b97f2af8fe2e8ff5769bac160e317e7bd350ae7c9c12a62fedbb93f6fd77c735a3c6c606a5972177446284

Download Submit
C:\Windows\System32\AyjxvBZ.exe

Filesize
1.3MB

MD5
ea76235e5428a20d84dc1c5bb8aa9583

SHA1
df66ef9619cf96f7e228f3a40004e37b9188a169

SHA256
d175043c825e586a0ca87da3d72075e4c38af66bb3e4ef2b220a2d051e11f1ce

SHA512
0d090bf2ed3943fdcebd8788fc0fecfb3281c96609beafaccb19d8e9404d22632de272b7f146c38020cb8ce363e81d400b00ba18f0dd4f8b35799078319a48c1

Download Submit
C:\Windows\System32\FVmdZVU.exe

Filesize
1.3MB

MD5
ce2f6b754535c8f6895ae12a4773cbbb

SHA1
596915f1a55b263fe2cc0b3e32cd8f65c5ae4b4c

SHA256
a4589e05a6db1a60975734f2e9378239a7a556fb3dfbaa08408111e791a98b8d

SHA512
e5249a0cfa0d114e95d9f69eeb2162400ce937d6d4b292e90bc17ae70cb8b46008cd044b6c2d77f9c1db7a74e77b0d164e6dfaf84a248ce47dddca63c209f1bf

Download Submit
C:\Windows\System32\FzAhAIS.exe

Filesize
1.3MB

MD5
d96597b4b44833137078f073db137a5f

SHA1
4ba4239c250f9c472498304d253e45215c8c3df2

SHA256
a264024cd75884401739eb3a23ac87375a499a66719d9b7b462296259cf07b90

SHA512
205f855d91623367b75a4ce0e28e62dded94f748a9d3d02b5c80616f1411e3c3f012ff25f25f991a441b710c8cf0df42bee0ef7d9f298b4720c294a6ed7bcba9

Download Submit
C:\Windows\System32\JZySxSx.exe

Filesize
1.3MB

MD5
711b437520bb0748980dd5734ca7df03

SHA1
ff570d847ccc86f6f8a2277d01abb9b01e0b92d5

SHA256
ddb363b2ee06b681096210dc97407f01718c05205aa0c34ee93d8ad77c2c4728

SHA512
f1d929fd6067d560325eda9c53fcd80611cf0213daf86a39c2d163e9b29f544bd6eded0755c051166a3ee927edeb2d465665d6e9c9e745ee8b572adb4dfc6fda

Download Submit
C:\Windows\System32\JdNKdGR.exe

Filesize
1.3MB

MD5
2b586fdb2769dc7804d552dd26db59dd

SHA1
03d26161e6cb5b91f36d8c9c313243495dc3cf63

SHA256
9fbaeb8e79843373001c251cd2922895cfe043eee44afecc1971bb7121804383

SHA512
7e23ab9df250815ebea8981ca3039eedb48fd0f4f2176ef70be1b57ddda05c5f489acfb6455710e1ca100aa7cbb779bb9601c856c55d31d146f14d2b38a1585a

Download Submit
C:\Windows\System32\NElasad.exe

Filesize
1.3MB

MD5
6c7dece8b9d00afae2f2d6c27293e067

SHA1
d1378e275c86a69e9f060e70263cb4f23fe73537

SHA256
c4753a4bb786db098a7beae378c4b39d0d5c2b88996b3ae85eeafffa486e3c6b

SHA512
9155a371f9482e8d7d3bd28e85e351671175fcdb7162e81934731346b4f1c5f7bea6d8749e430186ed57bc25bad56c829380e363edf840237242a7bce9367c13

Download Submit
C:\Windows\System32\OPNhGAu.exe

Filesize
1.3MB

MD5
304870660da77f041e27b9068382e95b

SHA1
9feccc77e718cd7f8076eb76eb95f8182b823620

SHA256
83043f6a170a84818902e60ec96f388cb995b4fb1d09e1e847b5b1abf3e19fcd

SHA512
241bd3853edb9f2c093fbd5cebc478262c00da1257ce14221a79c60a90fa9261df82744a0db24a29aff22e3a87de0ae615c76b84391fec93fe35c9b6a3833901

Download Submit
C:\Windows\System32\OSynSmP.exe

Filesize
1.3MB

MD5
878b439f4bbbcc9606d667a3d067b955

SHA1
49af98df9a12f1b05e12c664e24f1cfdeb19d221

SHA256
d9f3d121ccc88b8e48f20adb39f5935804bdde70c703023be3c96ffde7fdc465

SHA512
1714f0d66180cdd2f3efb1f5b95d6f682ce08e7ef62d0a013df626be687ab309421b55b8d0f4d5868ae68ae256eb9d966887aeb80b4d39ee5017010e6fb8856c

Download Submit
C:\Windows\System32\OYzhbkV.exe

Filesize
1.3MB

MD5
d3e2bf8e099c83ed086f73a54c5e4df1

SHA1
d813c803effc064d27adb6ea6511ff8809d67c60

SHA256
58700b87029b94f24a8786c49526984b46a0f885d2627012c70a71b9a64819cd

SHA512
d209a21a3df5de8fc6e85b84e6f499f9a92626c9948f5e731ea18e89334e00945c14a40cbf6d565d4f2dc9116e14cfa1ba8f2b3e12d664df7c7f54f604a2d894

Download Submit
C:\Windows\System32\TotRVTt.exe

Filesize
1.3MB

MD5
148233ca65e7d5883070265b422a9d46

SHA1
d1d4063578eb4b6e0ed9ae958467a366daa7ff1a

SHA256
30e3af3ac63737986cab95ea92be3be0f751192c0a67808b7c915a2da0ea601f

SHA512
c7ac335f4f38e34aee8eb02e73e04d34990ebb20e96b7cc1987e45f0b2db8b507aed1fe7e330220b9c4c37c33e9cf807e8558e7aa5f6a953d4bc81026ca848e7

Download Submit
C:\Windows\System32\Vtnhwgm.exe

Filesize
1.3MB

MD5
eda1ed5af262f199cede7a462e1b6621

SHA1
841e815ca7679e5a3af8a3d2ace5aa4a1b0f8f49

SHA256
48c8102ab372b76176049613bd439f010a09ff91ad295e5f132cd23e426ff15f

SHA512
014a4dcbd888f164298d2634b2bae241ac427ef2cf2607d3cad4457e1f77124ae63522d776abcb30330fb684d0ce96d96bdbe835b3654ad4e3b8ffb813e87223

Download Submit
C:\Windows\System32\Wthevnk.exe

Filesize
1.3MB

MD5
b36b0f29b4e5056ce47802d5201c5e6c

SHA1
2e3071efcdc68c76c4e6fe42afb2286c9a4500e0

SHA256
995df1e0c6673dbdce178f9f902b7b6beaef512ed91d452bca26b019da9515ef

SHA512
659a09d05afabbfb621e2d832de1eeb4ccf3a678a96cdd67b4e6021937b958ede2745ec8e6afa8cf8ee7779454c8e0cfdf9cf00fee2f4fe53edcd53a8474bca9

Download Submit
C:\Windows\System32\XDeeCsE.exe

Filesize
1.3MB

MD5
63bb025dce9f5c88171618ad3f14c88e

SHA1
111d31c8bba91631152c81400e6cf23260bf9f01

SHA256
6279c5c9ee8cec17d21e7b7a56ea7b3ae74e3803c8a47540563b67527a707757

SHA512
fd4778fe99dab4d135c7a688133cdc256b2c6e4ce5d1ecd80a6f2ddd6271c909651acae5b8f4ccbb4ac39626e5ffde2d12b7221469c9a62ae1a1e7595c6569ea

Download Submit
C:\Windows\System32\aMVgTlh.exe

Filesize
1.3MB

MD5
172f566945646da9b082ac35dd883f32

SHA1
dcb09fe7cd308e6d702c85a489cf75a004440f64

SHA256
39b9c795f0fb0c9a5d3c806779ca81247ed337c2b93c05505d5beed508c755e9

SHA512
1ea68e2700f43c2a1c71364a4ba6b612313d0681f49c3dfc5049f235beae53f84a2b94606e206c527111afe120284e81c1add463780f410477c2df8010a1c767

Download Submit
C:\Windows\System32\bNwNwqG.exe

Filesize
1.3MB

MD5
790216e9ae524210d3da855616613e13

SHA1
9fee04cbe56078c679c2913825ea102afdba9e1d

SHA256
0d1e524add8975ff9c31f4ddd2d018ef94e0c34722646f84ab44f6ff394f7b2a

SHA512
8f88951cb858c0436b6702c510e870658a787ffb785d823a99fcbf83d3301f99828b6314745ce3a737582b92c7a4c78c9d66a4e3ef5d17d026830b015fd3f398

Download Submit
C:\Windows\System32\bgWSYiY.exe

Filesize
1.3MB

MD5
dc33a6de9486e04a6e7e4c51b4e3a4da

SHA1
dd9d7ddb09cc3d5c398f379413cb170548557a7e

SHA256
e927b288ff0a578e8da6a300d9d1b92ce83bf8ffee1fdd7c210a997584f2aa16

SHA512
035dc2f44ccbca414794f6bac2042908bd81a9f4388ad380159c40126af2fdcf8f1d31837891d67c0a75dc363490c199718425ee3f075686b76ccd206d76d0e2

Download Submit
C:\Windows\System32\cGgOMmD.exe

Filesize
1.3MB

MD5
1227aa9183e7fc4df90a49eb34309dbc

SHA1
3c51c492188b21241c77654a69d20e8ba2ca49f8

SHA256
384e5d8bc8d9d49d2ce7612a1a0d78c6757f18dcc475fdb69645b6abf46fca96

SHA512
f389e8848591bde9144620a35247d919142efee6583ba03c66cd067e2a024a079b92a1025acf0d14e39b307bea5b2e345036b545dad36df016ca46e1b0fbd48c

Download Submit
C:\Windows\System32\cgIJnUf.exe

Filesize
1.3MB

MD5
dbffded9eb1c8af014b2592c683df71c

SHA1
9604192be9b0630670c4fd949886ea26d25c4cc4

SHA256
ca82a9db45619a79727a9328d12085cfd79428548a6ca4abcd24714d088ae70f

SHA512
2356718b804ca30ca659eb15abf459c6b3338075ac25c3ce264cf36361d61d822404d18b876e4539ba10c94a7053717cd4726dbac2e88e3533aef6c9747752e4

Download Submit
C:\Windows\System32\eImRzhn.exe

Filesize
1.3MB

MD5
5f3790e9f446313828fde161e660dfd5

SHA1
57b3546b1e9298f4376f35d99e2d685d1e5db1fa

SHA256
83053cd62235d610ee7268fdf5a04eeae811128759016ca80bd556238ab93a6c

SHA512
f5bcc2198ee27d1af8aa8492c20fc7058e92c8b0518c0b67a84eaf39e59c6d4e49fdb7e48e72b6edf3e59d62588c9faae054e7a56b19903d4c46c138b20ddf79

Download Submit
C:\Windows\System32\hNYqrLh.exe

Filesize
1.3MB

MD5
4ce71df88ef75ee3a3125a465345fa0d

SHA1
5f48bf61ee4794b430b16bbbc5d297eb6589aa44

SHA256
069d1b6b339dbf280af48dabd7a85a7a440d5ee31b73a53261f69690e1e0c67a

SHA512
98c8985b115a765df2e1fdcce522ceb1aefb29ad1184878031a797a9272a5811184f8d2d013fd331d146af18648dd5e85fb41a1cd7d1a75736870cbec6a9259b

Download Submit
C:\Windows\System32\hXklMoa.exe

Filesize
1.3MB

MD5
951d42afa92c95bc9f440c6a4d6082f6

SHA1
578dd1547a80377015d888cbb086188c2cdbb2d5

SHA256
7a5f930ced9174c28b965781de55b22630705025bf99446f6234fefafa4b5b3e

SHA512
5c4d50844e35233b2c5fba09faed50997024a1193084619b86a4807ec7ce27ddbf119b7b468ba7b6bdae85e96e221be5667141e66d051b763a21b9e6ed2cb022

Download Submit
C:\Windows\System32\iPbQnIH.exe

Filesize
1.3MB

MD5
08e7e773fa44f7037c1f7e5ea555681d

SHA1
8e543112538fe04f6e863b42ff4340d00bdeb9c2

SHA256
442404baa90eca14486f22c0c867d99f9d6daed5b3568a3cfc1944c7de22b30a

SHA512
a9da83a3ce0aef247101df771ee531cfe7cdce2cd6dc055a15776e929d0cc5b0ad6fed39cbd77886b645a3fa319c27b827765c6c05fe3a42126ca5e3e4baee80

Download Submit
C:\Windows\System32\jDchtBs.exe

Filesize
1.3MB

MD5
3ddc04edb416cbd5d72885805d654933

SHA1
156f8c0d7bbbc36ce5c800ddf91e514ff4fd2a83

SHA256
690da4e433df36f866abfc6a6039df459b9251ea6eb8ef7f32f3950f8cadf48e

SHA512
a9d81ced1ccf8d4e0a815ba6084e1d962479899cd94a9bc2c7dbd0cd43d87a418c509b498852f2bcb37561bf2fac37458a7ec3175dd668ff9e8ae5d56ed712a7

Download Submit
C:\Windows\System32\kuZjLsO.exe

Filesize
1.3MB

MD5
a2260417c744438ee584d138f29870f5

SHA1
b991a9a9159c474c70731a2a05f3035ef0a01562

SHA256
b55348ccbce3eb41d4a7956213718619b497bad1ff35e8af47a4b684568a1cd2

SHA512
6460a04a9beb99bf2db711120b9427ba5789f072873597df902acd8a3f267d64636665f509afcdccdc61517758e160949cb24d957903a3c2adc975dd472d1e29

Download Submit
C:\Windows\System32\lbhYqvx.exe

Filesize
1.3MB

MD5
1411c7d0495c039a229720025962ec5a

SHA1
ca567fc83966e4cf0c57f5b16134a502a1f455df

SHA256
96859418b63a6393840492d3890b40be9a433c2bf3719876da262c114f3d1d1a

SHA512
8820dce8d232b0ce19f2d95d0831fb09070ce2970c0f4b2c7c1e7ceedb4332ab480c9f9a2a1da5923707f5a921d11e0733275b078b3db09274ec0da68410e040

Download Submit
C:\Windows\System32\moNsCKn.exe

Filesize
1.3MB

MD5
da4806c4ad6f44a2309e5d6679cbaef0

SHA1
b3175ba047cf6d4f60b75369b487bea154d77a90

SHA256
bf73615f6b56f7a425ef4e59045e63d7f57dcb876f74869f682a00a62debb6ab

SHA512
da5f91fe06f12d62b0a250c192efe664e6092f7a768f1f97082fd82c060e1575d701b1ef9b58a51150d7639fa6a122d9cee94858eee11c2a0288404a40aa3d2d

Download Submit
C:\Windows\System32\slcOUfM.exe

Filesize
1.3MB

MD5
09ba2a099aa4445903766f33a774ec15

SHA1
5194d67127ab3f8d54036fae22f843f6f5225c1b

SHA256
4430c7c67721b92536bcac261d59f4226d29713180bacefde295ac0f8a105b74

SHA512
2e7edb07832a6001565c826fb69cf72ff0ba69c1c1edd8183435696fe805ea36b70236491540ff04c84a1891b68cbecc59e9414838ef408f35ae804fac3d856d

Download Submit
C:\Windows\System32\xslUlpQ.exe

Filesize
1.3MB

MD5
02642259c1bc221f6a0aade5726d329a

SHA1
bd236550d4b33e52e2109eae8baa24e8b82bd3e6

SHA256
6616bbad15ca0439ae284ce764a6e2567a28c85dc771746af01e04b45e0d30da

SHA512
acbb54c31a4b7984cf66ac36a10dd80997a28ae266f3d5f191d1c94c40a1f50ad6611d8c11b5b71604f6a00d064e02c9657202082f66585294a43fa32c6a9866

Download Submit
C:\Windows\System32\yxUProi.exe

Filesize
1.3MB

MD5
0cc8efed4da90c1255fdfeaad9827b2e

SHA1
289773296d18e8a24736d7a8603b57c2c0d1612a

SHA256
1672c1ec4f9a18e96839d96281813632b78773c312857762ea7201893b7ce5ca

SHA512
9cf60de7df8c8b8bc52fba12af9066a0d5c4b6538f95aad834f8e9ba6bab63fad7f277beb84c4fc03276a73aa50c22adfc27966111fac8c345bc092b75ecd80b

Download Submit
C:\Windows\System32\yxjVHZo.exe

Filesize
1.3MB

MD5
c90b7c19b7b5b49638cc796e991c7965

SHA1
a8442a5e6b33f69dbd1d836eefe3426377f4d18a

SHA256
4daf9bfa73e2bd4a7c0fd27ea8c78c6bed3db85aa9d6804492a77c249ef2130a

SHA512
1b7694ba3d29a232306d53b5842d170bec60c4fdd82daf25647fa5e24aa33f950b496ce05cd023ea80d8d13a3fb326b3e6842c920058aff748c93230cec02e0f

Download Submit
C:\Windows\System32\zKYTpdM.exe

Filesize
1.3MB

MD5
a0ea0b4c049d9272a2a413c9db5c1717

SHA1
5e9b41193c49d98a4747124d431c3fd45a8da3da

SHA256
73054cc053722d21affa27e823d8497c6c702f66fd3bf3da63f1b2c6073e70b7

SHA512
ce8ab580b34099fe32ba17d0df9c876f187ff0fbdfcdcb74a068fc7c37e9a7e0afb31db0771733a26195039a2b4cfd74ddf897504892f6945529dd91b6180c7a

Download Submit
memory/812-134-0x00007FF617AA0000-0x00007FF617E91000-memory.dmp

Filesize
3.9MB

Download
memory/812-2036-0x00007FF617AA0000-0x00007FF617E91000-memory.dmp

Filesize
3.9MB

Download
memory/1372-2018-0x00007FF681B00000-0x00007FF681EF1000-memory.dmp

Filesize
3.9MB

Download
memory/1372-166-0x00007FF681B00000-0x00007FF681EF1000-memory.dmp

Filesize
3.9MB

Download
memory/1440-1966-0x00007FF618260000-0x00007FF618651000-memory.dmp

Filesize
3.9MB

Download
memory/1440-2006-0x00007FF618260000-0x00007FF618651000-memory.dmp

Filesize
3.9MB

Download
memory/1440-31-0x00007FF618260000-0x00007FF618651000-memory.dmp

Filesize
3.9MB

Download
memory/1488-2030-0x00007FF79B2B0000-0x00007FF79B6A1000-memory.dmp

Filesize
3.9MB

Download
memory/1488-119-0x00007FF79B2B0000-0x00007FF79B6A1000-memory.dmp

Filesize
3.9MB

Download
memory/1600-1928-0x00007FF6F9410000-0x00007FF6F9801000-memory.dmp

Filesize
3.9MB

Download
memory/1600-0-0x00007FF6F9410000-0x00007FF6F9801000-memory.dmp

Filesize
3.9MB

Download
memory/1600-1-0x000001269C750000-0x000001269C760000-memory.dmp

Filesize
64KB

Download
memory/1620-2026-0x00007FF756E80000-0x00007FF757271000-memory.dmp

Filesize
3.9MB

Download
memory/1620-91-0x00007FF756E80000-0x00007FF757271000-memory.dmp

Filesize
3.9MB

Download
memory/1620-1957-0x00007FF756E80000-0x00007FF757271000-memory.dmp

Filesize
3.9MB

Download
memory/1672-2014-0x00007FF7898E0000-0x00007FF789CD1000-memory.dmp

Filesize
3.9MB

Download
memory/1672-51-0x00007FF7898E0000-0x00007FF789CD1000-memory.dmp

Filesize
3.9MB

Download
memory/1672-1955-0x00007FF7898E0000-0x00007FF789CD1000-memory.dmp

Filesize
3.9MB

Download
memory/2044-112-0x00007FF6D60D0000-0x00007FF6D64C1000-memory.dmp

Filesize
3.9MB

Download
memory/2044-2020-0x00007FF6D60D0000-0x00007FF6D64C1000-memory.dmp

Filesize
3.9MB

Download
memory/2100-2044-0x00007FF722A40000-0x00007FF722E31000-memory.dmp

Filesize
3.9MB

Download
memory/2100-171-0x00007FF722A40000-0x00007FF722E31000-memory.dmp

Filesize
3.9MB

Download
memory/2264-1956-0x00007FF71A790000-0x00007FF71AB81000-memory.dmp

Filesize
3.9MB

Download
memory/2264-66-0x00007FF71A790000-0x00007FF71AB81000-memory.dmp

Filesize
3.9MB

Download
memory/2264-2022-0x00007FF71A790000-0x00007FF71AB81000-memory.dmp

Filesize
3.9MB

Download
memory/2296-2008-0x00007FF6F18B0000-0x00007FF6F1CA1000-memory.dmp

Filesize
3.9MB

Download
memory/2296-96-0x00007FF6F18B0000-0x00007FF6F1CA1000-memory.dmp

Filesize
3.9MB

Download
memory/2492-2028-0x00007FF7815C0000-0x00007FF7819B1000-memory.dmp

Filesize
3.9MB

Download
memory/2492-114-0x00007FF7815C0000-0x00007FF7819B1000-memory.dmp

Filesize
3.9MB

Download
memory/2648-26-0x00007FF729E70000-0x00007FF72A261000-memory.dmp

Filesize
3.9MB

Download
memory/2648-1953-0x00007FF729E70000-0x00007FF72A261000-memory.dmp

Filesize
3.9MB

Download
memory/2648-2004-0x00007FF729E70000-0x00007FF72A261000-memory.dmp

Filesize
3.9MB

Download
memory/2756-180-0x00007FF6A2BC0000-0x00007FF6A2FB1000-memory.dmp

Filesize
3.9MB

Download
memory/2756-2050-0x00007FF6A2BC0000-0x00007FF6A2FB1000-memory.dmp

Filesize
3.9MB

Download
memory/2812-2034-0x00007FF6831A0000-0x00007FF683591000-memory.dmp

Filesize
3.9MB

Download
memory/2812-131-0x00007FF6831A0000-0x00007FF683591000-memory.dmp

Filesize
3.9MB

Download
memory/2840-105-0x00007FF764420000-0x00007FF764811000-memory.dmp

Filesize
3.9MB

Download
memory/2840-2024-0x00007FF764420000-0x00007FF764811000-memory.dmp

Filesize
3.9MB

Download
memory/3036-2010-0x00007FF72B070000-0x00007FF72B461000-memory.dmp

Filesize
3.9MB

Download
memory/3036-153-0x00007FF72B070000-0x00007FF72B461000-memory.dmp

Filesize
3.9MB

Download
memory/3112-175-0x00007FF718B30000-0x00007FF718F21000-memory.dmp

Filesize
3.9MB

Download
memory/3112-2041-0x00007FF718B30000-0x00007FF718F21000-memory.dmp

Filesize
3.9MB

Download
memory/3464-155-0x00007FF6B7D30000-0x00007FF6B8121000-memory.dmp

Filesize
3.9MB

Download
memory/3464-2012-0x00007FF6B7D30000-0x00007FF6B8121000-memory.dmp

Filesize
3.9MB

Download
memory/3616-2038-0x00007FF64D140000-0x00007FF64D531000-memory.dmp

Filesize
3.9MB

Download
memory/3616-168-0x00007FF64D140000-0x00007FF64D531000-memory.dmp

Filesize
3.9MB

Download
memory/3644-2017-0x00007FF6D1C10000-0x00007FF6D2001000-memory.dmp

Filesize
3.9MB

Download
memory/3644-167-0x00007FF6D1C10000-0x00007FF6D2001000-memory.dmp

Filesize
3.9MB

Download
memory/3728-12-0x00007FF612C10000-0x00007FF613001000-memory.dmp

Filesize
3.9MB

Download
memory/3728-2002-0x00007FF612C10000-0x00007FF613001000-memory.dmp

Filesize
3.9MB

Download
memory/3728-1929-0x00007FF612C10000-0x00007FF613001000-memory.dmp

Filesize
3.9MB

Download
memory/4280-1967-0x00007FF6E0940000-0x00007FF6E0D31000-memory.dmp

Filesize
3.9MB

Download
memory/4280-143-0x00007FF6E0940000-0x00007FF6E0D31000-memory.dmp

Filesize
3.9MB

Download
memory/4280-2046-0x00007FF6E0940000-0x00007FF6E0D31000-memory.dmp

Filesize
3.9MB

Download
memory/4392-2032-0x00007FF704690000-0x00007FF704A81000-memory.dmp

Filesize
3.9MB

Download
memory/4392-121-0x00007FF704690000-0x00007FF704A81000-memory.dmp

Filesize
3.9MB

Download
memory/4480-174-0x00007FF6FDA40000-0x00007FF6FDE31000-memory.dmp

Filesize
3.9MB

Download
memory/4480-2042-0x00007FF6FDA40000-0x00007FF6FDE31000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads