xmrig | 6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396

Analysis

max time kernel
95s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
Size

2.2MB
MD5

acd44c15311947c542b60d62a8f5d0ce
SHA1

878fd6461cdea11f38a9ffa3335a732110f6e22a
SHA256

6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396
SHA512

ab2e40cc64f0214ee3c1d2fe343d2d7fc69d5e93d1c4843c8afa97ab857f8e0e8d37721a5498a056434c1cca553e26e98ea8e5d8a2d4799b4aca57e0be3d468f
SSDEEP

49152:BezaTF8FcNkNdfE0pZ9ozt4wIQoyBcIKH0ksL:BemTLkNdfE0pZrQH

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/4868-0-0x00007FF723110000-0x00007FF723464000-memory.dmp	UPX
behavioral2/files/0x000a000000023038-5.dat	UPX
behavioral2/files/0x00070000000231f9-7.dat	UPX
behavioral2/files/0x000a000000023038-8.dat	UPX
behavioral2/files/0x00080000000231f8-17.dat	UPX
behavioral2/files/0x00070000000231f9-16.dat	UPX
behavioral2/files/0x00070000000231f9-19.dat	UPX
behavioral2/files/0x00070000000231fb-27.dat	UPX
behavioral2/files/0x00070000000231ff-53.dat	UPX
behavioral2/files/0x0007000000023203-62.dat	UPX
behavioral2/files/0x0007000000023200-70.dat	UPX
behavioral2/files/0x0007000000023205-81.dat	UPX
behavioral2/files/0x0007000000023204-86.dat	UPX
behavioral2/files/0x0007000000023207-97.dat	UPX
behavioral2/files/0x0007000000023207-103.dat	UPX
behavioral2/files/0x0007000000023208-108.dat	UPX
behavioral2/files/0x000700000002320b-120.dat	UPX
behavioral2/files/0x000a0000000231ad-127.dat	UPX
behavioral2/memory/3468-135-0x00007FF7DE650000-0x00007FF7DE9A4000-memory.dmp	UPX
behavioral2/files/0x000700000002320c-137.dat	UPX
behavioral2/files/0x000700000002320e-146.dat	UPX
behavioral2/memory/2516-160-0x00007FF77D4B0000-0x00007FF77D804000-memory.dmp	UPX
behavioral2/files/0x0007000000023212-164.dat	UPX
behavioral2/files/0x0007000000023212-168.dat	UPX
behavioral2/files/0x0007000000023214-183.dat	UPX
behavioral2/memory/5092-199-0x00007FF686F90000-0x00007FF6872E4000-memory.dmp	UPX
behavioral2/memory/404-207-0x00007FF612D90000-0x00007FF6130E4000-memory.dmp	UPX
behavioral2/memory/760-202-0x00007FF679F60000-0x00007FF67A2B4000-memory.dmp	UPX
behavioral2/memory/5088-198-0x00007FF6771B0000-0x00007FF677504000-memory.dmp	UPX
behavioral2/memory/2316-295-0x00007FF6CF4C0000-0x00007FF6CF814000-memory.dmp	UPX
behavioral2/memory/4876-296-0x00007FF7B6290000-0x00007FF7B65E4000-memory.dmp	UPX
behavioral2/memory/3264-297-0x00007FF68AEA0000-0x00007FF68B1F4000-memory.dmp	UPX
behavioral2/memory/4988-298-0x00007FF672120000-0x00007FF672474000-memory.dmp	UPX
behavioral2/memory/988-306-0x00007FF6CBAD0000-0x00007FF6CBE24000-memory.dmp	UPX
behavioral2/memory/5100-316-0x00007FF7C6700000-0x00007FF7C6A54000-memory.dmp	UPX
behavioral2/memory/1876-345-0x00007FF676030000-0x00007FF676384000-memory.dmp	UPX
behavioral2/memory/1956-353-0x00007FF6D6770000-0x00007FF6D6AC4000-memory.dmp	UPX
behavioral2/memory/4220-384-0x00007FF711C90000-0x00007FF711FE4000-memory.dmp	UPX
behavioral2/memory/1676-391-0x00007FF6BF440000-0x00007FF6BF794000-memory.dmp	UPX
behavioral2/memory/4724-419-0x00007FF6AE7E0000-0x00007FF6AEB34000-memory.dmp	UPX
behavioral2/memory/2044-436-0x00007FF798940000-0x00007FF798C94000-memory.dmp	UPX
behavioral2/memory/3180-438-0x00007FF6FBC60000-0x00007FF6FBFB4000-memory.dmp	UPX
behavioral2/memory/1536-455-0x00007FF7C50F0000-0x00007FF7C5444000-memory.dmp	UPX
behavioral2/memory/3412-495-0x00007FF61E1E0000-0x00007FF61E534000-memory.dmp	UPX
behavioral2/memory/1752-508-0x00007FF673C60000-0x00007FF673FB4000-memory.dmp	UPX
behavioral2/memory/3340-546-0x00007FF60BAF0000-0x00007FF60BE44000-memory.dmp	UPX
behavioral2/memory/1020-623-0x00007FF755DC0000-0x00007FF756114000-memory.dmp	UPX
behavioral2/memory/1812-603-0x00007FF6EC6D0000-0x00007FF6ECA24000-memory.dmp	UPX
behavioral2/memory/4140-583-0x00007FF601F50000-0x00007FF6022A4000-memory.dmp	UPX
behavioral2/memory/3036-565-0x00007FF7E0610000-0x00007FF7E0964000-memory.dmp	UPX
behavioral2/memory/3068-556-0x00007FF783DA0000-0x00007FF7840F4000-memory.dmp	UPX
behavioral2/memory/3004-535-0x00007FF681BC0000-0x00007FF681F14000-memory.dmp	UPX
behavioral2/memory/2892-527-0x00007FF77B2B0000-0x00007FF77B604000-memory.dmp	UPX
behavioral2/memory/1540-502-0x00007FF64DA40000-0x00007FF64DD94000-memory.dmp	UPX
behavioral2/memory/4716-486-0x00007FF7E5200000-0x00007FF7E5554000-memory.dmp	UPX
behavioral2/memory/3820-464-0x00007FF686E30000-0x00007FF687184000-memory.dmp	UPX
behavioral2/memory/4472-465-0x00007FF69E9B0000-0x00007FF69ED04000-memory.dmp	UPX
behavioral2/memory/4436-443-0x00007FF64A240000-0x00007FF64A594000-memory.dmp	UPX
behavioral2/memory/3984-442-0x00007FF6B5AF0000-0x00007FF6B5E44000-memory.dmp	UPX
behavioral2/memory/2028-426-0x00007FF619410000-0x00007FF619764000-memory.dmp	UPX
behavioral2/memory/3020-408-0x00007FF63ACB0000-0x00007FF63B004000-memory.dmp	UPX
behavioral2/memory/388-368-0x00007FF693EE0000-0x00007FF694234000-memory.dmp	UPX
behavioral2/memory/2652-320-0x00007FF687E70000-0x00007FF6881C4000-memory.dmp	UPX
behavioral2/memory/4976-191-0x00007FF73D5C0000-0x00007FF73D914000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4868-0-0x00007FF723110000-0x00007FF723464000-memory.dmp	xmrig
behavioral2/files/0x000a000000023038-5.dat	xmrig
behavioral2/files/0x00070000000231f9-7.dat	xmrig
behavioral2/files/0x000a000000023038-8.dat	xmrig
behavioral2/files/0x00080000000231f8-17.dat	xmrig
behavioral2/files/0x00070000000231f9-16.dat	xmrig
behavioral2/files/0x00070000000231f9-19.dat	xmrig
behavioral2/files/0x00070000000231fb-27.dat	xmrig
behavioral2/files/0x00070000000231ff-53.dat	xmrig
behavioral2/files/0x0007000000023203-62.dat	xmrig
behavioral2/files/0x0007000000023200-70.dat	xmrig
behavioral2/files/0x0007000000023205-81.dat	xmrig
behavioral2/files/0x0007000000023204-86.dat	xmrig
behavioral2/files/0x0007000000023207-97.dat	xmrig
behavioral2/files/0x0007000000023207-103.dat	xmrig
behavioral2/files/0x0007000000023208-108.dat	xmrig
behavioral2/files/0x000700000002320b-120.dat	xmrig
behavioral2/files/0x000a0000000231ad-127.dat	xmrig
behavioral2/memory/3468-135-0x00007FF7DE650000-0x00007FF7DE9A4000-memory.dmp	xmrig
behavioral2/files/0x000700000002320c-137.dat	xmrig
behavioral2/files/0x000700000002320e-146.dat	xmrig
behavioral2/memory/2516-160-0x00007FF77D4B0000-0x00007FF77D804000-memory.dmp	xmrig
behavioral2/files/0x0007000000023212-164.dat	xmrig
behavioral2/files/0x0007000000023212-168.dat	xmrig
behavioral2/files/0x0007000000023214-183.dat	xmrig
behavioral2/memory/5092-199-0x00007FF686F90000-0x00007FF6872E4000-memory.dmp	xmrig
behavioral2/memory/404-207-0x00007FF612D90000-0x00007FF6130E4000-memory.dmp	xmrig
behavioral2/memory/760-202-0x00007FF679F60000-0x00007FF67A2B4000-memory.dmp	xmrig
behavioral2/memory/5088-198-0x00007FF6771B0000-0x00007FF677504000-memory.dmp	xmrig
behavioral2/memory/2316-295-0x00007FF6CF4C0000-0x00007FF6CF814000-memory.dmp	xmrig
behavioral2/memory/4876-296-0x00007FF7B6290000-0x00007FF7B65E4000-memory.dmp	xmrig
behavioral2/memory/3264-297-0x00007FF68AEA0000-0x00007FF68B1F4000-memory.dmp	xmrig
behavioral2/memory/4988-298-0x00007FF672120000-0x00007FF672474000-memory.dmp	xmrig
behavioral2/memory/988-306-0x00007FF6CBAD0000-0x00007FF6CBE24000-memory.dmp	xmrig
behavioral2/memory/5100-316-0x00007FF7C6700000-0x00007FF7C6A54000-memory.dmp	xmrig
behavioral2/memory/1876-345-0x00007FF676030000-0x00007FF676384000-memory.dmp	xmrig
behavioral2/memory/1956-353-0x00007FF6D6770000-0x00007FF6D6AC4000-memory.dmp	xmrig
behavioral2/memory/4220-384-0x00007FF711C90000-0x00007FF711FE4000-memory.dmp	xmrig
behavioral2/memory/1676-391-0x00007FF6BF440000-0x00007FF6BF794000-memory.dmp	xmrig
behavioral2/memory/4724-419-0x00007FF6AE7E0000-0x00007FF6AEB34000-memory.dmp	xmrig
behavioral2/memory/2044-436-0x00007FF798940000-0x00007FF798C94000-memory.dmp	xmrig
behavioral2/memory/3180-438-0x00007FF6FBC60000-0x00007FF6FBFB4000-memory.dmp	xmrig
behavioral2/memory/1536-455-0x00007FF7C50F0000-0x00007FF7C5444000-memory.dmp	xmrig
behavioral2/memory/3412-495-0x00007FF61E1E0000-0x00007FF61E534000-memory.dmp	xmrig
behavioral2/memory/1752-508-0x00007FF673C60000-0x00007FF673FB4000-memory.dmp	xmrig
behavioral2/memory/3340-546-0x00007FF60BAF0000-0x00007FF60BE44000-memory.dmp	xmrig
behavioral2/memory/1020-623-0x00007FF755DC0000-0x00007FF756114000-memory.dmp	xmrig
behavioral2/memory/1812-603-0x00007FF6EC6D0000-0x00007FF6ECA24000-memory.dmp	xmrig
behavioral2/memory/4140-583-0x00007FF601F50000-0x00007FF6022A4000-memory.dmp	xmrig
behavioral2/memory/3036-565-0x00007FF7E0610000-0x00007FF7E0964000-memory.dmp	xmrig
behavioral2/memory/3068-556-0x00007FF783DA0000-0x00007FF7840F4000-memory.dmp	xmrig
behavioral2/memory/3004-535-0x00007FF681BC0000-0x00007FF681F14000-memory.dmp	xmrig
behavioral2/memory/2892-527-0x00007FF77B2B0000-0x00007FF77B604000-memory.dmp	xmrig
behavioral2/memory/1540-502-0x00007FF64DA40000-0x00007FF64DD94000-memory.dmp	xmrig
behavioral2/memory/4716-486-0x00007FF7E5200000-0x00007FF7E5554000-memory.dmp	xmrig
behavioral2/memory/3820-464-0x00007FF686E30000-0x00007FF687184000-memory.dmp	xmrig
behavioral2/memory/4472-465-0x00007FF69E9B0000-0x00007FF69ED04000-memory.dmp	xmrig
behavioral2/memory/4436-443-0x00007FF64A240000-0x00007FF64A594000-memory.dmp	xmrig
behavioral2/memory/3984-442-0x00007FF6B5AF0000-0x00007FF6B5E44000-memory.dmp	xmrig
behavioral2/memory/2028-426-0x00007FF619410000-0x00007FF619764000-memory.dmp	xmrig
behavioral2/memory/3020-408-0x00007FF63ACB0000-0x00007FF63B004000-memory.dmp	xmrig
behavioral2/memory/388-368-0x00007FF693EE0000-0x00007FF694234000-memory.dmp	xmrig
behavioral2/memory/2652-320-0x00007FF687E70000-0x00007FF6881C4000-memory.dmp	xmrig
behavioral2/memory/4976-191-0x00007FF73D5C0000-0x00007FF73D914000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
548	TQBHGfE.exe
4892	ziakRkd.exe
2836	KbbUcSr.exe
2612	IARqtHI.exe
2556	lykXzrg.exe
3248	eDFMjnY.exe
2988	FlnrjdO.exe
5076	vFkRHRk.exe
872	aatrscV.exe
4052	HdSEJtg.exe
3244	pwVDCCo.exe
3604	npdKNMw.exe
2444	LWWGVaT.exe
4732	SYOKjVj.exe
3468	ebQPwma.exe
3524	aePirmn.exe
1380	YjeygeI.exe
2212	ZJlQnSJ.exe
2516	yXeDJTR.exe
2076	ZCRXPCL.exe
4380	IzFGHvf.exe
2636	NjMIYhD.exe
4976	hmxseOV.exe
5088	QcDfhQF.exe
5092	GJfkliq.exe
760	WBXuxgO.exe
4780	AGvQvbO.exe
4360	NNScqvX.exe
404	KZVpuWr.exe
2316	ARDBcjm.exe
4876	kqNVnwM.exe
1432	KFRPHID.exe
2536	rQYvFQW.exe
3356	awawVyi.exe
4964	nxusDLX.exe
3264	GrOpals.exe
1656	VBhRTnM.exe
4368	oiREkLB.exe
4988	pawdhcw.exe
988	ZJjBPqT.exe
5100	btpbfnr.exe
2652	uAxscmQ.exe
1876	OhVqBwn.exe
1956	vACRCpu.exe
388	mZAWvKD.exe
4220	KbCfDgG.exe
1676	itYmzVB.exe
3020	ZMbCVJA.exe
4724	mWJFhWq.exe
2028	ePylylf.exe
2044	SGdAFxv.exe
3180	wyyPUAI.exe
3984	iuGMFNw.exe
4436	XKfTkQs.exe
1536	pBeUbPf.exe
3820	hedyzCS.exe
4472	ekcOWQe.exe
4716	IcJTPhP.exe
3412	pCagRrl.exe
1540	IxwWBLX.exe
1752	kKedjrJ.exe
2892	UGbDQry.exe
3004	wEkDeuz.exe
3340	AiNsWtb.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4868-0-0x00007FF723110000-0x00007FF723464000-memory.dmp	upx
behavioral2/files/0x000a000000023038-5.dat	upx
behavioral2/files/0x00070000000231f9-7.dat	upx
behavioral2/files/0x000a000000023038-8.dat	upx
behavioral2/files/0x00080000000231f8-17.dat	upx
behavioral2/files/0x00070000000231f9-16.dat	upx
behavioral2/files/0x00070000000231f9-19.dat	upx
behavioral2/files/0x00070000000231fb-27.dat	upx
behavioral2/files/0x00070000000231ff-53.dat	upx
behavioral2/files/0x0007000000023203-62.dat	upx
behavioral2/files/0x0007000000023200-70.dat	upx
behavioral2/files/0x0007000000023205-81.dat	upx
behavioral2/files/0x0007000000023204-86.dat	upx
behavioral2/files/0x0007000000023207-97.dat	upx
behavioral2/files/0x0007000000023207-103.dat	upx
behavioral2/files/0x0007000000023208-108.dat	upx
behavioral2/files/0x000700000002320b-120.dat	upx
behavioral2/files/0x000a0000000231ad-127.dat	upx
behavioral2/memory/3468-135-0x00007FF7DE650000-0x00007FF7DE9A4000-memory.dmp	upx
behavioral2/files/0x000700000002320c-137.dat	upx
behavioral2/files/0x000700000002320e-146.dat	upx
behavioral2/memory/2516-160-0x00007FF77D4B0000-0x00007FF77D804000-memory.dmp	upx
behavioral2/files/0x0007000000023212-164.dat	upx
behavioral2/files/0x0007000000023212-168.dat	upx
behavioral2/files/0x0007000000023214-183.dat	upx
behavioral2/memory/5092-199-0x00007FF686F90000-0x00007FF6872E4000-memory.dmp	upx
behavioral2/memory/404-207-0x00007FF612D90000-0x00007FF6130E4000-memory.dmp	upx
behavioral2/memory/760-202-0x00007FF679F60000-0x00007FF67A2B4000-memory.dmp	upx
behavioral2/memory/5088-198-0x00007FF6771B0000-0x00007FF677504000-memory.dmp	upx
behavioral2/memory/2316-295-0x00007FF6CF4C0000-0x00007FF6CF814000-memory.dmp	upx
behavioral2/memory/4876-296-0x00007FF7B6290000-0x00007FF7B65E4000-memory.dmp	upx
behavioral2/memory/3264-297-0x00007FF68AEA0000-0x00007FF68B1F4000-memory.dmp	upx
behavioral2/memory/4988-298-0x00007FF672120000-0x00007FF672474000-memory.dmp	upx
behavioral2/memory/988-306-0x00007FF6CBAD0000-0x00007FF6CBE24000-memory.dmp	upx
behavioral2/memory/5100-316-0x00007FF7C6700000-0x00007FF7C6A54000-memory.dmp	upx
behavioral2/memory/1876-345-0x00007FF676030000-0x00007FF676384000-memory.dmp	upx
behavioral2/memory/1956-353-0x00007FF6D6770000-0x00007FF6D6AC4000-memory.dmp	upx
behavioral2/memory/4220-384-0x00007FF711C90000-0x00007FF711FE4000-memory.dmp	upx
behavioral2/memory/1676-391-0x00007FF6BF440000-0x00007FF6BF794000-memory.dmp	upx
behavioral2/memory/4724-419-0x00007FF6AE7E0000-0x00007FF6AEB34000-memory.dmp	upx
behavioral2/memory/2044-436-0x00007FF798940000-0x00007FF798C94000-memory.dmp	upx
behavioral2/memory/3180-438-0x00007FF6FBC60000-0x00007FF6FBFB4000-memory.dmp	upx
behavioral2/memory/1536-455-0x00007FF7C50F0000-0x00007FF7C5444000-memory.dmp	upx
behavioral2/memory/3412-495-0x00007FF61E1E0000-0x00007FF61E534000-memory.dmp	upx
behavioral2/memory/1752-508-0x00007FF673C60000-0x00007FF673FB4000-memory.dmp	upx
behavioral2/memory/3340-546-0x00007FF60BAF0000-0x00007FF60BE44000-memory.dmp	upx
behavioral2/memory/1020-623-0x00007FF755DC0000-0x00007FF756114000-memory.dmp	upx
behavioral2/memory/1812-603-0x00007FF6EC6D0000-0x00007FF6ECA24000-memory.dmp	upx
behavioral2/memory/4140-583-0x00007FF601F50000-0x00007FF6022A4000-memory.dmp	upx
behavioral2/memory/3036-565-0x00007FF7E0610000-0x00007FF7E0964000-memory.dmp	upx
behavioral2/memory/3068-556-0x00007FF783DA0000-0x00007FF7840F4000-memory.dmp	upx
behavioral2/memory/3004-535-0x00007FF681BC0000-0x00007FF681F14000-memory.dmp	upx
behavioral2/memory/2892-527-0x00007FF77B2B0000-0x00007FF77B604000-memory.dmp	upx
behavioral2/memory/1540-502-0x00007FF64DA40000-0x00007FF64DD94000-memory.dmp	upx
behavioral2/memory/4716-486-0x00007FF7E5200000-0x00007FF7E5554000-memory.dmp	upx
behavioral2/memory/3820-464-0x00007FF686E30000-0x00007FF687184000-memory.dmp	upx
behavioral2/memory/4472-465-0x00007FF69E9B0000-0x00007FF69ED04000-memory.dmp	upx
behavioral2/memory/4436-443-0x00007FF64A240000-0x00007FF64A594000-memory.dmp	upx
behavioral2/memory/3984-442-0x00007FF6B5AF0000-0x00007FF6B5E44000-memory.dmp	upx
behavioral2/memory/2028-426-0x00007FF619410000-0x00007FF619764000-memory.dmp	upx
behavioral2/memory/3020-408-0x00007FF63ACB0000-0x00007FF63B004000-memory.dmp	upx
behavioral2/memory/388-368-0x00007FF693EE0000-0x00007FF694234000-memory.dmp	upx
behavioral2/memory/2652-320-0x00007FF687E70000-0x00007FF6881C4000-memory.dmp	upx
behavioral2/memory/4976-191-0x00007FF73D5C0000-0x00007FF73D914000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\LkLEBGt.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\JlnrhJn.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\klplkZq.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\pfaLNMX.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\DcEfhCK.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\foagpGn.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\XLOGHfK.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\SehZWtW.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\QAYaRRB.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\pWsIFyQ.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\wyyPUAI.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\QSRjvTr.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\foqKsjV.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\jbnpYcP.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\XKfTkQs.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\syvydaf.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\ZDyTOtp.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\BpRmObJ.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\EYvIfvI.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\qFZwgyn.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\UaGtdGZ.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\uviRDfD.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\zHvgaiS.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\itYmzVB.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\RoxrkjT.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\kzFKKCL.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\UrIGPMG.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\JIapaCf.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\NGKtKFb.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\UwiTHOw.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\kMoOXlk.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\iGYUECD.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\ZCsoGuN.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\XThlrSu.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\VJitFrR.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\kQXikBB.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\iOKXhcY.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\prHBToy.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\mZAWvKD.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\WmfAiPp.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\gcifHoP.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\ytqoiwV.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\EPHSxOH.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\oqnSjZk.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\VtkaLlb.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\lpvRSrs.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\ykaznwT.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\xlmUPGX.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\QyehPYr.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\uvVhmuU.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\DTXKlXc.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\SiqFzvM.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\NmdoVTb.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\yxZnIKE.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\UGbDQry.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\tSZJEeu.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\QCHbfUv.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\tuRflrt.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\FJSmNpm.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\sJSYejk.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\UqgfPhj.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\cEfvoZj.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\Vkyxvcd.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
File created	C:\Windows\System\fTxhWBq.exe	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	11728	dwm.exe
Token: SeChangeNotifyPrivilege	11728	dwm.exe
Token: 33	11728	dwm.exe
Token: SeIncBasePriorityPrivilege	11728	dwm.exe
Token: SeShutdownPrivilege	11728	dwm.exe
Token: SeCreatePagefilePrivilege	11728	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 548	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	90
PID 4868 wrote to memory of 548	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	90
PID 4868 wrote to memory of 4892	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	92
PID 4868 wrote to memory of 4892	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	92
PID 4868 wrote to memory of 2836	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	93
PID 4868 wrote to memory of 2836	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	93
PID 4868 wrote to memory of 2612	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	94
PID 4868 wrote to memory of 2612	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	94
PID 4868 wrote to memory of 2556	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	95
PID 4868 wrote to memory of 2556	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	95
PID 4868 wrote to memory of 3248	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	96
PID 4868 wrote to memory of 3248	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	96
PID 4868 wrote to memory of 2988	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	97
PID 4868 wrote to memory of 2988	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	97
PID 4868 wrote to memory of 5076	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	98
PID 4868 wrote to memory of 5076	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	98
PID 4868 wrote to memory of 872	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	99
PID 4868 wrote to memory of 872	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	99
PID 4868 wrote to memory of 4052	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	100
PID 4868 wrote to memory of 4052	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	100
PID 4868 wrote to memory of 3244	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	101
PID 4868 wrote to memory of 3244	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	101
PID 4868 wrote to memory of 3604	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	102
PID 4868 wrote to memory of 3604	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	102
PID 4868 wrote to memory of 2444	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	103
PID 4868 wrote to memory of 2444	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	103
PID 4868 wrote to memory of 4732	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	104
PID 4868 wrote to memory of 4732	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	104
PID 4868 wrote to memory of 3468	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	105
PID 4868 wrote to memory of 3468	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	105
PID 4868 wrote to memory of 2516	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	106
PID 4868 wrote to memory of 2516	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	106
PID 4868 wrote to memory of 3524	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	107
PID 4868 wrote to memory of 3524	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	107
PID 4868 wrote to memory of 1380	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	108
PID 4868 wrote to memory of 1380	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	108
PID 4868 wrote to memory of 2212	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	109
PID 4868 wrote to memory of 2212	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	109
PID 4868 wrote to memory of 2076	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	110
PID 4868 wrote to memory of 2076	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	110
PID 4868 wrote to memory of 4380	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	111
PID 4868 wrote to memory of 4380	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	111
PID 4868 wrote to memory of 2636	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	112
PID 4868 wrote to memory of 2636	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	112
PID 4868 wrote to memory of 4976	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	113
PID 4868 wrote to memory of 4976	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	113
PID 4868 wrote to memory of 5088	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	114
PID 4868 wrote to memory of 5088	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	114
PID 4868 wrote to memory of 5092	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	115
PID 4868 wrote to memory of 5092	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	115
PID 4868 wrote to memory of 4780	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	116
PID 4868 wrote to memory of 4780	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	116
PID 4868 wrote to memory of 760	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	117
PID 4868 wrote to memory of 760	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	117
PID 4868 wrote to memory of 4360	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	118
PID 4868 wrote to memory of 4360	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	118
PID 4868 wrote to memory of 404	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	119
PID 4868 wrote to memory of 404	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	119
PID 4868 wrote to memory of 2316	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	120
PID 4868 wrote to memory of 2316	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	120
PID 4868 wrote to memory of 4876	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	121
PID 4868 wrote to memory of 4876	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	121
PID 4868 wrote to memory of 1432	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	122
PID 4868 wrote to memory of 1432	4868	6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe	122

C:\Users\Admin\AppData\Local\Temp\6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe
"C:\Users\Admin\AppData\Local\Temp\6e2e2a9afc2927dba579f9c584b64a1c039f82559bcb5e9d2518356332c95396.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\System\TQBHGfE.exe
  C:\Windows\System\TQBHGfE.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System\ziakRkd.exe
  C:\Windows\System\ziakRkd.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System\KbbUcSr.exe
  C:\Windows\System\KbbUcSr.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System\IARqtHI.exe
  C:\Windows\System\IARqtHI.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\lykXzrg.exe
  C:\Windows\System\lykXzrg.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\eDFMjnY.exe
  C:\Windows\System\eDFMjnY.exe
  2⤵
  - Executes dropped EXE
  PID:3248
- C:\Windows\System\FlnrjdO.exe
  C:\Windows\System\FlnrjdO.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System\vFkRHRk.exe
  C:\Windows\System\vFkRHRk.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System\aatrscV.exe
  C:\Windows\System\aatrscV.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System\HdSEJtg.exe
  C:\Windows\System\HdSEJtg.exe
  2⤵
  - Executes dropped EXE
  PID:4052
- C:\Windows\System\pwVDCCo.exe
  C:\Windows\System\pwVDCCo.exe
  2⤵
  - Executes dropped EXE
  PID:3244
- C:\Windows\System\npdKNMw.exe
  C:\Windows\System\npdKNMw.exe
  2⤵
  - Executes dropped EXE
  PID:3604
- C:\Windows\System\LWWGVaT.exe
  C:\Windows\System\LWWGVaT.exe
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\System\SYOKjVj.exe
  C:\Windows\System\SYOKjVj.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System\ebQPwma.exe
  C:\Windows\System\ebQPwma.exe
  2⤵
  - Executes dropped EXE
  PID:3468
- C:\Windows\System\yXeDJTR.exe
  C:\Windows\System\yXeDJTR.exe
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\System\aePirmn.exe
  C:\Windows\System\aePirmn.exe
  2⤵
  - Executes dropped EXE
  PID:3524
- C:\Windows\System\YjeygeI.exe
  C:\Windows\System\YjeygeI.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System\ZJlQnSJ.exe
  C:\Windows\System\ZJlQnSJ.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System\ZCRXPCL.exe
  C:\Windows\System\ZCRXPCL.exe
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\System\IzFGHvf.exe
  C:\Windows\System\IzFGHvf.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System\NjMIYhD.exe
  C:\Windows\System\NjMIYhD.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\hmxseOV.exe
  C:\Windows\System\hmxseOV.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\QcDfhQF.exe
  C:\Windows\System\QcDfhQF.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System\GJfkliq.exe
  C:\Windows\System\GJfkliq.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\AGvQvbO.exe
  C:\Windows\System\AGvQvbO.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System\WBXuxgO.exe
  C:\Windows\System\WBXuxgO.exe
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\System\NNScqvX.exe
  C:\Windows\System\NNScqvX.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System\KZVpuWr.exe
  C:\Windows\System\KZVpuWr.exe
  2⤵
  - Executes dropped EXE
  PID:404
- C:\Windows\System\ARDBcjm.exe
  C:\Windows\System\ARDBcjm.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\kqNVnwM.exe
  C:\Windows\System\kqNVnwM.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Windows\System\KFRPHID.exe
  C:\Windows\System\KFRPHID.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System\rQYvFQW.exe
  C:\Windows\System\rQYvFQW.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\awawVyi.exe
  C:\Windows\System\awawVyi.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System\nxusDLX.exe
  C:\Windows\System\nxusDLX.exe
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\Windows\System\GrOpals.exe
  C:\Windows\System\GrOpals.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System\VBhRTnM.exe
  C:\Windows\System\VBhRTnM.exe
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\System\oiREkLB.exe
  C:\Windows\System\oiREkLB.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System\pawdhcw.exe
  C:\Windows\System\pawdhcw.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\ZJjBPqT.exe
  C:\Windows\System\ZJjBPqT.exe
  2⤵
  - Executes dropped EXE
  PID:988
- C:\Windows\System\btpbfnr.exe
  C:\Windows\System\btpbfnr.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System\uAxscmQ.exe
  C:\Windows\System\uAxscmQ.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\OhVqBwn.exe
  C:\Windows\System\OhVqBwn.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System\vACRCpu.exe
  C:\Windows\System\vACRCpu.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System\mZAWvKD.exe
  C:\Windows\System\mZAWvKD.exe
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Windows\System\KbCfDgG.exe
  C:\Windows\System\KbCfDgG.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System\itYmzVB.exe
  C:\Windows\System\itYmzVB.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System\ZMbCVJA.exe
  C:\Windows\System\ZMbCVJA.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System\mWJFhWq.exe
  C:\Windows\System\mWJFhWq.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System\ePylylf.exe
  C:\Windows\System\ePylylf.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System\SGdAFxv.exe
  C:\Windows\System\SGdAFxv.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System\wyyPUAI.exe
  C:\Windows\System\wyyPUAI.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System\iuGMFNw.exe
  C:\Windows\System\iuGMFNw.exe
  2⤵
  - Executes dropped EXE
  PID:3984
- C:\Windows\System\XKfTkQs.exe
  C:\Windows\System\XKfTkQs.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System\pBeUbPf.exe
  C:\Windows\System\pBeUbPf.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\System\hedyzCS.exe
  C:\Windows\System\hedyzCS.exe
  2⤵
  - Executes dropped EXE
  PID:3820
- C:\Windows\System\ekcOWQe.exe
  C:\Windows\System\ekcOWQe.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System\IcJTPhP.exe
  C:\Windows\System\IcJTPhP.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System\pCagRrl.exe
  C:\Windows\System\pCagRrl.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System\IxwWBLX.exe
  C:\Windows\System\IxwWBLX.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System\kKedjrJ.exe
  C:\Windows\System\kKedjrJ.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\System\UGbDQry.exe
  C:\Windows\System\UGbDQry.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\wEkDeuz.exe
  C:\Windows\System\wEkDeuz.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\AiNsWtb.exe
  C:\Windows\System\AiNsWtb.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\System\rxqKUga.exe
  C:\Windows\System\rxqKUga.exe
  2⤵
  PID:3068
- C:\Windows\System\QjzITrL.exe
  C:\Windows\System\QjzITrL.exe
  2⤵
  PID:3036
- C:\Windows\System\AtefTLw.exe
  C:\Windows\System\AtefTLw.exe
  2⤵
  PID:1832
- C:\Windows\System\lzOMyVq.exe
  C:\Windows\System\lzOMyVq.exe
  2⤵
  PID:4140
- C:\Windows\System\bubFIAS.exe
  C:\Windows\System\bubFIAS.exe
  2⤵
  PID:1812
- C:\Windows\System\wyhvRkD.exe
  C:\Windows\System\wyhvRkD.exe
  2⤵
  PID:1020
- C:\Windows\System\BfwOddj.exe
  C:\Windows\System\BfwOddj.exe
  2⤵
  PID:4536
- C:\Windows\System\UtkaLzk.exe
  C:\Windows\System\UtkaLzk.exe
  2⤵
  PID:3704
- C:\Windows\System\nOsaGBn.exe
  C:\Windows\System\nOsaGBn.exe
  2⤵
  PID:3360
- C:\Windows\System\hGTUaHK.exe
  C:\Windows\System\hGTUaHK.exe
  2⤵
  PID:3364
- C:\Windows\System\aIxrIwM.exe
  C:\Windows\System\aIxrIwM.exe
  2⤵
  PID:3672
- C:\Windows\System\DsgFWzI.exe
  C:\Windows\System\DsgFWzI.exe
  2⤵
  PID:3080
- C:\Windows\System\oqnSjZk.exe
  C:\Windows\System\oqnSjZk.exe
  2⤵
  PID:1060
- C:\Windows\System\UwiTHOw.exe
  C:\Windows\System\UwiTHOw.exe
  2⤵
  PID:2544
- C:\Windows\System\dyBXkYY.exe
  C:\Windows\System\dyBXkYY.exe
  2⤵
  PID:3256
- C:\Windows\System\ofayFDX.exe
  C:\Windows\System\ofayFDX.exe
  2⤵
  PID:3200
- C:\Windows\System\YWohheE.exe
  C:\Windows\System\YWohheE.exe
  2⤵
  PID:3772
- C:\Windows\System\FnibIZv.exe
  C:\Windows\System\FnibIZv.exe
  2⤵
  PID:2604
- C:\Windows\System\kMoOXlk.exe
  C:\Windows\System\kMoOXlk.exe
  2⤵
  PID:4452
- C:\Windows\System\ZSQzueB.exe
  C:\Windows\System\ZSQzueB.exe
  2⤵
  PID:3044
- C:\Windows\System\tMyTluZ.exe
  C:\Windows\System\tMyTluZ.exe
  2⤵
  PID:5032
- C:\Windows\System\BFcTdSY.exe
  C:\Windows\System\BFcTdSY.exe
  2⤵
  PID:5136
- C:\Windows\System\LkLEBGt.exe
  C:\Windows\System\LkLEBGt.exe
  2⤵
  PID:5188
- C:\Windows\System\JXplPii.exe
  C:\Windows\System\JXplPii.exe
  2⤵
  PID:5204
- C:\Windows\System\WsyTsgL.exe
  C:\Windows\System\WsyTsgL.exe
  2⤵
  PID:5224
- C:\Windows\System\HbUJAdq.exe
  C:\Windows\System\HbUJAdq.exe
  2⤵
  PID:5248
- C:\Windows\System\gtnzzuB.exe
  C:\Windows\System\gtnzzuB.exe
  2⤵
  PID:5280
- C:\Windows\System\RQJzYfG.exe
  C:\Windows\System\RQJzYfG.exe
  2⤵
  PID:5296
- C:\Windows\System\PIkavdR.exe
  C:\Windows\System\PIkavdR.exe
  2⤵
  PID:5316
- C:\Windows\System\wcpjOMT.exe
  C:\Windows\System\wcpjOMT.exe
  2⤵
  PID:5400
- C:\Windows\System\EPqRQOY.exe
  C:\Windows\System\EPqRQOY.exe
  2⤵
  PID:5416
- C:\Windows\System\IzjmVvZ.exe
  C:\Windows\System\IzjmVvZ.exe
  2⤵
  PID:5436
- C:\Windows\System\BQPUiBw.exe
  C:\Windows\System\BQPUiBw.exe
  2⤵
  PID:5456
- C:\Windows\System\igbDzXk.exe
  C:\Windows\System\igbDzXk.exe
  2⤵
  PID:5584
- C:\Windows\System\jXHGmSA.exe
  C:\Windows\System\jXHGmSA.exe
  2⤵
  PID:5604
- C:\Windows\System\VJitFrR.exe
  C:\Windows\System\VJitFrR.exe
  2⤵
  PID:5624
- C:\Windows\System\ofhXpLQ.exe
  C:\Windows\System\ofhXpLQ.exe
  2⤵
  PID:5648
- C:\Windows\System\EIzuAoz.exe
  C:\Windows\System\EIzuAoz.exe
  2⤵
  PID:5672
- C:\Windows\System\tSZJEeu.exe
  C:\Windows\System\tSZJEeu.exe
  2⤵
  PID:5692
- C:\Windows\System\AJuBGSf.exe
  C:\Windows\System\AJuBGSf.exe
  2⤵
  PID:5716
- C:\Windows\System\sFfNNOq.exe
  C:\Windows\System\sFfNNOq.exe
  2⤵
  PID:5784
- C:\Windows\System\EYvIfvI.exe
  C:\Windows\System\EYvIfvI.exe
  2⤵
  PID:5800
- C:\Windows\System\oIPawxR.exe
  C:\Windows\System\oIPawxR.exe
  2⤵
  PID:5828
- C:\Windows\System\jQIvfrv.exe
  C:\Windows\System\jQIvfrv.exe
  2⤵
  PID:5912
- C:\Windows\System\OtrGJDM.exe
  C:\Windows\System\OtrGJDM.exe
  2⤵
  PID:5972
- C:\Windows\System\YAyIYTY.exe
  C:\Windows\System\YAyIYTY.exe
  2⤵
  PID:5996
- C:\Windows\System\PrPcebS.exe
  C:\Windows\System\PrPcebS.exe
  2⤵
  PID:6072
- C:\Windows\System\UqgfPhj.exe
  C:\Windows\System\UqgfPhj.exe
  2⤵
  PID:6112
- C:\Windows\System\uJoemaC.exe
  C:\Windows\System\uJoemaC.exe
  2⤵
  PID:6136
- C:\Windows\System\CTKtjdl.exe
  C:\Windows\System\CTKtjdl.exe
  2⤵
  PID:4348
- C:\Windows\System\oardwNP.exe
  C:\Windows\System\oardwNP.exe
  2⤵
  PID:4196
- C:\Windows\System\WmfAiPp.exe
  C:\Windows\System\WmfAiPp.exe
  2⤵
  PID:920
- C:\Windows\System\VioqJDc.exe
  C:\Windows\System\VioqJDc.exe
  2⤵
  PID:1072
- C:\Windows\System\VrpwkZA.exe
  C:\Windows\System\VrpwkZA.exe
  2⤵
  PID:5184
- C:\Windows\System\vdggLxx.exe
  C:\Windows\System\vdggLxx.exe
  2⤵
  PID:5128
- C:\Windows\System\JlnrhJn.exe
  C:\Windows\System\JlnrhJn.exe
  2⤵
  PID:4460
- C:\Windows\System\GQTZFgU.exe
  C:\Windows\System\GQTZFgU.exe
  2⤵
  PID:5244
- C:\Windows\System\AfOVCHB.exe
  C:\Windows\System\AfOVCHB.exe
  2⤵
  PID:5392
- C:\Windows\System\kQXikBB.exe
  C:\Windows\System\kQXikBB.exe
  2⤵
  PID:5428
- C:\Windows\System\fVzBbeo.exe
  C:\Windows\System\fVzBbeo.exe
  2⤵
  PID:5304
- C:\Windows\System\HCBlIoH.exe
  C:\Windows\System\HCBlIoH.exe
  2⤵
  PID:5444
- C:\Windows\System\gjYlyjY.exe
  C:\Windows\System\gjYlyjY.exe
  2⤵
  PID:5352
- C:\Windows\System\moDdFoj.exe
  C:\Windows\System\moDdFoj.exe
  2⤵
  PID:5468
- C:\Windows\System\ueJYVjr.exe
  C:\Windows\System\ueJYVjr.exe
  2⤵
  PID:5572
- C:\Windows\System\ThzdLBn.exe
  C:\Windows\System\ThzdLBn.exe
  2⤵
  PID:5532
- C:\Windows\System\vYXekRM.exe
  C:\Windows\System\vYXekRM.exe
  2⤵
  PID:5796
- C:\Windows\System\eUGUmTM.exe
  C:\Windows\System\eUGUmTM.exe
  2⤵
  PID:5596
- C:\Windows\System\ltgigUJ.exe
  C:\Windows\System\ltgigUJ.exe
  2⤵
  PID:5704
- C:\Windows\System\TVIAfsZ.exe
  C:\Windows\System\TVIAfsZ.exe
  2⤵
  PID:5964
- C:\Windows\System\dPwOzfM.exe
  C:\Windows\System\dPwOzfM.exe
  2⤵
  PID:6064
- C:\Windows\System\wltBFhC.exe
  C:\Windows\System\wltBFhC.exe
  2⤵
  PID:4272
- C:\Windows\System\xyvRFNg.exe
  C:\Windows\System\xyvRFNg.exe
  2⤵
  PID:6104
- C:\Windows\System\DfjDFzn.exe
  C:\Windows\System\DfjDFzn.exe
  2⤵
  PID:1848
- C:\Windows\System\HkyZSno.exe
  C:\Windows\System\HkyZSno.exe
  2⤵
  PID:4248
- C:\Windows\System\skhwRkd.exe
  C:\Windows\System\skhwRkd.exe
  2⤵
  PID:4852
- C:\Windows\System\rVebjIC.exe
  C:\Windows\System\rVebjIC.exe
  2⤵
  PID:1400
- C:\Windows\System\uCGRxEJ.exe
  C:\Windows\System\uCGRxEJ.exe
  2⤵
  PID:5424
- C:\Windows\System\pKSoQwf.exe
  C:\Windows\System\pKSoQwf.exe
  2⤵
  PID:4660
- C:\Windows\System\DveDFTo.exe
  C:\Windows\System\DveDFTo.exe
  2⤵
  PID:5684
- C:\Windows\System\LPZMwuh.exe
  C:\Windows\System\LPZMwuh.exe
  2⤵
  PID:5960
- C:\Windows\System\qFZwgyn.exe
  C:\Windows\System\qFZwgyn.exe
  2⤵
  PID:6036
- C:\Windows\System\dvAZkuG.exe
  C:\Windows\System\dvAZkuG.exe
  2⤵
  PID:4584
- C:\Windows\System\BARlaSo.exe
  C:\Windows\System\BARlaSo.exe
  2⤵
  PID:2504
- C:\Windows\System\NdvXTJh.exe
  C:\Windows\System\NdvXTJh.exe
  2⤵
  PID:5732
- C:\Windows\System\AaUhjUo.exe
  C:\Windows\System\AaUhjUo.exe
  2⤵
  PID:1912
- C:\Windows\System\gRbOcPU.exe
  C:\Windows\System\gRbOcPU.exe
  2⤵
  PID:6188
- C:\Windows\System\hopomDP.exe
  C:\Windows\System\hopomDP.exe
  2⤵
  PID:6204
- C:\Windows\System\feWkRzY.exe
  C:\Windows\System\feWkRzY.exe
  2⤵
  PID:6224
- C:\Windows\System\FJSmNpm.exe
  C:\Windows\System\FJSmNpm.exe
  2⤵
  PID:6248
- C:\Windows\System\XROjcOq.exe
  C:\Windows\System\XROjcOq.exe
  2⤵
  PID:6264
- C:\Windows\System\IWGqnDb.exe
  C:\Windows\System\IWGqnDb.exe
  2⤵
  PID:6308
- C:\Windows\System\HppCrTk.exe
  C:\Windows\System\HppCrTk.exe
  2⤵
  PID:6332
- C:\Windows\System\JYBJfDb.exe
  C:\Windows\System\JYBJfDb.exe
  2⤵
  PID:6364
- C:\Windows\System\UaGtdGZ.exe
  C:\Windows\System\UaGtdGZ.exe
  2⤵
  PID:6388
- C:\Windows\System\IbjpNwn.exe
  C:\Windows\System\IbjpNwn.exe
  2⤵
  PID:6408
- C:\Windows\System\CaHHCJr.exe
  C:\Windows\System\CaHHCJr.exe
  2⤵
  PID:6424
- C:\Windows\System\uviRDfD.exe
  C:\Windows\System\uviRDfD.exe
  2⤵
  PID:6448
- C:\Windows\System\XetoQyd.exe
  C:\Windows\System\XetoQyd.exe
  2⤵
  PID:6464
- C:\Windows\System\dWLBbTd.exe
  C:\Windows\System\dWLBbTd.exe
  2⤵
  PID:6484
- C:\Windows\System\uvVhmuU.exe
  C:\Windows\System\uvVhmuU.exe
  2⤵
  PID:6516
- C:\Windows\System\MBLPuOE.exe
  C:\Windows\System\MBLPuOE.exe
  2⤵
  PID:6536
- C:\Windows\System\PIgqdLL.exe
  C:\Windows\System\PIgqdLL.exe
  2⤵
  PID:6552
- C:\Windows\System\UwqsQBS.exe
  C:\Windows\System\UwqsQBS.exe
  2⤵
  PID:6576
- C:\Windows\System\QKzTEIv.exe
  C:\Windows\System\QKzTEIv.exe
  2⤵
  PID:6592
- C:\Windows\System\kYuidSG.exe
  C:\Windows\System\kYuidSG.exe
  2⤵
  PID:6608
- C:\Windows\System\DTXKlXc.exe
  C:\Windows\System\DTXKlXc.exe
  2⤵
  PID:6632
- C:\Windows\System\SangrIE.exe
  C:\Windows\System\SangrIE.exe
  2⤵
  PID:6732
- C:\Windows\System\zHvgaiS.exe
  C:\Windows\System\zHvgaiS.exe
  2⤵
  PID:6756
- C:\Windows\System\eWZDCTC.exe
  C:\Windows\System\eWZDCTC.exe
  2⤵
  PID:6772
- C:\Windows\System\Afuctno.exe
  C:\Windows\System\Afuctno.exe
  2⤵
  PID:6788
- C:\Windows\System\KXGGSOl.exe
  C:\Windows\System\KXGGSOl.exe
  2⤵
  PID:6804
- C:\Windows\System\HYkBYPY.exe
  C:\Windows\System\HYkBYPY.exe
  2⤵
  PID:6828
- C:\Windows\System\RvTnMeU.exe
  C:\Windows\System\RvTnMeU.exe
  2⤵
  PID:6852
- C:\Windows\System\UrrvKwE.exe
  C:\Windows\System\UrrvKwE.exe
  2⤵
  PID:6868
- C:\Windows\System\QCHbfUv.exe
  C:\Windows\System\QCHbfUv.exe
  2⤵
  PID:6904
- C:\Windows\System\XkkiJXk.exe
  C:\Windows\System\XkkiJXk.exe
  2⤵
  PID:7020
- C:\Windows\System\gWrlgpd.exe
  C:\Windows\System\gWrlgpd.exe
  2⤵
  PID:7040
- C:\Windows\System\eOeRlaH.exe
  C:\Windows\System\eOeRlaH.exe
  2⤵
  PID:7068
- C:\Windows\System\ZzmwQQw.exe
  C:\Windows\System\ZzmwQQw.exe
  2⤵
  PID:7084
- C:\Windows\System\lpvRSrs.exe
  C:\Windows\System\lpvRSrs.exe
  2⤵
  PID:7104
- C:\Windows\System\kPDwyUs.exe
  C:\Windows\System\kPDwyUs.exe
  2⤵
  PID:7136
- C:\Windows\System\UbaAUwn.exe
  C:\Windows\System\UbaAUwn.exe
  2⤵
  PID:2264
- C:\Windows\System\QjDqCBy.exe
  C:\Windows\System\QjDqCBy.exe
  2⤵
  PID:6180
- C:\Windows\System\NYffHcX.exe
  C:\Windows\System\NYffHcX.exe
  2⤵
  PID:6216
- C:\Windows\System\wqhDHfO.exe
  C:\Windows\System\wqhDHfO.exe
  2⤵
  PID:6328
- C:\Windows\System\giSzxjH.exe
  C:\Windows\System\giSzxjH.exe
  2⤵
  PID:6436
- C:\Windows\System\LXODRGs.exe
  C:\Windows\System\LXODRGs.exe
  2⤵
  PID:6500
- C:\Windows\System\xzKNYVf.exe
  C:\Windows\System\xzKNYVf.exe
  2⤵
  PID:6584
- C:\Windows\System\STQEDnK.exe
  C:\Windows\System\STQEDnK.exe
  2⤵
  PID:6728
- C:\Windows\System\DyhCBqq.exe
  C:\Windows\System\DyhCBqq.exe
  2⤵
  PID:6820
- C:\Windows\System\ijZOnWt.exe
  C:\Windows\System\ijZOnWt.exe
  2⤵
  PID:6884
- C:\Windows\System\QSRjvTr.exe
  C:\Windows\System\QSRjvTr.exe
  2⤵
  PID:6940
- C:\Windows\System\naLImJT.exe
  C:\Windows\System\naLImJT.exe
  2⤵
  PID:7052
- C:\Windows\System\SjAVfNz.exe
  C:\Windows\System\SjAVfNz.exe
  2⤵
  PID:7100
- C:\Windows\System\foagpGn.exe
  C:\Windows\System\foagpGn.exe
  2⤵
  PID:7148
- C:\Windows\System\IbLujwk.exe
  C:\Windows\System\IbLujwk.exe
  2⤵
  PID:7156
- C:\Windows\System\iYORlFt.exe
  C:\Windows\System\iYORlFt.exe
  2⤵
  PID:6212
- C:\Windows\System\Lifbiem.exe
  C:\Windows\System\Lifbiem.exe
  2⤵
  PID:6352
- C:\Windows\System\rCCLtuF.exe
  C:\Windows\System\rCCLtuF.exe
  2⤵
  PID:6456
- C:\Windows\System\yOZUqxO.exe
  C:\Windows\System\yOZUqxO.exe
  2⤵
  PID:5740
- C:\Windows\System\ZgKlVBm.exe
  C:\Windows\System\ZgKlVBm.exe
  2⤵
  PID:6860
- C:\Windows\System\ZrGVfas.exe
  C:\Windows\System\ZrGVfas.exe
  2⤵
  PID:6396
- C:\Windows\System\YDnyIyS.exe
  C:\Windows\System\YDnyIyS.exe
  2⤵
  PID:7076
- C:\Windows\System\gcifHoP.exe
  C:\Windows\System\gcifHoP.exe
  2⤵
  PID:6284
- C:\Windows\System\uOmfZLF.exe
  C:\Windows\System\uOmfZLF.exe
  2⤵
  PID:6644
- C:\Windows\System\FsBVYWg.exe
  C:\Windows\System\FsBVYWg.exe
  2⤵
  PID:6240
- C:\Windows\System\vgEOkGc.exe
  C:\Windows\System\vgEOkGc.exe
  2⤵
  PID:7176
- C:\Windows\System\syvydaf.exe
  C:\Windows\System\syvydaf.exe
  2⤵
  PID:7212
- C:\Windows\System\klplkZq.exe
  C:\Windows\System\klplkZq.exe
  2⤵
  PID:7228
- C:\Windows\System\qfjUgZt.exe
  C:\Windows\System\qfjUgZt.exe
  2⤵
  PID:7260
- C:\Windows\System\KIvvfYg.exe
  C:\Windows\System\KIvvfYg.exe
  2⤵
  PID:7296
- C:\Windows\System\OSJJluN.exe
  C:\Windows\System\OSJJluN.exe
  2⤵
  PID:7316
- C:\Windows\System\XpCcmYv.exe
  C:\Windows\System\XpCcmYv.exe
  2⤵
  PID:7336
- C:\Windows\System\ojyDQqe.exe
  C:\Windows\System\ojyDQqe.exe
  2⤵
  PID:7356
- C:\Windows\System\YvbOHGa.exe
  C:\Windows\System\YvbOHGa.exe
  2⤵
  PID:7376
- C:\Windows\System\ZRFELlY.exe
  C:\Windows\System\ZRFELlY.exe
  2⤵
  PID:7444
- C:\Windows\System\ggMivYW.exe
  C:\Windows\System\ggMivYW.exe
  2⤵
  PID:7460
- C:\Windows\System\rPPqIEy.exe
  C:\Windows\System\rPPqIEy.exe
  2⤵
  PID:7484
- C:\Windows\System\iGYUECD.exe
  C:\Windows\System\iGYUECD.exe
  2⤵
  PID:7508
- C:\Windows\System\OhhCbOi.exe
  C:\Windows\System\OhhCbOi.exe
  2⤵
  PID:7524
- C:\Windows\System\eRGSiFh.exe
  C:\Windows\System\eRGSiFh.exe
  2⤵
  PID:7600
- C:\Windows\System\ykaznwT.exe
  C:\Windows\System\ykaznwT.exe
  2⤵
  PID:7648
- C:\Windows\System\rSUCQHO.exe
  C:\Windows\System\rSUCQHO.exe
  2⤵
  PID:7668
- C:\Windows\System\qnkIgSg.exe
  C:\Windows\System\qnkIgSg.exe
  2⤵
  PID:7688
- C:\Windows\System\xIIQXXt.exe
  C:\Windows\System\xIIQXXt.exe
  2⤵
  PID:7720
- C:\Windows\System\ZoSHfKF.exe
  C:\Windows\System\ZoSHfKF.exe
  2⤵
  PID:7764
- C:\Windows\System\NlkKFFI.exe
  C:\Windows\System\NlkKFFI.exe
  2⤵
  PID:7780
- C:\Windows\System\RDymqdU.exe
  C:\Windows\System\RDymqdU.exe
  2⤵
  PID:7800
- C:\Windows\System\XuNLCnt.exe
  C:\Windows\System\XuNLCnt.exe
  2⤵
  PID:7816
- C:\Windows\System\DoNtmVI.exe
  C:\Windows\System\DoNtmVI.exe
  2⤵
  PID:7840
- C:\Windows\System\mOpwgGK.exe
  C:\Windows\System\mOpwgGK.exe
  2⤵
  PID:7860
- C:\Windows\System\WNJGVlL.exe
  C:\Windows\System\WNJGVlL.exe
  2⤵
  PID:7888
- C:\Windows\System\kzFKKCL.exe
  C:\Windows\System\kzFKKCL.exe
  2⤵
  PID:7908
- C:\Windows\System\ourJELj.exe
  C:\Windows\System\ourJELj.exe
  2⤵
  PID:7976
- C:\Windows\System\ICRfXuG.exe
  C:\Windows\System\ICRfXuG.exe
  2⤵
  PID:7992
- C:\Windows\System\kTappYo.exe
  C:\Windows\System\kTappYo.exe
  2⤵
  PID:8016
- C:\Windows\System\bUeIHgs.exe
  C:\Windows\System\bUeIHgs.exe
  2⤵
  PID:8036
- C:\Windows\System\LNWlBiv.exe
  C:\Windows\System\LNWlBiv.exe
  2⤵
  PID:8072
- C:\Windows\System\QvRekWP.exe
  C:\Windows\System\QvRekWP.exe
  2⤵
  PID:8092
- C:\Windows\System\HlKrhci.exe
  C:\Windows\System\HlKrhci.exe
  2⤵
  PID:8176
- C:\Windows\System\xfxuidx.exe
  C:\Windows\System\xfxuidx.exe
  2⤵
  PID:5844
- C:\Windows\System\OUwNIEY.exe
  C:\Windows\System\OUwNIEY.exe
  2⤵
  PID:7248
- C:\Windows\System\NstjHEO.exe
  C:\Windows\System\NstjHEO.exe
  2⤵
  PID:7344
- C:\Windows\System\TSZheMO.exe
  C:\Windows\System\TSZheMO.exe
  2⤵
  PID:7348
- C:\Windows\System\idfuQpz.exe
  C:\Windows\System\idfuQpz.exe
  2⤵
  PID:7404
- C:\Windows\System\KEDBArp.exe
  C:\Windows\System\KEDBArp.exe
  2⤵
  PID:7468
- C:\Windows\System\RXNHHrb.exe
  C:\Windows\System\RXNHHrb.exe
  2⤵
  PID:7580
- C:\Windows\System\ftCGokU.exe
  C:\Windows\System\ftCGokU.exe
  2⤵
  PID:7640
- C:\Windows\System\KWvaCSk.exe
  C:\Windows\System\KWvaCSk.exe
  2⤵
  PID:7656
- C:\Windows\System\ycXkavR.exe
  C:\Windows\System\ycXkavR.exe
  2⤵
  PID:7772
- C:\Windows\System\LBdkuRU.exe
  C:\Windows\System\LBdkuRU.exe
  2⤵
  PID:7848
- C:\Windows\System\lANoukz.exe
  C:\Windows\System\lANoukz.exe
  2⤵
  PID:7916
- C:\Windows\System\IAarECP.exe
  C:\Windows\System\IAarECP.exe
  2⤵
  PID:8044
- C:\Windows\System\QUxHctc.exe
  C:\Windows\System\QUxHctc.exe
  2⤵
  PID:7952
- C:\Windows\System\XLOGHfK.exe
  C:\Windows\System\XLOGHfK.exe
  2⤵
  PID:7972
- C:\Windows\System\iFLsEHX.exe
  C:\Windows\System\iFLsEHX.exe
  2⤵
  PID:8000
- C:\Windows\System\RnJSsyq.exe
  C:\Windows\System\RnJSsyq.exe
  2⤵
  PID:8080
- C:\Windows\System\WSkbvxc.exe
  C:\Windows\System\WSkbvxc.exe
  2⤵
  PID:8156
- C:\Windows\System\UrIGPMG.exe
  C:\Windows\System\UrIGPMG.exe
  2⤵
  PID:6964
- C:\Windows\System\kMlgArR.exe
  C:\Windows\System\kMlgArR.exe
  2⤵
  PID:2036
- C:\Windows\System\RDFiecx.exe
  C:\Windows\System\RDFiecx.exe
  2⤵
  PID:7388
- C:\Windows\System\opKwMcw.exe
  C:\Windows\System\opKwMcw.exe
  2⤵
  PID:1576
- C:\Windows\System\jfdYQLW.exe
  C:\Windows\System\jfdYQLW.exe
  2⤵
  PID:5512
- C:\Windows\System\dwgRmLR.exe
  C:\Windows\System\dwgRmLR.exe
  2⤵
  PID:7552
- C:\Windows\System\xtVaVlA.exe
  C:\Windows\System\xtVaVlA.exe
  2⤵
  PID:7696
- C:\Windows\System\UnrdagD.exe
  C:\Windows\System\UnrdagD.exe
  2⤵
  PID:7988
- C:\Windows\System\YBcJHSu.exe
  C:\Windows\System\YBcJHSu.exe
  2⤵
  PID:8108
- C:\Windows\System\xeprplx.exe
  C:\Windows\System\xeprplx.exe
  2⤵
  PID:8136
- C:\Windows\System\yFEhDVo.exe
  C:\Windows\System\yFEhDVo.exe
  2⤵
  PID:5360
- C:\Windows\System\OqbvutL.exe
  C:\Windows\System\OqbvutL.exe
  2⤵
  PID:7456
- C:\Windows\System\bxaAJlY.exe
  C:\Windows\System\bxaAJlY.exe
  2⤵
  PID:8268
- C:\Windows\System\SiqFzvM.exe
  C:\Windows\System\SiqFzvM.exe
  2⤵
  PID:8292
- C:\Windows\System\RYwbTYV.exe
  C:\Windows\System\RYwbTYV.exe
  2⤵
  PID:8336
- C:\Windows\System\sNDHhQl.exe
  C:\Windows\System\sNDHhQl.exe
  2⤵
  PID:8388
- C:\Windows\System\GuKrCKr.exe
  C:\Windows\System\GuKrCKr.exe
  2⤵
  PID:8404
- C:\Windows\System\ariMxMi.exe
  C:\Windows\System\ariMxMi.exe
  2⤵
  PID:8424
- C:\Windows\System\wYnqtjv.exe
  C:\Windows\System\wYnqtjv.exe
  2⤵
  PID:8444
- C:\Windows\System\SehZWtW.exe
  C:\Windows\System\SehZWtW.exe
  2⤵
  PID:8468
- C:\Windows\System\ytqoiwV.exe
  C:\Windows\System\ytqoiwV.exe
  2⤵
  PID:8528
- C:\Windows\System\acwDAaq.exe
  C:\Windows\System\acwDAaq.exe
  2⤵
  PID:8560
- C:\Windows\System\RlWMpEQ.exe
  C:\Windows\System\RlWMpEQ.exe
  2⤵
  PID:8576
- C:\Windows\System\tuRflrt.exe
  C:\Windows\System\tuRflrt.exe
  2⤵
  PID:8600
- C:\Windows\System\cXtXzWq.exe
  C:\Windows\System\cXtXzWq.exe
  2⤵
  PID:8616
- C:\Windows\System\GAOiStI.exe
  C:\Windows\System\GAOiStI.exe
  2⤵
  PID:8696
- C:\Windows\System\ehROewZ.exe
  C:\Windows\System\ehROewZ.exe
  2⤵
  PID:8712
- C:\Windows\System\ZDyTOtp.exe
  C:\Windows\System\ZDyTOtp.exe
  2⤵
  PID:8736
- C:\Windows\System\SqYtoan.exe
  C:\Windows\System\SqYtoan.exe
  2⤵
  PID:8792
- C:\Windows\System\OhoXzqf.exe
  C:\Windows\System\OhoXzqf.exe
  2⤵
  PID:8816
- C:\Windows\System\rLeHODi.exe
  C:\Windows\System\rLeHODi.exe
  2⤵
  PID:8860
- C:\Windows\System\vpgnDCl.exe
  C:\Windows\System\vpgnDCl.exe
  2⤵
  PID:8884
- C:\Windows\System\SFpUzBN.exe
  C:\Windows\System\SFpUzBN.exe
  2⤵
  PID:8908
- C:\Windows\System\gJsfjNU.exe
  C:\Windows\System\gJsfjNU.exe
  2⤵
  PID:8940
- C:\Windows\System\dDNADIC.exe
  C:\Windows\System\dDNADIC.exe
  2⤵
  PID:8972
- C:\Windows\System\BpRmObJ.exe
  C:\Windows\System\BpRmObJ.exe
  2⤵
  PID:8988
- C:\Windows\System\raeRZLd.exe
  C:\Windows\System\raeRZLd.exe
  2⤵
  PID:9012
- C:\Windows\System\TRQbCFX.exe
  C:\Windows\System\TRQbCFX.exe
  2⤵
  PID:9044
- C:\Windows\System\TqPexbM.exe
  C:\Windows\System\TqPexbM.exe
  2⤵
  PID:9060
- C:\Windows\System\HbXwlJz.exe
  C:\Windows\System\HbXwlJz.exe
  2⤵
  PID:9100
- C:\Windows\System\ykkkZbO.exe
  C:\Windows\System\ykkkZbO.exe
  2⤵
  PID:9124
- C:\Windows\System\CjKysQg.exe
  C:\Windows\System\CjKysQg.exe
  2⤵
  PID:9156
- C:\Windows\System\gPGczSb.exe
  C:\Windows\System\gPGczSb.exe
  2⤵
  PID:9192
- C:\Windows\System\zrISfym.exe
  C:\Windows\System\zrISfym.exe
  2⤵
  PID:7588
- C:\Windows\System\ewmrhyr.exe
  C:\Windows\System\ewmrhyr.exe
  2⤵
  PID:7240
- C:\Windows\System\TgLkfxR.exe
  C:\Windows\System\TgLkfxR.exe
  2⤵
  PID:8084
- C:\Windows\System\CUZcPrm.exe
  C:\Windows\System\CUZcPrm.exe
  2⤵
  PID:7748
- C:\Windows\System\phGxrjy.exe
  C:\Windows\System\phGxrjy.exe
  2⤵
  PID:5756
- C:\Windows\System\RvHGyMm.exe
  C:\Windows\System\RvHGyMm.exe
  2⤵
  PID:7756
- C:\Windows\System\ijJCern.exe
  C:\Windows\System\ijJCern.exe
  2⤵
  PID:7436
- C:\Windows\System\ftYMvOT.exe
  C:\Windows\System\ftYMvOT.exe
  2⤵
  PID:8304
- C:\Windows\System\JRvfMcD.exe
  C:\Windows\System\JRvfMcD.exe
  2⤵
  PID:8280
- C:\Windows\System\PnVpsZz.exe
  C:\Windows\System\PnVpsZz.exe
  2⤵
  PID:8400
- C:\Windows\System\nVOPBIP.exe
  C:\Windows\System\nVOPBIP.exe
  2⤵
  PID:8436
- C:\Windows\System\JkAPIKm.exe
  C:\Windows\System\JkAPIKm.exe
  2⤵
  PID:8524
- C:\Windows\System\QdFBvVB.exe
  C:\Windows\System\QdFBvVB.exe
  2⤵
  PID:8572
- C:\Windows\System\uSkxIAK.exe
  C:\Windows\System\uSkxIAK.exe
  2⤵
  PID:8608
- C:\Windows\System\GqHVXzY.exe
  C:\Windows\System\GqHVXzY.exe
  2⤵
  PID:8652
- C:\Windows\System\sIjdfdy.exe
  C:\Windows\System\sIjdfdy.exe
  2⤵
  PID:8748
- C:\Windows\System\mMnivrC.exe
  C:\Windows\System\mMnivrC.exe
  2⤵
  PID:8704
- C:\Windows\System\VQdIzTv.exe
  C:\Windows\System\VQdIzTv.exe
  2⤵
  PID:8760
- C:\Windows\System\fHEFCXF.exe
  C:\Windows\System\fHEFCXF.exe
  2⤵
  PID:5928
- C:\Windows\System\QAYaRRB.exe
  C:\Windows\System\QAYaRRB.exe
  2⤵
  PID:8788
- C:\Windows\System\UnDFhBc.exe
  C:\Windows\System\UnDFhBc.exe
  2⤵
  PID:9040
- C:\Windows\System\QoRgBzr.exe
  C:\Windows\System\QoRgBzr.exe
  2⤵
  PID:9056
- C:\Windows\System\pLKMFMN.exe
  C:\Windows\System\pLKMFMN.exe
  2⤵
  PID:6028
- C:\Windows\System\qVoXJvH.exe
  C:\Windows\System\qVoXJvH.exe
  2⤵
  PID:8032
- C:\Windows\System\OQHiGJi.exe
  C:\Windows\System\OQHiGJi.exe
  2⤵
  PID:8548
- C:\Windows\System\lePSOvj.exe
  C:\Windows\System\lePSOvj.exe
  2⤵
  PID:4552
- C:\Windows\System\KibunNd.exe
  C:\Windows\System\KibunNd.exe
  2⤵
  PID:8592
- C:\Windows\System\foqKsjV.exe
  C:\Windows\System\foqKsjV.exe
  2⤵
  PID:9008
- C:\Windows\System\DRswbIl.exe
  C:\Windows\System\DRswbIl.exe
  2⤵
  PID:9120
- C:\Windows\System\LbRMIfo.exe
  C:\Windows\System\LbRMIfo.exe
  2⤵
  PID:8876
- C:\Windows\System\bsuKSUU.exe
  C:\Windows\System\bsuKSUU.exe
  2⤵
  PID:9000
- C:\Windows\System\McRftfG.exe
  C:\Windows\System\McRftfG.exe
  2⤵
  PID:8216
- C:\Windows\System\sAkKrLq.exe
  C:\Windows\System\sAkKrLq.exe
  2⤵
  PID:8432
- C:\Windows\System\LrBUJHY.exe
  C:\Windows\System\LrBUJHY.exe
  2⤵
  PID:8276
- C:\Windows\System\jlqXDwW.exe
  C:\Windows\System\jlqXDwW.exe
  2⤵
  PID:8632
- C:\Windows\System\vIluOCY.exe
  C:\Windows\System\vIluOCY.exe
  2⤵
  PID:8596
- C:\Windows\System\UQCsPXf.exe
  C:\Windows\System\UQCsPXf.exe
  2⤵
  PID:8028
- C:\Windows\System\iPghuBv.exe
  C:\Windows\System\iPghuBv.exe
  2⤵
  PID:9248
- C:\Windows\System\UZFMkpQ.exe
  C:\Windows\System\UZFMkpQ.exe
  2⤵
  PID:9264
- C:\Windows\System\BeHUIqo.exe
  C:\Windows\System\BeHUIqo.exe
  2⤵
  PID:9288
- C:\Windows\System\xlmUPGX.exe
  C:\Windows\System\xlmUPGX.exe
  2⤵
  PID:9332
- C:\Windows\System\cEfvoZj.exe
  C:\Windows\System\cEfvoZj.exe
  2⤵
  PID:9356
- C:\Windows\System\qZwwDBm.exe
  C:\Windows\System\qZwwDBm.exe
  2⤵
  PID:9380
- C:\Windows\System\uDpvfKL.exe
  C:\Windows\System\uDpvfKL.exe
  2⤵
  PID:9436
- C:\Windows\System\moCIPjZ.exe
  C:\Windows\System\moCIPjZ.exe
  2⤵
  PID:9488
- C:\Windows\System\liOFMuX.exe
  C:\Windows\System\liOFMuX.exe
  2⤵
  PID:9504
- C:\Windows\System\sdYHtmW.exe
  C:\Windows\System\sdYHtmW.exe
  2⤵
  PID:9528
- C:\Windows\System\kcMirnT.exe
  C:\Windows\System\kcMirnT.exe
  2⤵
  PID:9552
- C:\Windows\System\mWDVBAz.exe
  C:\Windows\System\mWDVBAz.exe
  2⤵
  PID:9576
- C:\Windows\System\briqbHE.exe
  C:\Windows\System\briqbHE.exe
  2⤵
  PID:9592
- C:\Windows\System\JjEZnrp.exe
  C:\Windows\System\JjEZnrp.exe
  2⤵
  PID:9608
- C:\Windows\System\nrzAtVG.exe
  C:\Windows\System\nrzAtVG.exe
  2⤵
  PID:9628
- C:\Windows\System\TKyXXyU.exe
  C:\Windows\System\TKyXXyU.exe
  2⤵
  PID:9644
- C:\Windows\System\KTbWyeD.exe
  C:\Windows\System\KTbWyeD.exe
  2⤵
  PID:9672
- C:\Windows\System\XQXOyzt.exe
  C:\Windows\System\XQXOyzt.exe
  2⤵
  PID:9704
- C:\Windows\System\yiQFSGV.exe
  C:\Windows\System\yiQFSGV.exe
  2⤵
  PID:9760
- C:\Windows\System\nHHVpqB.exe
  C:\Windows\System\nHHVpqB.exe
  2⤵
  PID:9776
- C:\Windows\System\pWsIFyQ.exe
  C:\Windows\System\pWsIFyQ.exe
  2⤵
  PID:9800
- C:\Windows\System\QwnTvCB.exe
  C:\Windows\System\QwnTvCB.exe
  2⤵
  PID:9880
- C:\Windows\System\eYvoAiu.exe
  C:\Windows\System\eYvoAiu.exe
  2⤵
  PID:9940
- C:\Windows\System\ZCsoGuN.exe
  C:\Windows\System\ZCsoGuN.exe
  2⤵
  PID:9956
- C:\Windows\System\HVUwUwT.exe
  C:\Windows\System\HVUwUwT.exe
  2⤵
  PID:9980
- C:\Windows\System\NowNKDJ.exe
  C:\Windows\System\NowNKDJ.exe
  2⤵
  PID:10004
- C:\Windows\System\gIevRYE.exe
  C:\Windows\System\gIevRYE.exe
  2⤵
  PID:10024
- C:\Windows\System\LxQcXFB.exe
  C:\Windows\System\LxQcXFB.exe
  2⤵
  PID:10040
- C:\Windows\System\FiUipoj.exe
  C:\Windows\System\FiUipoj.exe
  2⤵
  PID:10064
- C:\Windows\System\NmdoVTb.exe
  C:\Windows\System\NmdoVTb.exe
  2⤵
  PID:10080
- C:\Windows\System\dGvkIkn.exe
  C:\Windows\System\dGvkIkn.exe
  2⤵
  PID:10120
- C:\Windows\System\Lccporb.exe
  C:\Windows\System\Lccporb.exe
  2⤵
  PID:10140
- C:\Windows\System\MdOJvRo.exe
  C:\Windows\System\MdOJvRo.exe
  2⤵
  PID:10176
- C:\Windows\System\ZNrtIZZ.exe
  C:\Windows\System\ZNrtIZZ.exe
  2⤵
  PID:10192
- C:\Windows\System\bnYRDge.exe
  C:\Windows\System\bnYRDge.exe
  2⤵
  PID:10216
- C:\Windows\System\pLdPbxR.exe
  C:\Windows\System\pLdPbxR.exe
  2⤵
  PID:9088
- C:\Windows\System\iwTWjgQ.exe
  C:\Windows\System\iwTWjgQ.exe
  2⤵
  PID:6088
- C:\Windows\System\TYedMVo.exe
  C:\Windows\System\TYedMVo.exe
  2⤵
  PID:9340
- C:\Windows\System\BeLFVxN.exe
  C:\Windows\System\BeLFVxN.exe
  2⤵
  PID:9604
- C:\Windows\System\JIapaCf.exe
  C:\Windows\System\JIapaCf.exe
  2⤵
  PID:9636
- C:\Windows\System\VJTpkNW.exe
  C:\Windows\System\VJTpkNW.exe
  2⤵
  PID:9548
- C:\Windows\System\AJfYzkA.exe
  C:\Windows\System\AJfYzkA.exe
  2⤵
  PID:9520
- C:\Windows\System\dmdOWIT.exe
  C:\Windows\System\dmdOWIT.exe
  2⤵
  PID:9600
- C:\Windows\System\xLMDwrc.exe
  C:\Windows\System\xLMDwrc.exe
  2⤵
  PID:9792
- C:\Windows\System\cNmvmZQ.exe
  C:\Windows\System\cNmvmZQ.exe
  2⤵
  PID:9888
- C:\Windows\System\HwGttAh.exe
  C:\Windows\System\HwGttAh.exe
  2⤵
  PID:9972
- C:\Windows\System\AjOsBHn.exe
  C:\Windows\System\AjOsBHn.exe
  2⤵
  PID:9868
- C:\Windows\System\KHfLIWx.exe
  C:\Windows\System\KHfLIWx.exe
  2⤵
  PID:9916
- C:\Windows\System\EPHSxOH.exe
  C:\Windows\System\EPHSxOH.exe
  2⤵
  PID:10096
- C:\Windows\System\XudVkre.exe
  C:\Windows\System\XudVkre.exe
  2⤵
  PID:9228
- C:\Windows\System\vJQHoHz.exe
  C:\Windows\System\vJQHoHz.exe
  2⤵
  PID:5156
- C:\Windows\System\Vkyxvcd.exe
  C:\Windows\System\Vkyxvcd.exe
  2⤵
  PID:9260
- C:\Windows\System\LxChMCA.exe
  C:\Windows\System\LxChMCA.exe
  2⤵
  PID:9616
- C:\Windows\System\iOKXhcY.exe
  C:\Windows\System\iOKXhcY.exe
  2⤵
  PID:9572
- C:\Windows\System\pfaLNMX.exe
  C:\Windows\System\pfaLNMX.exe
  2⤵
  PID:9472
- C:\Windows\System\YKwjhAE.exe
  C:\Windows\System\YKwjhAE.exe
  2⤵
  PID:9544
- C:\Windows\System\ZqDyFgh.exe
  C:\Windows\System\ZqDyFgh.exe
  2⤵
  PID:9796
- C:\Windows\System\fTxhWBq.exe
  C:\Windows\System\fTxhWBq.exe
  2⤵
  PID:9872
- C:\Windows\System\iRnFZKZ.exe
  C:\Windows\System\iRnFZKZ.exe
  2⤵
  PID:10072
- C:\Windows\System\IrPfcni.exe
  C:\Windows\System\IrPfcni.exe
  2⤵
  PID:996
- C:\Windows\System\opfKpno.exe
  C:\Windows\System\opfKpno.exe
  2⤵
  PID:6324
- C:\Windows\System\fiWSRfb.exe
  C:\Windows\System\fiWSRfb.exe
  2⤵
  PID:8948
- C:\Windows\System\TIgbcGD.exe
  C:\Windows\System\TIgbcGD.exe
  2⤵
  PID:9484
- C:\Windows\System\gbbqCzL.exe
  C:\Windows\System\gbbqCzL.exe
  2⤵
  PID:9460
- C:\Windows\System\QyfUzgi.exe
  C:\Windows\System\QyfUzgi.exe
  2⤵
  PID:10260
- C:\Windows\System\CzGCega.exe
  C:\Windows\System\CzGCega.exe
  2⤵
  PID:10328
- C:\Windows\System\ciftBTk.exe
  C:\Windows\System\ciftBTk.exe
  2⤵
  PID:10352
- C:\Windows\System\mGtxcFb.exe
  C:\Windows\System\mGtxcFb.exe
  2⤵
  PID:10424
- C:\Windows\System\svyppYG.exe
  C:\Windows\System\svyppYG.exe
  2⤵
  PID:10456
- C:\Windows\System\OtgOWwQ.exe
  C:\Windows\System\OtgOWwQ.exe
  2⤵
  PID:10480
- C:\Windows\System\tBfxHuF.exe
  C:\Windows\System\tBfxHuF.exe
  2⤵
  PID:10500
- C:\Windows\System\jpcUezI.exe
  C:\Windows\System\jpcUezI.exe
  2⤵
  PID:10516
- C:\Windows\System\JBQbiCG.exe
  C:\Windows\System\JBQbiCG.exe
  2⤵
  PID:10532
- C:\Windows\System\fitaOTV.exe
  C:\Windows\System\fitaOTV.exe
  2⤵
  PID:10552
- C:\Windows\System\ySspVwU.exe
  C:\Windows\System\ySspVwU.exe
  2⤵
  PID:10584
- C:\Windows\System\EGioqmF.exe
  C:\Windows\System\EGioqmF.exe
  2⤵
  PID:10616
- C:\Windows\System\psaEefZ.exe
  C:\Windows\System\psaEefZ.exe
  2⤵
  PID:10632
- C:\Windows\System\HrDLdgM.exe
  C:\Windows\System\HrDLdgM.exe
  2⤵
  PID:10656
- C:\Windows\System\YsSWDnP.exe
  C:\Windows\System\YsSWDnP.exe
  2⤵
  PID:10680
- C:\Windows\System\CRgyEzg.exe
  C:\Windows\System\CRgyEzg.exe
  2⤵
  PID:10780
- C:\Windows\System\WYpHKzn.exe
  C:\Windows\System\WYpHKzn.exe
  2⤵
  PID:10796
- C:\Windows\System\EfZqxcW.exe
  C:\Windows\System\EfZqxcW.exe
  2⤵
  PID:10816
- C:\Windows\System\GzjpGgr.exe
  C:\Windows\System\GzjpGgr.exe
  2⤵
  PID:10840
- C:\Windows\System\zhoWrNZ.exe
  C:\Windows\System\zhoWrNZ.exe
  2⤵
  PID:10912
- C:\Windows\System\YAlZDID.exe
  C:\Windows\System\YAlZDID.exe
  2⤵
  PID:10932
- C:\Windows\System\sJSYejk.exe
  C:\Windows\System\sJSYejk.exe
  2⤵
  PID:10956
- C:\Windows\System\rIGoZsQ.exe
  C:\Windows\System\rIGoZsQ.exe
  2⤵
  PID:10976
- C:\Windows\System\OsRfARO.exe
  C:\Windows\System\OsRfARO.exe
  2⤵
  PID:11044
- C:\Windows\System\TwnJkNe.exe
  C:\Windows\System\TwnJkNe.exe
  2⤵
  PID:11060
- C:\Windows\System\BxkaQQV.exe
  C:\Windows\System\BxkaQQV.exe
  2⤵
  PID:11104
- C:\Windows\System\TRhzjcW.exe
  C:\Windows\System\TRhzjcW.exe
  2⤵
  PID:11128
- C:\Windows\System\uViITWE.exe
  C:\Windows\System\uViITWE.exe
  2⤵
  PID:11144
- C:\Windows\System\VENjgSX.exe
  C:\Windows\System\VENjgSX.exe
  2⤵
  PID:11176
- C:\Windows\System\TGnIZyX.exe
  C:\Windows\System\TGnIZyX.exe
  2⤵
  PID:11192
- C:\Windows\System\lhsKTEk.exe
  C:\Windows\System\lhsKTEk.exe
  2⤵
  PID:11240
- C:\Windows\System\YWOsuzC.exe
  C:\Windows\System\YWOsuzC.exe
  2⤵
  PID:11260
- C:\Windows\System\yxZnIKE.exe
  C:\Windows\System\yxZnIKE.exe
  2⤵
  PID:10020
- C:\Windows\System\GPzaOWn.exe
  C:\Windows\System\GPzaOWn.exe
  2⤵
  PID:9756
- C:\Windows\System\WNFixCL.exe
  C:\Windows\System\WNFixCL.exe
  2⤵
  PID:10272
- C:\Windows\System\tKJxNUA.exe
  C:\Windows\System\tKJxNUA.exe
  2⤵
  PID:10320
- C:\Windows\System\OpHAerd.exe
  C:\Windows\System\OpHAerd.exe
  2⤵
  PID:10360
- C:\Windows\System\GluWASL.exe
  C:\Windows\System\GluWASL.exe
  2⤵
  PID:10388
- C:\Windows\System\TYTpxfE.exe
  C:\Windows\System\TYTpxfE.exe
  2⤵
  PID:10464
- C:\Windows\System\EGYtltT.exe
  C:\Windows\System\EGYtltT.exe
  2⤵
  PID:10508
- C:\Windows\System\qmzVQCE.exe
  C:\Windows\System\qmzVQCE.exe
  2⤵
  PID:10528
- C:\Windows\System\ccwEHHZ.exe
  C:\Windows\System\ccwEHHZ.exe
  2⤵
  PID:10648
- C:\Windows\System\IzHUfJW.exe
  C:\Windows\System\IzHUfJW.exe
  2⤵
  PID:10604
- C:\Windows\System\iAaptKv.exe
  C:\Windows\System\iAaptKv.exe
  2⤵
  PID:10668
- C:\Windows\System\EuZYTOu.exe
  C:\Windows\System\EuZYTOu.exe
  2⤵
  PID:560
- C:\Windows\System\zbABISs.exe
  C:\Windows\System\zbABISs.exe
  2⤵
  PID:10924
- C:\Windows\System\hSevBga.exe
  C:\Windows\System\hSevBga.exe
  2⤵
  PID:10892

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:11728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AGvQvbO.exe

Filesize
2.2MB

MD5
e30b8ee5f3258b287e870969e851b212

SHA1
612413137fc5e704753181cfc7502aecc0d0c06a

SHA256
cca151cb62ad03a63af50117d9d4d5bce4ead1b293c26d289c8754d7162f1e6e

SHA512
f846cf3f1b4466b7e4e95d8a9824683d0d86435f554e00f7fd13d53dc81428682841a04791cab0142aa009b7ccdcc61ee7ef41992eecf8c61caf815f88b1173b

Download Submit
C:\Windows\System\ARDBcjm.exe

Filesize
2.2MB

MD5
7ee5254224f1cf96d503fc62a3300328

SHA1
600da5ae329713254ad18ac546cb64b8e30bcf56

SHA256
887896d2532570b02c63244b1e2a2ddabb27504d28e9bf72c7cb93dc6b9277f7

SHA512
381594aee288a2a1c15b5729f6186ce9a97874262159301d521a2ba60e8b726d681815e27deee8c9bf0129442e4ee29b3145b050e1e73c8617b8235bec62e6f3

Download Submit
C:\Windows\System\FlnrjdO.exe

Filesize
2.2MB

MD5
473d04a2f7ca06dea455fac3d5e30b31

SHA1
dca508b31e5cd4be39cc67adcc251fbe85e856ab

SHA256
2ec7722c62f392989107a1530c0e0f00a773a057ecd66a96e7c5e4d7b07475bc

SHA512
02aede7257694e305eb7a4b54a4bc2c8b185695c291cdc3ad6d7f04f5ff2e9660174a9fb4aa3a68d5efa6b98f8cb08d16d2b7af6162c07ec6c63440e2660dbb6

Download Submit
C:\Windows\System\GJfkliq.exe

Filesize
2.2MB

MD5
97404d54bb29894ae0249c67e4e79ded

SHA1
bd1ca95f8bff45f75a287ecadb2bef1eccf79fa7

SHA256
6e37c08980b52b67fae22af46e5d7e065008f90cedbccb13916a0e7c9aacd9db

SHA512
7abd84a9fdf176b92e36dac0d562516a855e00106ebd2b06ff548b08d13afe5d6ac70172fb68b3cdef95bfbe4045a45caefda50727ff6a37a157eb79cdb09686

Download Submit
C:\Windows\System\GJfkliq.exe

Filesize
264KB

MD5
49787d9d4f2fbf56da757379fbbcd1c9

SHA1
b3a1fee2ffb65028cf7d127aba0372c0c9882f8d

SHA256
a1fdeff60a1621ac96463a5e796d7f84cb746e1c2e5d47d5cd78496cefab2e54

SHA512
0492b70fbaf1fdd12f1d465cea52398cf09f0afc6821e115688e162a031d05cc60877ee4a6a1784044a5684d45aa7c57d5bf7337d868978d5addfbc684b86f68

Download Submit
C:\Windows\System\HdSEJtg.exe

Filesize
2.2MB

MD5
7dbe2f0a6c5d64372e23cff219eb7c5a

SHA1
3c4ab4af7f634e0637a2386efa9a6e752b2939a2

SHA256
99ef9fe59fe6fd031379c5e69d6ebf5bc4acff3e18c85540553daa11f7030c1d

SHA512
9080e09280be75489059cb4bd3d70d9faab283f6f0d7dcf0e9ea0bd3c00fa37ca689240320c0d987ad3deffa0104e1c6c61a76c9b2b0f62cc1fcdec7446c0733

Download Submit
C:\Windows\System\HdSEJtg.exe

Filesize
59KB

MD5
5a708d542ce306ba406d46bbdb396511

SHA1
33c92f7a24b99604e273cb9efb642cf85a8574f3

SHA256
2b2c28621c0e111bccbedbf30f85e4cfc1cd99cf7495de7ba0271d5c417c1fa7

SHA512
9e3a088050357a990d9e51584eb9ad9c97d5c4d11ccf40a0e13ca1e6051a8420a723e2f11d06c140be7bd2e01fafff4d930285577e0a3d10e1fab9182bd7d94b

Download Submit
C:\Windows\System\IARqtHI.exe

Filesize
2.2MB

MD5
1074ac93864b84aabab9307fb83fbd86

SHA1
cd3e4416aba0333fe9487808cbaf4da779a9c35b

SHA256
cd595467d96cd9e60ef807544d9494dfa91aefc9906cb48e8eb7713494ec2921

SHA512
769af5f98825e375f133baa2eb4fd44690b9805738d7fb9339c41f20d3722489a01c19819c7746445a4afa60dc03f2a3660967126130140b786f8a4285799ee5

Download Submit
C:\Windows\System\IzFGHvf.exe

Filesize
2.2MB

MD5
6e2cc4788b654194fdb20ead18367e75

SHA1
84fc5045bffcf213de0f34c3d5578f728412d5b3

SHA256
03ba529723af23a24b6f5f2c36edad0268415d5e2b9beb143e03b792526ca59b

SHA512
a129466a4325728e38c42512231dd97662e2411aae5cd4830091a117e15a833213d391167b5beb3036eb5521eb38732eb1de64013bb180b53eb09ca216be73a1

Download Submit
C:\Windows\System\IzFGHvf.exe

Filesize
263KB

MD5
c751691efd98fedc8fcdf848e5441c6f

SHA1
7b316643e353287de1decf5b983683f52a78b7dd

SHA256
09c0c21e3876b02cd1733c7a095719d6f20c61f5c84e1d76ca4f3b99db79992f

SHA512
f5e922c2d364acbd631c88304ead851574965cc91721d89eececb2f9df8f86222fe77159e94e3b1c5cec429ec75e0763c2bf56a6086d7fd07877f916f89622fa

Download Submit
C:\Windows\System\KFRPHID.exe

Filesize
2.2MB

MD5
67d643dedd03ac286c2aaa581608d467

SHA1
2ed8ddc764a23f02e66d0b3d48863765ae041c64

SHA256
8f515494322fa4c3aaecf15a2ed06167b0fd3042dd6a99eb597db6a00becda94

SHA512
2e5857ed09c6ca4810cd96905d2b9b3c557aab2ae7c9439a61fba887fecfefd00676c654c45f4b26a6d481fec5662d8bf232c5fab7e4a1f860a8201030e4c542

Download Submit
C:\Windows\System\KZVpuWr.exe

Filesize
166KB

MD5
eaae893283481a37fcbbe020d3d697fd

SHA1
44ba48d15e8f0cd809b5d15b054cce1b3b6bc7e9

SHA256
2fcad26a0a6fac03d1251e27780c3a01c6270f4a9cf8abe58dadcad4a9523078

SHA512
b96f5a8d77ecb720bbf42cb35cdd49b098dd145357d9ddcd0c105340481dd345fe306d77664ff3faf4b591c4fc4137c1039e32b059a0020f0900eaa63fcadd5a

Download Submit
C:\Windows\System\KZVpuWr.exe

Filesize
113KB

MD5
6cd15a88d8b9bad08fe90cb7d952db6e

SHA1
27c92ec045309334488265226cf6644a7458df41

SHA256
bfd5b724d057f75cf1c902f877ad2bf1094266df57210b776d28ccc368297300

SHA512
567b9285226e4c89278992a80c0ee4568b7338418c180b2621df06b257add17345671ac4c720063a61814df80c03b86451fbabc203425fd10abc2f68784b8ad8

Download Submit
C:\Windows\System\KbbUcSr.exe

Filesize
551KB

MD5
82cc3ec9e595560e6a119194103360c9

SHA1
e00e82625984d67e03e6bb23712bf4f69715c288

SHA256
74c5608cf4e6e015271faf28ba980439f4aff619b0b888b3200db4db9699b5f4

SHA512
f4499317e915619cacb8bcc0e7fa62a6c522177e735260cb4501eb7d93491aaed142e50d7794f535ccee00b803db26e1ab463e075da01051856e8b843cb927f2

Download Submit
C:\Windows\System\KbbUcSr.exe

Filesize
738KB

MD5
3fdb1deb14f1de2ecf765555efea62e9

SHA1
3b2e0638d79cff56b0dfc82fca02ffc086d627c1

SHA256
18a0f0920aa8b0e815691e1410b73aca0d1dc34e21e14c237fa24f02b77deb19

SHA512
74fcc780eb3c7a43b2485ac218320755f5d47b278b7346574c3bf13836cc25183dd2e9c2053d687713fd363373ba239937867b0cdfbdfb59eca3245e0c0253ec

Download Submit
C:\Windows\System\KbbUcSr.exe

Filesize
1.1MB

MD5
a6eab68bc43a6280fbf6a4c85431abaa

SHA1
c776d4300439514f82c722f7b59315b44298777d

SHA256
d9e09aef9e24370d373778e4dfced54ba1635fea1d4344418ec5b275924bdda8

SHA512
e4743aa505bef2e8368530d18cd14cb255ed1b4427dea1f68315512175fb33dc6bfbe29ce823f5ac5431a37399c86961c431a972891e9ae580964108442195f7

Download Submit
C:\Windows\System\LWWGVaT.exe

Filesize
149KB

MD5
d3ed56f89d3c6247527c455f14dc66b1

SHA1
19ed5a8d81407715b17e420a0587f32cfa7ae417

SHA256
adea76aaecbf5ce9f007dde33ccac22b4d6601e977a8f03019c82010fc5acf15

SHA512
21014d096951a9f7e938436e7e19c88079f3a2fb45d09009423556451f4c5cb4b335fa03e63f3e095e063ffd6ca4dda0fc3d37fe26a98846de6dff0922bbc16d

Download Submit
C:\Windows\System\LWWGVaT.exe

Filesize
2.2MB

MD5
61d9bb6162ef51e9ab33fc40420279be

SHA1
8c9b171ba864d4b21dda39f42936b485094a226b

SHA256
1b7657ad7035f1e21183d606969aeae42e2bfc87491d4756e5989185f876b8c1

SHA512
fe462918e7afb40cacb96bfeaaf4243bfd7391366844716004b5ddb72ee6b08cde1db43eaa45ca03d47352fafa8a9b43b3e8ba50d6821f03b1c65410b9d2736f

Download Submit
C:\Windows\System\NNScqvX.exe

Filesize
2.2MB

MD5
5af45c919f83cd6b50ede405a629ae54

SHA1
a1e89414811cd7b3992d00d84a44a9a825674248

SHA256
8bc3fcc67ed49769b99da479213cc9c89345ffb1c9a260b58907c84fcdf066e3

SHA512
2a2236121d48898183b01ed61288a9223ab6ce9c688820919b4576c6b1790fb2fd10b804ff7ea0229dcebd796fc8245df32ffc5d60c8e7a660a43ef743dca06e

Download Submit
C:\Windows\System\NjMIYhD.exe

Filesize
281KB

MD5
c0f07e1d2f48f32f2861cef2e3bd4865

SHA1
115993dfc66226862ec3ab52f96a73d5050d79f7

SHA256
35e333262cbdb8e6c7791610c7e5b3d9f35c44ff74c6ca46efe8563fbcd068c1

SHA512
09c4f5674bfafaf4d9cff2999e7d2fe6e024791ca95f011f9e13dbb91a53129ee1efa2353d1f1a0bbc380783abda913b7ce30131684647719919451aecd84621

Download Submit
C:\Windows\System\NjMIYhD.exe

Filesize
2.2MB

MD5
2a985ba7c0dff5f5d82aa05bbd4cf178

SHA1
7519e4c931f946aa1f9acd0f3c42c21364a005fc

SHA256
70231fe83a272b03c6d75e9a06c7dfbeb555941cd8025df4629f1dd4fe973b56

SHA512
c62371443283a667ab46bfdfa77b7e4a29555e57aee024cf5099763acb2fc687652b6d328381efe0bfa676639f648f419512a97a7cff9224849b81b0161a0f3e

Download Submit
C:\Windows\System\QcDfhQF.exe

Filesize
2.2MB

MD5
a6c8f3ca8d7cb631d0113dd5c8017e4e

SHA1
843fc5e8625c2074e983b9a1113124e2c7afd7ed

SHA256
426dca6424a4ebbfe217191c5831a70705e9ad01a78052a66f10ae878f11a42e

SHA512
fa41d54bde14edba9e5026d62869c85c249cc808cc5c93e09fe3d949de09990084870c205c5bdbe11ae4887b918a1c70aaf303dacf7a4c21cc7a01c8cf387653

Download Submit
C:\Windows\System\SYOKjVj.exe

Filesize
2.2MB

MD5
cd1a3f6744f09defc41989d9b8ef00b1

SHA1
6cc62ffbdaa8ceded629ab98e1d4d6af523fc845

SHA256
a06fa07b439e7bfdea3f98baa5c33f71abcff4273847929ee932beef75a75446

SHA512
27ac26d22b28bb923cb6b3847b7b248fd38d19907e6fae6306e27952e0e1a26998c11233fe8cdee90500bef5ae9e211991b88849e948ff592232b4de02deaf2a

Download Submit
C:\Windows\System\SYOKjVj.exe

Filesize
63KB

MD5
694f2567718132e13b758ed455edfc08

SHA1
df7092d7a0bd7492d2eabb8cf74bbb9db34452d1

SHA256
9ff8a5f090948b4a445a85cfa5fc58929b4eff564139fd2002f329a4c2c34d3e

SHA512
348b4d2eb4c0e7a7dd4b3e2d56f91d3ab2bcadb6921fa7646734e71e90e94d0e4bf9e0b58a3d24c40ba4515e585b0240902e699f606525fb42a5d41ade676e60

Download Submit
C:\Windows\System\TQBHGfE.exe

Filesize
832KB

MD5
fe23d8f2a683ea3c37e211db5c47c198

SHA1
c8d98757080f758fa71fe2947f967f4c2ba26b77

SHA256
e791fb8dbe7f5a7d384dc32653c49cf355982fbc2394ea1e3030cd6ebb798cb8

SHA512
ff5ab31bffe4dcd555455f3d81b2d9fca6cd687b604f37f4aa99e780677c84919321fd43b5fd13f9cb6081978b182fef58c2564f773d39cf2fefe33142ce3656

Download Submit
C:\Windows\System\TQBHGfE.exe

Filesize
818KB

MD5
c9720cddbc4e9d16c8b499a98662be62

SHA1
0ebffe3815ff0f606faaa28875b278720d90c26d

SHA256
3339f3b7e0d112e8ae98a6e5ecb07cf9faa1caee3f651a4eedf2c138d8fc0d9d

SHA512
564e76acd8106caf9267ab433ea8eb2286a6e88132cb38e728a77d6c2cd2751ad6eaa7667fb00f6bace833f908712cf2ca92776c0528ea2c6838b77cc121626f

Download Submit
C:\Windows\System\WBXuxgO.exe

Filesize
2.2MB

MD5
5658677b26fac95e1446f6b5a1ee4f33

SHA1
251fd5b90f477af7be983e7f83fea587c948dbcf

SHA256
312ecb237600e1d932a71f7edb826805d2fa2994a10fd16f9d8a60a624c5401e

SHA512
ca390bb51c4425f80cdf5d30ea7d9fa2758178f1ba4c9277fcd9b4a1fbd36ce80ed04ee7536bc212ac251f454623cc4be23a8f9da7178e5be9ceb21229720f0a

Download Submit
C:\Windows\System\YjeygeI.exe

Filesize
285KB

MD5
f2f3b5ea798aee1f924681b4b3e39e82

SHA1
86305369874a18ab6f474f5d62119c48f83a52e6

SHA256
999cf3cd08a930dcaeedda1ee23178040c895278aa367eb512f668052e7882c2

SHA512
5d229b8ee1ea6dc074511feba194dc216e3f441738bd5f56721beb289a84d12d1bca6a52853c433a6fd0dee4412972d4ebcf06f78f8c268f49ad74e0c1e1945c

Download Submit
C:\Windows\System\YjeygeI.exe

Filesize
2.2MB

MD5
e8546c1635b862c86555709580a3f81a

SHA1
ef0bdf1b9d0537c1ce2f121113d528c70db91631

SHA256
035d0071d3e58d8c264ffda2810f9960f687b259b6d080ebc7f5b2da9cbc945f

SHA512
91109e1d0107ff00d688946eca6de29331f2c4c69df2f0f8ee1c3f62ad13068d0f720ddb0fb0823b3c22eefccc9948ed3622a2843924884b7e99683dc03377f9

Download Submit
C:\Windows\System\ZCRXPCL.exe

Filesize
2.2MB

MD5
ddc9481ff9a54eccfadc71346f39b0cd

SHA1
751177f885c7b30886d2122bda3e346b5fe9bb2c

SHA256
e9798569586ccfe1a40033784fecc04f8da3c847a3a9a3f823fd964ab1f124c8

SHA512
fc78b86ea0f696395a402346e4f549e855e669d4e542c9fb23927b6f9564ea8847cdcfafdf25cbe509bc7ffc67efb08d8d3362427ef029af5ad44e061aa32789

Download Submit
C:\Windows\System\ZJlQnSJ.exe

Filesize
2.2MB

MD5
12089e4e31984eb123c1b42f5b768659

SHA1
471f167e58fee2a78c6f74db3e5ba2b774f24a1f

SHA256
b721aeb023f07294ac8dbda598b356fd20cb4cf8424577b99d63531d5c257d0f

SHA512
485cb00aad1b908a279a1b2cb0472b4e658a4c2e822e3b4e0e51d71596c7e41f636b558418e164eafa9fff349f4db02c5ba2a5e661c8b3bb1469414e1c028880

Download Submit
C:\Windows\System\aatrscV.exe

Filesize
430KB

MD5
6b18fc5928257bccaef358ba313e2006

SHA1
5a7590383d28299f3be9ff8726806897687b9db3

SHA256
6a7cdef920d62617191d7e50e49219568a880eecb06ad86741d58347a6c583eb

SHA512
2c2262201a826cad54875b3b37620a341fa04458e711c9fefa51703b4ca8a3c62d9683312822a5b5c2b6cdd3a9af3ce69ba44c1d015ddf5c9fc4457d9d0483c6

Download Submit
C:\Windows\System\aatrscV.exe

Filesize
2.2MB

MD5
c64310add6cfe3ac67963c9c5218a0ac

SHA1
6fc82387e41d6c8a0fb50d657ae73c7f9de063e1

SHA256
c449bef154c0f7394ca3bdb9fa0546b864036ba252aed5032860c459b7b0bb40

SHA512
acee63fd546839e0a483cc74bbfa50bbfc9cfac6ae34c8f6939bfe90c9258210a402b067723517006a53d0a8fb0f23e5d78573cf83e5f3dee23db26088d554bd

Download Submit
C:\Windows\System\aePirmn.exe

Filesize
450KB

MD5
f5bf6a074574fd0fe82d57010bc3df7e

SHA1
7254638c86b1ead4432d719d284d16c8ce1296e4

SHA256
4153cca570d625dc8f6596cff94259ddb934b9acb95994686ef2bfb653b9593d

SHA512
67f1de1bfa0c863e8e47d46203708eeea901559a0534fada54584d80856429a1f29dae43a2777bf9c5c20a7a1fe2317ec7876c46e4c46b0784510fb51efbbbbf

Download Submit
C:\Windows\System\eDFMjnY.exe

Filesize
2.2MB

MD5
4825c6119b92f88fd75487c291f736e2

SHA1
4f8905a87b8b643c784b3db7b1450067b18b2e50

SHA256
b9595f146f626bb187a1947eea3872a8bf733275d4edd243e9283b2c9b2b9119

SHA512
923d2776574a6a68adbca4b7e159b948c99da957272458d3ab7ba6c36d887c25b95994d934ee06b71eade47ad5358402eb8e2bcbe283be825f47668c18c3d0d5

Download Submit
C:\Windows\System\ebQPwma.exe

Filesize
2.2MB

MD5
824afe7aab2bb0054bc3f2c6c5ea4da6

SHA1
134d282c59df645b0507722472fb7383dbb2c5f7

SHA256
d7bd4f3688d013df0511ec34411f9566ed08d8ef9550ed7ea30b2f606e34d533

SHA512
aa833366bc39a39b41fc8845f5ac724ce697b061ba806224738371b4fe1af846e34bc6d65d0a67534e743e8a35638ae2b27ea585721cb9837ae8259119b7e328

Download Submit
C:\Windows\System\ebQPwma.exe

Filesize
64KB

MD5
51e4020b90426a266032ae5bcb74e5b3

SHA1
242fa8dc7d05d7b78f629fe2652627274810a122

SHA256
5984cb4794a67b4fd33c39a8582f294030d387db17fdb4933391142fb7f614c6

SHA512
5acda5a7b0ce962164cbb0c2fe75fb43a2d35d269fbb33e0eda06f3daf5a3cc37b11c0b76c58b3b3846604a879813821c87b0ead541065090905bfc897125758

Download Submit
C:\Windows\System\hmxseOV.exe

Filesize
2.2MB

MD5
ab6e6d5ae2534e98c1735fb83ccc3c43

SHA1
ee4d2a90b3fa32643d5055743d3d7f031629505e

SHA256
227b32b928e9a032bf91961f225aa7cfc59651113448f12fe5b611fb3994fac8

SHA512
b0469eb2b21662eaff167505dd7c448e0b9e00f1396fd7a9298917e692745181155f79cd92dd588b660088255f29a277592d6997589a2762893355a1c8245cdc

Download Submit
C:\Windows\System\hmxseOV.exe

Filesize
315KB

MD5
05ce66bf73c6ca213328d2b116ffd9d6

SHA1
df47645f3374c6f9c503af85840703c88d846bec

SHA256
53eb66833a8de12d64235e9b5fac5ca92388e89210e62b374999f589cc4fbe03

SHA512
410809d2e03a9e75ef6108c43babfcda646bd038b15821a25920405882cb5201a9633c3c5b4073ec5cd4ad979afad0abc28ff078509e93920f0a4ed651070383

Download Submit
C:\Windows\System\kqNVnwM.exe

Filesize
2.2MB

MD5
d530d537527e75123d3e020e5c8171c9

SHA1
3e59fce6f01def7bd9dfc0d22ded7ee4eb38239f

SHA256
26d25254933f3f5e3e72a0ceb594003e99260cbe497ff340cc60b8c72a59ac2a

SHA512
86489c056af7cb50940c587b91a1e4407c0b1d1530c8aa2f139090cf1abeb27c8f8ca1c98d185772deb47831ed54d5e939f15ce7e0ad2fd1f93470fba9481dd2

Download Submit
C:\Windows\System\kqNVnwM.exe

Filesize
84KB

MD5
e5a4cf2e55d8bced515c9dd4b7baa0ee

SHA1
25180ae1ca281629590b9d595a61333d351ce42f

SHA256
223e071ee624e6699257367e86de00f2efa80d32c6f48b9e6be5d13ddb250c51

SHA512
dcf58ffb458f40f18b46e14a10767f3836af78abe432ddecb43cc42df075f99262e02afdbe5ffa9f7d58727f3a5099556d1ed2dec31bdc0477d5374fcdb8b837

Download Submit
C:\Windows\System\lykXzrg.exe

Filesize
576KB

MD5
2b325ba998218e1724cf0adeb30ee980

SHA1
91c91f972b93ca21c02dbae5cc375d4e1212c0a0

SHA256
3b509ef9edb2905d68e114a86a101a00bf7ea4fa51d16ade0566e14bca5a50a9

SHA512
d7398cce9bbdb945487f66d7ab2c5fc7624933379c2058d1b197daa7f380b66de5a2145bdf0033355e795b1072c67b0031b7045307d04119888457779d707df5

Download Submit
C:\Windows\System\lykXzrg.exe

Filesize
2.2MB

MD5
11fa6d0c390b1bd70532a7a70ac20190

SHA1
b129c0be9ba59a6cbd8d3fb1762972f1a4fe0065

SHA256
6c6009e33af3e7047971e0ab5da86814731dda912ec7b3d3d8d1d82aea5e1311

SHA512
ca00b8a457e3a38109392b1d75aa2e32aadb46381362d64715b5bba6a678ed395978550568a904d9352e12a3397524f140c21af25db196d3bd5624c261b6296e

Download Submit
C:\Windows\System\npdKNMw.exe

Filesize
2.2MB

MD5
66ba57712a1192cfa92c9b7744f2664f

SHA1
d12042b7c46216db2ed58f7a1ea9eb181486dd30

SHA256
1399e019e3b69e0056eb1257cc10c3ad7e2336356482c89666e0a247cf54b8ed

SHA512
196e6d30f0d659e755e67ded71e2a8f54c72408c4a0a7b0103f710cca3891e931866cae4e38009228018d68f7a6df4e0ae4409d42a8b3187dfbb863c24c9a559

Download Submit
C:\Windows\System\pwVDCCo.exe

Filesize
2.2MB

MD5
56a365fe4ffcaa287efddaf0813a5bfd

SHA1
f08bce0a17be72a1e162aa0f85e5c8699cead2d8

SHA256
04f3fcd877473ea2fbe4177190b8af4a0ec480b3ec2bb509c26b801407473b87

SHA512
bf807995f631cf064474207c45b1585013a916a21ca801b9afb28d0064897523b461568c030fd92af2ca9dc003873778d5ea00ebdf30bed99ee92f916645f436

Download Submit
C:\Windows\System\rQYvFQW.exe

Filesize
2.2MB

MD5
3940bd45c1b92bccc079904525070aa8

SHA1
ef747daf71d27944ef9227a49e6582c96ad9bc00

SHA256
74dd7c5fc95356a2417dc5ac14eaa116c516029aa4affd61b4482c6cfb59a232

SHA512
02b9d29330425de24c3812ab306652298c4decb037284b93ca3d939bb3e55d7dac4a935cb49382216f3dfd88d90f44840197d111028185e74695c0bd1a0534c0

Download Submit
C:\Windows\System\vFkRHRk.exe

Filesize
2.2MB

MD5
b8443bd41cc3d69c3d8a6a2aa232b265

SHA1
14abc90de815ef30d059525716999ee66b982d9d

SHA256
b4d2ce5801716629779fe6ab81003819766e9c26ba306169ec7a7150ec21b355

SHA512
0529d72a1b833b8393ba86d6dbb8aad4cf736b10cc952996517085e9e22a13c820d0d6fbb57801883c140f0001c1f1a5b6f04ffbbffc686733b3268275da23ee

Download Submit
C:\Windows\System\yXeDJTR.exe

Filesize
2.2MB

MD5
92d3c0d1ace20945d3c1ab3f1e9b4644

SHA1
2305fd038fc67ce1125549e1e8cca1373147b2f2

SHA256
4d6732061525bac639fa49cfa0ea85b3b11743cad50cd5d600a2b8ec3d802f31

SHA512
aecdb2a5eaf115465a76dc232fa9f94616d118e7a9b190d5abfca8cfd9d8419375b03aea74c070585eedb6407c9d62393d66fb271d8ca62feac88c48dc295f02

Download Submit
C:\Windows\System\ziakRkd.exe

Filesize
1.0MB

MD5
9f8b72f3d5b5802c014af354ce1a8c70

SHA1
d4cfa987d4a5f4ee5b4a82a0fda338fdf3d4527c

SHA256
ed7484dd9e2e03e2748220f703e5b667564e0b8aebd78eceafa32b6eefd4d56f

SHA512
67c6a5b7cc4aa0586cde5ac6c0f64a35c84511bc64a52897b2e624f13e48e064991c3b22aa8e771301f52de05542212336ce23110ad07f61340bf126ed7834b6

Download Submit
C:\Windows\System\ziakRkd.exe

Filesize
2.2MB

MD5
8688164cfac3c7512344c6cd7248281f

SHA1
666ed5a3eb4fbfbec2829ad1c59e3161afc5e50d

SHA256
349650d975b94783f95feee876b4eadb487465f6bf842657ede0281713873c7c

SHA512
81015378242d8c1014f8b90444390b65fd96891ff62d93b7308646aac45452b92900a7b7145592802fa451d5bbb089dfdcc46bfe1b060a4c57085a1a8f79cc6a

Download Submit
memory/388-368-0x00007FF693EE0000-0x00007FF694234000-memory.dmp

Filesize
3.3MB

Download
memory/404-207-0x00007FF612D90000-0x00007FF6130E4000-memory.dmp

Filesize
3.3MB

Download
memory/548-15-0x00007FF675990000-0x00007FF675CE4000-memory.dmp

Filesize
3.3MB

Download
memory/760-202-0x00007FF679F60000-0x00007FF67A2B4000-memory.dmp

Filesize
3.3MB

Download
memory/872-119-0x00007FF6344C0000-0x00007FF634814000-memory.dmp

Filesize
3.3MB

Download
memory/988-306-0x00007FF6CBAD0000-0x00007FF6CBE24000-memory.dmp

Filesize
3.3MB

Download
memory/1020-623-0x00007FF755DC0000-0x00007FF756114000-memory.dmp

Filesize
3.3MB

Download
memory/1380-141-0x00007FF720FC0000-0x00007FF721314000-memory.dmp

Filesize
3.3MB

Download
memory/1536-455-0x00007FF7C50F0000-0x00007FF7C5444000-memory.dmp

Filesize
3.3MB

Download
memory/1540-502-0x00007FF64DA40000-0x00007FF64DD94000-memory.dmp

Filesize
3.3MB

Download
memory/1676-391-0x00007FF6BF440000-0x00007FF6BF794000-memory.dmp

Filesize
3.3MB

Download
memory/1752-508-0x00007FF673C60000-0x00007FF673FB4000-memory.dmp

Filesize
3.3MB

Download
memory/1812-603-0x00007FF6EC6D0000-0x00007FF6ECA24000-memory.dmp

Filesize
3.3MB

Download
memory/1876-345-0x00007FF676030000-0x00007FF676384000-memory.dmp

Filesize
3.3MB

Download
memory/1956-353-0x00007FF6D6770000-0x00007FF6D6AC4000-memory.dmp

Filesize
3.3MB

Download
memory/2028-426-0x00007FF619410000-0x00007FF619764000-memory.dmp

Filesize
3.3MB

Download
memory/2044-436-0x00007FF798940000-0x00007FF798C94000-memory.dmp

Filesize
3.3MB

Download
memory/2076-166-0x00007FF7BD030000-0x00007FF7BD384000-memory.dmp

Filesize
3.3MB

Download
memory/2212-148-0x00007FF6211E0000-0x00007FF621534000-memory.dmp

Filesize
3.3MB

Download
memory/2316-295-0x00007FF6CF4C0000-0x00007FF6CF814000-memory.dmp

Filesize
3.3MB

Download
memory/2444-83-0x00007FF6DC570000-0x00007FF6DC8C4000-memory.dmp

Filesize
3.3MB

Download
memory/2516-160-0x00007FF77D4B0000-0x00007FF77D804000-memory.dmp

Filesize
3.3MB

Download
memory/2556-102-0x00007FF7EC660000-0x00007FF7EC9B4000-memory.dmp

Filesize
3.3MB

Download
memory/2612-35-0x00007FF7C3740000-0x00007FF7C3A94000-memory.dmp

Filesize
3.3MB

Download
memory/2636-187-0x00007FF60A360000-0x00007FF60A6B4000-memory.dmp

Filesize
3.3MB

Download
memory/2652-320-0x00007FF687E70000-0x00007FF6881C4000-memory.dmp

Filesize
3.3MB

Download
memory/2836-26-0x00007FF60BEB0000-0x00007FF60C204000-memory.dmp

Filesize
3.3MB

Download
memory/2892-527-0x00007FF77B2B0000-0x00007FF77B604000-memory.dmp

Filesize
3.3MB

Download
memory/2988-105-0x00007FF69F290000-0x00007FF69F5E4000-memory.dmp

Filesize
3.3MB

Download
memory/3004-535-0x00007FF681BC0000-0x00007FF681F14000-memory.dmp

Filesize
3.3MB

Download
memory/3020-408-0x00007FF63ACB0000-0x00007FF63B004000-memory.dmp

Filesize
3.3MB

Download
memory/3036-565-0x00007FF7E0610000-0x00007FF7E0964000-memory.dmp

Filesize
3.3MB

Download
memory/3068-556-0x00007FF783DA0000-0x00007FF7840F4000-memory.dmp

Filesize
3.3MB

Download
memory/3180-438-0x00007FF6FBC60000-0x00007FF6FBFB4000-memory.dmp

Filesize
3.3MB

Download
memory/3244-123-0x00007FF7BB310000-0x00007FF7BB664000-memory.dmp

Filesize
3.3MB

Download
memory/3248-44-0x00007FF6EAA80000-0x00007FF6EADD4000-memory.dmp

Filesize
3.3MB

Download
memory/3264-297-0x00007FF68AEA0000-0x00007FF68B1F4000-memory.dmp

Filesize
3.3MB

Download
memory/3340-546-0x00007FF60BAF0000-0x00007FF60BE44000-memory.dmp

Filesize
3.3MB

Download
memory/3412-495-0x00007FF61E1E0000-0x00007FF61E534000-memory.dmp

Filesize
3.3MB

Download
memory/3468-135-0x00007FF7DE650000-0x00007FF7DE9A4000-memory.dmp

Filesize
3.3MB

Download
memory/3524-179-0x00007FF7A7E40000-0x00007FF7A8194000-memory.dmp

Filesize
3.3MB

Download
memory/3604-76-0x00007FF67ABC0000-0x00007FF67AF14000-memory.dmp

Filesize
3.3MB

Download
memory/3820-464-0x00007FF686E30000-0x00007FF687184000-memory.dmp

Filesize
3.3MB

Download
memory/3984-442-0x00007FF6B5AF0000-0x00007FF6B5E44000-memory.dmp

Filesize
3.3MB

Download
memory/4052-63-0x00007FF7DD120000-0x00007FF7DD474000-memory.dmp

Filesize
3.3MB

Download
memory/4140-583-0x00007FF601F50000-0x00007FF6022A4000-memory.dmp

Filesize
3.3MB

Download
memory/4220-384-0x00007FF711C90000-0x00007FF711FE4000-memory.dmp

Filesize
3.3MB

Download
memory/4360-174-0x00007FF723D80000-0x00007FF7240D4000-memory.dmp

Filesize
3.3MB

Download
memory/4380-185-0x00007FF6913B0000-0x00007FF691704000-memory.dmp

Filesize
3.3MB

Download
memory/4436-443-0x00007FF64A240000-0x00007FF64A594000-memory.dmp

Filesize
3.3MB

Download
memory/4472-465-0x00007FF69E9B0000-0x00007FF69ED04000-memory.dmp

Filesize
3.3MB

Download
memory/4716-486-0x00007FF7E5200000-0x00007FF7E5554000-memory.dmp

Filesize
3.3MB

Download
memory/4724-419-0x00007FF6AE7E0000-0x00007FF6AEB34000-memory.dmp

Filesize
3.3MB

Download
memory/4732-130-0x00007FF713FF0000-0x00007FF714344000-memory.dmp

Filesize
3.3MB

Download
memory/4780-170-0x00007FF628640000-0x00007FF628994000-memory.dmp

Filesize
3.3MB

Download
memory/4868-1-0x0000015C70270000-0x0000015C70280000-memory.dmp

Filesize
64KB

Download
memory/4868-0-0x00007FF723110000-0x00007FF723464000-memory.dmp

Filesize
3.3MB

Download
memory/4876-296-0x00007FF7B6290000-0x00007FF7B65E4000-memory.dmp

Filesize
3.3MB

Download
memory/4892-94-0x00007FF7A1700000-0x00007FF7A1A54000-memory.dmp

Filesize
3.3MB

Download
memory/4976-191-0x00007FF73D5C0000-0x00007FF73D914000-memory.dmp

Filesize
3.3MB

Download
memory/4988-298-0x00007FF672120000-0x00007FF672474000-memory.dmp

Filesize
3.3MB

Download
memory/5076-57-0x00007FF7ECD10000-0x00007FF7ED064000-memory.dmp

Filesize
3.3MB

Download
memory/5088-198-0x00007FF6771B0000-0x00007FF677504000-memory.dmp

Filesize
3.3MB

Download
memory/5092-199-0x00007FF686F90000-0x00007FF6872E4000-memory.dmp

Filesize
3.3MB

Download
memory/5100-316-0x00007FF7C6700000-0x00007FF7C6A54000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads