xmrig | 5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290

Analysis

max time kernel
130s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
Size

1.9MB
MD5

bdb9406bb52a8fef74bc7e2cc3b447ed
SHA1

1512164edfcd5c2f2118a3b7a74f767e0b9e0028
SHA256

5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290
SHA512

d8a9506fd807a7fe3550f573d6d7834622154d05de19e3aa5f9aff5e456a81bd44d8b985913358c5e7cac939401df69034bc162e5b7a3f13ea112cc0e117b693
SSDEEP

49152:BezaTF8FcNkNdfE0pZ9ozt4wIQOYFB9b+:BemTLkNdfE0pZrQC

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/4984-0-0x00007FF695D60000-0x00007FF6960B4000-memory.dmp	UPX
behavioral2/files/0x0008000000023442-4.dat	UPX
behavioral2/memory/4020-11-0x00007FF724450000-0x00007FF7247A4000-memory.dmp	UPX
behavioral2/files/0x0008000000023448-8.dat	UPX
behavioral2/memory/3616-17-0x00007FF78FEF0000-0x00007FF790244000-memory.dmp	UPX
behavioral2/files/0x0007000000023449-21.dat	UPX
behavioral2/memory/2848-30-0x00007FF68E360000-0x00007FF68E6B4000-memory.dmp	UPX
behavioral2/files/0x000700000002344c-38.dat	UPX
behavioral2/files/0x000700000002344b-43.dat	UPX
behavioral2/files/0x000700000002344d-50.dat	UPX
behavioral2/files/0x000700000002344e-55.dat	UPX
behavioral2/files/0x0007000000023450-63.dat	UPX
behavioral2/files/0x0007000000023451-67.dat	UPX
behavioral2/files/0x0007000000023453-81.dat	UPX
behavioral2/files/0x0007000000023454-88.dat	UPX
behavioral2/files/0x0007000000023456-110.dat	UPX
behavioral2/files/0x0007000000023459-112.dat	UPX
behavioral2/memory/3992-109-0x00007FF762E70000-0x00007FF7631C4000-memory.dmp	UPX
behavioral2/files/0x0007000000023458-106.dat	UPX
behavioral2/files/0x0007000000023457-105.dat	UPX
behavioral2/files/0x0008000000023446-104.dat	UPX
behavioral2/files/0x0007000000023455-102.dat	UPX
behavioral2/memory/4172-99-0x00007FF745760000-0x00007FF745AB4000-memory.dmp	UPX
behavioral2/files/0x0007000000023452-93.dat	UPX
behavioral2/memory/228-86-0x00007FF64E9B0000-0x00007FF64ED04000-memory.dmp	UPX
behavioral2/memory/2728-80-0x00007FF69D410000-0x00007FF69D764000-memory.dmp	UPX
behavioral2/memory/4928-66-0x00007FF79A0C0000-0x00007FF79A414000-memory.dmp	UPX
behavioral2/memory/2208-62-0x00007FF608080000-0x00007FF6083D4000-memory.dmp	UPX
behavioral2/files/0x000700000002344f-60.dat	UPX
behavioral2/files/0x000700000002345a-130.dat	UPX
behavioral2/memory/1428-153-0x00007FF6A0F30000-0x00007FF6A1284000-memory.dmp	UPX
behavioral2/files/0x0007000000023463-180.dat	UPX
behavioral2/files/0x0007000000023469-187.dat	UPX
behavioral2/memory/4980-198-0x00007FF75C880000-0x00007FF75CBD4000-memory.dmp	UPX
behavioral2/memory/1272-211-0x00007FF6C61C0000-0x00007FF6C6514000-memory.dmp	UPX
behavioral2/memory/2920-216-0x00007FF6341C0000-0x00007FF634514000-memory.dmp	UPX
behavioral2/memory/4584-229-0x00007FF695320000-0x00007FF695674000-memory.dmp	UPX
behavioral2/memory/1136-237-0x00007FF7B6880000-0x00007FF7B6BD4000-memory.dmp	UPX
behavioral2/memory/4556-250-0x00007FF75DB40000-0x00007FF75DE94000-memory.dmp	UPX
behavioral2/memory/1960-253-0x00007FF75E710000-0x00007FF75EA64000-memory.dmp	UPX
behavioral2/memory/2472-257-0x00007FF7976A0000-0x00007FF7979F4000-memory.dmp	UPX
behavioral2/memory/1912-246-0x00007FF743CE0000-0x00007FF744034000-memory.dmp	UPX
behavioral2/memory/5040-269-0x00007FF665D60000-0x00007FF6660B4000-memory.dmp	UPX
behavioral2/memory/4616-278-0x00007FF6D6FD0000-0x00007FF6D7324000-memory.dmp	UPX
behavioral2/memory/2896-303-0x00007FF64D500000-0x00007FF64D854000-memory.dmp	UPX
behavioral2/memory/2484-307-0x00007FF682FC0000-0x00007FF683314000-memory.dmp	UPX
behavioral2/memory/4692-320-0x00007FF710DA0000-0x00007FF7110F4000-memory.dmp	UPX
behavioral2/memory/5100-323-0x00007FF7D1490000-0x00007FF7D17E4000-memory.dmp	UPX
behavioral2/memory/1216-352-0x00007FF6C0980000-0x00007FF6C0CD4000-memory.dmp	UPX
behavioral2/memory/4196-366-0x00007FF7634A0000-0x00007FF7637F4000-memory.dmp	UPX
behavioral2/memory/3560-382-0x00007FF690C80000-0x00007FF690FD4000-memory.dmp	UPX
behavioral2/memory/3552-388-0x00007FF727DE0000-0x00007FF728134000-memory.dmp	UPX
behavioral2/memory/5328-409-0x00007FF768660000-0x00007FF7689B4000-memory.dmp	UPX
behavioral2/memory/5364-415-0x00007FF6E4A50000-0x00007FF6E4DA4000-memory.dmp	UPX
behavioral2/memory/5416-431-0x00007FF6DBE00000-0x00007FF6DC154000-memory.dmp	UPX
behavioral2/memory/5636-475-0x00007FF7266D0000-0x00007FF726A24000-memory.dmp	UPX
behavioral2/memory/5692-483-0x00007FF64FE80000-0x00007FF6501D4000-memory.dmp	UPX
behavioral2/memory/5716-488-0x00007FF63FE30000-0x00007FF640184000-memory.dmp	UPX
behavioral2/memory/5588-463-0x00007FF793B80000-0x00007FF793ED4000-memory.dmp	UPX
behavioral2/memory/5612-462-0x00007FF783200000-0x00007FF783554000-memory.dmp	UPX
behavioral2/memory/5572-451-0x00007FF710E70000-0x00007FF7111C4000-memory.dmp	UPX
behavioral2/memory/5552-443-0x00007FF68BB70000-0x00007FF68BEC4000-memory.dmp	UPX
behavioral2/memory/5536-440-0x00007FF641BD0000-0x00007FF641F24000-memory.dmp	UPX
behavioral2/memory/5380-422-0x00007FF79CC40000-0x00007FF79CF94000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4984-0-0x00007FF695D60000-0x00007FF6960B4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023442-4.dat	xmrig
behavioral2/memory/4020-11-0x00007FF724450000-0x00007FF7247A4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023448-8.dat	xmrig
behavioral2/memory/3616-17-0x00007FF78FEF0000-0x00007FF790244000-memory.dmp	xmrig
behavioral2/files/0x0007000000023449-21.dat	xmrig
behavioral2/memory/2848-30-0x00007FF68E360000-0x00007FF68E6B4000-memory.dmp	xmrig
behavioral2/files/0x000700000002344c-38.dat	xmrig
behavioral2/files/0x000700000002344b-43.dat	xmrig
behavioral2/files/0x000700000002344d-50.dat	xmrig
behavioral2/files/0x000700000002344e-55.dat	xmrig
behavioral2/files/0x0007000000023450-63.dat	xmrig
behavioral2/files/0x0007000000023451-67.dat	xmrig
behavioral2/files/0x0007000000023453-81.dat	xmrig
behavioral2/files/0x0007000000023454-88.dat	xmrig
behavioral2/files/0x0007000000023456-110.dat	xmrig
behavioral2/files/0x0007000000023459-112.dat	xmrig
behavioral2/memory/3992-109-0x00007FF762E70000-0x00007FF7631C4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023458-106.dat	xmrig
behavioral2/files/0x0007000000023457-105.dat	xmrig
behavioral2/files/0x0008000000023446-104.dat	xmrig
behavioral2/files/0x0007000000023455-102.dat	xmrig
behavioral2/memory/4172-99-0x00007FF745760000-0x00007FF745AB4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023452-93.dat	xmrig
behavioral2/memory/228-86-0x00007FF64E9B0000-0x00007FF64ED04000-memory.dmp	xmrig
behavioral2/memory/2728-80-0x00007FF69D410000-0x00007FF69D764000-memory.dmp	xmrig
behavioral2/memory/4928-66-0x00007FF79A0C0000-0x00007FF79A414000-memory.dmp	xmrig
behavioral2/memory/2208-62-0x00007FF608080000-0x00007FF6083D4000-memory.dmp	xmrig
behavioral2/files/0x000700000002344f-60.dat	xmrig
behavioral2/files/0x000700000002345a-130.dat	xmrig
behavioral2/memory/1428-153-0x00007FF6A0F30000-0x00007FF6A1284000-memory.dmp	xmrig
behavioral2/files/0x0007000000023463-180.dat	xmrig
behavioral2/files/0x0007000000023469-187.dat	xmrig
behavioral2/memory/4980-198-0x00007FF75C880000-0x00007FF75CBD4000-memory.dmp	xmrig
behavioral2/memory/1272-211-0x00007FF6C61C0000-0x00007FF6C6514000-memory.dmp	xmrig
behavioral2/memory/2920-216-0x00007FF6341C0000-0x00007FF634514000-memory.dmp	xmrig
behavioral2/memory/4584-229-0x00007FF695320000-0x00007FF695674000-memory.dmp	xmrig
behavioral2/memory/1136-237-0x00007FF7B6880000-0x00007FF7B6BD4000-memory.dmp	xmrig
behavioral2/memory/4556-250-0x00007FF75DB40000-0x00007FF75DE94000-memory.dmp	xmrig
behavioral2/memory/1960-253-0x00007FF75E710000-0x00007FF75EA64000-memory.dmp	xmrig
behavioral2/memory/2472-257-0x00007FF7976A0000-0x00007FF7979F4000-memory.dmp	xmrig
behavioral2/memory/1912-246-0x00007FF743CE0000-0x00007FF744034000-memory.dmp	xmrig
behavioral2/memory/5040-269-0x00007FF665D60000-0x00007FF6660B4000-memory.dmp	xmrig
behavioral2/memory/4616-278-0x00007FF6D6FD0000-0x00007FF6D7324000-memory.dmp	xmrig
behavioral2/memory/2896-303-0x00007FF64D500000-0x00007FF64D854000-memory.dmp	xmrig
behavioral2/memory/2484-307-0x00007FF682FC0000-0x00007FF683314000-memory.dmp	xmrig
behavioral2/memory/4692-320-0x00007FF710DA0000-0x00007FF7110F4000-memory.dmp	xmrig
behavioral2/memory/5100-323-0x00007FF7D1490000-0x00007FF7D17E4000-memory.dmp	xmrig
behavioral2/memory/1216-352-0x00007FF6C0980000-0x00007FF6C0CD4000-memory.dmp	xmrig
behavioral2/memory/4196-366-0x00007FF7634A0000-0x00007FF7637F4000-memory.dmp	xmrig
behavioral2/memory/3560-382-0x00007FF690C80000-0x00007FF690FD4000-memory.dmp	xmrig
behavioral2/memory/3552-388-0x00007FF727DE0000-0x00007FF728134000-memory.dmp	xmrig
behavioral2/memory/5328-409-0x00007FF768660000-0x00007FF7689B4000-memory.dmp	xmrig
behavioral2/memory/5364-415-0x00007FF6E4A50000-0x00007FF6E4DA4000-memory.dmp	xmrig
behavioral2/memory/5416-431-0x00007FF6DBE00000-0x00007FF6DC154000-memory.dmp	xmrig
behavioral2/memory/5636-475-0x00007FF7266D0000-0x00007FF726A24000-memory.dmp	xmrig
behavioral2/memory/5692-483-0x00007FF64FE80000-0x00007FF6501D4000-memory.dmp	xmrig
behavioral2/memory/5716-488-0x00007FF63FE30000-0x00007FF640184000-memory.dmp	xmrig
behavioral2/memory/5588-463-0x00007FF793B80000-0x00007FF793ED4000-memory.dmp	xmrig
behavioral2/memory/5612-462-0x00007FF783200000-0x00007FF783554000-memory.dmp	xmrig
behavioral2/memory/5572-451-0x00007FF710E70000-0x00007FF7111C4000-memory.dmp	xmrig
behavioral2/memory/5552-443-0x00007FF68BB70000-0x00007FF68BEC4000-memory.dmp	xmrig
behavioral2/memory/5536-440-0x00007FF641BD0000-0x00007FF641F24000-memory.dmp	xmrig
behavioral2/memory/5380-422-0x00007FF79CC40000-0x00007FF79CF94000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4020	RzxAvDJ.exe
1792	cbcTDBs.exe
3616	kbZoSEt.exe
4564	aOtEmjC.exe
2848	VCyfJBd.exe
3880	MdKrdNJ.exe
2456	HgExlfK.exe
2208	VbijOJJ.exe
4928	EIoNqpr.exe
2728	zhlJiAG.exe
228	DkDOdkU.exe
1088	mZdLpdL.exe
4476	RgIgNfO.exe
4172	WXNdJQG.exe
3992	OjElBjP.exe
1548	ELrhFHc.exe
3868	ZOTeTBi.exe
2956	AmKDLZw.exe
792	mQnqOuI.exe
4440	iCkTBVu.exe
5084	zGWDEBI.exe
592	rJvkpso.exe
1428	cqdqSUo.exe
4596	xtVEyxR.exe
4980	tqkJMwe.exe
2780	qxMFBNy.exe
1272	hhdNQbg.exe
2920	BJrpMUK.exe
2864	mlGVEIJ.exe
624	SsDLvpf.exe
4584	sTQqzSu.exe
3244	HXomHAS.exe
1136	aScaPFV.exe
1912	wRjejii.exe
4556	gjBrIfH.exe
1960	kfVwMhF.exe
2472	omNGibp.exe
5052	WajrMdJ.exe
5040	VkoOdOE.exe
4616	AUxvewc.exe
3264	DNGFUQq.exe
4872	MqexcZe.exe
2420	veKIeuu.exe
3328	ANDXlsi.exe
4960	aaelulo.exe
2372	SnZvYdu.exe
2120	jmWPxrY.exe
4540	qsCstVA.exe
2384	HxVvRPW.exe
4296	UvwriUK.exe
2896	dZMDbrz.exe
2484	uKMKqca.exe
1244	zWtnqIC.exe
4380	YwoXscS.exe
1668	QPUlFvl.exe
964	CYTUWuJ.exe
4248	OVCbfPP.exe
1384	WldReOi.exe
4692	GYhvfdS.exe
3748	EpXBeZQ.exe
5100	iLbfQQv.exe
744	YvcEELS.exe
1432	iIZTJCd.exe
1316	QSGxrnS.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4984-0-0x00007FF695D60000-0x00007FF6960B4000-memory.dmp	upx
behavioral2/files/0x0008000000023442-4.dat	upx
behavioral2/memory/4020-11-0x00007FF724450000-0x00007FF7247A4000-memory.dmp	upx
behavioral2/files/0x0008000000023448-8.dat	upx
behavioral2/memory/3616-17-0x00007FF78FEF0000-0x00007FF790244000-memory.dmp	upx
behavioral2/files/0x0007000000023449-21.dat	upx
behavioral2/memory/2848-30-0x00007FF68E360000-0x00007FF68E6B4000-memory.dmp	upx
behavioral2/files/0x000700000002344c-38.dat	upx
behavioral2/files/0x000700000002344b-43.dat	upx
behavioral2/files/0x000700000002344d-50.dat	upx
behavioral2/files/0x000700000002344e-55.dat	upx
behavioral2/files/0x0007000000023450-63.dat	upx
behavioral2/files/0x0007000000023451-67.dat	upx
behavioral2/files/0x0007000000023453-81.dat	upx
behavioral2/files/0x0007000000023454-88.dat	upx
behavioral2/files/0x0007000000023456-110.dat	upx
behavioral2/files/0x0007000000023459-112.dat	upx
behavioral2/memory/3992-109-0x00007FF762E70000-0x00007FF7631C4000-memory.dmp	upx
behavioral2/files/0x0007000000023458-106.dat	upx
behavioral2/files/0x0007000000023457-105.dat	upx
behavioral2/files/0x0008000000023446-104.dat	upx
behavioral2/files/0x0007000000023455-102.dat	upx
behavioral2/memory/4172-99-0x00007FF745760000-0x00007FF745AB4000-memory.dmp	upx
behavioral2/files/0x0007000000023452-93.dat	upx
behavioral2/memory/228-86-0x00007FF64E9B0000-0x00007FF64ED04000-memory.dmp	upx
behavioral2/memory/2728-80-0x00007FF69D410000-0x00007FF69D764000-memory.dmp	upx
behavioral2/memory/4928-66-0x00007FF79A0C0000-0x00007FF79A414000-memory.dmp	upx
behavioral2/memory/2208-62-0x00007FF608080000-0x00007FF6083D4000-memory.dmp	upx
behavioral2/files/0x000700000002344f-60.dat	upx
behavioral2/files/0x000700000002345a-130.dat	upx
behavioral2/memory/1428-153-0x00007FF6A0F30000-0x00007FF6A1284000-memory.dmp	upx
behavioral2/files/0x0007000000023463-180.dat	upx
behavioral2/files/0x0007000000023469-187.dat	upx
behavioral2/memory/4980-198-0x00007FF75C880000-0x00007FF75CBD4000-memory.dmp	upx
behavioral2/memory/1272-211-0x00007FF6C61C0000-0x00007FF6C6514000-memory.dmp	upx
behavioral2/memory/2920-216-0x00007FF6341C0000-0x00007FF634514000-memory.dmp	upx
behavioral2/memory/4584-229-0x00007FF695320000-0x00007FF695674000-memory.dmp	upx
behavioral2/memory/1136-237-0x00007FF7B6880000-0x00007FF7B6BD4000-memory.dmp	upx
behavioral2/memory/4556-250-0x00007FF75DB40000-0x00007FF75DE94000-memory.dmp	upx
behavioral2/memory/1960-253-0x00007FF75E710000-0x00007FF75EA64000-memory.dmp	upx
behavioral2/memory/2472-257-0x00007FF7976A0000-0x00007FF7979F4000-memory.dmp	upx
behavioral2/memory/1912-246-0x00007FF743CE0000-0x00007FF744034000-memory.dmp	upx
behavioral2/memory/5040-269-0x00007FF665D60000-0x00007FF6660B4000-memory.dmp	upx
behavioral2/memory/4616-278-0x00007FF6D6FD0000-0x00007FF6D7324000-memory.dmp	upx
behavioral2/memory/2896-303-0x00007FF64D500000-0x00007FF64D854000-memory.dmp	upx
behavioral2/memory/2484-307-0x00007FF682FC0000-0x00007FF683314000-memory.dmp	upx
behavioral2/memory/4692-320-0x00007FF710DA0000-0x00007FF7110F4000-memory.dmp	upx
behavioral2/memory/5100-323-0x00007FF7D1490000-0x00007FF7D17E4000-memory.dmp	upx
behavioral2/memory/1216-352-0x00007FF6C0980000-0x00007FF6C0CD4000-memory.dmp	upx
behavioral2/memory/4196-366-0x00007FF7634A0000-0x00007FF7637F4000-memory.dmp	upx
behavioral2/memory/3560-382-0x00007FF690C80000-0x00007FF690FD4000-memory.dmp	upx
behavioral2/memory/3552-388-0x00007FF727DE0000-0x00007FF728134000-memory.dmp	upx
behavioral2/memory/5328-409-0x00007FF768660000-0x00007FF7689B4000-memory.dmp	upx
behavioral2/memory/5364-415-0x00007FF6E4A50000-0x00007FF6E4DA4000-memory.dmp	upx
behavioral2/memory/5416-431-0x00007FF6DBE00000-0x00007FF6DC154000-memory.dmp	upx
behavioral2/memory/5636-475-0x00007FF7266D0000-0x00007FF726A24000-memory.dmp	upx
behavioral2/memory/5692-483-0x00007FF64FE80000-0x00007FF6501D4000-memory.dmp	upx
behavioral2/memory/5716-488-0x00007FF63FE30000-0x00007FF640184000-memory.dmp	upx
behavioral2/memory/5588-463-0x00007FF793B80000-0x00007FF793ED4000-memory.dmp	upx
behavioral2/memory/5612-462-0x00007FF783200000-0x00007FF783554000-memory.dmp	upx
behavioral2/memory/5572-451-0x00007FF710E70000-0x00007FF7111C4000-memory.dmp	upx
behavioral2/memory/5552-443-0x00007FF68BB70000-0x00007FF68BEC4000-memory.dmp	upx
behavioral2/memory/5536-440-0x00007FF641BD0000-0x00007FF641F24000-memory.dmp	upx
behavioral2/memory/5380-422-0x00007FF79CC40000-0x00007FF79CF94000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\mpcbafx.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\gjBrIfH.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\jDDpSJV.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\nKZiQOH.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\TiePYxg.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\jcrdbQe.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\OOgXXCh.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\nnGXlNs.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\SHRCEfP.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\HOrnJmZ.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\CAmcKNH.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\ZngaOEY.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\zyEEngF.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\XHfCOoc.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\phirKmY.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\IXFpfjl.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\IGdmgdB.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\sILnDHG.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\jmWPxrY.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\OWUNbKU.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\SsDLvpf.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\sbZWkHp.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\RopSZaw.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\zuPJgtY.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\ZFLrTHU.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\JRlZQOM.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\HJkvqZB.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\YhqyVLd.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\IUhJTMX.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\ZOTeTBi.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\SnZvYdu.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\HxVvRPW.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\mdulnFx.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\SRPHaWW.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\hKevIIl.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\FwCNEHh.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\StsgUdm.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\nNobwEq.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\cySXbOb.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\UkoqVDW.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\mNdSvdQ.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\xIZOoNX.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\SYQwfeN.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\RgIgNfO.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\uxfigpH.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\vzexMql.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\ixntmmS.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\sISXbbR.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\QyBVHXh.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\RRJlkpJ.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\fpMpVIA.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\OhZQaaF.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\wRjejii.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\hZSeMbm.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\xxDPNnM.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\iZweMtR.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\VsSPaPo.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\DpGhAUH.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\GSpEhCx.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\rpKXxue.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\bHryKJi.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\rjnhpAu.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\OGjEDMq.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
File created	C:\Windows\System\WnlzHbA.exe	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	10636	dwm.exe
Token: SeChangeNotifyPrivilege	10636	dwm.exe
Token: 33	10636	dwm.exe
Token: SeIncBasePriorityPrivilege	10636	dwm.exe
Token: SeShutdownPrivilege	10636	dwm.exe
Token: SeCreatePagefilePrivilege	10636	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 4020	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	89
PID 4984 wrote to memory of 4020	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	89
PID 4984 wrote to memory of 1792	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	90
PID 4984 wrote to memory of 1792	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	90
PID 4984 wrote to memory of 3616	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	91
PID 4984 wrote to memory of 3616	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	91
PID 4984 wrote to memory of 4564	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	92
PID 4984 wrote to memory of 4564	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	92
PID 4984 wrote to memory of 2848	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	93
PID 4984 wrote to memory of 2848	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	93
PID 4984 wrote to memory of 3880	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	94
PID 4984 wrote to memory of 3880	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	94
PID 4984 wrote to memory of 2456	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	95
PID 4984 wrote to memory of 2456	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	95
PID 4984 wrote to memory of 2208	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	96
PID 4984 wrote to memory of 2208	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	96
PID 4984 wrote to memory of 4928	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	97
PID 4984 wrote to memory of 4928	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	97
PID 4984 wrote to memory of 2728	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	98
PID 4984 wrote to memory of 2728	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	98
PID 4984 wrote to memory of 228	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	99
PID 4984 wrote to memory of 228	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	99
PID 4984 wrote to memory of 1088	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	100
PID 4984 wrote to memory of 1088	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	100
PID 4984 wrote to memory of 1548	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	101
PID 4984 wrote to memory of 1548	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	101
PID 4984 wrote to memory of 4476	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	102
PID 4984 wrote to memory of 4476	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	102
PID 4984 wrote to memory of 4172	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	103
PID 4984 wrote to memory of 4172	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	103
PID 4984 wrote to memory of 3992	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	104
PID 4984 wrote to memory of 3992	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	104
PID 4984 wrote to memory of 3868	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	105
PID 4984 wrote to memory of 3868	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	105
PID 4984 wrote to memory of 2956	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	106
PID 4984 wrote to memory of 2956	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	106
PID 4984 wrote to memory of 792	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	107
PID 4984 wrote to memory of 792	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	107
PID 4984 wrote to memory of 4440	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	108
PID 4984 wrote to memory of 4440	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	108
PID 4984 wrote to memory of 5084	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	109
PID 4984 wrote to memory of 5084	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	109
PID 4984 wrote to memory of 592	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	110
PID 4984 wrote to memory of 592	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	110
PID 4984 wrote to memory of 1428	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	111
PID 4984 wrote to memory of 1428	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	111
PID 4984 wrote to memory of 4596	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	112
PID 4984 wrote to memory of 4596	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	112
PID 4984 wrote to memory of 4980	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	113
PID 4984 wrote to memory of 4980	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	113
PID 4984 wrote to memory of 2780	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	114
PID 4984 wrote to memory of 2780	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	114
PID 4984 wrote to memory of 1272	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	115
PID 4984 wrote to memory of 1272	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	115
PID 4984 wrote to memory of 2920	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	116
PID 4984 wrote to memory of 2920	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	116
PID 4984 wrote to memory of 2864	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	117
PID 4984 wrote to memory of 2864	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	117
PID 4984 wrote to memory of 624	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	118
PID 4984 wrote to memory of 624	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	118
PID 4984 wrote to memory of 4584	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	119
PID 4984 wrote to memory of 4584	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	119
PID 4984 wrote to memory of 5052	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	120
PID 4984 wrote to memory of 5052	4984	5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe	120

C:\Users\Admin\AppData\Local\Temp\5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe
"C:\Users\Admin\AppData\Local\Temp\5bb054c19237fdf6aacf1cd5d9e117d54d59f83b88f69573568623f21327d290.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\System\RzxAvDJ.exe
  C:\Windows\System\RzxAvDJ.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\System\cbcTDBs.exe
  C:\Windows\System\cbcTDBs.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System\kbZoSEt.exe
  C:\Windows\System\kbZoSEt.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System\aOtEmjC.exe
  C:\Windows\System\aOtEmjC.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System\VCyfJBd.exe
  C:\Windows\System\VCyfJBd.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System\MdKrdNJ.exe
  C:\Windows\System\MdKrdNJ.exe
  2⤵
  - Executes dropped EXE
  PID:3880
- C:\Windows\System\HgExlfK.exe
  C:\Windows\System\HgExlfK.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\VbijOJJ.exe
  C:\Windows\System\VbijOJJ.exe
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\System\EIoNqpr.exe
  C:\Windows\System\EIoNqpr.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System\zhlJiAG.exe
  C:\Windows\System\zhlJiAG.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\DkDOdkU.exe
  C:\Windows\System\DkDOdkU.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System\mZdLpdL.exe
  C:\Windows\System\mZdLpdL.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System\ELrhFHc.exe
  C:\Windows\System\ELrhFHc.exe
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\System\RgIgNfO.exe
  C:\Windows\System\RgIgNfO.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System\WXNdJQG.exe
  C:\Windows\System\WXNdJQG.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System\OjElBjP.exe
  C:\Windows\System\OjElBjP.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System\ZOTeTBi.exe
  C:\Windows\System\ZOTeTBi.exe
  2⤵
  - Executes dropped EXE
  PID:3868
- C:\Windows\System\AmKDLZw.exe
  C:\Windows\System\AmKDLZw.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\mQnqOuI.exe
  C:\Windows\System\mQnqOuI.exe
  2⤵
  - Executes dropped EXE
  PID:792
- C:\Windows\System\iCkTBVu.exe
  C:\Windows\System\iCkTBVu.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System\zGWDEBI.exe
  C:\Windows\System\zGWDEBI.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\rJvkpso.exe
  C:\Windows\System\rJvkpso.exe
  2⤵
  - Executes dropped EXE
  PID:592
- C:\Windows\System\cqdqSUo.exe
  C:\Windows\System\cqdqSUo.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System\xtVEyxR.exe
  C:\Windows\System\xtVEyxR.exe
  2⤵
  - Executes dropped EXE
  PID:4596
- C:\Windows\System\tqkJMwe.exe
  C:\Windows\System\tqkJMwe.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\qxMFBNy.exe
  C:\Windows\System\qxMFBNy.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\hhdNQbg.exe
  C:\Windows\System\hhdNQbg.exe
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\System\BJrpMUK.exe
  C:\Windows\System\BJrpMUK.exe
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\System\mlGVEIJ.exe
  C:\Windows\System\mlGVEIJ.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System\SsDLvpf.exe
  C:\Windows\System\SsDLvpf.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System\sTQqzSu.exe
  C:\Windows\System\sTQqzSu.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System\WajrMdJ.exe
  C:\Windows\System\WajrMdJ.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System\HXomHAS.exe
  C:\Windows\System\HXomHAS.exe
  2⤵
  - Executes dropped EXE
  PID:3244
- C:\Windows\System\aScaPFV.exe
  C:\Windows\System\aScaPFV.exe
  2⤵
  - Executes dropped EXE
  PID:1136
- C:\Windows\System\wRjejii.exe
  C:\Windows\System\wRjejii.exe
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\System\gjBrIfH.exe
  C:\Windows\System\gjBrIfH.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System\kfVwMhF.exe
  C:\Windows\System\kfVwMhF.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System\omNGibp.exe
  C:\Windows\System\omNGibp.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\VkoOdOE.exe
  C:\Windows\System\VkoOdOE.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\AUxvewc.exe
  C:\Windows\System\AUxvewc.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\DNGFUQq.exe
  C:\Windows\System\DNGFUQq.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System\veKIeuu.exe
  C:\Windows\System\veKIeuu.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System\ANDXlsi.exe
  C:\Windows\System\ANDXlsi.exe
  2⤵
  - Executes dropped EXE
  PID:3328
- C:\Windows\System\MqexcZe.exe
  C:\Windows\System\MqexcZe.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System\aaelulo.exe
  C:\Windows\System\aaelulo.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System\SnZvYdu.exe
  C:\Windows\System\SnZvYdu.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\jmWPxrY.exe
  C:\Windows\System\jmWPxrY.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System\qsCstVA.exe
  C:\Windows\System\qsCstVA.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System\HxVvRPW.exe
  C:\Windows\System\HxVvRPW.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System\UvwriUK.exe
  C:\Windows\System\UvwriUK.exe
  2⤵
  - Executes dropped EXE
  PID:4296
- C:\Windows\System\dZMDbrz.exe
  C:\Windows\System\dZMDbrz.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System\uKMKqca.exe
  C:\Windows\System\uKMKqca.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System\zWtnqIC.exe
  C:\Windows\System\zWtnqIC.exe
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\System\YwoXscS.exe
  C:\Windows\System\YwoXscS.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System\QPUlFvl.exe
  C:\Windows\System\QPUlFvl.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System\CYTUWuJ.exe
  C:\Windows\System\CYTUWuJ.exe
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Windows\System\EpXBeZQ.exe
  C:\Windows\System\EpXBeZQ.exe
  2⤵
  - Executes dropped EXE
  PID:3748
- C:\Windows\System\OVCbfPP.exe
  C:\Windows\System\OVCbfPP.exe
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Windows\System\WldReOi.exe
  C:\Windows\System\WldReOi.exe
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\System\GYhvfdS.exe
  C:\Windows\System\GYhvfdS.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System\iLbfQQv.exe
  C:\Windows\System\iLbfQQv.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System\YvcEELS.exe
  C:\Windows\System\YvcEELS.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System\iIZTJCd.exe
  C:\Windows\System\iIZTJCd.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System\QSGxrnS.exe
  C:\Windows\System\QSGxrnS.exe
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\System\LkGrMOZ.exe
  C:\Windows\System\LkGrMOZ.exe
  2⤵
  PID:3452
- C:\Windows\System\QyBVHXh.exe
  C:\Windows\System\QyBVHXh.exe
  2⤵
  PID:4712
- C:\Windows\System\pFSFnKu.exe
  C:\Windows\System\pFSFnKu.exe
  2⤵
  PID:3952
- C:\Windows\System\IApZzlO.exe
  C:\Windows\System\IApZzlO.exe
  2⤵
  PID:412
- C:\Windows\System\jDDpSJV.exe
  C:\Windows\System\jDDpSJV.exe
  2⤵
  PID:1412
- C:\Windows\System\efyWgOi.exe
  C:\Windows\System\efyWgOi.exe
  2⤵
  PID:4796
- C:\Windows\System\RUumKgf.exe
  C:\Windows\System\RUumKgf.exe
  2⤵
  PID:4368
- C:\Windows\System\WlPEfyI.exe
  C:\Windows\System\WlPEfyI.exe
  2⤵
  PID:4572
- C:\Windows\System\pzwmoVK.exe
  C:\Windows\System\pzwmoVK.exe
  2⤵
  PID:1216
- C:\Windows\System\AylVcoY.exe
  C:\Windows\System\AylVcoY.exe
  2⤵
  PID:2224
- C:\Windows\System\ZqTEHQn.exe
  C:\Windows\System\ZqTEHQn.exe
  2⤵
  PID:3288
- C:\Windows\System\gbEqmDR.exe
  C:\Windows\System\gbEqmDR.exe
  2⤵
  PID:3900
- C:\Windows\System\NjFeaBc.exe
  C:\Windows\System\NjFeaBc.exe
  2⤵
  PID:1540
- C:\Windows\System\qnSjsMh.exe
  C:\Windows\System\qnSjsMh.exe
  2⤵
  PID:4196
- C:\Windows\System\lkceIks.exe
  C:\Windows\System\lkceIks.exe
  2⤵
  PID:3320
- C:\Windows\System\lWuVthu.exe
  C:\Windows\System\lWuVthu.exe
  2⤵
  PID:3560
- C:\Windows\System\CpzCWFZ.exe
  C:\Windows\System\CpzCWFZ.exe
  2⤵
  PID:3552
- C:\Windows\System\TXOdzmi.exe
  C:\Windows\System\TXOdzmi.exe
  2⤵
  PID:116
- C:\Windows\System\QKdmlsP.exe
  C:\Windows\System\QKdmlsP.exe
  2⤵
  PID:5132
- C:\Windows\System\KUueaDB.exe
  C:\Windows\System\KUueaDB.exe
  2⤵
  PID:5160
- C:\Windows\System\JMfRhic.exe
  C:\Windows\System\JMfRhic.exe
  2⤵
  PID:5192
- C:\Windows\System\phirKmY.exe
  C:\Windows\System\phirKmY.exe
  2⤵
  PID:5244
- C:\Windows\System\vNLxZUE.exe
  C:\Windows\System\vNLxZUE.exe
  2⤵
  PID:5328
- C:\Windows\System\RRJlkpJ.exe
  C:\Windows\System\RRJlkpJ.exe
  2⤵
  PID:5348
- C:\Windows\System\HzpoBTA.exe
  C:\Windows\System\HzpoBTA.exe
  2⤵
  PID:5364
- C:\Windows\System\StsgUdm.exe
  C:\Windows\System\StsgUdm.exe
  2⤵
  PID:5380
- C:\Windows\System\SeMJQww.exe
  C:\Windows\System\SeMJQww.exe
  2⤵
  PID:5396
- C:\Windows\System\uAHqElH.exe
  C:\Windows\System\uAHqElH.exe
  2⤵
  PID:5416
- C:\Windows\System\hrTPahj.exe
  C:\Windows\System\hrTPahj.exe
  2⤵
  PID:5468
- C:\Windows\System\DiOTRRV.exe
  C:\Windows\System\DiOTRRV.exe
  2⤵
  PID:5520
- C:\Windows\System\nNobwEq.exe
  C:\Windows\System\nNobwEq.exe
  2⤵
  PID:5536
- C:\Windows\System\XmyuVJD.exe
  C:\Windows\System\XmyuVJD.exe
  2⤵
  PID:5552
- C:\Windows\System\mdulnFx.exe
  C:\Windows\System\mdulnFx.exe
  2⤵
  PID:5572
- C:\Windows\System\UHQMqep.exe
  C:\Windows\System\UHQMqep.exe
  2⤵
  PID:5588
- C:\Windows\System\glHUeym.exe
  C:\Windows\System\glHUeym.exe
  2⤵
  PID:5612
- C:\Windows\System\zaTHvAh.exe
  C:\Windows\System\zaTHvAh.exe
  2⤵
  PID:5636
- C:\Windows\System\CAmcKNH.exe
  C:\Windows\System\CAmcKNH.exe
  2⤵
  PID:5660
- C:\Windows\System\XZKVbOB.exe
  C:\Windows\System\XZKVbOB.exe
  2⤵
  PID:5692
- C:\Windows\System\KsShyra.exe
  C:\Windows\System\KsShyra.exe
  2⤵
  PID:5716
- C:\Windows\System\rwZAGcK.exe
  C:\Windows\System\rwZAGcK.exe
  2⤵
  PID:5732
- C:\Windows\System\DySEmtl.exe
  C:\Windows\System\DySEmtl.exe
  2⤵
  PID:5752
- C:\Windows\System\wTTfdMr.exe
  C:\Windows\System\wTTfdMr.exe
  2⤵
  PID:5804
- C:\Windows\System\mKEoQRS.exe
  C:\Windows\System\mKEoQRS.exe
  2⤵
  PID:5828
- C:\Windows\System\FPQyxGo.exe
  C:\Windows\System\FPQyxGo.exe
  2⤵
  PID:5912
- C:\Windows\System\VsSPaPo.exe
  C:\Windows\System\VsSPaPo.exe
  2⤵
  PID:5936
- C:\Windows\System\SRPHaWW.exe
  C:\Windows\System\SRPHaWW.exe
  2⤵
  PID:5960
- C:\Windows\System\AwbaXNZ.exe
  C:\Windows\System\AwbaXNZ.exe
  2⤵
  PID:5988
- C:\Windows\System\CfkqTFs.exe
  C:\Windows\System\CfkqTFs.exe
  2⤵
  PID:6008
- C:\Windows\System\msjTCuj.exe
  C:\Windows\System\msjTCuj.exe
  2⤵
  PID:6076
- C:\Windows\System\NuDOtHj.exe
  C:\Windows\System\NuDOtHj.exe
  2⤵
  PID:6092
- C:\Windows\System\FpNYhgi.exe
  C:\Windows\System\FpNYhgi.exe
  2⤵
  PID:6108
- C:\Windows\System\fAAYZVU.exe
  C:\Windows\System\fAAYZVU.exe
  2⤵
  PID:6136
- C:\Windows\System\qgkPLDf.exe
  C:\Windows\System\qgkPLDf.exe
  2⤵
  PID:3940
- C:\Windows\System\vxNmPQE.exe
  C:\Windows\System\vxNmPQE.exe
  2⤵
  PID:1528
- C:\Windows\System\hZSeMbm.exe
  C:\Windows\System\hZSeMbm.exe
  2⤵
  PID:864
- C:\Windows\System\YaVfXZN.exe
  C:\Windows\System\YaVfXZN.exe
  2⤵
  PID:5124
- C:\Windows\System\EwkFPlP.exe
  C:\Windows\System\EwkFPlP.exe
  2⤵
  PID:4956
- C:\Windows\System\XsWQLfV.exe
  C:\Windows\System\XsWQLfV.exe
  2⤵
  PID:5144
- C:\Windows\System\PhdPyrI.exe
  C:\Windows\System\PhdPyrI.exe
  2⤵
  PID:5232
- C:\Windows\System\nKZiQOH.exe
  C:\Windows\System\nKZiQOH.exe
  2⤵
  PID:1864
- C:\Windows\System\bKmNVgU.exe
  C:\Windows\System\bKmNVgU.exe
  2⤵
  PID:5372
- C:\Windows\System\cQXSGbR.exe
  C:\Windows\System\cQXSGbR.exe
  2⤵
  PID:1948
- C:\Windows\System\aLlXJzB.exe
  C:\Windows\System\aLlXJzB.exe
  2⤵
  PID:5464
- C:\Windows\System\ZWavlkD.exe
  C:\Windows\System\ZWavlkD.exe
  2⤵
  PID:5508
- C:\Windows\System\zvKiGQC.exe
  C:\Windows\System\zvKiGQC.exe
  2⤵
  PID:5608
- C:\Windows\System\xxDPNnM.exe
  C:\Windows\System\xxDPNnM.exe
  2⤵
  PID:5548
- C:\Windows\System\LPtPltS.exe
  C:\Windows\System\LPtPltS.exe
  2⤵
  PID:5840
- C:\Windows\System\VQsYwMW.exe
  C:\Windows\System\VQsYwMW.exe
  2⤵
  PID:6084
- C:\Windows\System\dYYGcDY.exe
  C:\Windows\System\dYYGcDY.exe
  2⤵
  PID:5956
- C:\Windows\System\OUtjvmh.exe
  C:\Windows\System\OUtjvmh.exe
  2⤵
  PID:6088
- C:\Windows\System\pjTyuBm.exe
  C:\Windows\System\pjTyuBm.exe
  2⤵
  PID:4220
- C:\Windows\System\LKiubli.exe
  C:\Windows\System\LKiubli.exe
  2⤵
  PID:1648
- C:\Windows\System\sTMSemi.exe
  C:\Windows\System\sTMSemi.exe
  2⤵
  PID:5272
- C:\Windows\System\yqCmryC.exe
  C:\Windows\System\yqCmryC.exe
  2⤵
  PID:904
- C:\Windows\System\WnlzHbA.exe
  C:\Windows\System\WnlzHbA.exe
  2⤵
  PID:4916
- C:\Windows\System\TSPsodI.exe
  C:\Windows\System\TSPsodI.exe
  2⤵
  PID:5324
- C:\Windows\System\qqkweeI.exe
  C:\Windows\System\qqkweeI.exe
  2⤵
  PID:5408
- C:\Windows\System\pEcIbeR.exe
  C:\Windows\System\pEcIbeR.exe
  2⤵
  PID:2908
- C:\Windows\System\zuPJgtY.exe
  C:\Windows\System\zuPJgtY.exe
  2⤵
  PID:5648
- C:\Windows\System\JRlZQOM.exe
  C:\Windows\System\JRlZQOM.exe
  2⤵
  PID:2492
- C:\Windows\System\aRfZxOc.exe
  C:\Windows\System\aRfZxOc.exe
  2⤵
  PID:5892
- C:\Windows\System\ugHUhke.exe
  C:\Windows\System\ugHUhke.exe
  2⤵
  PID:4592
- C:\Windows\System\lMsjaTi.exe
  C:\Windows\System\lMsjaTi.exe
  2⤵
  PID:3248
- C:\Windows\System\YPvIPiq.exe
  C:\Windows\System\YPvIPiq.exe
  2⤵
  PID:796
- C:\Windows\System\cySXbOb.exe
  C:\Windows\System\cySXbOb.exe
  2⤵
  PID:5360
- C:\Windows\System\ZzoSHVE.exe
  C:\Windows\System\ZzoSHVE.exe
  2⤵
  PID:6152
- C:\Windows\System\vKRzFsC.exe
  C:\Windows\System\vKRzFsC.exe
  2⤵
  PID:6168
- C:\Windows\System\EkysQyg.exe
  C:\Windows\System\EkysQyg.exe
  2⤵
  PID:6188
- C:\Windows\System\nyZVGST.exe
  C:\Windows\System\nyZVGST.exe
  2⤵
  PID:6240
- C:\Windows\System\PQYkdKq.exe
  C:\Windows\System\PQYkdKq.exe
  2⤵
  PID:6296
- C:\Windows\System\DmJylto.exe
  C:\Windows\System\DmJylto.exe
  2⤵
  PID:6384
- C:\Windows\System\uWiWhFR.exe
  C:\Windows\System\uWiWhFR.exe
  2⤵
  PID:6408
- C:\Windows\System\cgwaCnr.exe
  C:\Windows\System\cgwaCnr.exe
  2⤵
  PID:6460
- C:\Windows\System\nZEfjtB.exe
  C:\Windows\System\nZEfjtB.exe
  2⤵
  PID:6488
- C:\Windows\System\MVKHiWA.exe
  C:\Windows\System\MVKHiWA.exe
  2⤵
  PID:6508
- C:\Windows\System\PNzDDrZ.exe
  C:\Windows\System\PNzDDrZ.exe
  2⤵
  PID:6524
- C:\Windows\System\HJkvqZB.exe
  C:\Windows\System\HJkvqZB.exe
  2⤵
  PID:6548
- C:\Windows\System\zIVKHpI.exe
  C:\Windows\System\zIVKHpI.exe
  2⤵
  PID:6568
- C:\Windows\System\fRhmUUC.exe
  C:\Windows\System\fRhmUUC.exe
  2⤵
  PID:6584
- C:\Windows\System\ZngaOEY.exe
  C:\Windows\System\ZngaOEY.exe
  2⤵
  PID:6604
- C:\Windows\System\EFwoKwA.exe
  C:\Windows\System\EFwoKwA.exe
  2⤵
  PID:6620
- C:\Windows\System\cGuhwga.exe
  C:\Windows\System\cGuhwga.exe
  2⤵
  PID:6636
- C:\Windows\System\phKSPnJ.exe
  C:\Windows\System\phKSPnJ.exe
  2⤵
  PID:6660
- C:\Windows\System\vXmVhmw.exe
  C:\Windows\System\vXmVhmw.exe
  2⤵
  PID:6680
- C:\Windows\System\dqxsYhm.exe
  C:\Windows\System\dqxsYhm.exe
  2⤵
  PID:6704
- C:\Windows\System\CoRryCO.exe
  C:\Windows\System\CoRryCO.exe
  2⤵
  PID:6720
- C:\Windows\System\XfGdlQR.exe
  C:\Windows\System\XfGdlQR.exe
  2⤵
  PID:6736
- C:\Windows\System\HMztqkX.exe
  C:\Windows\System\HMztqkX.exe
  2⤵
  PID:6792
- C:\Windows\System\YFzpxCk.exe
  C:\Windows\System\YFzpxCk.exe
  2⤵
  PID:6916
- C:\Windows\System\UkoqVDW.exe
  C:\Windows\System\UkoqVDW.exe
  2⤵
  PID:6936
- C:\Windows\System\WKfpAXn.exe
  C:\Windows\System\WKfpAXn.exe
  2⤵
  PID:6952
- C:\Windows\System\OWUNbKU.exe
  C:\Windows\System\OWUNbKU.exe
  2⤵
  PID:6972
- C:\Windows\System\eFwBcsd.exe
  C:\Windows\System\eFwBcsd.exe
  2⤵
  PID:6988
- C:\Windows\System\ytmJnNz.exe
  C:\Windows\System\ytmJnNz.exe
  2⤵
  PID:7024
- C:\Windows\System\ERnhBWM.exe
  C:\Windows\System\ERnhBWM.exe
  2⤵
  PID:7048
- C:\Windows\System\uxfigpH.exe
  C:\Windows\System\uxfigpH.exe
  2⤵
  PID:7072
- C:\Windows\System\ZFLrTHU.exe
  C:\Windows\System\ZFLrTHU.exe
  2⤵
  PID:7116
- C:\Windows\System\YjBbvoL.exe
  C:\Windows\System\YjBbvoL.exe
  2⤵
  PID:7152
- C:\Windows\System\ZhYVEjB.exe
  C:\Windows\System\ZhYVEjB.exe
  2⤵
  PID:5448
- C:\Windows\System\NvJdaBw.exe
  C:\Windows\System\NvJdaBw.exe
  2⤵
  PID:3848
- C:\Windows\System\PygPQcf.exe
  C:\Windows\System\PygPQcf.exe
  2⤵
  PID:2964
- C:\Windows\System\TEzemFi.exe
  C:\Windows\System\TEzemFi.exe
  2⤵
  PID:6160
- C:\Windows\System\AFSXlSo.exe
  C:\Windows\System\AFSXlSo.exe
  2⤵
  PID:6184
- C:\Windows\System\KTDjMim.exe
  C:\Windows\System\KTDjMim.exe
  2⤵
  PID:1108
- C:\Windows\System\stZBMmI.exe
  C:\Windows\System\stZBMmI.exe
  2⤵
  PID:2020
- C:\Windows\System\HSkqMjh.exe
  C:\Windows\System\HSkqMjh.exe
  2⤵
  PID:3196
- C:\Windows\System\sbZWkHp.exe
  C:\Windows\System\sbZWkHp.exe
  2⤵
  PID:6212
- C:\Windows\System\dFbeIKC.exe
  C:\Windows\System\dFbeIKC.exe
  2⤵
  PID:6264
- C:\Windows\System\NgtjriY.exe
  C:\Windows\System\NgtjriY.exe
  2⤵
  PID:6400
- C:\Windows\System\eAHhNpL.exe
  C:\Windows\System\eAHhNpL.exe
  2⤵
  PID:6592
- C:\Windows\System\dYJmKld.exe
  C:\Windows\System\dYJmKld.exe
  2⤵
  PID:6644
- C:\Windows\System\LuLvBCf.exe
  C:\Windows\System\LuLvBCf.exe
  2⤵
  PID:6784
- C:\Windows\System\PdTBNum.exe
  C:\Windows\System\PdTBNum.exe
  2⤵
  PID:6804
- C:\Windows\System\RRKLOig.exe
  C:\Windows\System\RRKLOig.exe
  2⤵
  PID:6944
- C:\Windows\System\zvfZHJt.exe
  C:\Windows\System\zvfZHJt.exe
  2⤵
  PID:6980
- C:\Windows\System\dUWzQCQ.exe
  C:\Windows\System\dUWzQCQ.exe
  2⤵
  PID:7020
- C:\Windows\System\KRrgYVn.exe
  C:\Windows\System\KRrgYVn.exe
  2⤵
  PID:4052
- C:\Windows\System\MrhkJli.exe
  C:\Windows\System\MrhkJli.exe
  2⤵
  PID:7144
- C:\Windows\System\sQryJDV.exe
  C:\Windows\System\sQryJDV.exe
  2⤵
  PID:7092
- C:\Windows\System\JqsZVek.exe
  C:\Windows\System\JqsZVek.exe
  2⤵
  PID:5356
- C:\Windows\System\DRgmfXz.exe
  C:\Windows\System\DRgmfXz.exe
  2⤵
  PID:5376
- C:\Windows\System\ieQsaCW.exe
  C:\Windows\System\ieQsaCW.exe
  2⤵
  PID:6628
- C:\Windows\System\mNdSvdQ.exe
  C:\Windows\System\mNdSvdQ.exe
  2⤵
  PID:6596
- C:\Windows\System\oAdqqEB.exe
  C:\Windows\System\oAdqqEB.exe
  2⤵
  PID:4920
- C:\Windows\System\nPufZuc.exe
  C:\Windows\System\nPufZuc.exe
  2⤵
  PID:6840
- C:\Windows\System\pEpwikx.exe
  C:\Windows\System\pEpwikx.exe
  2⤵
  PID:6540
- C:\Windows\System\fpMpVIA.exe
  C:\Windows\System\fpMpVIA.exe
  2⤵
  PID:6884
- C:\Windows\System\kEPlwbo.exe
  C:\Windows\System\kEPlwbo.exe
  2⤵
  PID:6928
- C:\Windows\System\vzexMql.exe
  C:\Windows\System\vzexMql.exe
  2⤵
  PID:7060
- C:\Windows\System\nmqeZXS.exe
  C:\Windows\System\nmqeZXS.exe
  2⤵
  PID:5188
- C:\Windows\System\GhiHhDR.exe
  C:\Windows\System\GhiHhDR.exe
  2⤵
  PID:4288
- C:\Windows\System\fzgLOpr.exe
  C:\Windows\System\fzgLOpr.exe
  2⤵
  PID:6232
- C:\Windows\System\hSBQHtX.exe
  C:\Windows\System\hSBQHtX.exe
  2⤵
  PID:1148
- C:\Windows\System\kzaMdxA.exe
  C:\Windows\System\kzaMdxA.exe
  2⤵
  PID:7184
- C:\Windows\System\UZOkdpu.exe
  C:\Windows\System\UZOkdpu.exe
  2⤵
  PID:7212
- C:\Windows\System\dZgQZNU.exe
  C:\Windows\System\dZgQZNU.exe
  2⤵
  PID:7248
- C:\Windows\System\DpGhAUH.exe
  C:\Windows\System\DpGhAUH.exe
  2⤵
  PID:7264
- C:\Windows\System\smCtJht.exe
  C:\Windows\System\smCtJht.exe
  2⤵
  PID:7288
- C:\Windows\System\POfxLYf.exe
  C:\Windows\System\POfxLYf.exe
  2⤵
  PID:7304
- C:\Windows\System\cxQAYSW.exe
  C:\Windows\System\cxQAYSW.exe
  2⤵
  PID:7324
- C:\Windows\System\aOZvpVB.exe
  C:\Windows\System\aOZvpVB.exe
  2⤵
  PID:7340
- C:\Windows\System\ixntmmS.exe
  C:\Windows\System\ixntmmS.exe
  2⤵
  PID:7360
- C:\Windows\System\vIfdfnM.exe
  C:\Windows\System\vIfdfnM.exe
  2⤵
  PID:7416
- C:\Windows\System\gNkHpIA.exe
  C:\Windows\System\gNkHpIA.exe
  2⤵
  PID:7436
- C:\Windows\System\ilfpwsM.exe
  C:\Windows\System\ilfpwsM.exe
  2⤵
  PID:7532
- C:\Windows\System\oBRpZen.exe
  C:\Windows\System\oBRpZen.exe
  2⤵
  PID:7552
- C:\Windows\System\fcmGbDS.exe
  C:\Windows\System\fcmGbDS.exe
  2⤵
  PID:7580
- C:\Windows\System\GSpEhCx.exe
  C:\Windows\System\GSpEhCx.exe
  2⤵
  PID:7596
- C:\Windows\System\eKwQiIf.exe
  C:\Windows\System\eKwQiIf.exe
  2⤵
  PID:7624
- C:\Windows\System\gYsXprk.exe
  C:\Windows\System\gYsXprk.exe
  2⤵
  PID:7640
- C:\Windows\System\xIZOoNX.exe
  C:\Windows\System\xIZOoNX.exe
  2⤵
  PID:7732
- C:\Windows\System\sQkHEFU.exe
  C:\Windows\System\sQkHEFU.exe
  2⤵
  PID:7816
- C:\Windows\System\rpKXxue.exe
  C:\Windows\System\rpKXxue.exe
  2⤵
  PID:7832
- C:\Windows\System\glcTwcM.exe
  C:\Windows\System\glcTwcM.exe
  2⤵
  PID:7856
- C:\Windows\System\bHryKJi.exe
  C:\Windows\System\bHryKJi.exe
  2⤵
  PID:7872
- C:\Windows\System\tQlgNNq.exe
  C:\Windows\System\tQlgNNq.exe
  2⤵
  PID:7892
- C:\Windows\System\RopSZaw.exe
  C:\Windows\System\RopSZaw.exe
  2⤵
  PID:7928
- C:\Windows\System\HzCpCjK.exe
  C:\Windows\System\HzCpCjK.exe
  2⤵
  PID:7968
- C:\Windows\System\kgxnXZd.exe
  C:\Windows\System\kgxnXZd.exe
  2⤵
  PID:7988
- C:\Windows\System\LPAevlQ.exe
  C:\Windows\System\LPAevlQ.exe
  2⤵
  PID:8036
- C:\Windows\System\wbIwdEw.exe
  C:\Windows\System\wbIwdEw.exe
  2⤵
  PID:8056
- C:\Windows\System\PvsjWkX.exe
  C:\Windows\System\PvsjWkX.exe
  2⤵
  PID:8104
- C:\Windows\System\jOwyEOs.exe
  C:\Windows\System\jOwyEOs.exe
  2⤵
  PID:8124
- C:\Windows\System\zAlprjx.exe
  C:\Windows\System\zAlprjx.exe
  2⤵
  PID:8140
- C:\Windows\System\FdwASGg.exe
  C:\Windows\System\FdwASGg.exe
  2⤵
  PID:8156
- C:\Windows\System\IrasSlS.exe
  C:\Windows\System\IrasSlS.exe
  2⤵
  PID:6556
- C:\Windows\System\dIlXWiU.exe
  C:\Windows\System\dIlXWiU.exe
  2⤵
  PID:376
- C:\Windows\System\fhpGNqp.exe
  C:\Windows\System\fhpGNqp.exe
  2⤵
  PID:2760
- C:\Windows\System\FDqQddH.exe
  C:\Windows\System\FDqQddH.exe
  2⤵
  PID:6860
- C:\Windows\System\PVZtqzS.exe
  C:\Windows\System\PVZtqzS.exe
  2⤵
  PID:6028
- C:\Windows\System\kBIEgfC.exe
  C:\Windows\System\kBIEgfC.exe
  2⤵
  PID:7320
- C:\Windows\System\CQxNeHc.exe
  C:\Windows\System\CQxNeHc.exe
  2⤵
  PID:7464
- C:\Windows\System\labmlIE.exe
  C:\Windows\System\labmlIE.exe
  2⤵
  PID:7336
- C:\Windows\System\zyEEngF.exe
  C:\Windows\System\zyEEngF.exe
  2⤵
  PID:7412
- C:\Windows\System\KFCtlHD.exe
  C:\Windows\System\KFCtlHD.exe
  2⤵
  PID:7384
- C:\Windows\System\kNknGDu.exe
  C:\Windows\System\kNknGDu.exe
  2⤵
  PID:2680
- C:\Windows\System\xdzEZjI.exe
  C:\Windows\System\xdzEZjI.exe
  2⤵
  PID:7748
- C:\Windows\System\yFvuNSQ.exe
  C:\Windows\System\yFvuNSQ.exe
  2⤵
  PID:1248
- C:\Windows\System\LFeKgBi.exe
  C:\Windows\System\LFeKgBi.exe
  2⤵
  PID:7868
- C:\Windows\System\SwvCgkY.exe
  C:\Windows\System\SwvCgkY.exe
  2⤵
  PID:7880
- C:\Windows\System\OVtVeRR.exe
  C:\Windows\System\OVtVeRR.exe
  2⤵
  PID:7916
- C:\Windows\System\SLhHhzm.exe
  C:\Windows\System\SLhHhzm.exe
  2⤵
  PID:8000
- C:\Windows\System\SUeWJkN.exe
  C:\Windows\System\SUeWJkN.exe
  2⤵
  PID:8120
- C:\Windows\System\hZpQHvR.exe
  C:\Windows\System\hZpQHvR.exe
  2⤵
  PID:8044
- C:\Windows\System\IXFpfjl.exe
  C:\Windows\System\IXFpfjl.exe
  2⤵
  PID:8092
- C:\Windows\System\ROInVjR.exe
  C:\Windows\System\ROInVjR.exe
  2⤵
  PID:6692
- C:\Windows\System\EnNPDce.exe
  C:\Windows\System\EnNPDce.exe
  2⤵
  PID:860
- C:\Windows\System\IarHFot.exe
  C:\Windows\System\IarHFot.exe
  2⤵
  PID:7160
- C:\Windows\System\bfMLZdS.exe
  C:\Windows\System\bfMLZdS.exe
  2⤵
  PID:6564
- C:\Windows\System\oxEEMyU.exe
  C:\Windows\System\oxEEMyU.exe
  2⤵
  PID:7368
- C:\Windows\System\puOkbqJ.exe
  C:\Windows\System\puOkbqJ.exe
  2⤵
  PID:7296
- C:\Windows\System\ufbZehP.exe
  C:\Windows\System\ufbZehP.exe
  2⤵
  PID:7428
- C:\Windows\System\eYzBahD.exe
  C:\Windows\System\eYzBahD.exe
  2⤵
  PID:7676
- C:\Windows\System\XHfCOoc.exe
  C:\Windows\System\XHfCOoc.exe
  2⤵
  PID:7572
- C:\Windows\System\XpWGNKZ.exe
  C:\Windows\System\XpWGNKZ.exe
  2⤵
  PID:7940
- C:\Windows\System\HiwTDSI.exe
  C:\Windows\System\HiwTDSI.exe
  2⤵
  PID:5488
- C:\Windows\System\pgwvQDJ.exe
  C:\Windows\System\pgwvQDJ.exe
  2⤵
  PID:7276
- C:\Windows\System\hiFkTaW.exe
  C:\Windows\System\hiFkTaW.exe
  2⤵
  PID:6848
- C:\Windows\System\RhJajSw.exe
  C:\Windows\System\RhJajSw.exe
  2⤵
  PID:7608
- C:\Windows\System\pSOZSdx.exe
  C:\Windows\System\pSOZSdx.exe
  2⤵
  PID:7508
- C:\Windows\System\zhatMZG.exe
  C:\Windows\System\zhatMZG.exe
  2⤵
  PID:8168
- C:\Windows\System\oouFLsP.exe
  C:\Windows\System\oouFLsP.exe
  2⤵
  PID:6732
- C:\Windows\System\QUACpev.exe
  C:\Windows\System\QUACpev.exe
  2⤵
  PID:7112
- C:\Windows\System\VErhrMy.exe
  C:\Windows\System\VErhrMy.exe
  2⤵
  PID:8232
- C:\Windows\System\fxcqpgf.exe
  C:\Windows\System\fxcqpgf.exe
  2⤵
  PID:8248
- C:\Windows\System\NFyADMX.exe
  C:\Windows\System\NFyADMX.exe
  2⤵
  PID:8276
- C:\Windows\System\rjnhpAu.exe
  C:\Windows\System\rjnhpAu.exe
  2⤵
  PID:8292
- C:\Windows\System\uyjzRvB.exe
  C:\Windows\System\uyjzRvB.exe
  2⤵
  PID:8312
- C:\Windows\System\oBPisuH.exe
  C:\Windows\System\oBPisuH.exe
  2⤵
  PID:8332
- C:\Windows\System\mVUHKHa.exe
  C:\Windows\System\mVUHKHa.exe
  2⤵
  PID:8348
- C:\Windows\System\CVwxEDj.exe
  C:\Windows\System\CVwxEDj.exe
  2⤵
  PID:8364
- C:\Windows\System\yxQPUfx.exe
  C:\Windows\System\yxQPUfx.exe
  2⤵
  PID:8384
- C:\Windows\System\lJFWtbG.exe
  C:\Windows\System\lJFWtbG.exe
  2⤵
  PID:8400
- C:\Windows\System\SUYwCpV.exe
  C:\Windows\System\SUYwCpV.exe
  2⤵
  PID:8416
- C:\Windows\System\HotlpAp.exe
  C:\Windows\System\HotlpAp.exe
  2⤵
  PID:8452
- C:\Windows\System\npAclxt.exe
  C:\Windows\System\npAclxt.exe
  2⤵
  PID:8508
- C:\Windows\System\TiePYxg.exe
  C:\Windows\System\TiePYxg.exe
  2⤵
  PID:8584
- C:\Windows\System\OwjwLEP.exe
  C:\Windows\System\OwjwLEP.exe
  2⤵
  PID:8608
- C:\Windows\System\uBhNLDS.exe
  C:\Windows\System\uBhNLDS.exe
  2⤵
  PID:8660
- C:\Windows\System\xWvnJVI.exe
  C:\Windows\System\xWvnJVI.exe
  2⤵
  PID:8680
- C:\Windows\System\CYcWHEg.exe
  C:\Windows\System\CYcWHEg.exe
  2⤵
  PID:8708
- C:\Windows\System\khQusEg.exe
  C:\Windows\System\khQusEg.exe
  2⤵
  PID:8724
- C:\Windows\System\UPhGIza.exe
  C:\Windows\System\UPhGIza.exe
  2⤵
  PID:8744
- C:\Windows\System\OWFtfsV.exe
  C:\Windows\System\OWFtfsV.exe
  2⤵
  PID:8768
- C:\Windows\System\TUZGkcy.exe
  C:\Windows\System\TUZGkcy.exe
  2⤵
  PID:8784
- C:\Windows\System\YhqyVLd.exe
  C:\Windows\System\YhqyVLd.exe
  2⤵
  PID:8800
- C:\Windows\System\mFPaoch.exe
  C:\Windows\System\mFPaoch.exe
  2⤵
  PID:8816
- C:\Windows\System\kVLhqOm.exe
  C:\Windows\System\kVLhqOm.exe
  2⤵
  PID:8836
- C:\Windows\System\waqofsK.exe
  C:\Windows\System\waqofsK.exe
  2⤵
  PID:8856
- C:\Windows\System\RNNbRvR.exe
  C:\Windows\System\RNNbRvR.exe
  2⤵
  PID:8872
- C:\Windows\System\CrorREo.exe
  C:\Windows\System\CrorREo.exe
  2⤵
  PID:8896
- C:\Windows\System\CouBdym.exe
  C:\Windows\System\CouBdym.exe
  2⤵
  PID:8912
- C:\Windows\System\vFYtRZa.exe
  C:\Windows\System\vFYtRZa.exe
  2⤵
  PID:8928
- C:\Windows\System\KnFHQmQ.exe
  C:\Windows\System\KnFHQmQ.exe
  2⤵
  PID:8956
- C:\Windows\System\rYyEbmN.exe
  C:\Windows\System\rYyEbmN.exe
  2⤵
  PID:8972
- C:\Windows\System\DHVhuNC.exe
  C:\Windows\System\DHVhuNC.exe
  2⤵
  PID:8988
- C:\Windows\System\TZUtWBI.exe
  C:\Windows\System\TZUtWBI.exe
  2⤵
  PID:9088
- C:\Windows\System\FoGEbFZ.exe
  C:\Windows\System\FoGEbFZ.exe
  2⤵
  PID:9104
- C:\Windows\System\cOxhVXo.exe
  C:\Windows\System\cOxhVXo.exe
  2⤵
  PID:9120
- C:\Windows\System\LCJbkpC.exe
  C:\Windows\System\LCJbkpC.exe
  2⤵
  PID:9148
- C:\Windows\System\PdAQKyk.exe
  C:\Windows\System\PdAQKyk.exe
  2⤵
  PID:3844
- C:\Windows\System\gqDrRpW.exe
  C:\Windows\System\gqDrRpW.exe
  2⤵
  PID:8380
- C:\Windows\System\WUYiFhI.exe
  C:\Windows\System\WUYiFhI.exe
  2⤵
  PID:8436
- C:\Windows\System\MRZtWwQ.exe
  C:\Windows\System\MRZtWwQ.exe
  2⤵
  PID:8360
- C:\Windows\System\zuCIBwF.exe
  C:\Windows\System\zuCIBwF.exe
  2⤵
  PID:8268
- C:\Windows\System\IGdmgdB.exe
  C:\Windows\System\IGdmgdB.exe
  2⤵
  PID:5060
- C:\Windows\System\ZYjLcnU.exe
  C:\Windows\System\ZYjLcnU.exe
  2⤵
  PID:8572
- C:\Windows\System\fxhOAkf.exe
  C:\Windows\System\fxhOAkf.exe
  2⤵
  PID:8732
- C:\Windows\System\yJAMFsy.exe
  C:\Windows\System\yJAMFsy.exe
  2⤵
  PID:8760
- C:\Windows\System\jUWRwnc.exe
  C:\Windows\System\jUWRwnc.exe
  2⤵
  PID:8776
- C:\Windows\System\QGxaLgF.exe
  C:\Windows\System\QGxaLgF.exe
  2⤵
  PID:5432
- C:\Windows\System\YDtFGZY.exe
  C:\Windows\System\YDtFGZY.exe
  2⤵
  PID:9008
- C:\Windows\System\VUlSYZx.exe
  C:\Windows\System\VUlSYZx.exe
  2⤵
  PID:8844
- C:\Windows\System\zkwhZZl.exe
  C:\Windows\System\zkwhZZl.exe
  2⤵
  PID:8868
- C:\Windows\System\bPgTKuV.exe
  C:\Windows\System\bPgTKuV.exe
  2⤵
  PID:9176
- C:\Windows\System\znpzfGv.exe
  C:\Windows\System\znpzfGv.exe
  2⤵
  PID:9112
- C:\Windows\System\OlZYjJj.exe
  C:\Windows\System\OlZYjJj.exe
  2⤵
  PID:8112
- C:\Windows\System\ZVOgzdY.exe
  C:\Windows\System\ZVOgzdY.exe
  2⤵
  PID:7192
- C:\Windows\System\uLZHJEq.exe
  C:\Windows\System\uLZHJEq.exe
  2⤵
  PID:8468
- C:\Windows\System\XhMrpAQ.exe
  C:\Windows\System\XhMrpAQ.exe
  2⤵
  PID:8616
- C:\Windows\System\AzuIGtr.exe
  C:\Windows\System\AzuIGtr.exe
  2⤵
  PID:8568
- C:\Windows\System\iNFteIj.exe
  C:\Windows\System\iNFteIj.exe
  2⤵
  PID:8796
- C:\Windows\System\GUlZbYE.exe
  C:\Windows\System\GUlZbYE.exe
  2⤵
  PID:1312
- C:\Windows\System\jcrdbQe.exe
  C:\Windows\System\jcrdbQe.exe
  2⤵
  PID:8984
- C:\Windows\System\exKOWBE.exe
  C:\Windows\System\exKOWBE.exe
  2⤵
  PID:5024
- C:\Windows\System\mUxYhfu.exe
  C:\Windows\System\mUxYhfu.exe
  2⤵
  PID:8500
- C:\Windows\System\wpPuDjk.exe
  C:\Windows\System\wpPuDjk.exe
  2⤵
  PID:8656
- C:\Windows\System\OqzHMCh.exe
  C:\Windows\System\OqzHMCh.exe
  2⤵
  PID:7812
- C:\Windows\System\WyLjpse.exe
  C:\Windows\System\WyLjpse.exe
  2⤵
  PID:8448
- C:\Windows\System\xsngDrY.exe
  C:\Windows\System\xsngDrY.exe
  2⤵
  PID:9224
- C:\Windows\System\XmIdFzX.exe
  C:\Windows\System\XmIdFzX.exe
  2⤵
  PID:9260
- C:\Windows\System\SHRCEfP.exe
  C:\Windows\System\SHRCEfP.exe
  2⤵
  PID:9276
- C:\Windows\System\OhZQaaF.exe
  C:\Windows\System\OhZQaaF.exe
  2⤵
  PID:9300
- C:\Windows\System\ujSYQYD.exe
  C:\Windows\System\ujSYQYD.exe
  2⤵
  PID:9352
- C:\Windows\System\fDGulWp.exe
  C:\Windows\System\fDGulWp.exe
  2⤵
  PID:9372
- C:\Windows\System\CTNextl.exe
  C:\Windows\System\CTNextl.exe
  2⤵
  PID:9396
- C:\Windows\System\aFajTam.exe
  C:\Windows\System\aFajTam.exe
  2⤵
  PID:9472
- C:\Windows\System\cvdtSNi.exe
  C:\Windows\System\cvdtSNi.exe
  2⤵
  PID:9516
- C:\Windows\System\esiYFAh.exe
  C:\Windows\System\esiYFAh.exe
  2⤵
  PID:9532
- C:\Windows\System\sEnHLOc.exe
  C:\Windows\System\sEnHLOc.exe
  2⤵
  PID:9556
- C:\Windows\System\KxbWNBt.exe
  C:\Windows\System\KxbWNBt.exe
  2⤵
  PID:9572
- C:\Windows\System\WJFePwb.exe
  C:\Windows\System\WJFePwb.exe
  2⤵
  PID:9588
- C:\Windows\System\jdaUdkH.exe
  C:\Windows\System\jdaUdkH.exe
  2⤵
  PID:9612
- C:\Windows\System\dTOwwsh.exe
  C:\Windows\System\dTOwwsh.exe
  2⤵
  PID:9632
- C:\Windows\System\duToBRJ.exe
  C:\Windows\System\duToBRJ.exe
  2⤵
  PID:9656
- C:\Windows\System\BrDTkip.exe
  C:\Windows\System\BrDTkip.exe
  2⤵
  PID:9672
- C:\Windows\System\ElaByiy.exe
  C:\Windows\System\ElaByiy.exe
  2⤵
  PID:9748
- C:\Windows\System\Urlyurk.exe
  C:\Windows\System\Urlyurk.exe
  2⤵
  PID:9784
- C:\Windows\System\WEgcqMo.exe
  C:\Windows\System\WEgcqMo.exe
  2⤵
  PID:9800
- C:\Windows\System\XAPnNGH.exe
  C:\Windows\System\XAPnNGH.exe
  2⤵
  PID:9816
- C:\Windows\System\oSOhUWO.exe
  C:\Windows\System\oSOhUWO.exe
  2⤵
  PID:9840
- C:\Windows\System\KtuKkfm.exe
  C:\Windows\System\KtuKkfm.exe
  2⤵
  PID:9856
- C:\Windows\System\BEjmZit.exe
  C:\Windows\System\BEjmZit.exe
  2⤵
  PID:9896
- C:\Windows\System\WAqPKGH.exe
  C:\Windows\System\WAqPKGH.exe
  2⤵
  PID:9912
- C:\Windows\System\MCEAyjK.exe
  C:\Windows\System\MCEAyjK.exe
  2⤵
  PID:9964
- C:\Windows\System\UFfOSFE.exe
  C:\Windows\System\UFfOSFE.exe
  2⤵
  PID:9980
- C:\Windows\System\lvHmOUj.exe
  C:\Windows\System\lvHmOUj.exe
  2⤵
  PID:10020
- C:\Windows\System\bNoAugL.exe
  C:\Windows\System\bNoAugL.exe
  2⤵
  PID:10040
- C:\Windows\System\rpnDDZg.exe
  C:\Windows\System\rpnDDZg.exe
  2⤵
  PID:10064
- C:\Windows\System\gVZZQYn.exe
  C:\Windows\System\gVZZQYn.exe
  2⤵
  PID:10136
- C:\Windows\System\ovligCu.exe
  C:\Windows\System\ovligCu.exe
  2⤵
  PID:10156
- C:\Windows\System\WOtwRjV.exe
  C:\Windows\System\WOtwRjV.exe
  2⤵
  PID:10176
- C:\Windows\System\uHsZJIB.exe
  C:\Windows\System\uHsZJIB.exe
  2⤵
  PID:10196
- C:\Windows\System\kVJFNlz.exe
  C:\Windows\System\kVJFNlz.exe
  2⤵
  PID:9140
- C:\Windows\System\FciENis.exe
  C:\Windows\System\FciENis.exe
  2⤵
  PID:8696
- C:\Windows\System\RhTfYkl.exe
  C:\Windows\System\RhTfYkl.exe
  2⤵
  PID:9080
- C:\Windows\System\iRWQSEn.exe
  C:\Windows\System\iRWQSEn.exe
  2⤵
  PID:5284
- C:\Windows\System\StQBuWD.exe
  C:\Windows\System\StQBuWD.exe
  2⤵
  PID:9292
- C:\Windows\System\jNSSvTV.exe
  C:\Windows\System\jNSSvTV.exe
  2⤵
  PID:9328
- C:\Windows\System\GiDdoyj.exe
  C:\Windows\System\GiDdoyj.exe
  2⤵
  PID:9544
- C:\Windows\System\fftkoQu.exe
  C:\Windows\System\fftkoQu.exe
  2⤵
  PID:9604
- C:\Windows\System\rSMfaYu.exe
  C:\Windows\System\rSMfaYu.exe
  2⤵
  PID:9628
- C:\Windows\System\YPLZEfP.exe
  C:\Windows\System\YPLZEfP.exe
  2⤵
  PID:9736
- C:\Windows\System\SnUFnGN.exe
  C:\Windows\System\SnUFnGN.exe
  2⤵
  PID:9756
- C:\Windows\System\OOgXXCh.exe
  C:\Windows\System\OOgXXCh.exe
  2⤵
  PID:9892
- C:\Windows\System\klhcCAr.exe
  C:\Windows\System\klhcCAr.exe
  2⤵
  PID:9908
- C:\Windows\System\hKevIIl.exe
  C:\Windows\System\hKevIIl.exe
  2⤵
  PID:9952
- C:\Windows\System\vkpTMui.exe
  C:\Windows\System\vkpTMui.exe
  2⤵
  PID:10084
- C:\Windows\System\FroyQAY.exe
  C:\Windows\System\FroyQAY.exe
  2⤵
  PID:10144
- C:\Windows\System\FtXLJjs.exe
  C:\Windows\System\FtXLJjs.exe
  2⤵
  PID:10224
- C:\Windows\System\ZhZlKii.exe
  C:\Windows\System\ZhZlKii.exe
  2⤵
  PID:9160
- C:\Windows\System\CqpgpOl.exe
  C:\Windows\System\CqpgpOl.exe
  2⤵
  PID:9320
- C:\Windows\System\HOrnJmZ.exe
  C:\Windows\System\HOrnJmZ.exe
  2⤵
  PID:9244
- C:\Windows\System\nrRMiYM.exe
  C:\Windows\System\nrRMiYM.exe
  2⤵
  PID:9648
- C:\Windows\System\wljTonL.exe
  C:\Windows\System\wljTonL.exe
  2⤵
  PID:9732
- C:\Windows\System\fbvnsQn.exe
  C:\Windows\System\fbvnsQn.exe
  2⤵
  PID:9740
- C:\Windows\System\zCqhtsY.exe
  C:\Windows\System\zCqhtsY.exe
  2⤵
  PID:9848
- C:\Windows\System\sISXbbR.exe
  C:\Windows\System\sISXbbR.exe
  2⤵
  PID:9992
- C:\Windows\System\SYQwfeN.exe
  C:\Windows\System\SYQwfeN.exe
  2⤵
  PID:8756
- C:\Windows\System\uqgeYyB.exe
  C:\Windows\System\uqgeYyB.exe
  2⤵
  PID:9564
- C:\Windows\System\VzWExsC.exe
  C:\Windows\System\VzWExsC.exe
  2⤵
  PID:9976
- C:\Windows\System\vUPSfLD.exe
  C:\Windows\System\vUPSfLD.exe
  2⤵
  PID:4716
- C:\Windows\System\gQhUdOG.exe
  C:\Windows\System\gQhUdOG.exe
  2⤵
  PID:10076
- C:\Windows\System\YcgREdT.exe
  C:\Windows\System\YcgREdT.exe
  2⤵
  PID:1880
- C:\Windows\System\joVqzXD.exe
  C:\Windows\System\joVqzXD.exe
  2⤵
  PID:10244
- C:\Windows\System\ArHHoZn.exe
  C:\Windows\System\ArHHoZn.exe
  2⤵
  PID:10328
- C:\Windows\System\sILnDHG.exe
  C:\Windows\System\sILnDHG.exe
  2⤵
  PID:10376
- C:\Windows\System\nnGXlNs.exe
  C:\Windows\System\nnGXlNs.exe
  2⤵
  PID:10392
- C:\Windows\System\LbvyGBB.exe
  C:\Windows\System\LbvyGBB.exe
  2⤵
  PID:10408
- C:\Windows\System\hdHukaf.exe
  C:\Windows\System\hdHukaf.exe
  2⤵
  PID:10460
- C:\Windows\System\VmqGupv.exe
  C:\Windows\System\VmqGupv.exe
  2⤵
  PID:10480
- C:\Windows\System\iiYnfGK.exe
  C:\Windows\System\iiYnfGK.exe
  2⤵
  PID:10504
- C:\Windows\System\MHIjfhJ.exe
  C:\Windows\System\MHIjfhJ.exe
  2⤵
  PID:10520
- C:\Windows\System\LwKRVyc.exe
  C:\Windows\System\LwKRVyc.exe
  2⤵
  PID:10536
- C:\Windows\System\CJRjEGA.exe
  C:\Windows\System\CJRjEGA.exe
  2⤵
  PID:10564
- C:\Windows\System\FjrYmbA.exe
  C:\Windows\System\FjrYmbA.exe
  2⤵
  PID:10580
- C:\Windows\System\OGjEDMq.exe
  C:\Windows\System\OGjEDMq.exe
  2⤵
  PID:10596
- C:\Windows\System\FwCNEHh.exe
  C:\Windows\System\FwCNEHh.exe
  2⤵
  PID:10644
- C:\Windows\System\ylVxvlP.exe
  C:\Windows\System\ylVxvlP.exe
  2⤵
  PID:10672
- C:\Windows\System\jYjtemp.exe
  C:\Windows\System\jYjtemp.exe
  2⤵
  PID:10688
- C:\Windows\System\AvEJviU.exe
  C:\Windows\System\AvEJviU.exe
  2⤵
  PID:10704
- C:\Windows\System\vyVOmOL.exe
  C:\Windows\System\vyVOmOL.exe
  2⤵
  PID:10732
- C:\Windows\System\mpcbafx.exe
  C:\Windows\System\mpcbafx.exe
  2⤵
  PID:10836
- C:\Windows\System\dRQrUdP.exe
  C:\Windows\System\dRQrUdP.exe
  2⤵
  PID:10860
- C:\Windows\System\oMQPEUh.exe
  C:\Windows\System\oMQPEUh.exe
  2⤵
  PID:10884
- C:\Windows\System\kFWfLWS.exe
  C:\Windows\System\kFWfLWS.exe
  2⤵
  PID:10912
- C:\Windows\System\lkgbubB.exe
  C:\Windows\System\lkgbubB.exe
  2⤵
  PID:10956
- C:\Windows\System\XCoLFax.exe
  C:\Windows\System\XCoLFax.exe
  2⤵
  PID:10976
- C:\Windows\System\hQWaZgb.exe
  C:\Windows\System\hQWaZgb.exe
  2⤵
  PID:10996
- C:\Windows\System\TQahDwD.exe
  C:\Windows\System\TQahDwD.exe
  2⤵
  PID:11012
- C:\Windows\System\ilYTBUU.exe
  C:\Windows\System\ilYTBUU.exe
  2⤵
  PID:11052
- C:\Windows\System\KCWXxrk.exe
  C:\Windows\System\KCWXxrk.exe
  2⤵
  PID:11068
- C:\Windows\System\WgkUngN.exe
  C:\Windows\System\WgkUngN.exe
  2⤵
  PID:11088
- C:\Windows\System\tHSWoCa.exe
  C:\Windows\System\tHSWoCa.exe
  2⤵
  PID:11108

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:10636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AmKDLZw.exe

Filesize
1.9MB

MD5
67a62470ed0dddcc3a8f674854ef3994

SHA1
78f1bbafe2afccb6c73af3974b85f0161e6c428a

SHA256
816426cd336700197984fc897fc64c9dfde5012e8f8c27987a558302fe08962a

SHA512
6c55d03f4cf1c0086ba0c4531fad28d17044c9f622d414706d35c4ae442e78e3cf4df4c7bb71f349643f48af1e6000fa5aa3d26a8e7c32ffa74966c8fa95d9e9

Download Submit
C:\Windows\System\BJrpMUK.exe

Filesize
1.9MB

MD5
443eb2fcb5a28b7c9b45dfd55a45c497

SHA1
c650b5c6254ad5d11dcf5e8b1c1147a6a6d3e5f4

SHA256
8eef7bfdb56de131320b8e25a17769ac19661afa94cf26e2b429da33e5263c8b

SHA512
977aa166861755c655e32e8905f871de69c6e60dae651f496c10282d2f04a4eeec4723b0eabefb83b9394c036825a2aaba20e69f82e02de683ae242bc01dd8a4

Download Submit
C:\Windows\System\DkDOdkU.exe

Filesize
1.9MB

MD5
f6816db75e42cd50e8b2281473cf2b50

SHA1
b03ff39b4c931c520bb34cb7489c17f0f5ee505d

SHA256
39bc6308aa832abb2346a8606f404c90a0a9a9ae58a636b318a2abb6325d8668

SHA512
0224bb5467d54690ab5de924caa29a27efced1de788685d10d6beef5e09293b783838696dc3a9d656a14ef839e98494f51d98192e962bd771a40eb27bf776271

Download Submit
C:\Windows\System\EIoNqpr.exe

Filesize
1.9MB

MD5
cab2454a1e3bea80636ded542895e864

SHA1
b7f1afefbb8c0c3e2ac67ab7dc26aa4cc275dd4f

SHA256
aacfec1e204df15abd7d85f2cf9dcbd483ef764d5dcdc6c67aec5eb0696260ce

SHA512
c3bda337dcfeb4cbcd712706df81bd9661c3ae01c9221ad1db7aeb4fce5c690422ef3b38678719611c28c2b980837e6265ac5aec0123a85a9c2e0097ad50a04f

Download Submit
C:\Windows\System\ELrhFHc.exe

Filesize
1.9MB

MD5
90e0912c0b966257b50a9d5a96a5ec77

SHA1
6d188a4a79682f21101a7ef4a5829cd7058d7e58

SHA256
d761261488e8cf20d45f376220ac7329029241296a3c406a5b216ce913606b9d

SHA512
696ecf9e08a3adb6bda0464aa8355d14335afbd1233b0ace4f97f8e207c5b4699b3e91fb313c8d5465083450ec04f60ebfa384a92bb8339bc403c473f9360a9b

Download Submit
C:\Windows\System\HXomHAS.exe

Filesize
1.9MB

MD5
6f1a18b83998610c0adfb9d27f718405

SHA1
f1f213887f59413591f77268f2a22b0c4c591657

SHA256
8b94de0242111e146e40156c72b88407793044094f041d59906f29b1f6b6552f

SHA512
37ca21fcf278fe5140be9b17aeadcc5940fab41dc12649dfec8793800ae5b8e30f5eddbb0d2a1aee882ee096e2b988809f0f6e726a4d705817dca44c7801e68e

Download Submit
C:\Windows\System\HgExlfK.exe

Filesize
1.9MB

MD5
50481fd874e62869222a5482e01bb788

SHA1
3040dffafdd2a97696f0f675dc91cbba1e071b6b

SHA256
85d73bf2ea3dd7c1657de40cad913da83e0e55b3d21add655f9739c2fd406a42

SHA512
fca5d07cda59024183aa07f60ee655f3f760ea6aeaf659721ca3b3383b631500f7b70614df59035b51181039a3fd54e3e243937f10162cb2184dab88629a9b8f

Download Submit
C:\Windows\System\MdKrdNJ.exe

Filesize
1.9MB

MD5
aff8c1481faab50140eec53ebfed6bc9

SHA1
8390342d7a573ce650b248226de731ad607c7da0

SHA256
6edd0dbc78c0b5430bb1d79178e7b340485c3a9e988f4f7462e382c8e1bb1217

SHA512
251fe675491a07fe82b5cf1b09f173c51f4f1c102886a950bcdfda25f2b99b67a658f9a01a0871277e95f4d229ceb13e0156a84331c943e9a4c3dc513f25ec6f

Download Submit
C:\Windows\System\OjElBjP.exe

Filesize
1.9MB

MD5
87c688574cfd3936157265cdbdf01c69

SHA1
f7410bf9f66674a316057e3aa8ae8a90238d7efe

SHA256
0be14ed5d15da6cd372ca5540fb7f33b38860a70fea9277b2f3e29821531120b

SHA512
66b9420eb611493d599ca7755ba5812352e16ace5503a5f28831a48128c14e3bfc9032571b1c45e9a329a8069154a0cc499a0a4be258bc2e24fce98cca04455a

Download Submit
C:\Windows\System\RgIgNfO.exe

Filesize
1.9MB

MD5
8441bed9a11edf621fda90be5cc2e30b

SHA1
18886369a9893006cacf7bc1e8559896dfdcaa78

SHA256
8cb34fa304e8faeed44405709d58735644da72db94f869fff85209a1bc2de3ef

SHA512
9e9143a5fc2ab51e51dc8975b9a27af0d0bbe5beac5ffc6d90ca810b208fc0dc36249deb1643ef9fa3a8bfb6b5b8227365f6095d83abe681c8ce0a616b589375

Download Submit
C:\Windows\System\RzxAvDJ.exe

Filesize
1.9MB

MD5
e9d778946b5b99a8c293007578dbd932

SHA1
42b24934e779fe7f2dfb76639bae1199e896d3ff

SHA256
790a70b36c7321d5736faf584cf72c1ee4127bf33e7f68f342d4957344372fbf

SHA512
39f1b4e1e7c20f2e4a302b60e671a8698e79abe0333b907416e561e098cbb4f63ed716711d9cf9080f37480ffff61e502e9dcf252bfa53c8a2c25402ba872857

Download Submit
C:\Windows\System\SsDLvpf.exe

Filesize
1.9MB

MD5
3d4bf80a46d0a4af76449a136267feb6

SHA1
a54394c5d7aee93f968ebe5da3e9a8692040e1c1

SHA256
fd2cd4215931b8dce8bbef4f06c92a36cba3e5df3be7cc8508908f454d4fbe64

SHA512
80e293d74da9cd9f62d691d1ae1cde8d8a481109542fb3e69ee331363dc33039db5bd5ceca6657d907efdbe09000eeaf038467a97f62cc5bf10f5e77150cea09

Download Submit
C:\Windows\System\VCyfJBd.exe

Filesize
1.9MB

MD5
d5fdc365c375514c3015e0efdf737ecc

SHA1
5da2e5371835ae7a2e2aaf3d7b0237a1322aedfe

SHA256
20dc6ea56537286f61152077ec4ce09ff5e25ffaaed6085fb96a9db498092867

SHA512
9689109d048385b604fe9d4717a05b7d15658b892e907324c6a51a8e38c45bf5392a0e1db9093b76f15d65c81a28fba5c0f83aba28eb2cf4209c1f5b14e59c0a

Download Submit
C:\Windows\System\VbijOJJ.exe

Filesize
1.9MB

MD5
ed0ba30f9471642547b344c6a598216a

SHA1
10c7b080775020c8e3203f1183409d33f0c74ea4

SHA256
841a39cc0d4ece51908e0eede2572905c7efa526a10a42f93ec4396f6fd6a378

SHA512
5c2d558772d4960b32c363fda35f4f78ab8d0359258b4e1b43e09a8fec694cd30a758001d4e443d57411068063e5533bc47106116c151b048d95c170c57315e6

Download Submit
C:\Windows\System\WXNdJQG.exe

Filesize
1.9MB

MD5
125122bab2831a224cd9e21e5a22ffa5

SHA1
4e901aa27339dca597fff58d66825d40914af665

SHA256
8bcc3cb666f4ce7e27edba80a842b8409e62faeb4be8f28e27640ee411a84627

SHA512
a4b89eb6e21866b2c03ebc25c5184e689c8ddba218099511116c31dd041d7764f86d625f2d7aca14a10a10f9c7d34adf5d18d662f8a36b707d3c0ea6db2a19bb

Download Submit
C:\Windows\System\ZOTeTBi.exe

Filesize
1.9MB

MD5
bb7e7f6f3c4aec5bd92f79dc4d829f36

SHA1
db90914aef488a837feea541778d55d6c9c0ca9b

SHA256
f362ba567a65541ae03a94b04b3c2043e34f5d2648907f78d8e9fbb67f524505

SHA512
ae45dd5f671f32fbbd8846647ff227ac6cd49f46fbd7c4e62e54929d0fbe36bb556bc03c126951c6ff0967cd95af35c3f97941857c59056ea55de5d9e080d889

Download Submit
C:\Windows\System\aOtEmjC.exe

Filesize
1.9MB

MD5
1bc6e80638089a4b0410129d4e733c6a

SHA1
9b277e6273049f929a0bfe3d884206fd7f614933

SHA256
25843a969045c545f4ec0efaad4630b1b7bf0023d0e468b435a8985a2697a787

SHA512
d6a30829f3dd913628bfdb0ec962ad1489dbe383256a0bea06854b15b34a470b82512d62c65528823d8c3f3a918e4285195bdef347b12d478ce82c98a68d1025

Download Submit
C:\Windows\System\aScaPFV.exe

Filesize
1.9MB

MD5
2856d271c98cfbe424e63b9aef942fa0

SHA1
24be4f75b2c46178f0b1a27440c9b9db6bca0f12

SHA256
ec4e7adad0e3b77233329a35fad1f159ac43b1ed43fa24d7eacd37926f4dd552

SHA512
6b61d1e7589c1a8db0c6421a286bfcd121a84d619224669f900cc257dca1709ddbf6dee95ec2d0485714c4f8aca2dcaeeabd61170b75b362df4c5286a0349742

Download Submit
C:\Windows\System\cbcTDBs.exe

Filesize
1.9MB

MD5
747b966a5a6bfbeaf41e8d808354d846

SHA1
14511369e706ac060668c76d56c1ecaf20d52677

SHA256
df80f2b9fb9b615938a8041677be2904b65409372fecd14d677142c68ed5c92b

SHA512
ec806722de21c078ff54a2b5966c0cbd0881df0965b48d729da011fbae19a9e3c79b0a6fd4cddc791ec42ebb323538cd8e8c8352f8631352cf9fc04b7dc850a1

Download Submit
C:\Windows\System\cqdqSUo.exe

Filesize
1.9MB

MD5
a0803f21a86dc18d9897ad74108661d2

SHA1
06fcb5701a6babb17ca0c606662c082d7264216c

SHA256
f54c708d20762a226d1122747a4bb1b67f1959e903566a49cf6d40b037994a43

SHA512
f72da13a17352909d7286e6ef7ceff01bceda6c5db233712a1962c365302d9a41e58a1e2029680307c71bf6f6bd3745b7921e5b81cfb77f1b133f63136b5caa4

Download Submit
C:\Windows\System\gjBrIfH.exe

Filesize
1.9MB

MD5
4ada4b171936bbc9290559c8a97babdc

SHA1
aede2571cd75d4d27c9d727c3bc86ef09a9a5d7b

SHA256
f4065b6f98a4d643d9e503d2d064f328299902fd3bc0bf41f3ee8de1a3e69a9d

SHA512
c94a412dd07fee7a8f1cfc8674a64b8c47d60b99201a220bf9653a228a3e432ff250e05b7e80665d55a1b7f893a9131d826eb82cd593ff4de7f8f3fb30163b98

Download Submit
C:\Windows\System\hhdNQbg.exe

Filesize
1.9MB

MD5
1dd4deb3cf506612e31608166043f0c7

SHA1
947a777a01fad6cf6f29bdeef28b0fa52bc9185c

SHA256
0955f6482f98380591c90beb1e91d708dec64a6478e00e5a841c1a9afabb10f2

SHA512
6bb8b84f1fc80d2f758a54c355514466543e95144fac21573ff0335fb72f8346d86ce2299805cd78d0f8b2d4bc24b636f2b12d322da1a0e85d100c65449a643b

Download Submit
C:\Windows\System\iCkTBVu.exe

Filesize
1.9MB

MD5
89de1fbb72e22918647af5acddb4a876

SHA1
e0e65e447fb63eee35b31154cbeba69a1b200d1f

SHA256
f3304394092e6ed4c87903d13a6ed078a17ade969427de2c0f49745adca1def6

SHA512
a7bf9e6ec223d5d8e8c7c09d2a6b5f15ca1ba8b963847455b0bba39b814732613a1d45529c55dc6eb4884d8cb329dfd5cfa3d12571f746958c5bea154442d057

Download Submit
C:\Windows\System\kbZoSEt.exe

Filesize
1.9MB

MD5
85d9be44e2e668baa94714f1ee4e5063

SHA1
2a49dd4cc6a41905b3829cfbdb1ed4569b4664a0

SHA256
935108f61e57a64d0c3865a6bd9ec3118721e4fb6ebfe3c11c333a576152a156

SHA512
dc2f8daab3ff3dd0a096765d96bead8e047834717a2d9056966f4d5fe2839396a6632800b4d9178354b0bb084e7e345cc28fe56fe7f1a1323a24f08cb63bad94

Download Submit
C:\Windows\System\kfVwMhF.exe

Filesize
1.9MB

MD5
e0839811e9f5df912dbeae139af7b2a1

SHA1
659b74160b19ce69faec8601d8e460f7d4952945

SHA256
93f1c06d3c19d76bd6dbb0857df17e5fe50e02e42a99bc71e5ee2d29e0091f39

SHA512
d29cecc3a4f454966019a37957104c65fc23797498380fb70604b4679c73ca43cf6f0d0d99b496759db34097c7778764f9a4dfb9cb492cdb3fa76d454ec9bb95

Download Submit
C:\Windows\System\mQnqOuI.exe

Filesize
1.9MB

MD5
2e136c53cbc11672caec722933f2d1a7

SHA1
84b23269e852c2d52961eb5c65cad48611e743fc

SHA256
7c3105077f17d19329b578c5733abd98c79e2bd7cfbd0bbd325d4da19bd520a8

SHA512
61f9f868c7d026d9bd86b417d45cd8ea9738b32199bbe53916ebcc58c3b038604839df697e51bfa5f002998899c60b9c1f655f4bfdc9f35648d1050dce6aedef

Download Submit
C:\Windows\System\mZdLpdL.exe

Filesize
1.9MB

MD5
44bc574950e2538fd0b1e7942fab888d

SHA1
cef7d4d0c36633c0aee2e8ce48f34e26753cb2ad

SHA256
99c0263acdd0d3971febf9b203e5806789894e5be3ab551d0bf92a82e61058b3

SHA512
baa2a6777d608c9150e66d841435b1ab4384e83085364eb8cb604656a8c674c2a215f9d51ec90a0fc91ce7c5f666ba56db149832caab2b49c86707a1afb09ec5

Download Submit
C:\Windows\System\mlGVEIJ.exe

Filesize
1.9MB

MD5
b413cceb36624825c5749b91cc4bcca4

SHA1
689b753aa601621dfb517854fb6077d21f27a499

SHA256
a2c486be6d95fc58bb04642854eba4fbd5d3d9fb6265717740f830145581ac56

SHA512
89e284a56c2d4ac6cc9c3787906fe2ea6b9c28a2a987e1f233ed994d1c54e30179e2a02c52d4f69c74184fcc9cfb64feaa85b3520cb4bf9536d1804daa7c2c7c

Download Submit
C:\Windows\System\qxMFBNy.exe

Filesize
1.9MB

MD5
ad5511eae63e27c8ac7e5a36ad9c07e5

SHA1
1d6dd635de58f262acd31bd9c45f9e6758177d28

SHA256
697787df23dc2e67a3476b7feb41c448133cd8692a04e4caa3048e7747c75390

SHA512
9c3c49eea349f4871b95eb8788338e57cc934b337b486cb65903e596b0a23553159a63959c25ed17fc15bcc257f5628e1586dd453c3a4fd81e005850cc97ea24

Download Submit
C:\Windows\System\rJvkpso.exe

Filesize
1.9MB

MD5
3a6aa0c20c42ee82e90bcf5570776daa

SHA1
c650fed3fd6d39545e95d7074a880d4f2165fbf2

SHA256
4502357f0ac1357ccede7ccb0717dc51c8c7b479e0bf07ab2c78e7dc4369cb91

SHA512
a954d3261d74565b9986e2864b68597497466aa97a0bdb83abf43a86a4c7f18f56d06d3d86b13e8662dc01784a16a5bb26f469be276eced62614ffc04c44c89f

Download Submit
C:\Windows\System\sTQqzSu.exe

Filesize
1.9MB

MD5
b016edecfb24a3422eecf282e095d394

SHA1
ae585c1a713f1d3595f083b183bc2e4e8f235c83

SHA256
228b99a70155210878645c668c78cbce6d3cdbbe2e687bdb41ed091a07b2b2e0

SHA512
837bf1c52b3b797e3befb4fcfae6b3f171a5de792ff17a15b779a3af3e3813ba299d2a6b3108edce5909d7e636fbfd4bc29ebca5e61a64ba3e45260c1239dca2

Download Submit
C:\Windows\System\tqkJMwe.exe

Filesize
1.9MB

MD5
75e453e3c963a777d3ee7015e6a4b9de

SHA1
9f2d801099f0ca0624d680cb9015e607df434c59

SHA256
7bdf45070726eb5fc3994d17fae120a8099d918907975cde17d2a0f201ba65c2

SHA512
34ff59e482ccc83c379b21afff1ee571624b93ebe9a6896d016e93fed1f3d0494c86e8b74e589e125c7816b6d1aa583e8d8f5df79110c3fd2adeededa08e8229

Download Submit
C:\Windows\System\wRjejii.exe

Filesize
1.9MB

MD5
8c9078553ea6e07d2eb7b7f4b99b1030

SHA1
7102574e806c9784b8ea920afe0880f169bf1765

SHA256
ab3ed6cfa4f0f6b5e45b551967d588cfacafbd0d10e516903acd23b8eed7200b

SHA512
5d9720ca8f97235243d9c74dffd097b7a5a09b53a908f03375240c5027fd3f46a6a2b385077c74b4a64dd4ceae8b6dd293f78bedf9ccdd2a6dd42ea0235cf3af

Download Submit
C:\Windows\System\xtVEyxR.exe

Filesize
1.9MB

MD5
105d87b7be8443c7a0cb06ae01786c27

SHA1
95e46f860995c79729942aebe5b08647d02a507c

SHA256
25993844aa069a4e1fb7d85b157a4fa39618ef7507bd7839fa976d48b901909c

SHA512
42abda7f3893835d255d2d42c497cbde89c492c145735ec73e07520fdfd71d56cf4227184814e5f08264e3fdc16a86842cd0fc6cf7b8b544c06db06227abafc5

Download Submit
C:\Windows\System\zGWDEBI.exe

Filesize
1.9MB

MD5
9319b0b957c745ceb9ed3757ccd7f6ea

SHA1
d90a8d5ced55898bed41fe57e97c7474736c253c

SHA256
4d61698265149bdadb62195a8fa4cdcee99ee904f758fac17505a188d510b5f3

SHA512
0db67823d4cf6900160f9fcf9edc3a1dad5b0a6f005d44ad2da4fd3814df5d1f8bc0f1c72cd5d009ca266a76fbd3aa7c0688d48bae0224067c7aafcebd927584

Download Submit
C:\Windows\System\zhlJiAG.exe

Filesize
1.9MB

MD5
e778f74fb0761130f39b9d492f12b2c9

SHA1
6f028a225cb8177d02d60370115d487cfff449a0

SHA256
c17e661e7f206aa5a293dba2b7ed3ea2db90e9bd1f1c2aaf2f1307c86e4ee5e7

SHA512
42d1458186a137cab92807256b994f5050594427597512fde2b972107911e68537caf38943fe346355a2d9746fa98bd1ac5db8b72a14254ad729601449acaf88

Download Submit
memory/116-398-0x00007FF6B90F0000-0x00007FF6B9444000-memory.dmp

Filesize
3.3MB

Download
memory/228-86-0x00007FF64E9B0000-0x00007FF64ED04000-memory.dmp

Filesize
3.3MB

Download
memory/412-332-0x00007FF675100000-0x00007FF675454000-memory.dmp

Filesize
3.3MB

Download
memory/624-224-0x00007FF65E280000-0x00007FF65E5D4000-memory.dmp

Filesize
3.3MB

Download
memory/744-326-0x00007FF7125E0000-0x00007FF712934000-memory.dmp

Filesize
3.3MB

Download
memory/792-128-0x00007FF6FF010000-0x00007FF6FF364000-memory.dmp

Filesize
3.3MB

Download
memory/1136-237-0x00007FF7B6880000-0x00007FF7B6BD4000-memory.dmp

Filesize
3.3MB

Download
memory/1216-352-0x00007FF6C0980000-0x00007FF6C0CD4000-memory.dmp

Filesize
3.3MB

Download
memory/1272-211-0x00007FF6C61C0000-0x00007FF6C6514000-memory.dmp

Filesize
3.3MB

Download
memory/1384-316-0x00007FF690830000-0x00007FF690B84000-memory.dmp

Filesize
3.3MB

Download
memory/1428-153-0x00007FF6A0F30000-0x00007FF6A1284000-memory.dmp

Filesize
3.3MB

Download
memory/1792-22-0x00007FF791250000-0x00007FF7915A4000-memory.dmp

Filesize
3.3MB

Download
memory/1912-246-0x00007FF743CE0000-0x00007FF744034000-memory.dmp

Filesize
3.3MB

Download
memory/1960-253-0x00007FF75E710000-0x00007FF75EA64000-memory.dmp

Filesize
3.3MB

Download
memory/2120-293-0x00007FF67A030000-0x00007FF67A384000-memory.dmp

Filesize
3.3MB

Download
memory/2208-62-0x00007FF608080000-0x00007FF6083D4000-memory.dmp

Filesize
3.3MB

Download
memory/2456-45-0x00007FF7FB5D0000-0x00007FF7FB924000-memory.dmp

Filesize
3.3MB

Download
memory/2472-257-0x00007FF7976A0000-0x00007FF7979F4000-memory.dmp

Filesize
3.3MB

Download
memory/2484-307-0x00007FF682FC0000-0x00007FF683314000-memory.dmp

Filesize
3.3MB

Download
memory/2728-80-0x00007FF69D410000-0x00007FF69D764000-memory.dmp

Filesize
3.3MB

Download
memory/2848-30-0x00007FF68E360000-0x00007FF68E6B4000-memory.dmp

Filesize
3.3MB

Download
memory/2896-303-0x00007FF64D500000-0x00007FF64D854000-memory.dmp

Filesize
3.3MB

Download
memory/2920-216-0x00007FF6341C0000-0x00007FF634514000-memory.dmp

Filesize
3.3MB

Download
memory/3320-368-0x00007FF60F020000-0x00007FF60F374000-memory.dmp

Filesize
3.3MB

Download
memory/3328-286-0x00007FF60F290000-0x00007FF60F5E4000-memory.dmp

Filesize
3.3MB

Download
memory/3552-388-0x00007FF727DE0000-0x00007FF728134000-memory.dmp

Filesize
3.3MB

Download
memory/3560-382-0x00007FF690C80000-0x00007FF690FD4000-memory.dmp

Filesize
3.3MB

Download
memory/3616-17-0x00007FF78FEF0000-0x00007FF790244000-memory.dmp

Filesize
3.3MB

Download
memory/3868-115-0x00007FF6D46B0000-0x00007FF6D4A04000-memory.dmp

Filesize
3.3MB

Download
memory/3880-57-0x00007FF67E090000-0x00007FF67E3E4000-memory.dmp

Filesize
3.3MB

Download
memory/3900-358-0x00007FF635180000-0x00007FF6354D4000-memory.dmp

Filesize
3.3MB

Download
memory/3992-109-0x00007FF762E70000-0x00007FF7631C4000-memory.dmp

Filesize
3.3MB

Download
memory/4020-11-0x00007FF724450000-0x00007FF7247A4000-memory.dmp

Filesize
3.3MB

Download
memory/4172-99-0x00007FF745760000-0x00007FF745AB4000-memory.dmp

Filesize
3.3MB

Download
memory/4196-366-0x00007FF7634A0000-0x00007FF7637F4000-memory.dmp

Filesize
3.3MB

Download
memory/4248-312-0x00007FF657F40000-0x00007FF658294000-memory.dmp

Filesize
3.3MB

Download
memory/4440-145-0x00007FF7C8760000-0x00007FF7C8AB4000-memory.dmp

Filesize
3.3MB

Download
memory/4540-297-0x00007FF79D730000-0x00007FF79DA84000-memory.dmp

Filesize
3.3MB

Download
memory/4556-250-0x00007FF75DB40000-0x00007FF75DE94000-memory.dmp

Filesize
3.3MB

Download
memory/4564-48-0x00007FF612A70000-0x00007FF612DC4000-memory.dmp

Filesize
3.3MB

Download
memory/4584-229-0x00007FF695320000-0x00007FF695674000-memory.dmp

Filesize
3.3MB

Download
memory/4596-181-0x00007FF616630000-0x00007FF616984000-memory.dmp

Filesize
3.3MB

Download
memory/4616-278-0x00007FF6D6FD0000-0x00007FF6D7324000-memory.dmp

Filesize
3.3MB

Download
memory/4692-320-0x00007FF710DA0000-0x00007FF7110F4000-memory.dmp

Filesize
3.3MB

Download
memory/4796-346-0x00007FF6D6B90000-0x00007FF6D6EE4000-memory.dmp

Filesize
3.3MB

Download
memory/4872-281-0x00007FF6F7870000-0x00007FF6F7BC4000-memory.dmp

Filesize
3.3MB

Download
memory/4928-66-0x00007FF79A0C0000-0x00007FF79A414000-memory.dmp

Filesize
3.3MB

Download
memory/4960-289-0x00007FF7B38D0000-0x00007FF7B3C24000-memory.dmp

Filesize
3.3MB

Download
memory/4980-198-0x00007FF75C880000-0x00007FF75CBD4000-memory.dmp

Filesize
3.3MB

Download
memory/4984-0-0x00007FF695D60000-0x00007FF6960B4000-memory.dmp

Filesize
3.3MB

Download
memory/4984-1-0x0000021128D60000-0x0000021128D70000-memory.dmp

Filesize
64KB

Download
memory/5040-269-0x00007FF665D60000-0x00007FF6660B4000-memory.dmp

Filesize
3.3MB

Download
memory/5100-323-0x00007FF7D1490000-0x00007FF7D17E4000-memory.dmp

Filesize
3.3MB

Download
memory/5328-409-0x00007FF768660000-0x00007FF7689B4000-memory.dmp

Filesize
3.3MB

Download
memory/5364-415-0x00007FF6E4A50000-0x00007FF6E4DA4000-memory.dmp

Filesize
3.3MB

Download
memory/5380-422-0x00007FF79CC40000-0x00007FF79CF94000-memory.dmp

Filesize
3.3MB

Download
memory/5416-431-0x00007FF6DBE00000-0x00007FF6DC154000-memory.dmp

Filesize
3.3MB

Download
memory/5536-440-0x00007FF641BD0000-0x00007FF641F24000-memory.dmp

Filesize
3.3MB

Download
memory/5552-443-0x00007FF68BB70000-0x00007FF68BEC4000-memory.dmp

Filesize
3.3MB

Download
memory/5572-451-0x00007FF710E70000-0x00007FF7111C4000-memory.dmp

Filesize
3.3MB

Download
memory/5588-463-0x00007FF793B80000-0x00007FF793ED4000-memory.dmp

Filesize
3.3MB

Download
memory/5612-462-0x00007FF783200000-0x00007FF783554000-memory.dmp

Filesize
3.3MB

Download
memory/5636-475-0x00007FF7266D0000-0x00007FF726A24000-memory.dmp

Filesize
3.3MB

Download
memory/5692-483-0x00007FF64FE80000-0x00007FF6501D4000-memory.dmp

Filesize
3.3MB

Download
memory/5716-488-0x00007FF63FE30000-0x00007FF640184000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads