xmrig | 5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
Size

1.8MB
MD5

4d9ee15d4578cb9e80961e9924c2bae6
SHA1

37054cb0de898bfbb2d0ee6c3e59f181760786af
SHA256

5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf
SHA512

d5bbec6ec34274cf6578945881359d543518168849092a10b4a84705c4815e804a58e5860c2852e36a2a2070e8b66f51b83ae9d4a4fc55d2b930020fd5027c12
SSDEEP

49152:BezaTF8FcNkNdfE0pZ9ozt4wIXxeHNEXYG:BemTLkNdfE0pZrr

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/3656-0-0x00007FF7AE190000-0x00007FF7AE4E4000-memory.dmp	UPX
behavioral2/files/0x000d000000023152-5.dat	UPX
behavioral2/files/0x000d000000023152-10.dat	UPX
behavioral2/files/0x000a0000000231ff-23.dat	UPX
behavioral2/memory/3848-19-0x00007FF7490C0000-0x00007FF749414000-memory.dmp	UPX
behavioral2/files/0x000700000002320a-17.dat	UPX
behavioral2/files/0x000700000002320b-22.dat	UPX
behavioral2/files/0x000700000002320b-29.dat	UPX
behavioral2/files/0x000700000002320e-34.dat	UPX
behavioral2/files/0x0007000000023210-53.dat	UPX
behavioral2/memory/556-58-0x00007FF7335D0000-0x00007FF733924000-memory.dmp	UPX
behavioral2/files/0x0007000000023212-70.dat	UPX
behavioral2/files/0x0007000000023213-73.dat	UPX
behavioral2/files/0x0007000000023215-89.dat	UPX
behavioral2/memory/1692-95-0x00007FF68C7B0000-0x00007FF68CB04000-memory.dmp	UPX
behavioral2/files/0x0007000000023219-107.dat	UPX
behavioral2/memory/3164-109-0x00007FF6FABB0000-0x00007FF6FAF04000-memory.dmp	UPX
behavioral2/memory/2628-111-0x00007FF6611C0000-0x00007FF661514000-memory.dmp	UPX
behavioral2/memory/4552-113-0x00007FF665A50000-0x00007FF665DA4000-memory.dmp	UPX
behavioral2/memory/4100-112-0x00007FF7D1BF0000-0x00007FF7D1F44000-memory.dmp	UPX
behavioral2/memory/2620-110-0x00007FF6E25F0000-0x00007FF6E2944000-memory.dmp	UPX
behavioral2/memory/4212-108-0x00007FF6DFEE0000-0x00007FF6E0234000-memory.dmp	UPX
behavioral2/memory/3364-106-0x00007FF65AE10000-0x00007FF65B164000-memory.dmp	UPX
behavioral2/files/0x0007000000023218-105.dat	UPX
behavioral2/memory/1752-104-0x00007FF795A90000-0x00007FF795DE4000-memory.dmp	UPX
behavioral2/memory/672-102-0x00007FF703810000-0x00007FF703B64000-memory.dmp	UPX
behavioral2/files/0x0009000000023207-91.dat	UPX
behavioral2/files/0x0007000000023216-85.dat	UPX
behavioral2/files/0x0007000000023214-75.dat	UPX
behavioral2/memory/116-72-0x00007FF767D70000-0x00007FF7680C4000-memory.dmp	UPX
behavioral2/memory/2636-69-0x00007FF775760000-0x00007FF775AB4000-memory.dmp	UPX
behavioral2/files/0x0007000000023213-67.dat	UPX
behavioral2/memory/2244-66-0x00007FF621840000-0x00007FF621B94000-memory.dmp	UPX
behavioral2/files/0x0007000000023212-59.dat	UPX
behavioral2/memory/1432-55-0x00007FF7E5A30000-0x00007FF7E5D84000-memory.dmp	UPX
behavioral2/files/0x0007000000023211-52.dat	UPX
behavioral2/files/0x000700000002320f-50.dat	UPX
behavioral2/files/0x0007000000023210-47.dat	UPX
behavioral2/memory/3984-41-0x00007FF79E830000-0x00007FF79EB84000-memory.dmp	UPX
behavioral2/files/0x000700000002320d-37.dat	UPX
behavioral2/files/0x000700000002320c-35.dat	UPX
behavioral2/memory/380-28-0x00007FF640310000-0x00007FF640664000-memory.dmp	UPX
behavioral2/files/0x000a0000000231ff-8.dat	UPX
behavioral2/memory/1896-9-0x00007FF636F60000-0x00007FF6372B4000-memory.dmp	UPX
behavioral2/files/0x000700000002320a-7.dat	UPX
behavioral2/memory/544-133-0x00007FF787810000-0x00007FF787B64000-memory.dmp	UPX
behavioral2/files/0x000700000002321a-122.dat	UPX
behavioral2/files/0x000700000002321a-119.dat	UPX
behavioral2/memory/4372-158-0x00007FF6BE490000-0x00007FF6BE7E4000-memory.dmp	UPX
behavioral2/files/0x000700000002322d-201.dat	UPX
behavioral2/memory/2952-228-0x00007FF792480000-0x00007FF7927D4000-memory.dmp	UPX
behavioral2/memory/4716-245-0x00007FF6BB160000-0x00007FF6BB4B4000-memory.dmp	UPX
behavioral2/memory/4396-206-0x00007FF6F4280000-0x00007FF6F45D4000-memory.dmp	UPX
behavioral2/files/0x000700000002321e-191.dat	UPX
behavioral2/memory/3720-187-0x00007FF63A7A0000-0x00007FF63AAF4000-memory.dmp	UPX
behavioral2/files/0x0007000000023223-174.dat	UPX
behavioral2/files/0x000700000002321b-144.dat	UPX
behavioral2/files/0x0007000000023221-143.dat	UPX
behavioral2/files/0x0007000000023220-140.dat	UPX
behavioral2/files/0x000700000002321f-139.dat	UPX
behavioral2/files/0x000700000002321e-138.dat	UPX
behavioral2/files/0x000700000002321c-137.dat	UPX
behavioral2/memory/4472-254-0x00007FF6B5FE0000-0x00007FF6B6334000-memory.dmp	UPX
behavioral2/memory/2400-285-0x00007FF64A840000-0x00007FF64AB94000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3656-0-0x00007FF7AE190000-0x00007FF7AE4E4000-memory.dmp	xmrig
behavioral2/files/0x000d000000023152-5.dat	xmrig
behavioral2/files/0x000d000000023152-10.dat	xmrig
behavioral2/files/0x000a0000000231ff-23.dat	xmrig
behavioral2/memory/3848-19-0x00007FF7490C0000-0x00007FF749414000-memory.dmp	xmrig
behavioral2/files/0x000700000002320a-17.dat	xmrig
behavioral2/files/0x000700000002320b-22.dat	xmrig
behavioral2/files/0x000700000002320b-29.dat	xmrig
behavioral2/files/0x000700000002320e-34.dat	xmrig
behavioral2/files/0x0007000000023210-53.dat	xmrig
behavioral2/memory/556-58-0x00007FF7335D0000-0x00007FF733924000-memory.dmp	xmrig
behavioral2/files/0x0007000000023212-70.dat	xmrig
behavioral2/files/0x0007000000023213-73.dat	xmrig
behavioral2/files/0x0007000000023215-89.dat	xmrig
behavioral2/memory/1692-95-0x00007FF68C7B0000-0x00007FF68CB04000-memory.dmp	xmrig
behavioral2/files/0x0007000000023219-107.dat	xmrig
behavioral2/memory/3164-109-0x00007FF6FABB0000-0x00007FF6FAF04000-memory.dmp	xmrig
behavioral2/memory/2628-111-0x00007FF6611C0000-0x00007FF661514000-memory.dmp	xmrig
behavioral2/memory/4552-113-0x00007FF665A50000-0x00007FF665DA4000-memory.dmp	xmrig
behavioral2/memory/4100-112-0x00007FF7D1BF0000-0x00007FF7D1F44000-memory.dmp	xmrig
behavioral2/memory/2620-110-0x00007FF6E25F0000-0x00007FF6E2944000-memory.dmp	xmrig
behavioral2/memory/4212-108-0x00007FF6DFEE0000-0x00007FF6E0234000-memory.dmp	xmrig
behavioral2/memory/3364-106-0x00007FF65AE10000-0x00007FF65B164000-memory.dmp	xmrig
behavioral2/files/0x0007000000023218-105.dat	xmrig
behavioral2/memory/1752-104-0x00007FF795A90000-0x00007FF795DE4000-memory.dmp	xmrig
behavioral2/memory/672-102-0x00007FF703810000-0x00007FF703B64000-memory.dmp	xmrig
behavioral2/files/0x0009000000023207-91.dat	xmrig
behavioral2/files/0x0007000000023216-85.dat	xmrig
behavioral2/files/0x0007000000023214-75.dat	xmrig
behavioral2/memory/116-72-0x00007FF767D70000-0x00007FF7680C4000-memory.dmp	xmrig
behavioral2/memory/2636-69-0x00007FF775760000-0x00007FF775AB4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023213-67.dat	xmrig
behavioral2/memory/2244-66-0x00007FF621840000-0x00007FF621B94000-memory.dmp	xmrig
behavioral2/files/0x0007000000023212-59.dat	xmrig
behavioral2/memory/1432-55-0x00007FF7E5A30000-0x00007FF7E5D84000-memory.dmp	xmrig
behavioral2/files/0x0007000000023211-52.dat	xmrig
behavioral2/files/0x000700000002320f-50.dat	xmrig
behavioral2/files/0x0007000000023210-47.dat	xmrig
behavioral2/memory/3984-41-0x00007FF79E830000-0x00007FF79EB84000-memory.dmp	xmrig
behavioral2/files/0x000700000002320d-37.dat	xmrig
behavioral2/files/0x000700000002320c-35.dat	xmrig
behavioral2/memory/380-28-0x00007FF640310000-0x00007FF640664000-memory.dmp	xmrig
behavioral2/files/0x000a0000000231ff-8.dat	xmrig
behavioral2/memory/1896-9-0x00007FF636F60000-0x00007FF6372B4000-memory.dmp	xmrig
behavioral2/files/0x000700000002320a-7.dat	xmrig
behavioral2/memory/544-133-0x00007FF787810000-0x00007FF787B64000-memory.dmp	xmrig
behavioral2/files/0x000700000002321a-122.dat	xmrig
behavioral2/files/0x000700000002321a-119.dat	xmrig
behavioral2/memory/4372-158-0x00007FF6BE490000-0x00007FF6BE7E4000-memory.dmp	xmrig
behavioral2/files/0x000700000002322d-201.dat	xmrig
behavioral2/memory/2952-228-0x00007FF792480000-0x00007FF7927D4000-memory.dmp	xmrig
behavioral2/memory/4716-245-0x00007FF6BB160000-0x00007FF6BB4B4000-memory.dmp	xmrig
behavioral2/memory/4396-206-0x00007FF6F4280000-0x00007FF6F45D4000-memory.dmp	xmrig
behavioral2/files/0x000700000002321e-191.dat	xmrig
behavioral2/memory/3720-187-0x00007FF63A7A0000-0x00007FF63AAF4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023223-174.dat	xmrig
behavioral2/files/0x000700000002321b-144.dat	xmrig
behavioral2/files/0x0007000000023221-143.dat	xmrig
behavioral2/files/0x0007000000023220-140.dat	xmrig
behavioral2/files/0x000700000002321f-139.dat	xmrig
behavioral2/files/0x000700000002321e-138.dat	xmrig
behavioral2/files/0x000700000002321c-137.dat	xmrig
behavioral2/memory/4472-254-0x00007FF6B5FE0000-0x00007FF6B6334000-memory.dmp	xmrig
behavioral2/memory/2400-285-0x00007FF64A840000-0x00007FF64AB94000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1896	zAplGnS.exe
3848	waLCBPG.exe
116	VWeOECB.exe
380	nWTdmKD.exe
1692	IPVMsIR.exe
3984	sIWVEpd.exe
672	oJhFhwZ.exe
1432	hHgdghr.exe
556	TmYmkpx.exe
2244	yISSRrO.exe
1752	XUAxFxF.exe
3364	rFLerqA.exe
2636	KYkXVnL.exe
2628	uylEgJN.exe
4212	pSFjNuB.exe
3164	iVBQtsC.exe
2620	mIMqgxg.exe
4100	FRkaXHQ.exe
4552	wOEzkaD.exe
544	ZKkdvvL.exe
2348	QLiiWTK.exe
4104	EiEEfqS.exe
4372	gwFLWph.exe
3720	QSqlZrU.exe
4396	CEvDpmW.exe
2952	mnxvIUx.exe
2364	RJFWjeE.exe
4716	fcfbrcU.exe
4472	NAVZCey.exe
316	zwOBmRK.exe
3108	NrDDets.exe
2400	hiGpFwP.exe
1608	IyFlXAs.exe
5028	iGOROZi.exe
1740	miwQnLN.exe
4336	qeCLCfr.exe
4424	GFRrIdo.exe
2100	jOQQRCN.exe
2392	NuBENgP.exe
2088	HzZTCnh.exe
5012	dlvgJlu.exe
1016	tuLGQkg.exe
4912	wzVHjjQ.exe
4672	GPhqwAu.exe
2320	HuMWZki.exe
2336	ZbPZIEV.exe
2648	SkPiuGi.exe
1976	LYxdbTc.exe
3360	ZaNcChG.exe
3560	AHAFKjK.exe
1096	fkIrBbW.exe
4568	ljvFwmW.exe
1552	HsKazfq.exe
2904	SWDvfye.exe
3668	iRvMoKG.exe
3220	ihCNcaG.exe
4060	ULPONTM.exe
668	XnUdlok.exe
2396	oJAPfZE.exe
3652	VVMAQij.exe
1616	ZnGXfuY.exe
2860	ZHyTFWd.exe
4544	iAZYDDF.exe
4736	GrccnCq.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3656-0-0x00007FF7AE190000-0x00007FF7AE4E4000-memory.dmp	upx
behavioral2/files/0x000d000000023152-5.dat	upx
behavioral2/files/0x000d000000023152-10.dat	upx
behavioral2/files/0x000a0000000231ff-23.dat	upx
behavioral2/memory/3848-19-0x00007FF7490C0000-0x00007FF749414000-memory.dmp	upx
behavioral2/files/0x000700000002320a-17.dat	upx
behavioral2/files/0x000700000002320b-22.dat	upx
behavioral2/files/0x000700000002320b-29.dat	upx
behavioral2/files/0x000700000002320e-34.dat	upx
behavioral2/files/0x0007000000023210-53.dat	upx
behavioral2/memory/556-58-0x00007FF7335D0000-0x00007FF733924000-memory.dmp	upx
behavioral2/files/0x0007000000023212-70.dat	upx
behavioral2/files/0x0007000000023213-73.dat	upx
behavioral2/files/0x0007000000023215-89.dat	upx
behavioral2/memory/1692-95-0x00007FF68C7B0000-0x00007FF68CB04000-memory.dmp	upx
behavioral2/files/0x0007000000023219-107.dat	upx
behavioral2/memory/3164-109-0x00007FF6FABB0000-0x00007FF6FAF04000-memory.dmp	upx
behavioral2/memory/2628-111-0x00007FF6611C0000-0x00007FF661514000-memory.dmp	upx
behavioral2/memory/4552-113-0x00007FF665A50000-0x00007FF665DA4000-memory.dmp	upx
behavioral2/memory/4100-112-0x00007FF7D1BF0000-0x00007FF7D1F44000-memory.dmp	upx
behavioral2/memory/2620-110-0x00007FF6E25F0000-0x00007FF6E2944000-memory.dmp	upx
behavioral2/memory/4212-108-0x00007FF6DFEE0000-0x00007FF6E0234000-memory.dmp	upx
behavioral2/memory/3364-106-0x00007FF65AE10000-0x00007FF65B164000-memory.dmp	upx
behavioral2/files/0x0007000000023218-105.dat	upx
behavioral2/memory/1752-104-0x00007FF795A90000-0x00007FF795DE4000-memory.dmp	upx
behavioral2/memory/672-102-0x00007FF703810000-0x00007FF703B64000-memory.dmp	upx
behavioral2/files/0x0009000000023207-91.dat	upx
behavioral2/files/0x0007000000023216-85.dat	upx
behavioral2/files/0x0007000000023214-75.dat	upx
behavioral2/memory/116-72-0x00007FF767D70000-0x00007FF7680C4000-memory.dmp	upx
behavioral2/memory/2636-69-0x00007FF775760000-0x00007FF775AB4000-memory.dmp	upx
behavioral2/files/0x0007000000023213-67.dat	upx
behavioral2/memory/2244-66-0x00007FF621840000-0x00007FF621B94000-memory.dmp	upx
behavioral2/files/0x0007000000023212-59.dat	upx
behavioral2/memory/1432-55-0x00007FF7E5A30000-0x00007FF7E5D84000-memory.dmp	upx
behavioral2/files/0x0007000000023211-52.dat	upx
behavioral2/files/0x000700000002320f-50.dat	upx
behavioral2/files/0x0007000000023210-47.dat	upx
behavioral2/memory/3984-41-0x00007FF79E830000-0x00007FF79EB84000-memory.dmp	upx
behavioral2/files/0x000700000002320d-37.dat	upx
behavioral2/files/0x000700000002320c-35.dat	upx
behavioral2/memory/380-28-0x00007FF640310000-0x00007FF640664000-memory.dmp	upx
behavioral2/files/0x000a0000000231ff-8.dat	upx
behavioral2/memory/1896-9-0x00007FF636F60000-0x00007FF6372B4000-memory.dmp	upx
behavioral2/files/0x000700000002320a-7.dat	upx
behavioral2/memory/544-133-0x00007FF787810000-0x00007FF787B64000-memory.dmp	upx
behavioral2/files/0x000700000002321a-122.dat	upx
behavioral2/files/0x000700000002321a-119.dat	upx
behavioral2/memory/4372-158-0x00007FF6BE490000-0x00007FF6BE7E4000-memory.dmp	upx
behavioral2/files/0x000700000002322d-201.dat	upx
behavioral2/memory/2952-228-0x00007FF792480000-0x00007FF7927D4000-memory.dmp	upx
behavioral2/memory/4716-245-0x00007FF6BB160000-0x00007FF6BB4B4000-memory.dmp	upx
behavioral2/memory/4396-206-0x00007FF6F4280000-0x00007FF6F45D4000-memory.dmp	upx
behavioral2/files/0x000700000002321e-191.dat	upx
behavioral2/memory/3720-187-0x00007FF63A7A0000-0x00007FF63AAF4000-memory.dmp	upx
behavioral2/files/0x0007000000023223-174.dat	upx
behavioral2/files/0x000700000002321b-144.dat	upx
behavioral2/files/0x0007000000023221-143.dat	upx
behavioral2/files/0x0007000000023220-140.dat	upx
behavioral2/files/0x000700000002321f-139.dat	upx
behavioral2/files/0x000700000002321e-138.dat	upx
behavioral2/files/0x000700000002321c-137.dat	upx
behavioral2/memory/4472-254-0x00007FF6B5FE0000-0x00007FF6B6334000-memory.dmp	upx
behavioral2/memory/2400-285-0x00007FF64A840000-0x00007FF64AB94000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\VhBcTRi.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\szdeLCC.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\kUpUbYs.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\wbnwVqM.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\euWKJyB.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\FIIWmmE.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\FBAMgiO.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\IkPHJhs.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\klYEAZT.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\wAPzRbo.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\BTqMStQ.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\MSAKCgF.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\XtFccot.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\rjbrmXH.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\QGgiNXO.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\RUKgoVV.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\WJAXRlo.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\asNiQBX.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\YXPSVDt.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\bmrLntu.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\hBHoTfe.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\XzwMJrY.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\VWeOECB.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\GPhqwAu.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\JptyKsR.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\fwhszqq.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\UfLWYjc.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\mqkAycC.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\HsKazfq.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\vJWedaL.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\sdUBoEx.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\KqAVfVF.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\SKNLsoG.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\ENlrEFX.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\IekbciK.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\iBfMBAR.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\oJAPfZE.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\qObQqRu.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\EDwELRH.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\JHfXXwA.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\zTpGmXr.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\zpNjbrF.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\jEtQROw.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\ZKkdvvL.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\zwOBmRK.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\tZdZUmK.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\FFiFqpp.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\bYWIWGL.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\dfUzjwn.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\TJsMLQa.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\zwUsdCl.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\sIWVEpd.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\SWDvfye.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\yirDdkw.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\ZoQokXs.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\sincDzR.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\lIlwIoZ.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\ysdYGNJ.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\DlkjmPr.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\DWPrbcG.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\CIYQLoh.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\CNDnZNF.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\LfDSXxp.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
File created	C:\Windows\System\GYVWKAo.exe	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	10352	dwm.exe
Token: SeChangeNotifyPrivilege	10352	dwm.exe
Token: 33	10352	dwm.exe
Token: SeIncBasePriorityPrivilege	10352	dwm.exe
Token: SeShutdownPrivilege	10352	dwm.exe
Token: SeCreatePagefilePrivilege	10352	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3656 wrote to memory of 1896	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	90
PID 3656 wrote to memory of 1896	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	90
PID 3656 wrote to memory of 3848	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	91
PID 3656 wrote to memory of 3848	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	91
PID 3656 wrote to memory of 116	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	92
PID 3656 wrote to memory of 116	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	92
PID 3656 wrote to memory of 380	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	93
PID 3656 wrote to memory of 380	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	93
PID 3656 wrote to memory of 1692	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	94
PID 3656 wrote to memory of 1692	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	94
PID 3656 wrote to memory of 3984	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	95
PID 3656 wrote to memory of 3984	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	95
PID 3656 wrote to memory of 672	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	96
PID 3656 wrote to memory of 672	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	96
PID 3656 wrote to memory of 1432	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	97
PID 3656 wrote to memory of 1432	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	97
PID 3656 wrote to memory of 556	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	98
PID 3656 wrote to memory of 556	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	98
PID 3656 wrote to memory of 2244	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	99
PID 3656 wrote to memory of 2244	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	99
PID 3656 wrote to memory of 1752	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	100
PID 3656 wrote to memory of 1752	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	100
PID 3656 wrote to memory of 3364	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	101
PID 3656 wrote to memory of 3364	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	101
PID 3656 wrote to memory of 2636	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	102
PID 3656 wrote to memory of 2636	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	102
PID 3656 wrote to memory of 2628	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	103
PID 3656 wrote to memory of 2628	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	103
PID 3656 wrote to memory of 4212	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	104
PID 3656 wrote to memory of 4212	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	104
PID 3656 wrote to memory of 3164	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	105
PID 3656 wrote to memory of 3164	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	105
PID 3656 wrote to memory of 2620	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	106
PID 3656 wrote to memory of 2620	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	106
PID 3656 wrote to memory of 4100	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	107
PID 3656 wrote to memory of 4100	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	107
PID 3656 wrote to memory of 4552	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	108
PID 3656 wrote to memory of 4552	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	108
PID 3656 wrote to memory of 544	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	109
PID 3656 wrote to memory of 544	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	109
PID 3656 wrote to memory of 2348	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	110
PID 3656 wrote to memory of 2348	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	110
PID 3656 wrote to memory of 4372	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	111
PID 3656 wrote to memory of 4372	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	111
PID 3656 wrote to memory of 4104	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	112
PID 3656 wrote to memory of 4104	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	112
PID 3656 wrote to memory of 3720	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	113
PID 3656 wrote to memory of 3720	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	113
PID 3656 wrote to memory of 4396	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	114
PID 3656 wrote to memory of 4396	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	114
PID 3656 wrote to memory of 2952	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	115
PID 3656 wrote to memory of 2952	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	115
PID 3656 wrote to memory of 2364	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	116
PID 3656 wrote to memory of 2364	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	116
PID 3656 wrote to memory of 4716	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	117
PID 3656 wrote to memory of 4716	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	117
PID 3656 wrote to memory of 4472	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	118
PID 3656 wrote to memory of 4472	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	118
PID 3656 wrote to memory of 316	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	119
PID 3656 wrote to memory of 316	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	119
PID 3656 wrote to memory of 3108	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	120
PID 3656 wrote to memory of 3108	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	120
PID 3656 wrote to memory of 2400	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	121
PID 3656 wrote to memory of 2400	3656	5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe	121

C:\Users\Admin\AppData\Local\Temp\5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe
"C:\Users\Admin\AppData\Local\Temp\5ecda646b23931514e91d13275605c00a1c4b0bc776d2bd00ff73b80275e3fbf.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Windows\System\zAplGnS.exe
  C:\Windows\System\zAplGnS.exe
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Windows\System\waLCBPG.exe
  C:\Windows\System\waLCBPG.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System\VWeOECB.exe
  C:\Windows\System\VWeOECB.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\nWTdmKD.exe
  C:\Windows\System\nWTdmKD.exe
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\System\IPVMsIR.exe
  C:\Windows\System\IPVMsIR.exe
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\System\sIWVEpd.exe
  C:\Windows\System\sIWVEpd.exe
  2⤵
  - Executes dropped EXE
  PID:3984
- C:\Windows\System\oJhFhwZ.exe
  C:\Windows\System\oJhFhwZ.exe
  2⤵
  - Executes dropped EXE
  PID:672
- C:\Windows\System\hHgdghr.exe
  C:\Windows\System\hHgdghr.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System\TmYmkpx.exe
  C:\Windows\System\TmYmkpx.exe
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\System\yISSRrO.exe
  C:\Windows\System\yISSRrO.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System\XUAxFxF.exe
  C:\Windows\System\XUAxFxF.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\System\rFLerqA.exe
  C:\Windows\System\rFLerqA.exe
  2⤵
  - Executes dropped EXE
  PID:3364
- C:\Windows\System\KYkXVnL.exe
  C:\Windows\System\KYkXVnL.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\uylEgJN.exe
  C:\Windows\System\uylEgJN.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System\pSFjNuB.exe
  C:\Windows\System\pSFjNuB.exe
  2⤵
  - Executes dropped EXE
  PID:4212
- C:\Windows\System\iVBQtsC.exe
  C:\Windows\System\iVBQtsC.exe
  2⤵
  - Executes dropped EXE
  PID:3164
- C:\Windows\System\mIMqgxg.exe
  C:\Windows\System\mIMqgxg.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System\FRkaXHQ.exe
  C:\Windows\System\FRkaXHQ.exe
  2⤵
  - Executes dropped EXE
  PID:4100
- C:\Windows\System\wOEzkaD.exe
  C:\Windows\System\wOEzkaD.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System\ZKkdvvL.exe
  C:\Windows\System\ZKkdvvL.exe
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\System\QLiiWTK.exe
  C:\Windows\System\QLiiWTK.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System\gwFLWph.exe
  C:\Windows\System\gwFLWph.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System\EiEEfqS.exe
  C:\Windows\System\EiEEfqS.exe
  2⤵
  - Executes dropped EXE
  PID:4104
- C:\Windows\System\QSqlZrU.exe
  C:\Windows\System\QSqlZrU.exe
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Windows\System\CEvDpmW.exe
  C:\Windows\System\CEvDpmW.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System\mnxvIUx.exe
  C:\Windows\System\mnxvIUx.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System\RJFWjeE.exe
  C:\Windows\System\RJFWjeE.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System\fcfbrcU.exe
  C:\Windows\System\fcfbrcU.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System\NAVZCey.exe
  C:\Windows\System\NAVZCey.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System\zwOBmRK.exe
  C:\Windows\System\zwOBmRK.exe
  2⤵
  - Executes dropped EXE
  PID:316
- C:\Windows\System\NrDDets.exe
  C:\Windows\System\NrDDets.exe
  2⤵
  - Executes dropped EXE
  PID:3108
- C:\Windows\System\hiGpFwP.exe
  C:\Windows\System\hiGpFwP.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System\IyFlXAs.exe
  C:\Windows\System\IyFlXAs.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System\iGOROZi.exe
  C:\Windows\System\iGOROZi.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System\miwQnLN.exe
  C:\Windows\System\miwQnLN.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System\GPhqwAu.exe
  C:\Windows\System\GPhqwAu.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System\qeCLCfr.exe
  C:\Windows\System\qeCLCfr.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System\GFRrIdo.exe
  C:\Windows\System\GFRrIdo.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System\jOQQRCN.exe
  C:\Windows\System\jOQQRCN.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System\NuBENgP.exe
  C:\Windows\System\NuBENgP.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\HzZTCnh.exe
  C:\Windows\System\HzZTCnh.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\dlvgJlu.exe
  C:\Windows\System\dlvgJlu.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\tuLGQkg.exe
  C:\Windows\System\tuLGQkg.exe
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\System\wzVHjjQ.exe
  C:\Windows\System\wzVHjjQ.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System\HuMWZki.exe
  C:\Windows\System\HuMWZki.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System\ZbPZIEV.exe
  C:\Windows\System\ZbPZIEV.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\HsKazfq.exe
  C:\Windows\System\HsKazfq.exe
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\System\SkPiuGi.exe
  C:\Windows\System\SkPiuGi.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\LYxdbTc.exe
  C:\Windows\System\LYxdbTc.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\ZaNcChG.exe
  C:\Windows\System\ZaNcChG.exe
  2⤵
  - Executes dropped EXE
  PID:3360
- C:\Windows\System\AHAFKjK.exe
  C:\Windows\System\AHAFKjK.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System\ULPONTM.exe
  C:\Windows\System\ULPONTM.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System\fkIrBbW.exe
  C:\Windows\System\fkIrBbW.exe
  2⤵
  - Executes dropped EXE
  PID:1096
- C:\Windows\System\ljvFwmW.exe
  C:\Windows\System\ljvFwmW.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System\XnUdlok.exe
  C:\Windows\System\XnUdlok.exe
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Windows\System\SWDvfye.exe
  C:\Windows\System\SWDvfye.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\iRvMoKG.exe
  C:\Windows\System\iRvMoKG.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System\ihCNcaG.exe
  C:\Windows\System\ihCNcaG.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System\oJAPfZE.exe
  C:\Windows\System\oJAPfZE.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\VVMAQij.exe
  C:\Windows\System\VVMAQij.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System\ZnGXfuY.exe
  C:\Windows\System\ZnGXfuY.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System\ZHyTFWd.exe
  C:\Windows\System\ZHyTFWd.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System\iAZYDDF.exe
  C:\Windows\System\iAZYDDF.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System\GrccnCq.exe
  C:\Windows\System\GrccnCq.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System\VOPxRgd.exe
  C:\Windows\System\VOPxRgd.exe
  2⤵
  PID:5016
- C:\Windows\System\mplHInY.exe
  C:\Windows\System\mplHInY.exe
  2⤵
  PID:3908
- C:\Windows\System\UkKuwEb.exe
  C:\Windows\System\UkKuwEb.exe
  2⤵
  PID:764
- C:\Windows\System\kWJWEdd.exe
  C:\Windows\System\kWJWEdd.exe
  2⤵
  PID:3404
- C:\Windows\System\EHyqiAe.exe
  C:\Windows\System\EHyqiAe.exe
  2⤵
  PID:2696
- C:\Windows\System\XkIVlQo.exe
  C:\Windows\System\XkIVlQo.exe
  2⤵
  PID:4356
- C:\Windows\System\YXPSVDt.exe
  C:\Windows\System\YXPSVDt.exe
  2⤵
  PID:396
- C:\Windows\System\ZOXgzwL.exe
  C:\Windows\System\ZOXgzwL.exe
  2⤵
  PID:1244
- C:\Windows\System\ysdYGNJ.exe
  C:\Windows\System\ysdYGNJ.exe
  2⤵
  PID:2900
- C:\Windows\System\HxJiDcJ.exe
  C:\Windows\System\HxJiDcJ.exe
  2⤵
  PID:1864
- C:\Windows\System\IGcGPaA.exe
  C:\Windows\System\IGcGPaA.exe
  2⤵
  PID:4032
- C:\Windows\System\DvLmLVi.exe
  C:\Windows\System\DvLmLVi.exe
  2⤵
  PID:4836
- C:\Windows\System\jXzlQgU.exe
  C:\Windows\System\jXzlQgU.exe
  2⤵
  PID:4788
- C:\Windows\System\dQBibqH.exe
  C:\Windows\System\dQBibqH.exe
  2⤵
  PID:5148
- C:\Windows\System\fGTmOVs.exe
  C:\Windows\System\fGTmOVs.exe
  2⤵
  PID:5176
- C:\Windows\System\MKpGckp.exe
  C:\Windows\System\MKpGckp.exe
  2⤵
  PID:5196
- C:\Windows\System\VpNKayx.exe
  C:\Windows\System\VpNKayx.exe
  2⤵
  PID:5240
- C:\Windows\System\CIYQLoh.exe
  C:\Windows\System\CIYQLoh.exe
  2⤵
  PID:5268
- C:\Windows\System\jFainOn.exe
  C:\Windows\System\jFainOn.exe
  2⤵
  PID:5288
- C:\Windows\System\grukuwM.exe
  C:\Windows\System\grukuwM.exe
  2⤵
  PID:5340
- C:\Windows\System\tayQZSK.exe
  C:\Windows\System\tayQZSK.exe
  2⤵
  PID:5396
- C:\Windows\System\HvqbqPJ.exe
  C:\Windows\System\HvqbqPJ.exe
  2⤵
  PID:5412
- C:\Windows\System\NIOzumk.exe
  C:\Windows\System\NIOzumk.exe
  2⤵
  PID:5444
- C:\Windows\System\bRBpKns.exe
  C:\Windows\System\bRBpKns.exe
  2⤵
  PID:5488
- C:\Windows\System\irYzzbA.exe
  C:\Windows\System\irYzzbA.exe
  2⤵
  PID:5508
- C:\Windows\System\zVCubOd.exe
  C:\Windows\System\zVCubOd.exe
  2⤵
  PID:5572
- C:\Windows\System\moPpsEA.exe
  C:\Windows\System\moPpsEA.exe
  2⤵
  PID:5604
- C:\Windows\System\cmHBgYA.exe
  C:\Windows\System\cmHBgYA.exe
  2⤵
  PID:5620
- C:\Windows\System\hyZDPXK.exe
  C:\Windows\System\hyZDPXK.exe
  2⤵
  PID:5640
- C:\Windows\System\SvKgJqG.exe
  C:\Windows\System\SvKgJqG.exe
  2⤵
  PID:5664
- C:\Windows\System\HfUpWoH.exe
  C:\Windows\System\HfUpWoH.exe
  2⤵
  PID:5692
- C:\Windows\System\EpWOkDm.exe
  C:\Windows\System\EpWOkDm.exe
  2⤵
  PID:5732
- C:\Windows\System\ewCDVfr.exe
  C:\Windows\System\ewCDVfr.exe
  2⤵
  PID:5752
- C:\Windows\System\wCRGVEV.exe
  C:\Windows\System\wCRGVEV.exe
  2⤵
  PID:5780
- C:\Windows\System\oZkIMwo.exe
  C:\Windows\System\oZkIMwo.exe
  2⤵
  PID:5804
- C:\Windows\System\lQKxqtx.exe
  C:\Windows\System\lQKxqtx.exe
  2⤵
  PID:5820
- C:\Windows\System\DlkjmPr.exe
  C:\Windows\System\DlkjmPr.exe
  2⤵
  PID:5836
- C:\Windows\System\cAKJQRz.exe
  C:\Windows\System\cAKJQRz.exe
  2⤵
  PID:5884
- C:\Windows\System\oqubmpD.exe
  C:\Windows\System\oqubmpD.exe
  2⤵
  PID:5904
- C:\Windows\System\FrLGcSh.exe
  C:\Windows\System\FrLGcSh.exe
  2⤵
  PID:5960
- C:\Windows\System\qIkmyGn.exe
  C:\Windows\System\qIkmyGn.exe
  2⤵
  PID:5980
- C:\Windows\System\EuMGhXk.exe
  C:\Windows\System\EuMGhXk.exe
  2⤵
  PID:6032
- C:\Windows\System\ILkFxVi.exe
  C:\Windows\System\ILkFxVi.exe
  2⤵
  PID:6076
- C:\Windows\System\QICgJFo.exe
  C:\Windows\System\QICgJFo.exe
  2⤵
  PID:6096
- C:\Windows\System\oqbTgvQ.exe
  C:\Windows\System\oqbTgvQ.exe
  2⤵
  PID:6120
- C:\Windows\System\ksEvJvN.exe
  C:\Windows\System\ksEvJvN.exe
  2⤵
  PID:5164
- C:\Windows\System\cRAPsgA.exe
  C:\Windows\System\cRAPsgA.exe
  2⤵
  PID:5052
- C:\Windows\System\loFCkyA.exe
  C:\Windows\System\loFCkyA.exe
  2⤵
  PID:3644
- C:\Windows\System\oyZsUOw.exe
  C:\Windows\System\oyZsUOw.exe
  2⤵
  PID:692
- C:\Windows\System\aOJPLUN.exe
  C:\Windows\System\aOJPLUN.exe
  2⤵
  PID:5252
- C:\Windows\System\bYWIWGL.exe
  C:\Windows\System\bYWIWGL.exe
  2⤵
  PID:5308
- C:\Windows\System\ZpgnPNG.exe
  C:\Windows\System\ZpgnPNG.exe
  2⤵
  PID:5356
- C:\Windows\System\yGyDSud.exe
  C:\Windows\System\yGyDSud.exe
  2⤵
  PID:5388
- C:\Windows\System\bmrLntu.exe
  C:\Windows\System\bmrLntu.exe
  2⤵
  PID:5372
- C:\Windows\System\AsKBejA.exe
  C:\Windows\System\AsKBejA.exe
  2⤵
  PID:944
- C:\Windows\System\yirDdkw.exe
  C:\Windows\System\yirDdkw.exe
  2⤵
  PID:5452
- C:\Windows\System\DyRMvea.exe
  C:\Windows\System\DyRMvea.exe
  2⤵
  PID:5496
- C:\Windows\System\wqhmGFd.exe
  C:\Windows\System\wqhmGFd.exe
  2⤵
  PID:224
- C:\Windows\System\rjbrmXH.exe
  C:\Windows\System\rjbrmXH.exe
  2⤵
  PID:5552
- C:\Windows\System\XGNrKOK.exe
  C:\Windows\System\XGNrKOK.exe
  2⤵
  PID:5580
- C:\Windows\System\JDGxkyt.exe
  C:\Windows\System\JDGxkyt.exe
  2⤵
  PID:968
- C:\Windows\System\VMfLxDD.exe
  C:\Windows\System\VMfLxDD.exe
  2⤵
  PID:5856
- C:\Windows\System\DYVKugV.exe
  C:\Windows\System\DYVKugV.exe
  2⤵
  PID:5744
- C:\Windows\System\fmLjhCj.exe
  C:\Windows\System\fmLjhCj.exe
  2⤵
  PID:5852
- C:\Windows\System\tVUVnxl.exe
  C:\Windows\System\tVUVnxl.exe
  2⤵
  PID:5816
- C:\Windows\System\wjEJgoM.exe
  C:\Windows\System\wjEJgoM.exe
  2⤵
  PID:4496
- C:\Windows\System\eUWGlbQ.exe
  C:\Windows\System\eUWGlbQ.exe
  2⤵
  PID:5880
- C:\Windows\System\lrVMOjI.exe
  C:\Windows\System\lrVMOjI.exe
  2⤵
  PID:5916
- C:\Windows\System\qBSISIt.exe
  C:\Windows\System\qBSISIt.exe
  2⤵
  PID:5956
- C:\Windows\System\EngOZdX.exe
  C:\Windows\System\EngOZdX.exe
  2⤵
  PID:4628
- C:\Windows\System\lOqSUUR.exe
  C:\Windows\System\lOqSUUR.exe
  2⤵
  PID:3692
- C:\Windows\System\tApSoYK.exe
  C:\Windows\System\tApSoYK.exe
  2⤵
  PID:2960
- C:\Windows\System\iPRgYgx.exe
  C:\Windows\System\iPRgYgx.exe
  2⤵
  PID:5160
- C:\Windows\System\cucbtuv.exe
  C:\Windows\System\cucbtuv.exe
  2⤵
  PID:1668
- C:\Windows\System\hHbSmjB.exe
  C:\Windows\System\hHbSmjB.exe
  2⤵
  PID:5348
- C:\Windows\System\oWiRPDl.exe
  C:\Windows\System\oWiRPDl.exe
  2⤵
  PID:5460
- C:\Windows\System\vJWedaL.exe
  C:\Windows\System\vJWedaL.exe
  2⤵
  PID:3900
- C:\Windows\System\onLJtBh.exe
  C:\Windows\System\onLJtBh.exe
  2⤵
  PID:5500
- C:\Windows\System\ugcSifG.exe
  C:\Windows\System\ugcSifG.exe
  2⤵
  PID:5792
- C:\Windows\System\kyhDspP.exe
  C:\Windows\System\kyhDspP.exe
  2⤵
  PID:5424
- C:\Windows\System\tzIriGW.exe
  C:\Windows\System\tzIriGW.exe
  2⤵
  PID:4792
- C:\Windows\System\CNDnZNF.exe
  C:\Windows\System\CNDnZNF.exe
  2⤵
  PID:5600
- C:\Windows\System\irpAAfs.exe
  C:\Windows\System\irpAAfs.exe
  2⤵
  PID:1820
- C:\Windows\System\IGSkAri.exe
  C:\Windows\System\IGSkAri.exe
  2⤵
  PID:3936
- C:\Windows\System\ybqKEOn.exe
  C:\Windows\System\ybqKEOn.exe
  2⤵
  PID:6188
- C:\Windows\System\sdUBoEx.exe
  C:\Windows\System\sdUBoEx.exe
  2⤵
  PID:6204
- C:\Windows\System\MPVcRwi.exe
  C:\Windows\System\MPVcRwi.exe
  2⤵
  PID:6232
- C:\Windows\System\WKIEoXK.exe
  C:\Windows\System\WKIEoXK.exe
  2⤵
  PID:6248
- C:\Windows\System\zmPkgeS.exe
  C:\Windows\System\zmPkgeS.exe
  2⤵
  PID:6268
- C:\Windows\System\fWXYYhP.exe
  C:\Windows\System\fWXYYhP.exe
  2⤵
  PID:6292
- C:\Windows\System\KtkjBit.exe
  C:\Windows\System\KtkjBit.exe
  2⤵
  PID:6348
- C:\Windows\System\iuRBInQ.exe
  C:\Windows\System\iuRBInQ.exe
  2⤵
  PID:6372
- C:\Windows\System\IktiYtB.exe
  C:\Windows\System\IktiYtB.exe
  2⤵
  PID:6448
- C:\Windows\System\zusVTRi.exe
  C:\Windows\System\zusVTRi.exe
  2⤵
  PID:6512
- C:\Windows\System\yDXuVqu.exe
  C:\Windows\System\yDXuVqu.exe
  2⤵
  PID:6632
- C:\Windows\System\yYGXRrS.exe
  C:\Windows\System\yYGXRrS.exe
  2⤵
  PID:6648
- C:\Windows\System\gXePbhD.exe
  C:\Windows\System\gXePbhD.exe
  2⤵
  PID:6672
- C:\Windows\System\BRrTKom.exe
  C:\Windows\System\BRrTKom.exe
  2⤵
  PID:6692
- C:\Windows\System\qObQqRu.exe
  C:\Windows\System\qObQqRu.exe
  2⤵
  PID:6716
- C:\Windows\System\tdlivUb.exe
  C:\Windows\System\tdlivUb.exe
  2⤵
  PID:6736
- C:\Windows\System\fzuvEkp.exe
  C:\Windows\System\fzuvEkp.exe
  2⤵
  PID:6756
- C:\Windows\System\PlVBkIO.exe
  C:\Windows\System\PlVBkIO.exe
  2⤵
  PID:6772
- C:\Windows\System\RDTDzRp.exe
  C:\Windows\System\RDTDzRp.exe
  2⤵
  PID:6792
- C:\Windows\System\tmlQVoE.exe
  C:\Windows\System\tmlQVoE.exe
  2⤵
  PID:6808
- C:\Windows\System\iFcfgNx.exe
  C:\Windows\System\iFcfgNx.exe
  2⤵
  PID:6832
- C:\Windows\System\yVxMuxh.exe
  C:\Windows\System\yVxMuxh.exe
  2⤵
  PID:6848
- C:\Windows\System\znhjyCG.exe
  C:\Windows\System\znhjyCG.exe
  2⤵
  PID:6864
- C:\Windows\System\xCuEims.exe
  C:\Windows\System\xCuEims.exe
  2⤵
  PID:6884
- C:\Windows\System\sRqxBQs.exe
  C:\Windows\System\sRqxBQs.exe
  2⤵
  PID:6904
- C:\Windows\System\IekbciK.exe
  C:\Windows\System\IekbciK.exe
  2⤵
  PID:6956
- C:\Windows\System\BqsOIHK.exe
  C:\Windows\System\BqsOIHK.exe
  2⤵
  PID:6980
- C:\Windows\System\znfZfvF.exe
  C:\Windows\System\znfZfvF.exe
  2⤵
  PID:7060
- C:\Windows\System\rsPopnF.exe
  C:\Windows\System\rsPopnF.exe
  2⤵
  PID:7080
- C:\Windows\System\dtkgNDx.exe
  C:\Windows\System\dtkgNDx.exe
  2⤵
  PID:7104
- C:\Windows\System\VHFSjFu.exe
  C:\Windows\System\VHFSjFu.exe
  2⤵
  PID:6084
- C:\Windows\System\ErUnFSM.exe
  C:\Windows\System\ErUnFSM.exe
  2⤵
  PID:5296
- C:\Windows\System\MbUKMmp.exe
  C:\Windows\System\MbUKMmp.exe
  2⤵
  PID:3228
- C:\Windows\System\vlZouwy.exe
  C:\Windows\System\vlZouwy.exe
  2⤵
  PID:6176
- C:\Windows\System\PumiLwp.exe
  C:\Windows\System\PumiLwp.exe
  2⤵
  PID:6216
- C:\Windows\System\stuybSn.exe
  C:\Windows\System\stuybSn.exe
  2⤵
  PID:6364
- C:\Windows\System\NDleyxy.exe
  C:\Windows\System\NDleyxy.exe
  2⤵
  PID:6200
- C:\Windows\System\CvUiFsq.exe
  C:\Windows\System\CvUiFsq.exe
  2⤵
  PID:6256
- C:\Windows\System\BTqMStQ.exe
  C:\Windows\System\BTqMStQ.exe
  2⤵
  PID:6340
- C:\Windows\System\loLPgvE.exe
  C:\Windows\System\loLPgvE.exe
  2⤵
  PID:6556
- C:\Windows\System\DqOAyOR.exe
  C:\Windows\System\DqOAyOR.exe
  2⤵
  PID:6580
- C:\Windows\System\HKdNRah.exe
  C:\Windows\System\HKdNRah.exe
  2⤵
  PID:6480
- C:\Windows\System\ZhHJNXw.exe
  C:\Windows\System\ZhHJNXw.exe
  2⤵
  PID:6712
- C:\Windows\System\PwVyUaf.exe
  C:\Windows\System\PwVyUaf.exe
  2⤵
  PID:4368
- C:\Windows\System\OwuAwTx.exe
  C:\Windows\System\OwuAwTx.exe
  2⤵
  PID:6824
- C:\Windows\System\QLvVRar.exe
  C:\Windows\System\QLvVRar.exe
  2⤵
  PID:6860
- C:\Windows\System\szdeLCC.exe
  C:\Windows\System\szdeLCC.exe
  2⤵
  PID:7028
- C:\Windows\System\QBzAWvP.exe
  C:\Windows\System\QBzAWvP.exe
  2⤵
  PID:7040
- C:\Windows\System\UrWROhK.exe
  C:\Windows\System\UrWROhK.exe
  2⤵
  PID:5248
- C:\Windows\System\pAzpwFG.exe
  C:\Windows\System\pAzpwFG.exe
  2⤵
  PID:5520
- C:\Windows\System\MSAKCgF.exe
  C:\Windows\System\MSAKCgF.exe
  2⤵
  PID:5900
- C:\Windows\System\oMQYBBf.exe
  C:\Windows\System\oMQYBBf.exe
  2⤵
  PID:6244
- C:\Windows\System\zTqqQZN.exe
  C:\Windows\System\zTqqQZN.exe
  2⤵
  PID:6316
- C:\Windows\System\TEPDhdv.exe
  C:\Windows\System\TEPDhdv.exe
  2⤵
  PID:6500
- C:\Windows\System\VKvSmUl.exe
  C:\Windows\System\VKvSmUl.exe
  2⤵
  PID:6656
- C:\Windows\System\xmmpqvP.exe
  C:\Windows\System\xmmpqvP.exe
  2⤵
  PID:6820
- C:\Windows\System\mdVDqAk.exe
  C:\Windows\System\mdVDqAk.exe
  2⤵
  PID:6844
- C:\Windows\System\VDDWiyP.exe
  C:\Windows\System\VDDWiyP.exe
  2⤵
  PID:6856
- C:\Windows\System\iBfMBAR.exe
  C:\Windows\System\iBfMBAR.exe
  2⤵
  PID:6972
- C:\Windows\System\wQZTayH.exe
  C:\Windows\System\wQZTayH.exe
  2⤵
  PID:7120
- C:\Windows\System\PhJSmhP.exe
  C:\Windows\System\PhJSmhP.exe
  2⤵
  PID:6344
- C:\Windows\System\hBHoTfe.exe
  C:\Windows\System\hBHoTfe.exe
  2⤵
  PID:6624
- C:\Windows\System\IkPHJhs.exe
  C:\Windows\System\IkPHJhs.exe
  2⤵
  PID:6504
- C:\Windows\System\RhRiFtY.exe
  C:\Windows\System\RhRiFtY.exe
  2⤵
  PID:7180
- C:\Windows\System\BzvbRCX.exe
  C:\Windows\System\BzvbRCX.exe
  2⤵
  PID:7200
- C:\Windows\System\mBlQSUV.exe
  C:\Windows\System\mBlQSUV.exe
  2⤵
  PID:7224
- C:\Windows\System\XTOqPMc.exe
  C:\Windows\System\XTOqPMc.exe
  2⤵
  PID:7244
- C:\Windows\System\cysjaAD.exe
  C:\Windows\System\cysjaAD.exe
  2⤵
  PID:7264
- C:\Windows\System\RCMbgRE.exe
  C:\Windows\System\RCMbgRE.exe
  2⤵
  PID:7316
- C:\Windows\System\qxpqaJf.exe
  C:\Windows\System\qxpqaJf.exe
  2⤵
  PID:7340
- C:\Windows\System\WteNoht.exe
  C:\Windows\System\WteNoht.exe
  2⤵
  PID:7356
- C:\Windows\System\JptyKsR.exe
  C:\Windows\System\JptyKsR.exe
  2⤵
  PID:7408
- C:\Windows\System\KkRMjwh.exe
  C:\Windows\System\KkRMjwh.exe
  2⤵
  PID:7436
- C:\Windows\System\ZGTHocf.exe
  C:\Windows\System\ZGTHocf.exe
  2⤵
  PID:7456
- C:\Windows\System\fwhszqq.exe
  C:\Windows\System\fwhszqq.exe
  2⤵
  PID:7472
- C:\Windows\System\gRqkyHl.exe
  C:\Windows\System\gRqkyHl.exe
  2⤵
  PID:7496
- C:\Windows\System\EDwELRH.exe
  C:\Windows\System\EDwELRH.exe
  2⤵
  PID:7572
- C:\Windows\System\FHSkYsJ.exe
  C:\Windows\System\FHSkYsJ.exe
  2⤵
  PID:7592
- C:\Windows\System\DWHbByl.exe
  C:\Windows\System\DWHbByl.exe
  2⤵
  PID:7608
- C:\Windows\System\CnSZXBe.exe
  C:\Windows\System\CnSZXBe.exe
  2⤵
  PID:7684
- C:\Windows\System\yEVSXdl.exe
  C:\Windows\System\yEVSXdl.exe
  2⤵
  PID:7700
- C:\Windows\System\vZyLmli.exe
  C:\Windows\System\vZyLmli.exe
  2⤵
  PID:7716
- C:\Windows\System\QZOMHhw.exe
  C:\Windows\System\QZOMHhw.exe
  2⤵
  PID:7732
- C:\Windows\System\kXIKQTO.exe
  C:\Windows\System\kXIKQTO.exe
  2⤵
  PID:7760
- C:\Windows\System\sTXRaBv.exe
  C:\Windows\System\sTXRaBv.exe
  2⤵
  PID:7800
- C:\Windows\System\vHKaZIk.exe
  C:\Windows\System\vHKaZIk.exe
  2⤵
  PID:7816
- C:\Windows\System\QWrFdIN.exe
  C:\Windows\System\QWrFdIN.exe
  2⤵
  PID:7832
- C:\Windows\System\MEzlDmh.exe
  C:\Windows\System\MEzlDmh.exe
  2⤵
  PID:7904
- C:\Windows\System\jrJNvAb.exe
  C:\Windows\System\jrJNvAb.exe
  2⤵
  PID:7948
- C:\Windows\System\hgBNXrG.exe
  C:\Windows\System\hgBNXrG.exe
  2⤵
  PID:8004
- C:\Windows\System\IxOTuJZ.exe
  C:\Windows\System\IxOTuJZ.exe
  2⤵
  PID:8020
- C:\Windows\System\khhPnVE.exe
  C:\Windows\System\khhPnVE.exe
  2⤵
  PID:8040
- C:\Windows\System\bTjZorO.exe
  C:\Windows\System\bTjZorO.exe
  2⤵
  PID:8056
- C:\Windows\System\wOAuwLY.exe
  C:\Windows\System\wOAuwLY.exe
  2⤵
  PID:8092
- C:\Windows\System\bRoNKhj.exe
  C:\Windows\System\bRoNKhj.exe
  2⤵
  PID:8120
- C:\Windows\System\LjBAuFS.exe
  C:\Windows\System\LjBAuFS.exe
  2⤵
  PID:8136
- C:\Windows\System\xWLlDPE.exe
  C:\Windows\System\xWLlDPE.exe
  2⤵
  PID:8160
- C:\Windows\System\rpVWDNu.exe
  C:\Windows\System\rpVWDNu.exe
  2⤵
  PID:2096
- C:\Windows\System\IYFVWgJ.exe
  C:\Windows\System\IYFVWgJ.exe
  2⤵
  PID:6688
- C:\Windows\System\tyOsSeZ.exe
  C:\Windows\System\tyOsSeZ.exe
  2⤵
  PID:7196
- C:\Windows\System\INkKjaS.exe
  C:\Windows\System\INkKjaS.exe
  2⤵
  PID:7240
- C:\Windows\System\rRwVWUB.exe
  C:\Windows\System\rRwVWUB.exe
  2⤵
  PID:7372
- C:\Windows\System\iiWzzZr.exe
  C:\Windows\System\iiWzzZr.exe
  2⤵
  PID:3004
- C:\Windows\System\FmRSoUn.exe
  C:\Windows\System\FmRSoUn.exe
  2⤵
  PID:7400
- C:\Windows\System\tPKNtXr.exe
  C:\Windows\System\tPKNtXr.exe
  2⤵
  PID:7464
- C:\Windows\System\psGTzwg.exe
  C:\Windows\System\psGTzwg.exe
  2⤵
  PID:7600
- C:\Windows\System\weMSGsc.exe
  C:\Windows\System\weMSGsc.exe
  2⤵
  PID:7488
- C:\Windows\System\uwrsIqE.exe
  C:\Windows\System\uwrsIqE.exe
  2⤵
  PID:7520
- C:\Windows\System\dUXkxNJ.exe
  C:\Windows\System\dUXkxNJ.exe
  2⤵
  PID:7648
- C:\Windows\System\EayyLFv.exe
  C:\Windows\System\EayyLFv.exe
  2⤵
  PID:3752
- C:\Windows\System\cglZfmL.exe
  C:\Windows\System\cglZfmL.exe
  2⤵
  PID:3648
- C:\Windows\System\TYPptiK.exe
  C:\Windows\System\TYPptiK.exe
  2⤵
  PID:7728
- C:\Windows\System\dLfOoHO.exe
  C:\Windows\System\dLfOoHO.exe
  2⤵
  PID:7944
- C:\Windows\System\AhDlmEV.exe
  C:\Windows\System\AhDlmEV.exe
  2⤵
  PID:4952
- C:\Windows\System\becVoLi.exe
  C:\Windows\System\becVoLi.exe
  2⤵
  PID:7932
- C:\Windows\System\afeyoDS.exe
  C:\Windows\System\afeyoDS.exe
  2⤵
  PID:7968
- C:\Windows\System\lzCtrxK.exe
  C:\Windows\System\lzCtrxK.exe
  2⤵
  PID:8012
- C:\Windows\System\eeCuCcE.exe
  C:\Windows\System\eeCuCcE.exe
  2⤵
  PID:8068
- C:\Windows\System\kTWCAHS.exe
  C:\Windows\System\kTWCAHS.exe
  2⤵
  PID:7404
- C:\Windows\System\FmZrNWe.exe
  C:\Windows\System\FmZrNWe.exe
  2⤵
  PID:4184
- C:\Windows\System\ZoQokXs.exe
  C:\Windows\System\ZoQokXs.exe
  2⤵
  PID:8016
- C:\Windows\System\efNADnm.exe
  C:\Windows\System\efNADnm.exe
  2⤵
  PID:8048
- C:\Windows\System\gcELgjH.exe
  C:\Windows\System\gcELgjH.exe
  2⤵
  PID:1368
- C:\Windows\System\jxyokYZ.exe
  C:\Windows\System\jxyokYZ.exe
  2⤵
  PID:8116
- C:\Windows\System\FIIWmmE.exe
  C:\Windows\System\FIIWmmE.exe
  2⤵
  PID:3268
- C:\Windows\System\DUYRPRi.exe
  C:\Windows\System\DUYRPRi.exe
  2⤵
  PID:7092
- C:\Windows\System\dLCIYnb.exe
  C:\Windows\System\dLCIYnb.exe
  2⤵
  PID:7696
- C:\Windows\System\DtRKaut.exe
  C:\Windows\System\DtRKaut.exe
  2⤵
  PID:7644
- C:\Windows\System\sincDzR.exe
  C:\Windows\System\sincDzR.exe
  2⤵
  PID:7604
- C:\Windows\System\ppsJLLF.exe
  C:\Windows\System\ppsJLLF.exe
  2⤵
  PID:7872
- C:\Windows\System\ALOWoQb.exe
  C:\Windows\System\ALOWoQb.exe
  2⤵
  PID:7668
- C:\Windows\System\BdvGKul.exe
  C:\Windows\System\BdvGKul.exe
  2⤵
  PID:8200
- C:\Windows\System\seMPfFH.exe
  C:\Windows\System\seMPfFH.exe
  2⤵
  PID:8224
- C:\Windows\System\NXGsNeN.exe
  C:\Windows\System\NXGsNeN.exe
  2⤵
  PID:8300
- C:\Windows\System\JHfXXwA.exe
  C:\Windows\System\JHfXXwA.exe
  2⤵
  PID:8316
- C:\Windows\System\RqjWsrq.exe
  C:\Windows\System\RqjWsrq.exe
  2⤵
  PID:8376
- C:\Windows\System\oLShmvI.exe
  C:\Windows\System\oLShmvI.exe
  2⤵
  PID:8416
- C:\Windows\System\cfRLYZv.exe
  C:\Windows\System\cfRLYZv.exe
  2⤵
  PID:8440
- C:\Windows\System\oasUcxS.exe
  C:\Windows\System\oasUcxS.exe
  2⤵
  PID:8456
- C:\Windows\System\wZfsFAZ.exe
  C:\Windows\System\wZfsFAZ.exe
  2⤵
  PID:8472
- C:\Windows\System\dfUzjwn.exe
  C:\Windows\System\dfUzjwn.exe
  2⤵
  PID:8496
- C:\Windows\System\UXCofIf.exe
  C:\Windows\System\UXCofIf.exe
  2⤵
  PID:8516
- C:\Windows\System\XBbihpX.exe
  C:\Windows\System\XBbihpX.exe
  2⤵
  PID:8532
- C:\Windows\System\sSBRaNF.exe
  C:\Windows\System\sSBRaNF.exe
  2⤵
  PID:8552
- C:\Windows\System\gLjBwDA.exe
  C:\Windows\System\gLjBwDA.exe
  2⤵
  PID:8572
- C:\Windows\System\FzdGsph.exe
  C:\Windows\System\FzdGsph.exe
  2⤵
  PID:8588
- C:\Windows\System\IALMdbC.exe
  C:\Windows\System\IALMdbC.exe
  2⤵
  PID:8688
- C:\Windows\System\RoHDfPL.exe
  C:\Windows\System\RoHDfPL.exe
  2⤵
  PID:8744
- C:\Windows\System\KqAVfVF.exe
  C:\Windows\System\KqAVfVF.exe
  2⤵
  PID:8764
- C:\Windows\System\gwnEgcl.exe
  C:\Windows\System\gwnEgcl.exe
  2⤵
  PID:8792
- C:\Windows\System\QGgiNXO.exe
  C:\Windows\System\QGgiNXO.exe
  2⤵
  PID:8808
- C:\Windows\System\DWPrbcG.exe
  C:\Windows\System\DWPrbcG.exe
  2⤵
  PID:8828
- C:\Windows\System\JcsGeeD.exe
  C:\Windows\System\JcsGeeD.exe
  2⤵
  PID:8848
- C:\Windows\System\sycUJCT.exe
  C:\Windows\System\sycUJCT.exe
  2⤵
  PID:8872
- C:\Windows\System\MTalEyY.exe
  C:\Windows\System\MTalEyY.exe
  2⤵
  PID:8916
- C:\Windows\System\kpodkXx.exe
  C:\Windows\System\kpodkXx.exe
  2⤵
  PID:8960
- C:\Windows\System\IKRdfNf.exe
  C:\Windows\System\IKRdfNf.exe
  2⤵
  PID:8976
- C:\Windows\System\SaNXccJ.exe
  C:\Windows\System\SaNXccJ.exe
  2⤵
  PID:9064
- C:\Windows\System\UhjOtFi.exe
  C:\Windows\System\UhjOtFi.exe
  2⤵
  PID:9080
- C:\Windows\System\zTpGmXr.exe
  C:\Windows\System\zTpGmXr.exe
  2⤵
  PID:9116
- C:\Windows\System\lIlwIoZ.exe
  C:\Windows\System\lIlwIoZ.exe
  2⤵
  PID:9140
- C:\Windows\System\pCbdUhq.exe
  C:\Windows\System\pCbdUhq.exe
  2⤵
  PID:9160
- C:\Windows\System\NeWmxLm.exe
  C:\Windows\System\NeWmxLm.exe
  2⤵
  PID:9176
- C:\Windows\System\iiNfbqQ.exe
  C:\Windows\System\iiNfbqQ.exe
  2⤵
  PID:9204
- C:\Windows\System\zQQjAOW.exe
  C:\Windows\System\zQQjAOW.exe
  2⤵
  PID:7492
- C:\Windows\System\bPfZrRD.exe
  C:\Windows\System\bPfZrRD.exe
  2⤵
  PID:2492
- C:\Windows\System\GDKXFow.exe
  C:\Windows\System\GDKXFow.exe
  2⤵
  PID:7900
- C:\Windows\System\udwOfCR.exe
  C:\Windows\System\udwOfCR.exe
  2⤵
  PID:5156
- C:\Windows\System\SLjDaQL.exe
  C:\Windows\System\SLjDaQL.exe
  2⤵
  PID:8236
- C:\Windows\System\tjVkloi.exe
  C:\Windows\System\tjVkloi.exe
  2⤵
  PID:1948
- C:\Windows\System\QArtHZf.exe
  C:\Windows\System\QArtHZf.exe
  2⤵
  PID:8296
- C:\Windows\System\kbKfSos.exe
  C:\Windows\System\kbKfSos.exe
  2⤵
  PID:8384
- C:\Windows\System\IwCGARV.exe
  C:\Windows\System\IwCGARV.exe
  2⤵
  PID:8464
- C:\Windows\System\qXhyHUR.exe
  C:\Windows\System\qXhyHUR.exe
  2⤵
  PID:8696
- C:\Windows\System\zpNjbrF.exe
  C:\Windows\System\zpNjbrF.exe
  2⤵
  PID:8684
- C:\Windows\System\UfhcYEI.exe
  C:\Windows\System\UfhcYEI.exe
  2⤵
  PID:4308
- C:\Windows\System\BxbqnFX.exe
  C:\Windows\System\BxbqnFX.exe
  2⤵
  PID:8908
- C:\Windows\System\kHqbUBh.exe
  C:\Windows\System\kHqbUBh.exe
  2⤵
  PID:8888
- C:\Windows\System\oLzxEUq.exe
  C:\Windows\System\oLzxEUq.exe
  2⤵
  PID:9004
- C:\Windows\System\YxNHgxj.exe
  C:\Windows\System\YxNHgxj.exe
  2⤵
  PID:9024
- C:\Windows\System\wwwBSUe.exe
  C:\Windows\System\wwwBSUe.exe
  2⤵
  PID:880
- C:\Windows\System\ImWusMs.exe
  C:\Windows\System\ImWusMs.exe
  2⤵
  PID:9088
- C:\Windows\System\qfqxCaO.exe
  C:\Windows\System\qfqxCaO.exe
  2⤵
  PID:9128
- C:\Windows\System\RXxqCUU.exe
  C:\Windows\System\RXxqCUU.exe
  2⤵
  PID:7216
- C:\Windows\System\qiwIEvp.exe
  C:\Windows\System\qiwIEvp.exe
  2⤵
  PID:9196
- C:\Windows\System\xkuEqSw.exe
  C:\Windows\System\xkuEqSw.exe
  2⤵
  PID:8468
- C:\Windows\System\CLfcxtG.exe
  C:\Windows\System\CLfcxtG.exe
  2⤵
  PID:8564
- C:\Windows\System\ppiMIKR.exe
  C:\Windows\System\ppiMIKR.exe
  2⤵
  PID:8760
- C:\Windows\System\RUKgoVV.exe
  C:\Windows\System\RUKgoVV.exe
  2⤵
  PID:8884
- C:\Windows\System\hFsGAtk.exe
  C:\Windows\System\hFsGAtk.exe
  2⤵
  PID:9072
- C:\Windows\System\GZhmUpD.exe
  C:\Windows\System\GZhmUpD.exe
  2⤵
  PID:9112
- C:\Windows\System\WJAXRlo.exe
  C:\Windows\System\WJAXRlo.exe
  2⤵
  PID:9148
- C:\Windows\System\mjwxKpR.exe
  C:\Windows\System\mjwxKpR.exe
  2⤵
  PID:4776
- C:\Windows\System\SKNLsoG.exe
  C:\Windows\System\SKNLsoG.exe
  2⤵
  PID:8452
- C:\Windows\System\qsorgih.exe
  C:\Windows\System\qsorgih.exe
  2⤵
  PID:8636
- C:\Windows\System\xuTcPMK.exe
  C:\Windows\System\xuTcPMK.exe
  2⤵
  PID:6388
- C:\Windows\System\VThNaxp.exe
  C:\Windows\System\VThNaxp.exe
  2⤵
  PID:8708
- C:\Windows\System\eMjlBby.exe
  C:\Windows\System\eMjlBby.exe
  2⤵
  PID:9108
- C:\Windows\System\fMpEcks.exe
  C:\Windows\System\fMpEcks.exe
  2⤵
  PID:8128
- C:\Windows\System\DzPWBFW.exe
  C:\Windows\System\DzPWBFW.exe
  2⤵
  PID:9224
- C:\Windows\System\UkaSXTR.exe
  C:\Windows\System\UkaSXTR.exe
  2⤵
  PID:9280
- C:\Windows\System\kUpUbYs.exe
  C:\Windows\System\kUpUbYs.exe
  2⤵
  PID:9300
- C:\Windows\System\XAGBgvZ.exe
  C:\Windows\System\XAGBgvZ.exe
  2⤵
  PID:9316
- C:\Windows\System\wbnwVqM.exe
  C:\Windows\System\wbnwVqM.exe
  2⤵
  PID:9404
- C:\Windows\System\jcSQmdD.exe
  C:\Windows\System\jcSQmdD.exe
  2⤵
  PID:9420
- C:\Windows\System\iyZwbmG.exe
  C:\Windows\System\iyZwbmG.exe
  2⤵
  PID:9468
- C:\Windows\System\WXPIOAG.exe
  C:\Windows\System\WXPIOAG.exe
  2⤵
  PID:9488
- C:\Windows\System\nyuasQc.exe
  C:\Windows\System\nyuasQc.exe
  2⤵
  PID:9516
- C:\Windows\System\StuHlWI.exe
  C:\Windows\System\StuHlWI.exe
  2⤵
  PID:9556
- C:\Windows\System\jtjnFUQ.exe
  C:\Windows\System\jtjnFUQ.exe
  2⤵
  PID:9584
- C:\Windows\System\lfCIzvd.exe
  C:\Windows\System\lfCIzvd.exe
  2⤵
  PID:9616
- C:\Windows\System\yeNdfoB.exe
  C:\Windows\System\yeNdfoB.exe
  2⤵
  PID:9644
- C:\Windows\System\uVfiTDo.exe
  C:\Windows\System\uVfiTDo.exe
  2⤵
  PID:9664
- C:\Windows\System\jPdRocI.exe
  C:\Windows\System\jPdRocI.exe
  2⤵
  PID:9736
- C:\Windows\System\gqWPqOk.exe
  C:\Windows\System\gqWPqOk.exe
  2⤵
  PID:9780
- C:\Windows\System\kJAYSdS.exe
  C:\Windows\System\kJAYSdS.exe
  2⤵
  PID:9796
- C:\Windows\System\KfoOyMW.exe
  C:\Windows\System\KfoOyMW.exe
  2⤵
  PID:9812
- C:\Windows\System\XGONydf.exe
  C:\Windows\System\XGONydf.exe
  2⤵
  PID:9836
- C:\Windows\System\dfANihH.exe
  C:\Windows\System\dfANihH.exe
  2⤵
  PID:9856
- C:\Windows\System\cQyTeWt.exe
  C:\Windows\System\cQyTeWt.exe
  2⤵
  PID:9872
- C:\Windows\System\euWKJyB.exe
  C:\Windows\System\euWKJyB.exe
  2⤵
  PID:9892
- C:\Windows\System\jEtQROw.exe
  C:\Windows\System\jEtQROw.exe
  2⤵
  PID:9908
- C:\Windows\System\PxSktSM.exe
  C:\Windows\System\PxSktSM.exe
  2⤵
  PID:9928
- C:\Windows\System\RPjadfC.exe
  C:\Windows\System\RPjadfC.exe
  2⤵
  PID:9944
- C:\Windows\System\xlUutSE.exe
  C:\Windows\System\xlUutSE.exe
  2⤵
  PID:9996
- C:\Windows\System\MXzvbPv.exe
  C:\Windows\System\MXzvbPv.exe
  2⤵
  PID:10020
- C:\Windows\System\TJsMLQa.exe
  C:\Windows\System\TJsMLQa.exe
  2⤵
  PID:10040
- C:\Windows\System\tZdZUmK.exe
  C:\Windows\System\tZdZUmK.exe
  2⤵
  PID:10064
- C:\Windows\System\dffmMFf.exe
  C:\Windows\System\dffmMFf.exe
  2⤵
  PID:10144
- C:\Windows\System\mvrcCGa.exe
  C:\Windows\System\mvrcCGa.exe
  2⤵
  PID:10164
- C:\Windows\System\asNiQBX.exe
  C:\Windows\System\asNiQBX.exe
  2⤵
  PID:10180
- C:\Windows\System\EEBvmYw.exe
  C:\Windows\System\EEBvmYw.exe
  2⤵
  PID:10200
- C:\Windows\System\KqzIXWZ.exe
  C:\Windows\System\KqzIXWZ.exe
  2⤵
  PID:8524
- C:\Windows\System\NCWOSvt.exe
  C:\Windows\System\NCWOSvt.exe
  2⤵
  PID:9312
- C:\Windows\System\taDZfQD.exe
  C:\Windows\System\taDZfQD.exe
  2⤵
  PID:9412
- C:\Windows\System\FBAMgiO.exe
  C:\Windows\System\FBAMgiO.exe
  2⤵
  PID:9484
- C:\Windows\System\kJrlvkV.exe
  C:\Windows\System\kJrlvkV.exe
  2⤵
  PID:9612
- C:\Windows\System\Qjotfbu.exe
  C:\Windows\System\Qjotfbu.exe
  2⤵
  PID:9692
- C:\Windows\System\aXlVxMq.exe
  C:\Windows\System\aXlVxMq.exe
  2⤵
  PID:9776
- C:\Windows\System\aLlwCIQ.exe
  C:\Windows\System\aLlwCIQ.exe
  2⤵
  PID:9852
- C:\Windows\System\UTYzKIP.exe
  C:\Windows\System\UTYzKIP.exe
  2⤵
  PID:9804
- C:\Windows\System\RVGjYxY.exe
  C:\Windows\System\RVGjYxY.exe
  2⤵
  PID:9920
- C:\Windows\System\dsnGsgH.exe
  C:\Windows\System\dsnGsgH.exe
  2⤵
  PID:9916
- C:\Windows\System\wRowNor.exe
  C:\Windows\System\wRowNor.exe
  2⤵
  PID:10004
- C:\Windows\System\klYEAZT.exe
  C:\Windows\System\klYEAZT.exe
  2⤵
  PID:10028
- C:\Windows\System\ZchgDAW.exe
  C:\Windows\System\ZchgDAW.exe
  2⤵
  PID:3008
- C:\Windows\System\XaucCxU.exe
  C:\Windows\System\XaucCxU.exe
  2⤵
  PID:10172
- C:\Windows\System\SlkDSAn.exe
  C:\Windows\System\SlkDSAn.exe
  2⤵
  PID:836
- C:\Windows\System\DGHoFHx.exe
  C:\Windows\System\DGHoFHx.exe
  2⤵
  PID:9096
- C:\Windows\System\VOlOtjX.exe
  C:\Windows\System\VOlOtjX.exe
  2⤵
  PID:7448
- C:\Windows\System\mDZvmSV.exe
  C:\Windows\System\mDZvmSV.exe
  2⤵
  PID:9464
- C:\Windows\System\WXLTZtc.exe
  C:\Windows\System\WXLTZtc.exe
  2⤵
  PID:9268
- C:\Windows\System\pIyUtsq.exe
  C:\Windows\System\pIyUtsq.exe
  2⤵
  PID:9608
- C:\Windows\System\tosfxUs.exe
  C:\Windows\System\tosfxUs.exe
  2⤵
  PID:712
- C:\Windows\System\pdkrlRt.exe
  C:\Windows\System\pdkrlRt.exe
  2⤵
  PID:3080
- C:\Windows\System\KyJaIjC.exe
  C:\Windows\System\KyJaIjC.exe
  2⤵
  PID:9660
- C:\Windows\System\GnZBOTb.exe
  C:\Windows\System\GnZBOTb.exe
  2⤵
  PID:9788
- C:\Windows\System\fwovrfC.exe
  C:\Windows\System\fwovrfC.exe
  2⤵
  PID:9956
- C:\Windows\System\lSLqgus.exe
  C:\Windows\System\lSLqgus.exe
  2⤵
  PID:10036
- C:\Windows\System\QyTGeHh.exe
  C:\Windows\System\QyTGeHh.exe
  2⤵
  PID:9152
- C:\Windows\System\ytNdfHA.exe
  C:\Windows\System\ytNdfHA.exe
  2⤵
  PID:9276
- C:\Windows\System\bHRJKME.exe
  C:\Windows\System\bHRJKME.exe
  2⤵
  PID:9480
- C:\Windows\System\MDnxulS.exe
  C:\Windows\System\MDnxulS.exe
  2⤵
  PID:9848
- C:\Windows\System\WVRhaqr.exe
  C:\Windows\System\WVRhaqr.exe
  2⤵
  PID:10260
- C:\Windows\System\wAPzRbo.exe
  C:\Windows\System\wAPzRbo.exe
  2⤵
  PID:10276
- C:\Windows\System\xSMfqfJ.exe
  C:\Windows\System\xSMfqfJ.exe
  2⤵
  PID:10296
- C:\Windows\System\rnGAMbx.exe
  C:\Windows\System\rnGAMbx.exe
  2⤵
  PID:10320
- C:\Windows\System\DAwjKgZ.exe
  C:\Windows\System\DAwjKgZ.exe
  2⤵
  PID:10372
- C:\Windows\System\uZSadNQ.exe
  C:\Windows\System\uZSadNQ.exe
  2⤵
  PID:10388
- C:\Windows\System\wTgbwcU.exe
  C:\Windows\System\wTgbwcU.exe
  2⤵
  PID:10508
- C:\Windows\System\UfLWYjc.exe
  C:\Windows\System\UfLWYjc.exe
  2⤵
  PID:10548
- C:\Windows\System\EiWueuf.exe
  C:\Windows\System\EiWueuf.exe
  2⤵
  PID:10572
- C:\Windows\System\fCZhPBf.exe
  C:\Windows\System\fCZhPBf.exe
  2⤵
  PID:10592
- C:\Windows\System\XvnCRhs.exe
  C:\Windows\System\XvnCRhs.exe
  2⤵
  PID:10616
- C:\Windows\System\MSIDUTc.exe
  C:\Windows\System\MSIDUTc.exe
  2⤵
  PID:10632
- C:\Windows\System\uYsddNt.exe
  C:\Windows\System\uYsddNt.exe
  2⤵
  PID:10656
- C:\Windows\System\fxUZjrC.exe
  C:\Windows\System\fxUZjrC.exe
  2⤵
  PID:10724

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:10352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CEvDpmW.exe

Filesize
1.8MB

MD5
139ece035bd203a7c882d7a71231bfad

SHA1
227e354b734b91b792d54c141242a529342c46fa

SHA256
7d44bef4a10148f0394712f389de9dd3deb60707163491a791dcdc665b48f645

SHA512
3abc3d493c5fba22864d386c6eb1dc20139944c175a27a2512305c629c9921ebf7f5e7de46c64309f776a7af68fc80558fc45c336d20bfc077e1539968c3f9fa

Download Submit
C:\Windows\System\FRkaXHQ.exe

Filesize
1024KB

MD5
b2ad855639c2b8f4bb10c3fa9e5e0e9a

SHA1
63a4a138146af5e173502df54e615e87862cd1a7

SHA256
cd53f3c3dd2c1bd95105a3edb1ec4cb3264e45baa2409fc2350b91725a8bf544

SHA512
3529025d3e0f67cb320696d9895c3861afb6e90b20da8d36532718eee7a4a8cbc519616d746669732421d515893f7df7d8c074a583a7d45ba03bc909082ec6ba

Download Submit
C:\Windows\System\IPVMsIR.exe

Filesize
1.8MB

MD5
9b58b743a1259e2e53dcc0caf5da0c59

SHA1
24cbb94ed7d12339538176c3f0db11d84b8a51cd

SHA256
367cc026a3896c177d2ff6d48184f2a0ca6692daabd104abe1e950c72f6a19cd

SHA512
905c9c2f570c6290a9bd106193bc6c3f14612a91daa9de5f65f740aa2a4e2bbf65bde06486fbddf4d4908e7cf70e6ad2b320200ea90f5768055307f0c607b79e

Download Submit
C:\Windows\System\KYkXVnL.exe

Filesize
1.8MB

MD5
4346679367451d7345cb864b478c9a58

SHA1
166599a32cfacb8336aa5902515f64bcc03cf62e

SHA256
d611eb3fc818ec253e7e6a498c898efdaffb8db2d80d92293650f5098dfe6b1f

SHA512
0a7f5209718f97df5b6fd9aaae8e988cb0677d94d9a98d8515ae5b82f56843f6c13c9c623eeddf544a6d25a502ff6eb3ac4eacdc40cd7ee20a1d751a00070887

Download Submit
C:\Windows\System\NAVZCey.exe

Filesize
1.4MB

MD5
b1d42e752fa166fce9f7b317b4fd8533

SHA1
06e18686465fd43f32a335d33ead2c9c270d8b3b

SHA256
f02ebb5bdc51079997a13fb267937555bf74bc187796833e49c1fb020e49a496

SHA512
fbbace52e1b407cfbb80d4d50ca40e190618d4d9fc444053cabae2886bbd3f34491b9f2effbb1fce3aa735e97114616f2b575b55bb4671bb8c6898a34978d99e

Download Submit
C:\Windows\System\QLiiWTK.exe

Filesize
1.8MB

MD5
ff18e024ef898d92fcc297c6e581c479

SHA1
31440cf7934d46c95800c6f17b365a1d81461683

SHA256
f6ae2a2ae3680c62cf83eb00b7c2faf6bc2c97992b38cd0b013a4561bf014460

SHA512
7bcf3fccfababea0d72699ff92df8541dbff9710c95164f4e843948b0fcd069cc879411bb8f40fb7018ee4da986c5e2c8886bc7dc7f5f210c7e6509d6bede667

Download Submit
C:\Windows\System\QSqlZrU.exe

Filesize
1.8MB

MD5
491c92711b4138c107800a49a8bca7f3

SHA1
edb25ac805b139319084e0e378c5a8b1a2b010d2

SHA256
8086841fe310a8d78bbb44fbd5aea8afe5490452293f045c355dc0c58d36b75e

SHA512
4611c2c974b97d98fbb0244de0a6347410b7ea24512e55dbfc6de95ff5d651338174a266a506ad5318ef1b7b46f7e4113ebbd04342b9e3e0d03edcc84d049eb2

Download Submit
C:\Windows\System\QSqlZrU.exe

Filesize
1.6MB

MD5
ba641165f6b949ad2a793d37eb6d3722

SHA1
2cb0c00047eae4c395d1295e869d1be58b311ef7

SHA256
9dd940bd94efbc6a5332347e88f4290aad8bba3634ef9a63df947aedd62a9f28

SHA512
51f3569e7658567737ebbcb6c09f878372fdbed12a7445ce97bf1cf61e55fe2cda36d2c0212c1741b9015b65f862245628e4ce37aa3f0f79e10d64b857f932a1

Download Submit
C:\Windows\System\RJFWjeE.exe

Filesize
1.8MB

MD5
c49cafdc6f0adbee2bf2643121d5b1af

SHA1
c9a3fcafc268549ec479cb5b2422d89265f9afb8

SHA256
e9ef954a7e87de5be866d06d870e7209e3dfe944aabb54d94b7b37654cd6024d

SHA512
0aa1eb8bb5fca8201c1c34d3e0f78c5f5787ea7e51d2262e57f73ba440cd810c219ba5da46b924e9fdb1da15cfed3e58452b93232c826eb40de3eb2be19096b2

Download Submit
C:\Windows\System\TmYmkpx.exe

Filesize
1.8MB

MD5
67fb913d43d056e42aaf58994e051852

SHA1
70110bc3dbb6a92bbd160080fa667e7a202ec950

SHA256
b356ea4d3b6963070fc1bd2855d648024aeede4639cc40273f90d0eea7ea8a15

SHA512
d23a17e10a6388ef7407b20bfd653f28e9c780a1804d6010b09b75081fa92ea07f137261c0358eda6a84d8088bb2fbca46ad2c0536071492c759dc29ffb34ab5

Download Submit
C:\Windows\System\TmYmkpx.exe

Filesize
768KB

MD5
096410221e55421e5c4c4275c7d21513

SHA1
a9a3350bb5b616aee4d0c922dc225694f8027702

SHA256
1162e04ab5acff6cf895e753ad87619013ecfffc06f47ed477cf1c201c040e66

SHA512
b442b0d589e49e95f8c072f6f97ae946c91e082ea0e6557eeef4f55282d6675cb325a5ba42eb1799fb9bff049919d0eef469abfd200cb35fe59f78974905588c

Download Submit
C:\Windows\System\VWeOECB.exe

Filesize
1.1MB

MD5
1241ba867453897ac081cd65f8362e09

SHA1
c06f20c8fe988e04887b1928c0d398e1278d1f63

SHA256
4da6a57bd18d845b9eb05ddd095ba49a9a1364f0f89dcc72e16f38ee06b3ecf2

SHA512
7035d20636296fc99797ebe12bb98dd381bedda6aae785250256cdbea17ca2a91777be59420c826d8c0a97d52e35f2dbc43b95df90b931416103881e71aafc54

Download Submit
C:\Windows\System\VWeOECB.exe

Filesize
1.8MB

MD5
c22fa631ea30aa00f8850ca53dded43c

SHA1
f45db88ba07496b696e74991a2292c079a7997a7

SHA256
626dade8faddc9e9c27106d9387ad643b7f5ff3f7627a0dd08491f2c37526afa

SHA512
c6ea4dc5dedf66692adb71f929846bfc753defa60b976f989c65ae17fe3aa75cecf2e8fc9aee1c79cd098c93826fa86fe716b8e68be0ab61039ab1442b68d61d

Download Submit
C:\Windows\System\XUAxFxF.exe

Filesize
1.8MB

MD5
21bf4bda44398f08ad5f26a7440c9594

SHA1
4d067a39264f13fef5216b1fdced734c9fbb36ab

SHA256
e5a929ab1065d001570ff3f2eaa9d0e7cb9436cf9ecf0e233bc72f7fd7324c4d

SHA512
aa160a8271b9ea422d085c57973451523b3fefec4f03efae065ae5b3f49819269bc3c56ce551dd148eebed3aad1597c832840540ad8e84716ad71c5d06578aa0

Download Submit
C:\Windows\System\XUAxFxF.exe

Filesize
640KB

MD5
469aca0e2abc33bcc5100f89b3196890

SHA1
b77c2be76b0bcd5c1640c82143bf4ae8abf6ed35

SHA256
8e4d419e754f89fae1d30741df9483d06709f6d20541cbce976b97c6b74f264f

SHA512
bb8f27156094a7b200e5c1844466de9827240ad5c62598ca983899918fcfddc76480438ab7ff457f4059655d26f5dee65f9d3ba57dc850a7e0c1c267d7e2bdae

Download Submit
C:\Windows\System\ZKkdvvL.exe

Filesize
1.3MB

MD5
4f91c11e96840f7afb88e012dcdfd12a

SHA1
a7b38f1b43b954817ccea978482b1fec1dbe1dc1

SHA256
18bcdf3d562bd384933c2e7e47fc3ad94c3012f2dc4ed4e22c9bc72ab0482299

SHA512
11f123bc159f1435c534cbff0a228bf2fe1b4231a81c5bd797101651f889f0b41be6c18f90bd56645dbd1f24858d02bd4a477b2e0999d35c8f254aee08f90aaf

Download Submit
C:\Windows\System\ZKkdvvL.exe

Filesize
704KB

MD5
27f1ae58c0e7ea96c463a8f0329d13e3

SHA1
a5352f33f2a7ec676e07aa36bd587f2a910b1502

SHA256
570ef729e78067f9e824a09ee84a0b44c24671dfe07947eaca970f453f235334

SHA512
51c2e61154a9cf7b8c51728bee23d084e40467a64fc74544ed07917de5c42cd2c4f093dc4dba57e475be140334b7f9d2f8c2784d353f9bec4fe5fc6098f5ad70

Download Submit
C:\Windows\System\gwFLWph.exe

Filesize
1.8MB

MD5
126fffe804eb9880b5f59edcd4e9702c

SHA1
773cdb56f1a74c729a3695c2fa6434ca4b8f7532

SHA256
e83c87da7ddd156aec41c21fbfc0727e7f9e9f57d27be39c91dfa569539be1a8

SHA512
f74ae718c19c2b282af3d17c78870163bb7bf4fd936584e7ea410c78f8632bc4d74c43ddd2b484033b46249fa61a980e6bd070a7f0324f36ef5c881683f65ff0

Download Submit
C:\Windows\System\hHgdghr.exe

Filesize
1.8MB

MD5
f91777d17fcc173cb36597de8cdc7f23

SHA1
4df3f256bb910dc037e8644ed1c69dcb7c31eaf3

SHA256
f088f16ecab6780a5c7ac9c9653b2e16e944462f0fa939e50fe6f6c3bd02778a

SHA512
133d9cd7c4fa3746552f17f1baf1ca0fa243f00ccdd0fad91a3745e0c46bce46275285e4fc9ea5d45999ca9f2a65cc72eb13f5142e7d554ebb4477f8ca85000b

Download Submit
C:\Windows\System\iVBQtsC.exe

Filesize
1.4MB

MD5
73c54f37ee1fd94779d03fbe76e04feb

SHA1
f16e3daa32b20c0e3693b2c94434d47c466fb56a

SHA256
6181e457adf301556ae3192d955ba7b2bdf3d8a3b17d7f2b1bd0c63bc6ee7282

SHA512
612f4ae13e73488d73a33d0ebda0c0adb46afdfe622260bc58e778b2696a3d7987b3676b630ed2ea3b1bb5f0c44c29cd4ecce541e8d65360916cff3ce342c111

Download Submit
C:\Windows\System\jOQQRCN.exe

Filesize
1.8MB

MD5
706d62c51630947cd2a8cff2926a17d2

SHA1
3da3725acd1cdfaf06c6a37aaac1da8ed30b8b4b

SHA256
02c9c8e8dc26c47e9dd5eba5d7002186af34e8e30bc6839d9309eee38e7cda0e

SHA512
ee62ca161fd6d005d2120cd6ca777ec4347617888da03ce99237563d1b1ac26823fcd56f023a51bf6b671137ae683cb47e3e49c5c19066cacb5e3fda6fb77903

Download Submit
C:\Windows\System\mnxvIUx.exe

Filesize
1.7MB

MD5
bf8c149b1fdef4e36cf2c55cc31ec010

SHA1
6bcff7856d15e031716720a4392bf9552eb02685

SHA256
03adb6bdb17c289e372abb3cc3ef2a3fa991dab1f8138f7722353654c6bafa4a

SHA512
f94b648402ed4d791c0ab4f376095dc5857b75fe0c706520031ddab2afd1d3887b3341a199fc5b204b5ab29af06ff3bf7bd157e2955004107c741c65397b0aa5

Download Submit
C:\Windows\System\nWTdmKD.exe

Filesize
1.8MB

MD5
85493306739d34e4e638bcc17c92df1b

SHA1
ca848d1e774ce96873378318a714e4fa974985bc

SHA256
0e1c97914605abb017d01ade38d583a287da938c7a38c7babbb00b9fd29ac7fb

SHA512
8a2f32e781cbeee31e2896eccbd487fc12e570e22ab8828070d624a8880e8600bbdebda2833eed2102a4eced073fd0e9a49f8c93ad961d4ae99ab57a475b41c2

Download Submit
C:\Windows\System\nWTdmKD.exe

Filesize
896KB

MD5
d8061570a3d685a09a8726d2e2043dcd

SHA1
5784ed9099dd4b61b63fc8ab2f585fc9e4456099

SHA256
2858747fe15b825bca2004f1fb5434e70a8f8952f994cb7850f53fc69e794e72

SHA512
491823d9b7c3d0e919d65b711645bd0839fa6e3b7a404dd101f61c497b50d40cc12658380d09032bb5d5d2ac84e5d2791f8235e5d4c6f54ca1090b042d3a4b7a

Download Submit
C:\Windows\System\oJhFhwZ.exe

Filesize
960KB

MD5
180ec18cff675908ea09fb02b8edeae7

SHA1
908a0fde6e66598e819044f800d2fb12a2c2d5e4

SHA256
35e0571c2720559fc2e392ef1ac01a4890a7f5a52de790fe0560ba1ddb8b0978

SHA512
f4efca4f8c80307ac309f06271cca1b553bd93330b442aaa71749f3ce5f3d47dab778dbee66162c088762bb8f4726a65ed8e5313f9bd8da09d951b910b9f8e49

Download Submit
C:\Windows\System\pSFjNuB.exe

Filesize
1.2MB

MD5
e8415a48a8394edebe9859f31669a119

SHA1
88123503cb3806d920c5045882df8f6e0c3e74f8

SHA256
673a3a64e33ae96b71ad45f327ba5052f5e8d5cbd59b937265f227e4717ceec2

SHA512
b2dfacf6cc8cf3e310bca2ae7a8803f8dcfb79cc05a7ec4334a574e352e214b4be25aed17bf7154e32fdba8bb62a4a408a3a5aac88c5c402cbfc37c40a3b1a1b

Download Submit
C:\Windows\System\rFLerqA.exe

Filesize
1.8MB

MD5
2b25d255f05266dd3b6ea064d6ebbcbb

SHA1
3d69c2026a514237926ab872ad64e2e4fb4e95b0

SHA256
94c4cb92e33306442b599f6a2e7a9cf34a28122375374dd46f8d9f41838beeb5

SHA512
34c3dea713f418123e87305f1e6a172667f2ec5355bc53458f465567d76eed46824ae0c618c62e8ff4ab17dbc1658d3490f1ec9c295bfd76dddbf648bc4027eb

Download Submit
C:\Windows\System\rFLerqA.exe

Filesize
512KB

MD5
6b5887af4274a78686a788865765637c

SHA1
5afc15e6fcbc11377bbabbda47ff43f6ebedd369

SHA256
ecdfed9bc02368fefbebe0d02090e93826b7e5cc1043e339dd245299c8b23006

SHA512
4f563e539f8ec68bbc27d4cc59c42ea4897bb131085e08433f745cc558ab7a030701a601ddb711cda19dfa6cd9086b458fb74762092be15aaa4190c05134d077

Download Submit
C:\Windows\System\sIWVEpd.exe

Filesize
1.8MB

MD5
124dd7ea02fb95d8a9e4197993db1672

SHA1
9f477378cbf48edfb9f8d12842520144ed7bb90d

SHA256
6d755ad3b820292d16bf6abec3ff893281035d56c0d9ecc30e2c8f43a663fef7

SHA512
f6624830bba8cdcc4fb87d2bed8f4442425b4680e623aaf4c035fc630d27cca8457a0df131cb8c1b805d4d69d7614d0dd511a54941f1394fd427acd5c321f21c

Download Submit
C:\Windows\System\uylEgJN.exe

Filesize
320KB

MD5
d21590ae8170aaccbcd19e7067ab6994

SHA1
10f350169749c21440531509a3e7295f89c18083

SHA256
46a31c66a5e2b5dc524bccbbcd87f163f058b2fedffe048e3850fee93fbd703a

SHA512
0a218e8b4f06e2867073755e2a8ca9407d373ed70a6cdd1433032aeda4491ab35054bde1767383405cb6459bec67b81063efb85a1f210d8040c877770e4e047f

Download Submit
C:\Windows\System\wOEzkaD.exe

Filesize
128KB

MD5
7ce4ba1725e83a50f64ba525f8815dcf

SHA1
b1714a2d23cfc42c18c37e1546ac0908d8252c04

SHA256
9f7e171000696500dfb6a966f2c3ddf12dc1a77b8276ef660f14f7b7188d2908

SHA512
2dff777f276295d96892e5749316e2e8892ba50f8398f9972ecc2f6e5378213e3cdd31c7c6ab8360d3490d1ec9e77be4e73ac137e108b2eddff2feaaf600be19

Download Submit
C:\Windows\System\waLCBPG.exe

Filesize
1.2MB

MD5
7ec2d634f6f96feb5806b4fc3784da11

SHA1
05dc19262d5acb8a00de16f3ac9097c06f274d24

SHA256
732ce9c3e8c98b7a230c923281783d8a7bc127ef452e88138ce52363554d6dcd

SHA512
f369cefd8871bedeb2e2d8e1d05b2bc35652d344eeaefb092b7288c2025b5774f0f68abcf66b3244b77acac15c7c7a3da4e1e8085229461472aab47a681555f1

Download Submit
C:\Windows\System\waLCBPG.exe

Filesize
1.8MB

MD5
3878610201d12b17dd0a4c36b320ca17

SHA1
06397dc667ae61417765c11ffc4a79ade2b0d642

SHA256
760de8b6371d8f407dc9ed42dbb8d03086d42fdc7375d4bd429c5d5e280b8694

SHA512
0288b835ba9d268a2c9d8de5d1ca541862855f0fb16871263db5e718b48ef376c029b41ea052ba0ff38bb9ddb2c6a035b799188f66f392163a7315ed78630db4

Download Submit
C:\Windows\System\yISSRrO.exe

Filesize
1.8MB

MD5
ad5d1730989dfd1e39ceaa23f1c1b577

SHA1
7bdb9c0b30327cfdc03498df52edb062175533d5

SHA256
d4a9585d2e3e23fb7040a46fe063c16e3162444fd76d8fe5e9b399f15bff45f6

SHA512
b20355da311b60663ec3e8ff9316a3a61e4a27d20ff7e7b8008a3d0b4ea3337325236cbb45dd1f01562c98473aaca60255526e3171433df23b12f96ac9d162c0

Download Submit
C:\Windows\System\zAplGnS.exe

Filesize
1.1MB

MD5
bfd680643e8c5232951a448f19b01113

SHA1
9f10d4cf7414617ef9b7557edb7986c28f3dd17e

SHA256
2950296ce6957997a133b4771ba61774af013e57d57da9988a3fe1ec4bf8875b

SHA512
dd7d1c5dc6991953d3adf0ea63b3ca9b54da3f04388898a72d085192409c6142733ffbf7c4a4fef867d1f178ceef76eae2524b35a09b35f1d4bcc8168e3840d5

Download Submit
C:\Windows\System\zAplGnS.exe

Filesize
192KB

MD5
4a486a2a371d8db348dc0ad03e9fd9f0

SHA1
edd912c5d606628022dc3216eaf2db7c93554ff7

SHA256
93ebf2ea35e05e71e9c9884bcb76799c1b9f2b81bf8decfe1ec83807b911916b

SHA512
deb1d7cb48c961fa18e748db8dfc9769c6fcedd4b7a26b044181e535fbdb31d7ead7b8ae69fab463473bcf0bbda0affdeecb9deffc51a89c74001f68a98bf60b

Download Submit
memory/116-72-0x00007FF767D70000-0x00007FF7680C4000-memory.dmp

Filesize
3.3MB

Download
memory/316-261-0x00007FF61CBE0000-0x00007FF61CF34000-memory.dmp

Filesize
3.3MB

Download
memory/380-28-0x00007FF640310000-0x00007FF640664000-memory.dmp

Filesize
3.3MB

Download
memory/544-133-0x00007FF787810000-0x00007FF787B64000-memory.dmp

Filesize
3.3MB

Download
memory/556-58-0x00007FF7335D0000-0x00007FF733924000-memory.dmp

Filesize
3.3MB

Download
memory/668-315-0x00007FF676060000-0x00007FF6763B4000-memory.dmp

Filesize
3.3MB

Download
memory/672-102-0x00007FF703810000-0x00007FF703B64000-memory.dmp

Filesize
3.3MB

Download
memory/764-320-0x00007FF60F740000-0x00007FF60FA94000-memory.dmp

Filesize
3.3MB

Download
memory/1016-325-0x00007FF7EEEE0000-0x00007FF7EF234000-memory.dmp

Filesize
3.3MB

Download
memory/1096-309-0x00007FF657910000-0x00007FF657C64000-memory.dmp

Filesize
3.3MB

Download
memory/1432-55-0x00007FF7E5A30000-0x00007FF7E5D84000-memory.dmp

Filesize
3.3MB

Download
memory/1552-327-0x00007FF6B2970000-0x00007FF6B2CC4000-memory.dmp

Filesize
3.3MB

Download
memory/1608-294-0x00007FF696A40000-0x00007FF696D94000-memory.dmp

Filesize
3.3MB

Download
memory/1692-95-0x00007FF68C7B0000-0x00007FF68CB04000-memory.dmp

Filesize
3.3MB

Download
memory/1740-295-0x00007FF77C4B0000-0x00007FF77C804000-memory.dmp

Filesize
3.3MB

Download
memory/1752-104-0x00007FF795A90000-0x00007FF795DE4000-memory.dmp

Filesize
3.3MB

Download
memory/1896-9-0x00007FF636F60000-0x00007FF6372B4000-memory.dmp

Filesize
3.3MB

Download
memory/1976-306-0x00007FF7A1440000-0x00007FF7A1794000-memory.dmp

Filesize
3.3MB

Download
memory/2088-300-0x00007FF6A8530000-0x00007FF6A8884000-memory.dmp

Filesize
3.3MB

Download
memory/2100-298-0x00007FF6134B0000-0x00007FF613804000-memory.dmp

Filesize
3.3MB

Download
memory/2244-66-0x00007FF621840000-0x00007FF621B94000-memory.dmp

Filesize
3.3MB

Download
memory/2320-304-0x00007FF62A510000-0x00007FF62A864000-memory.dmp

Filesize
3.3MB

Download
memory/2336-305-0x00007FF66A750000-0x00007FF66AAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2348-321-0x00007FF7BD860000-0x00007FF7BDBB4000-memory.dmp

Filesize
3.3MB

Download
memory/2364-323-0x00007FF7D3580000-0x00007FF7D38D4000-memory.dmp

Filesize
3.3MB

Download
memory/2392-299-0x00007FF683690000-0x00007FF6839E4000-memory.dmp

Filesize
3.3MB

Download
memory/2400-285-0x00007FF64A840000-0x00007FF64AB94000-memory.dmp

Filesize
3.3MB

Download
memory/2620-110-0x00007FF6E25F0000-0x00007FF6E2944000-memory.dmp

Filesize
3.3MB

Download
memory/2628-111-0x00007FF6611C0000-0x00007FF661514000-memory.dmp

Filesize
3.3MB

Download
memory/2636-69-0x00007FF775760000-0x00007FF775AB4000-memory.dmp

Filesize
3.3MB

Download
memory/2648-326-0x00007FF79C100000-0x00007FF79C454000-memory.dmp

Filesize
3.3MB

Download
memory/2860-317-0x00007FF6123F0000-0x00007FF612744000-memory.dmp

Filesize
3.3MB

Download
memory/2904-311-0x00007FF64F3F0000-0x00007FF64F744000-memory.dmp

Filesize
3.3MB

Download
memory/2952-228-0x00007FF792480000-0x00007FF7927D4000-memory.dmp

Filesize
3.3MB

Download
memory/3108-274-0x00007FF727AF0000-0x00007FF727E44000-memory.dmp

Filesize
3.3MB

Download
memory/3164-109-0x00007FF6FABB0000-0x00007FF6FAF04000-memory.dmp

Filesize
3.3MB

Download
memory/3220-313-0x00007FF65F200000-0x00007FF65F554000-memory.dmp

Filesize
3.3MB

Download
memory/3360-307-0x00007FF68CFE0000-0x00007FF68D334000-memory.dmp

Filesize
3.3MB

Download
memory/3364-106-0x00007FF65AE10000-0x00007FF65B164000-memory.dmp

Filesize
3.3MB

Download
memory/3560-308-0x00007FF7088B0000-0x00007FF708C04000-memory.dmp

Filesize
3.3MB

Download
memory/3652-316-0x00007FF7FFB80000-0x00007FF7FFED4000-memory.dmp

Filesize
3.3MB

Download
memory/3656-0-0x00007FF7AE190000-0x00007FF7AE4E4000-memory.dmp

Filesize
3.3MB

Download
memory/3656-1-0x0000022725460000-0x0000022725470000-memory.dmp

Filesize
64KB

Download
memory/3668-312-0x00007FF7460F0000-0x00007FF746444000-memory.dmp

Filesize
3.3MB

Download
memory/3720-187-0x00007FF63A7A0000-0x00007FF63AAF4000-memory.dmp

Filesize
3.3MB

Download
memory/3848-19-0x00007FF7490C0000-0x00007FF749414000-memory.dmp

Filesize
3.3MB

Download
memory/3984-41-0x00007FF79E830000-0x00007FF79EB84000-memory.dmp

Filesize
3.3MB

Download
memory/4060-314-0x00007FF703870000-0x00007FF703BC4000-memory.dmp

Filesize
3.3MB

Download
memory/4100-112-0x00007FF7D1BF0000-0x00007FF7D1F44000-memory.dmp

Filesize
3.3MB

Download
memory/4104-322-0x00007FF7F7820000-0x00007FF7F7B74000-memory.dmp

Filesize
3.3MB

Download
memory/4212-108-0x00007FF6DFEE0000-0x00007FF6E0234000-memory.dmp

Filesize
3.3MB

Download
memory/4336-296-0x00007FF7EC440000-0x00007FF7EC794000-memory.dmp

Filesize
3.3MB

Download
memory/4372-158-0x00007FF6BE490000-0x00007FF6BE7E4000-memory.dmp

Filesize
3.3MB

Download
memory/4396-206-0x00007FF6F4280000-0x00007FF6F45D4000-memory.dmp

Filesize
3.3MB

Download
memory/4424-297-0x00007FF6ED5C0000-0x00007FF6ED914000-memory.dmp

Filesize
3.3MB

Download
memory/4472-254-0x00007FF6B5FE0000-0x00007FF6B6334000-memory.dmp

Filesize
3.3MB

Download
memory/4544-318-0x00007FF768740000-0x00007FF768A94000-memory.dmp

Filesize
3.3MB

Download
memory/4552-113-0x00007FF665A50000-0x00007FF665DA4000-memory.dmp

Filesize
3.3MB

Download
memory/4568-310-0x00007FF6F2FF0000-0x00007FF6F3344000-memory.dmp

Filesize
3.3MB

Download
memory/4672-303-0x00007FF7DE790000-0x00007FF7DEAE4000-memory.dmp

Filesize
3.3MB

Download
memory/4716-245-0x00007FF6BB160000-0x00007FF6BB4B4000-memory.dmp

Filesize
3.3MB

Download
memory/4736-319-0x00007FF792D80000-0x00007FF7930D4000-memory.dmp

Filesize
3.3MB

Download
memory/4912-302-0x00007FF6CBEB0000-0x00007FF6CC204000-memory.dmp

Filesize
3.3MB

Download
memory/5012-301-0x00007FF6581C0000-0x00007FF658514000-memory.dmp

Filesize
3.3MB

Download
memory/5028-324-0x00007FF6440B0000-0x00007FF644404000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads