xmrig | 27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
Size

1.9MB
MD5

de249e1601ce02b9d7f71d62ca7cab8c
SHA1

5e832ec576997bc62af2f489b988f5e1a6b8f622
SHA256

27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05
SHA512

9d81b75b0c8e08e8be72ca5f119e3cbbbafb2497e1ca88cbec731c1565caa0d20a4666144cd0659953071ae6aef143a9e28b87534c5773592773cdac4479be3b
SSDEEP

49152:ROdWCCi7/raU56uL3pgrCEd2hXe/s7HvoHGAL:RWWBib356utgF

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/4532-0-0x00007FF72B2C0000-0x00007FF72B611000-memory.dmp	UPX
behavioral2/files/0x000700000002340c-5.dat	UPX
behavioral2/files/0x000700000002340e-7.dat	UPX
behavioral2/memory/2316-15-0x00007FF702480000-0x00007FF7027D1000-memory.dmp	UPX
behavioral2/memory/4000-21-0x00007FF6217B0000-0x00007FF621B01000-memory.dmp	UPX
behavioral2/files/0x000700000002340f-23.dat	UPX
behavioral2/files/0x0007000000023411-31.dat	UPX
behavioral2/files/0x0007000000023410-33.dat	UPX
behavioral2/memory/1516-40-0x00007FF7545F0000-0x00007FF754941000-memory.dmp	UPX
behavioral2/memory/2636-50-0x00007FF7FF630000-0x00007FF7FF981000-memory.dmp	UPX
behavioral2/files/0x0007000000023413-55.dat	UPX
behavioral2/memory/4856-62-0x00007FF69B010000-0x00007FF69B361000-memory.dmp	UPX
behavioral2/memory/3080-68-0x00007FF7B86A0000-0x00007FF7B89F1000-memory.dmp	UPX
behavioral2/memory/3004-71-0x00007FF773F30000-0x00007FF774281000-memory.dmp	UPX
behavioral2/memory/3196-74-0x00007FF67C110000-0x00007FF67C461000-memory.dmp	UPX
behavioral2/files/0x0007000000023416-72.dat	UPX
behavioral2/files/0x0008000000023408-65.dat	UPX
behavioral2/files/0x0007000000023415-63.dat	UPX
behavioral2/memory/1208-60-0x00007FF787F50000-0x00007FF7882A1000-memory.dmp	UPX
behavioral2/files/0x0007000000023414-54.dat	UPX
behavioral2/files/0x0007000000023412-44.dat	UPX
behavioral2/memory/968-43-0x00007FF69E570000-0x00007FF69E8C1000-memory.dmp	UPX
behavioral2/memory/1524-32-0x00007FF6674C0000-0x00007FF667811000-memory.dmp	UPX
behavioral2/memory/5012-27-0x00007FF730B10000-0x00007FF730E61000-memory.dmp	UPX
behavioral2/files/0x000700000002340d-12.dat	UPX
behavioral2/files/0x0007000000023417-77.dat	UPX
behavioral2/files/0x0007000000023418-83.dat	UPX
behavioral2/files/0x0007000000023419-89.dat	UPX
behavioral2/memory/572-92-0x00007FF7C7C50000-0x00007FF7C7FA1000-memory.dmp	UPX
behavioral2/files/0x000700000002341a-95.dat	UPX
behavioral2/files/0x000700000002341c-103.dat	UPX
behavioral2/files/0x000700000002341b-109.dat	UPX
behavioral2/memory/664-112-0x00007FF747360000-0x00007FF7476B1000-memory.dmp	UPX
behavioral2/files/0x0007000000023420-125.dat	UPX
behavioral2/memory/2560-133-0x00007FF7E5160000-0x00007FF7E54B1000-memory.dmp	UPX
behavioral2/memory/3448-135-0x00007FF67B170000-0x00007FF67B4C1000-memory.dmp	UPX
behavioral2/memory/3632-136-0x00007FF68BD00000-0x00007FF68C051000-memory.dmp	UPX
behavioral2/memory/3552-137-0x00007FF7427D0000-0x00007FF742B21000-memory.dmp	UPX
behavioral2/files/0x0007000000023421-139.dat	UPX
behavioral2/memory/3056-138-0x00007FF6D6790000-0x00007FF6D6AE1000-memory.dmp	UPX
behavioral2/memory/1748-134-0x00007FF6C0650000-0x00007FF6C09A1000-memory.dmp	UPX
behavioral2/memory/1976-130-0x00007FF632260000-0x00007FF6325B1000-memory.dmp	UPX
behavioral2/files/0x000700000002341f-122.dat	UPX
behavioral2/files/0x000700000002341d-115.dat	UPX
behavioral2/files/0x000700000002341e-114.dat	UPX
behavioral2/memory/4440-101-0x00007FF634B60000-0x00007FF634EB1000-memory.dmp	UPX
behavioral2/memory/3996-81-0x00007FF785080000-0x00007FF7853D1000-memory.dmp	UPX
behavioral2/files/0x0007000000023422-143.dat	UPX
behavioral2/memory/4532-145-0x00007FF72B2C0000-0x00007FF72B611000-memory.dmp	UPX
behavioral2/files/0x0008000000023423-149.dat	UPX
behavioral2/files/0x0007000000023426-161.dat	UPX
behavioral2/files/0x0007000000023427-168.dat	UPX
behavioral2/files/0x0007000000023428-174.dat	UPX
behavioral2/files/0x000700000002342b-186.dat	UPX
behavioral2/files/0x0007000000023429-189.dat	UPX
behavioral2/files/0x000700000002342c-194.dat	UPX
behavioral2/files/0x000700000002342a-193.dat	UPX
behavioral2/memory/4856-204-0x00007FF69B010000-0x00007FF69B361000-memory.dmp	UPX
behavioral2/memory/3196-205-0x00007FF67C110000-0x00007FF67C461000-memory.dmp	UPX
behavioral2/memory/3996-206-0x00007FF785080000-0x00007FF7853D1000-memory.dmp	UPX
behavioral2/memory/1124-215-0x00007FF750310000-0x00007FF750661000-memory.dmp	UPX
behavioral2/memory/4416-216-0x00007FF609120000-0x00007FF609471000-memory.dmp	UPX
behavioral2/memory/460-218-0x00007FF7686D0000-0x00007FF768A21000-memory.dmp	UPX
behavioral2/memory/3912-219-0x00007FF64F9D0000-0x00007FF64FD21000-memory.dmp	UPX

XMRig Miner payload 61 IoCs

miner

resource	yara_rule
behavioral2/memory/1516-40-0x00007FF7545F0000-0x00007FF754941000-memory.dmp	xmrig
behavioral2/memory/2636-50-0x00007FF7FF630000-0x00007FF7FF981000-memory.dmp	xmrig
behavioral2/memory/3080-68-0x00007FF7B86A0000-0x00007FF7B89F1000-memory.dmp	xmrig
behavioral2/memory/3004-71-0x00007FF773F30000-0x00007FF774281000-memory.dmp	xmrig
behavioral2/memory/968-43-0x00007FF69E570000-0x00007FF69E8C1000-memory.dmp	xmrig
behavioral2/memory/1524-32-0x00007FF6674C0000-0x00007FF667811000-memory.dmp	xmrig
behavioral2/memory/5012-27-0x00007FF730B10000-0x00007FF730E61000-memory.dmp	xmrig
behavioral2/memory/572-92-0x00007FF7C7C50000-0x00007FF7C7FA1000-memory.dmp	xmrig
behavioral2/memory/2560-133-0x00007FF7E5160000-0x00007FF7E54B1000-memory.dmp	xmrig
behavioral2/memory/3448-135-0x00007FF67B170000-0x00007FF67B4C1000-memory.dmp	xmrig
behavioral2/memory/3632-136-0x00007FF68BD00000-0x00007FF68C051000-memory.dmp	xmrig
behavioral2/memory/3552-137-0x00007FF7427D0000-0x00007FF742B21000-memory.dmp	xmrig
behavioral2/memory/1748-134-0x00007FF6C0650000-0x00007FF6C09A1000-memory.dmp	xmrig
behavioral2/memory/1976-130-0x00007FF632260000-0x00007FF6325B1000-memory.dmp	xmrig
behavioral2/memory/4532-145-0x00007FF72B2C0000-0x00007FF72B611000-memory.dmp	xmrig
behavioral2/memory/4856-204-0x00007FF69B010000-0x00007FF69B361000-memory.dmp	xmrig
behavioral2/memory/3196-205-0x00007FF67C110000-0x00007FF67C461000-memory.dmp	xmrig
behavioral2/memory/3996-206-0x00007FF785080000-0x00007FF7853D1000-memory.dmp	xmrig
behavioral2/memory/1124-215-0x00007FF750310000-0x00007FF750661000-memory.dmp	xmrig
behavioral2/memory/4416-216-0x00007FF609120000-0x00007FF609471000-memory.dmp	xmrig
behavioral2/memory/460-218-0x00007FF7686D0000-0x00007FF768A21000-memory.dmp	xmrig
behavioral2/memory/3912-219-0x00007FF64F9D0000-0x00007FF64FD21000-memory.dmp	xmrig
behavioral2/memory/2404-221-0x00007FF6CB180000-0x00007FF6CB4D1000-memory.dmp	xmrig
behavioral2/memory/3792-225-0x00007FF6B4AD0000-0x00007FF6B4E21000-memory.dmp	xmrig
behavioral2/memory/1028-226-0x00007FF7B2FF0000-0x00007FF7B3341000-memory.dmp	xmrig
behavioral2/memory/4508-241-0x00007FF7618C0000-0x00007FF761C11000-memory.dmp	xmrig
behavioral2/memory/1444-254-0x00007FF635850000-0x00007FF635BA1000-memory.dmp	xmrig
behavioral2/memory/1008-267-0x00007FF738B50000-0x00007FF738EA1000-memory.dmp	xmrig
behavioral2/memory/3692-271-0x00007FF6A9A70000-0x00007FF6A9DC1000-memory.dmp	xmrig
behavioral2/memory/4132-272-0x00007FF703EE0000-0x00007FF704231000-memory.dmp	xmrig
behavioral2/memory/2660-336-0x00007FF7B3E70000-0x00007FF7B41C1000-memory.dmp	xmrig
behavioral2/memory/1664-343-0x00007FF7A3A90000-0x00007FF7A3DE1000-memory.dmp	xmrig
behavioral2/memory/5024-349-0x00007FF610A80000-0x00007FF610DD1000-memory.dmp	xmrig
behavioral2/memory/3836-350-0x00007FF7C3AF0000-0x00007FF7C3E41000-memory.dmp	xmrig
behavioral2/memory/2064-361-0x00007FF6ACF40000-0x00007FF6AD291000-memory.dmp	xmrig
behavioral2/memory/5016-365-0x00007FF75D050000-0x00007FF75D3A1000-memory.dmp	xmrig
behavioral2/memory/3908-368-0x00007FF6CCFF0000-0x00007FF6CD341000-memory.dmp	xmrig
behavioral2/memory/2980-370-0x00007FF6817D0000-0x00007FF681B21000-memory.dmp	xmrig
behavioral2/memory/1004-372-0x00007FF603050000-0x00007FF6033A1000-memory.dmp	xmrig
behavioral2/memory/3976-369-0x00007FF635A10000-0x00007FF635D61000-memory.dmp	xmrig
behavioral2/memory/800-367-0x00007FF6E15C0000-0x00007FF6E1911000-memory.dmp	xmrig
behavioral2/memory/2008-366-0x00007FF7EE720000-0x00007FF7EEA71000-memory.dmp	xmrig
behavioral2/memory/1968-364-0x00007FF79B4E0000-0x00007FF79B831000-memory.dmp	xmrig
behavioral2/memory/2396-363-0x00007FF7F48E0000-0x00007FF7F4C31000-memory.dmp	xmrig
behavioral2/memory/4464-362-0x00007FF7CD2C0000-0x00007FF7CD611000-memory.dmp	xmrig
behavioral2/memory/1388-357-0x00007FF60D760000-0x00007FF60DAB1000-memory.dmp	xmrig
behavioral2/memory/4360-351-0x00007FF6F0CB0000-0x00007FF6F1001000-memory.dmp	xmrig
behavioral2/memory/1176-348-0x00007FF7B3690000-0x00007FF7B39E1000-memory.dmp	xmrig
behavioral2/memory/1752-273-0x00007FF7F1F10000-0x00007FF7F2261000-memory.dmp	xmrig
behavioral2/memory/1760-246-0x00007FF71E650000-0x00007FF71E9A1000-memory.dmp	xmrig
behavioral2/memory/2864-244-0x00007FF641AA0000-0x00007FF641DF1000-memory.dmp	xmrig
behavioral2/memory/1180-238-0x00007FF67E650000-0x00007FF67E9A1000-memory.dmp	xmrig
behavioral2/memory/4620-234-0x00007FF653050000-0x00007FF6533A1000-memory.dmp	xmrig
behavioral2/memory/4944-222-0x00007FF78B240000-0x00007FF78B591000-memory.dmp	xmrig
behavioral2/memory/4956-220-0x00007FF62F070000-0x00007FF62F3C1000-memory.dmp	xmrig
behavioral2/memory/4924-217-0x00007FF656EC0000-0x00007FF657211000-memory.dmp	xmrig
behavioral2/memory/1208-188-0x00007FF787F50000-0x00007FF7882A1000-memory.dmp	xmrig
behavioral2/memory/2636-185-0x00007FF7FF630000-0x00007FF7FF981000-memory.dmp	xmrig
behavioral2/memory/1516-178-0x00007FF7545F0000-0x00007FF754941000-memory.dmp	xmrig
behavioral2/memory/4000-162-0x00007FF6217B0000-0x00007FF621B01000-memory.dmp	xmrig
behavioral2/memory/2316-151-0x00007FF702480000-0x00007FF7027D1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2316	isstImk.exe
5012	gimkgDE.exe
4000	Tbyjyme.exe
1524	dGWoXrx.exe
968	jDKmtJj.exe
1516	SsNVFvM.exe
2636	LREhGFR.exe
3080	TUNlOpn.exe
1208	MeZDsFg.exe
3004	vsFQPla.exe
4856	squiZkt.exe
3196	TNzNVHf.exe
3996	ewJEvUI.exe
572	nZSuGsx.exe
1976	EBLWhhM.exe
4440	JEXcrki.exe
2560	LCswqpr.exe
664	LpqkvpU.exe
1748	nAoVljw.exe
3448	ThGQAnU.exe
3552	LgDrsWr.exe
3632	YrJTdrf.exe
3056	kewKNdB.exe
1124	BGnonOD.exe
4416	vGOqKwz.exe
4924	zrVfCQD.exe
460	WMxxYZT.exe
3912	mnLMWcL.exe
4956	wFPUDIA.exe
2404	kdBfdsm.exe
4944	ronuAMq.exe
3792	ArgiuLi.exe
1028	goFwZpi.exe
4620	OxDoWFf.exe
1180	zNYOFkN.exe
4508	vHANAkC.exe
2864	DmpuJck.exe
1760	NlvmQcq.exe
1008	romZrhR.exe
3692	AKLdIzY.exe
1444	ynXCQBZ.exe
4132	lHtAuFa.exe
1752	YrhvPcy.exe
2660	SBnGYLB.exe
860	QvzNcpp.exe
4896	qEQWkzH.exe
3712	MdYGtPG.exe
1520	RczFoxH.exe
1112	KLaEqKR.exe
1796	bFcLspO.exe
1664	rLbjEMQ.exe
1176	jgjuvqO.exe
5024	VWaTvYP.exe
3836	TtkkeuG.exe
4360	BsLRBEq.exe
1388	rqqtniU.exe
2064	yHHosFo.exe
4464	KABLLrJ.exe
2396	evutUXz.exe
1968	wknCqKg.exe
5016	gpJcImh.exe
2008	FBMWaZZ.exe
800	lmyMuHU.exe
3908	EPffEIh.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4532-0-0x00007FF72B2C0000-0x00007FF72B611000-memory.dmp	upx
behavioral2/files/0x000700000002340c-5.dat	upx
behavioral2/files/0x000700000002340e-7.dat	upx
behavioral2/memory/2316-15-0x00007FF702480000-0x00007FF7027D1000-memory.dmp	upx
behavioral2/memory/4000-21-0x00007FF6217B0000-0x00007FF621B01000-memory.dmp	upx
behavioral2/files/0x000700000002340f-23.dat	upx
behavioral2/files/0x0007000000023411-31.dat	upx
behavioral2/files/0x0007000000023410-33.dat	upx
behavioral2/memory/1516-40-0x00007FF7545F0000-0x00007FF754941000-memory.dmp	upx
behavioral2/memory/2636-50-0x00007FF7FF630000-0x00007FF7FF981000-memory.dmp	upx
behavioral2/files/0x0007000000023413-55.dat	upx
behavioral2/memory/4856-62-0x00007FF69B010000-0x00007FF69B361000-memory.dmp	upx
behavioral2/memory/3080-68-0x00007FF7B86A0000-0x00007FF7B89F1000-memory.dmp	upx
behavioral2/memory/3004-71-0x00007FF773F30000-0x00007FF774281000-memory.dmp	upx
behavioral2/memory/3196-74-0x00007FF67C110000-0x00007FF67C461000-memory.dmp	upx
behavioral2/files/0x0007000000023416-72.dat	upx
behavioral2/files/0x0008000000023408-65.dat	upx
behavioral2/files/0x0007000000023415-63.dat	upx
behavioral2/memory/1208-60-0x00007FF787F50000-0x00007FF7882A1000-memory.dmp	upx
behavioral2/files/0x0007000000023414-54.dat	upx
behavioral2/files/0x0007000000023412-44.dat	upx
behavioral2/memory/968-43-0x00007FF69E570000-0x00007FF69E8C1000-memory.dmp	upx
behavioral2/memory/1524-32-0x00007FF6674C0000-0x00007FF667811000-memory.dmp	upx
behavioral2/memory/5012-27-0x00007FF730B10000-0x00007FF730E61000-memory.dmp	upx
behavioral2/files/0x000700000002340d-12.dat	upx
behavioral2/files/0x0007000000023417-77.dat	upx
behavioral2/files/0x0007000000023418-83.dat	upx
behavioral2/files/0x0007000000023419-89.dat	upx
behavioral2/memory/572-92-0x00007FF7C7C50000-0x00007FF7C7FA1000-memory.dmp	upx
behavioral2/files/0x000700000002341a-95.dat	upx
behavioral2/files/0x000700000002341c-103.dat	upx
behavioral2/files/0x000700000002341b-109.dat	upx
behavioral2/memory/664-112-0x00007FF747360000-0x00007FF7476B1000-memory.dmp	upx
behavioral2/files/0x0007000000023420-125.dat	upx
behavioral2/memory/2560-133-0x00007FF7E5160000-0x00007FF7E54B1000-memory.dmp	upx
behavioral2/memory/3448-135-0x00007FF67B170000-0x00007FF67B4C1000-memory.dmp	upx
behavioral2/memory/3632-136-0x00007FF68BD00000-0x00007FF68C051000-memory.dmp	upx
behavioral2/memory/3552-137-0x00007FF7427D0000-0x00007FF742B21000-memory.dmp	upx
behavioral2/files/0x0007000000023421-139.dat	upx
behavioral2/memory/3056-138-0x00007FF6D6790000-0x00007FF6D6AE1000-memory.dmp	upx
behavioral2/memory/1748-134-0x00007FF6C0650000-0x00007FF6C09A1000-memory.dmp	upx
behavioral2/memory/1976-130-0x00007FF632260000-0x00007FF6325B1000-memory.dmp	upx
behavioral2/files/0x000700000002341f-122.dat	upx
behavioral2/files/0x000700000002341d-115.dat	upx
behavioral2/files/0x000700000002341e-114.dat	upx
behavioral2/memory/4440-101-0x00007FF634B60000-0x00007FF634EB1000-memory.dmp	upx
behavioral2/memory/3996-81-0x00007FF785080000-0x00007FF7853D1000-memory.dmp	upx
behavioral2/files/0x0007000000023422-143.dat	upx
behavioral2/memory/4532-145-0x00007FF72B2C0000-0x00007FF72B611000-memory.dmp	upx
behavioral2/files/0x0008000000023423-149.dat	upx
behavioral2/files/0x0007000000023426-161.dat	upx
behavioral2/files/0x0007000000023427-168.dat	upx
behavioral2/files/0x0007000000023428-174.dat	upx
behavioral2/files/0x000700000002342b-186.dat	upx
behavioral2/files/0x0007000000023429-189.dat	upx
behavioral2/files/0x000700000002342c-194.dat	upx
behavioral2/files/0x000700000002342a-193.dat	upx
behavioral2/memory/4856-204-0x00007FF69B010000-0x00007FF69B361000-memory.dmp	upx
behavioral2/memory/3196-205-0x00007FF67C110000-0x00007FF67C461000-memory.dmp	upx
behavioral2/memory/3996-206-0x00007FF785080000-0x00007FF7853D1000-memory.dmp	upx
behavioral2/memory/1124-215-0x00007FF750310000-0x00007FF750661000-memory.dmp	upx
behavioral2/memory/4416-216-0x00007FF609120000-0x00007FF609471000-memory.dmp	upx
behavioral2/memory/460-218-0x00007FF7686D0000-0x00007FF768A21000-memory.dmp	upx
behavioral2/memory/3912-219-0x00007FF64F9D0000-0x00007FF64FD21000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\FIfKIvl.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\rqqtniU.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\EVWUlaM.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\YDunnXW.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\dktUkpM.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\teEuDFF.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\JfgJnmD.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\tEZnUuE.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\PPVDNwv.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\GzuzDVm.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\MtwfpnL.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\mREraGW.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\wFPUDIA.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\abwWgJz.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\Fhkfxwl.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\SdGfpaw.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\UPiiuCM.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\VWaTvYP.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\ulJSpkE.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\lfelgvY.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\zDWzRiQ.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\kVzmhyO.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\DmQwbij.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\XkKVmZS.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\rWPqEJS.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\pbDwZfL.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\ArgiuLi.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\QHqngsP.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\cSPitwr.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\OjTmwiu.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\GmXnAId.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\sVzGNWE.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\HmCZAoH.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\LREhGFR.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\sLvebng.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\vbZLcBt.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\yVrdHHo.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\FRtvybF.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\iJmVkga.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\cuOGpDG.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\ICMLzlx.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\pXMvTKO.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\aZPUNKf.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\KVQHOaS.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\AKLdIzY.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\pqqQjNw.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\HeGLFDA.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\romZrhR.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\Dpybozj.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\YhBmrii.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\SBIEjPy.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\ajgzaaz.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\dmYbJDb.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\lPwaLEm.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\UVWghrd.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\PZvNEBj.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\TNzNVHf.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\GcXOCon.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\FDgxuyX.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\SYeJxgC.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\aCncifK.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\qfagqIL.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\SfdjScb.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
File created	C:\Windows\System\LxtvVuS.exe	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	11044	dwm.exe
Token: SeChangeNotifyPrivilege	11044	dwm.exe
Token: 33	11044	dwm.exe
Token: SeIncBasePriorityPrivilege	11044	dwm.exe
Token: SeShutdownPrivilege	11044	dwm.exe
Token: SeCreatePagefilePrivilege	11044	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 2316	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	86
PID 4532 wrote to memory of 2316	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	86
PID 4532 wrote to memory of 5012	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	87
PID 4532 wrote to memory of 5012	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	87
PID 4532 wrote to memory of 4000	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	88
PID 4532 wrote to memory of 4000	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	88
PID 4532 wrote to memory of 1524	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	89
PID 4532 wrote to memory of 1524	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	89
PID 4532 wrote to memory of 968	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	90
PID 4532 wrote to memory of 968	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	90
PID 4532 wrote to memory of 1516	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	91
PID 4532 wrote to memory of 1516	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	91
PID 4532 wrote to memory of 2636	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	92
PID 4532 wrote to memory of 2636	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	92
PID 4532 wrote to memory of 1208	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	93
PID 4532 wrote to memory of 1208	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	93
PID 4532 wrote to memory of 3080	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	94
PID 4532 wrote to memory of 3080	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	94
PID 4532 wrote to memory of 3004	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	95
PID 4532 wrote to memory of 3004	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	95
PID 4532 wrote to memory of 4856	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	96
PID 4532 wrote to memory of 4856	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	96
PID 4532 wrote to memory of 3196	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	97
PID 4532 wrote to memory of 3196	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	97
PID 4532 wrote to memory of 3996	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	98
PID 4532 wrote to memory of 3996	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	98
PID 4532 wrote to memory of 572	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	99
PID 4532 wrote to memory of 572	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	99
PID 4532 wrote to memory of 1976	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	100
PID 4532 wrote to memory of 1976	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	100
PID 4532 wrote to memory of 4440	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	101
PID 4532 wrote to memory of 4440	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	101
PID 4532 wrote to memory of 2560	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	102
PID 4532 wrote to memory of 2560	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	102
PID 4532 wrote to memory of 664	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	103
PID 4532 wrote to memory of 664	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	103
PID 4532 wrote to memory of 1748	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	104
PID 4532 wrote to memory of 1748	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	104
PID 4532 wrote to memory of 3448	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	105
PID 4532 wrote to memory of 3448	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	105
PID 4532 wrote to memory of 3552	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	106
PID 4532 wrote to memory of 3552	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	106
PID 4532 wrote to memory of 3632	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	107
PID 4532 wrote to memory of 3632	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	107
PID 4532 wrote to memory of 3056	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	108
PID 4532 wrote to memory of 3056	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	108
PID 4532 wrote to memory of 1124	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	109
PID 4532 wrote to memory of 1124	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	109
PID 4532 wrote to memory of 4416	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	110
PID 4532 wrote to memory of 4416	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	110
PID 4532 wrote to memory of 4924	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	111
PID 4532 wrote to memory of 4924	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	111
PID 4532 wrote to memory of 460	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	112
PID 4532 wrote to memory of 460	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	112
PID 4532 wrote to memory of 3912	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	113
PID 4532 wrote to memory of 3912	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	113
PID 4532 wrote to memory of 4956	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	114
PID 4532 wrote to memory of 4956	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	114
PID 4532 wrote to memory of 3792	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	115
PID 4532 wrote to memory of 3792	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	115
PID 4532 wrote to memory of 2404	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	116
PID 4532 wrote to memory of 2404	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	116
PID 4532 wrote to memory of 4944	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	117
PID 4532 wrote to memory of 4944	4532	27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe	117

C:\Users\Admin\AppData\Local\Temp\27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe
"C:\Users\Admin\AppData\Local\Temp\27045043dacf4041682eee0b2c3347972a4191bffec17ae750da58383bbcff05.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\System\isstImk.exe
  C:\Windows\System\isstImk.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\gimkgDE.exe
  C:\Windows\System\gimkgDE.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\Tbyjyme.exe
  C:\Windows\System\Tbyjyme.exe
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\System\dGWoXrx.exe
  C:\Windows\System\dGWoXrx.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\jDKmtJj.exe
  C:\Windows\System\jDKmtJj.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System\SsNVFvM.exe
  C:\Windows\System\SsNVFvM.exe
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\System\LREhGFR.exe
  C:\Windows\System\LREhGFR.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\MeZDsFg.exe
  C:\Windows\System\MeZDsFg.exe
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\System\TUNlOpn.exe
  C:\Windows\System\TUNlOpn.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System\vsFQPla.exe
  C:\Windows\System\vsFQPla.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\squiZkt.exe
  C:\Windows\System\squiZkt.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System\TNzNVHf.exe
  C:\Windows\System\TNzNVHf.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System\ewJEvUI.exe
  C:\Windows\System\ewJEvUI.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\System\nZSuGsx.exe
  C:\Windows\System\nZSuGsx.exe
  2⤵
  - Executes dropped EXE
  PID:572
- C:\Windows\System\EBLWhhM.exe
  C:\Windows\System\EBLWhhM.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\JEXcrki.exe
  C:\Windows\System\JEXcrki.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System\LCswqpr.exe
  C:\Windows\System\LCswqpr.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System\LpqkvpU.exe
  C:\Windows\System\LpqkvpU.exe
  2⤵
  - Executes dropped EXE
  PID:664
- C:\Windows\System\nAoVljw.exe
  C:\Windows\System\nAoVljw.exe
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\System\ThGQAnU.exe
  C:\Windows\System\ThGQAnU.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System\LgDrsWr.exe
  C:\Windows\System\LgDrsWr.exe
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\System\YrJTdrf.exe
  C:\Windows\System\YrJTdrf.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System\kewKNdB.exe
  C:\Windows\System\kewKNdB.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System\BGnonOD.exe
  C:\Windows\System\BGnonOD.exe
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Windows\System\vGOqKwz.exe
  C:\Windows\System\vGOqKwz.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System\zrVfCQD.exe
  C:\Windows\System\zrVfCQD.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System\WMxxYZT.exe
  C:\Windows\System\WMxxYZT.exe
  2⤵
  - Executes dropped EXE
  PID:460
- C:\Windows\System\mnLMWcL.exe
  C:\Windows\System\mnLMWcL.exe
  2⤵
  - Executes dropped EXE
  PID:3912
- C:\Windows\System\wFPUDIA.exe
  C:\Windows\System\wFPUDIA.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System\ArgiuLi.exe
  C:\Windows\System\ArgiuLi.exe
  2⤵
  - Executes dropped EXE
  PID:3792
- C:\Windows\System\kdBfdsm.exe
  C:\Windows\System\kdBfdsm.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System\ronuAMq.exe
  C:\Windows\System\ronuAMq.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System\goFwZpi.exe
  C:\Windows\System\goFwZpi.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System\OxDoWFf.exe
  C:\Windows\System\OxDoWFf.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Windows\System\zNYOFkN.exe
  C:\Windows\System\zNYOFkN.exe
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\System\vHANAkC.exe
  C:\Windows\System\vHANAkC.exe
  2⤵
  - Executes dropped EXE
  PID:4508
- C:\Windows\System\DmpuJck.exe
  C:\Windows\System\DmpuJck.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System\NlvmQcq.exe
  C:\Windows\System\NlvmQcq.exe
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\System\romZrhR.exe
  C:\Windows\System\romZrhR.exe
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\System\AKLdIzY.exe
  C:\Windows\System\AKLdIzY.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System\ynXCQBZ.exe
  C:\Windows\System\ynXCQBZ.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System\lHtAuFa.exe
  C:\Windows\System\lHtAuFa.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System\YrhvPcy.exe
  C:\Windows\System\YrhvPcy.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\System\SBnGYLB.exe
  C:\Windows\System\SBnGYLB.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\QvzNcpp.exe
  C:\Windows\System\QvzNcpp.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System\qEQWkzH.exe
  C:\Windows\System\qEQWkzH.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System\MdYGtPG.exe
  C:\Windows\System\MdYGtPG.exe
  2⤵
  - Executes dropped EXE
  PID:3712
- C:\Windows\System\RczFoxH.exe
  C:\Windows\System\RczFoxH.exe
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\System\KLaEqKR.exe
  C:\Windows\System\KLaEqKR.exe
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Windows\System\bFcLspO.exe
  C:\Windows\System\bFcLspO.exe
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\System\rLbjEMQ.exe
  C:\Windows\System\rLbjEMQ.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\jgjuvqO.exe
  C:\Windows\System\jgjuvqO.exe
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\System\VWaTvYP.exe
  C:\Windows\System\VWaTvYP.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System\TtkkeuG.exe
  C:\Windows\System\TtkkeuG.exe
  2⤵
  - Executes dropped EXE
  PID:3836
- C:\Windows\System\BsLRBEq.exe
  C:\Windows\System\BsLRBEq.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System\rqqtniU.exe
  C:\Windows\System\rqqtniU.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System\yHHosFo.exe
  C:\Windows\System\yHHosFo.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\System\KABLLrJ.exe
  C:\Windows\System\KABLLrJ.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System\evutUXz.exe
  C:\Windows\System\evutUXz.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\wknCqKg.exe
  C:\Windows\System\wknCqKg.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System\gpJcImh.exe
  C:\Windows\System\gpJcImh.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System\FBMWaZZ.exe
  C:\Windows\System\FBMWaZZ.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System\lmyMuHU.exe
  C:\Windows\System\lmyMuHU.exe
  2⤵
  - Executes dropped EXE
  PID:800
- C:\Windows\System\EPffEIh.exe
  C:\Windows\System\EPffEIh.exe
  2⤵
  - Executes dropped EXE
  PID:3908
- C:\Windows\System\ZiqdZgF.exe
  C:\Windows\System\ZiqdZgF.exe
  2⤵
  PID:2472
- C:\Windows\System\iIVPcDl.exe
  C:\Windows\System\iIVPcDl.exe
  2⤵
  PID:3976
- C:\Windows\System\uGUDIrI.exe
  C:\Windows\System\uGUDIrI.exe
  2⤵
  PID:2980
- C:\Windows\System\FmrPegt.exe
  C:\Windows\System\FmrPegt.exe
  2⤵
  PID:1004
- C:\Windows\System\sAsnnFb.exe
  C:\Windows\System\sAsnnFb.exe
  2⤵
  PID:4524
- C:\Windows\System\KhoUQFS.exe
  C:\Windows\System\KhoUQFS.exe
  2⤵
  PID:4748
- C:\Windows\System\FpWuRXO.exe
  C:\Windows\System\FpWuRXO.exe
  2⤵
  PID:4572
- C:\Windows\System\nuhMGgH.exe
  C:\Windows\System\nuhMGgH.exe
  2⤵
  PID:1084
- C:\Windows\System\NXGPkQC.exe
  C:\Windows\System\NXGPkQC.exe
  2⤵
  PID:2740
- C:\Windows\System\RjZIqrQ.exe
  C:\Windows\System\RjZIqrQ.exe
  2⤵
  PID:1596
- C:\Windows\System\sTcpEIv.exe
  C:\Windows\System\sTcpEIv.exe
  2⤵
  PID:2332
- C:\Windows\System\SnKQQaY.exe
  C:\Windows\System\SnKQQaY.exe
  2⤵
  PID:1452
- C:\Windows\System\PSCKWqT.exe
  C:\Windows\System\PSCKWqT.exe
  2⤵
  PID:4768
- C:\Windows\System\WCGukeX.exe
  C:\Windows\System\WCGukeX.exe
  2⤵
  PID:2952
- C:\Windows\System\tvBLzdU.exe
  C:\Windows\System\tvBLzdU.exe
  2⤵
  PID:4424
- C:\Windows\System\vwixpvg.exe
  C:\Windows\System\vwixpvg.exe
  2⤵
  PID:4272
- C:\Windows\System\uMmjGoj.exe
  C:\Windows\System\uMmjGoj.exe
  2⤵
  PID:5064
- C:\Windows\System\zTVTsTu.exe
  C:\Windows\System\zTVTsTu.exe
  2⤵
  PID:2936
- C:\Windows\System\eRXHaHC.exe
  C:\Windows\System\eRXHaHC.exe
  2⤵
  PID:4364
- C:\Windows\System\EjeEfnl.exe
  C:\Windows\System\EjeEfnl.exe
  2⤵
  PID:3376
- C:\Windows\System\GAHjOWj.exe
  C:\Windows\System\GAHjOWj.exe
  2⤵
  PID:3464
- C:\Windows\System\QoRGyqg.exe
  C:\Windows\System\QoRGyqg.exe
  2⤵
  PID:4348
- C:\Windows\System\zSvjMsq.exe
  C:\Windows\System\zSvjMsq.exe
  2⤵
  PID:2300
- C:\Windows\System\CGjgPpZ.exe
  C:\Windows\System\CGjgPpZ.exe
  2⤵
  PID:4308
- C:\Windows\System\zRjkkRJ.exe
  C:\Windows\System\zRjkkRJ.exe
  2⤵
  PID:3192
- C:\Windows\System\VjdkjsX.exe
  C:\Windows\System\VjdkjsX.exe
  2⤵
  PID:4456
- C:\Windows\System\tqjFazn.exe
  C:\Windows\System\tqjFazn.exe
  2⤵
  PID:2184
- C:\Windows\System\GWrfJhL.exe
  C:\Windows\System\GWrfJhL.exe
  2⤵
  PID:5140
- C:\Windows\System\sLvebng.exe
  C:\Windows\System\sLvebng.exe
  2⤵
  PID:5192
- C:\Windows\System\kFSvkKo.exe
  C:\Windows\System\kFSvkKo.exe
  2⤵
  PID:5232
- C:\Windows\System\ZLXLtlA.exe
  C:\Windows\System\ZLXLtlA.exe
  2⤵
  PID:5252
- C:\Windows\System\WUHlqDI.exe
  C:\Windows\System\WUHlqDI.exe
  2⤵
  PID:5300
- C:\Windows\System\JAysGfX.exe
  C:\Windows\System\JAysGfX.exe
  2⤵
  PID:5324
- C:\Windows\System\PxiFGOc.exe
  C:\Windows\System\PxiFGOc.exe
  2⤵
  PID:5348
- C:\Windows\System\pqqQjNw.exe
  C:\Windows\System\pqqQjNw.exe
  2⤵
  PID:5368
- C:\Windows\System\FkQcaEZ.exe
  C:\Windows\System\FkQcaEZ.exe
  2⤵
  PID:5392
- C:\Windows\System\GYYWNuy.exe
  C:\Windows\System\GYYWNuy.exe
  2⤵
  PID:5412
- C:\Windows\System\voRtKhX.exe
  C:\Windows\System\voRtKhX.exe
  2⤵
  PID:5432
- C:\Windows\System\xjwUHvb.exe
  C:\Windows\System\xjwUHvb.exe
  2⤵
  PID:5448
- C:\Windows\System\GkjjOqZ.exe
  C:\Windows\System\GkjjOqZ.exe
  2⤵
  PID:5476
- C:\Windows\System\ICMLzlx.exe
  C:\Windows\System\ICMLzlx.exe
  2⤵
  PID:5544
- C:\Windows\System\QrzQPFO.exe
  C:\Windows\System\QrzQPFO.exe
  2⤵
  PID:5588
- C:\Windows\System\wVZxNGr.exe
  C:\Windows\System\wVZxNGr.exe
  2⤵
  PID:5608
- C:\Windows\System\QHqngsP.exe
  C:\Windows\System\QHqngsP.exe
  2⤵
  PID:5636
- C:\Windows\System\YRwlTXM.exe
  C:\Windows\System\YRwlTXM.exe
  2⤵
  PID:5656
- C:\Windows\System\JdpVrem.exe
  C:\Windows\System\JdpVrem.exe
  2⤵
  PID:5696
- C:\Windows\System\mREraGW.exe
  C:\Windows\System\mREraGW.exe
  2⤵
  PID:5716
- C:\Windows\System\sdkQgCv.exe
  C:\Windows\System\sdkQgCv.exe
  2⤵
  PID:5740
- C:\Windows\System\DTHzBrZ.exe
  C:\Windows\System\DTHzBrZ.exe
  2⤵
  PID:5768
- C:\Windows\System\iqRYmqh.exe
  C:\Windows\System\iqRYmqh.exe
  2⤵
  PID:5788
- C:\Windows\System\ZraHhDu.exe
  C:\Windows\System\ZraHhDu.exe
  2⤵
  PID:5888
- C:\Windows\System\SPxrmdj.exe
  C:\Windows\System\SPxrmdj.exe
  2⤵
  PID:5940
- C:\Windows\System\eHXKLaR.exe
  C:\Windows\System\eHXKLaR.exe
  2⤵
  PID:5960
- C:\Windows\System\mAnDCHG.exe
  C:\Windows\System\mAnDCHG.exe
  2⤵
  PID:5984
- C:\Windows\System\dMbwRoE.exe
  C:\Windows\System\dMbwRoE.exe
  2⤵
  PID:6012
- C:\Windows\System\EBxCCha.exe
  C:\Windows\System\EBxCCha.exe
  2⤵
  PID:6032
- C:\Windows\System\KiZBzfT.exe
  C:\Windows\System\KiZBzfT.exe
  2⤵
  PID:6052
- C:\Windows\System\lwPTucP.exe
  C:\Windows\System\lwPTucP.exe
  2⤵
  PID:6096
- C:\Windows\System\GWKgIvV.exe
  C:\Windows\System\GWKgIvV.exe
  2⤵
  PID:6116
- C:\Windows\System\UzzvCEG.exe
  C:\Windows\System\UzzvCEG.exe
  2⤵
  PID:4336
- C:\Windows\System\vbZLcBt.exe
  C:\Windows\System\vbZLcBt.exe
  2⤵
  PID:1508
- C:\Windows\System\kjKJGtA.exe
  C:\Windows\System\kjKJGtA.exe
  2⤵
  PID:3980
- C:\Windows\System\XSvYGCO.exe
  C:\Windows\System\XSvYGCO.exe
  2⤵
  PID:5136
- C:\Windows\System\NnpxwBW.exe
  C:\Windows\System\NnpxwBW.exe
  2⤵
  PID:5272
- C:\Windows\System\cYWhQoq.exe
  C:\Windows\System\cYWhQoq.exe
  2⤵
  PID:5320
- C:\Windows\System\hDouoEv.exe
  C:\Windows\System\hDouoEv.exe
  2⤵
  PID:5380
- C:\Windows\System\iRtjyXP.exe
  C:\Windows\System\iRtjyXP.exe
  2⤵
  PID:5376
- C:\Windows\System\INJzfDw.exe
  C:\Windows\System\INJzfDw.exe
  2⤵
  PID:5404
- C:\Windows\System\QmhruJA.exe
  C:\Windows\System\QmhruJA.exe
  2⤵
  PID:5440
- C:\Windows\System\GiVIlUP.exe
  C:\Windows\System\GiVIlUP.exe
  2⤵
  PID:752
- C:\Windows\System\voxTyqe.exe
  C:\Windows\System\voxTyqe.exe
  2⤵
  PID:5632
- C:\Windows\System\tEZnUuE.exe
  C:\Windows\System\tEZnUuE.exe
  2⤵
  PID:5692
- C:\Windows\System\ghjBhtg.exe
  C:\Windows\System\ghjBhtg.exe
  2⤵
  PID:4860
- C:\Windows\System\WrczcQe.exe
  C:\Windows\System\WrczcQe.exe
  2⤵
  PID:5752
- C:\Windows\System\dhODMDq.exe
  C:\Windows\System\dhODMDq.exe
  2⤵
  PID:5784
- C:\Windows\System\RgNsNUb.exe
  C:\Windows\System\RgNsNUb.exe
  2⤵
  PID:5884
- C:\Windows\System\LKLqdUC.exe
  C:\Windows\System\LKLqdUC.exe
  2⤵
  PID:5904
- C:\Windows\System\sjIHtCA.exe
  C:\Windows\System\sjIHtCA.exe
  2⤵
  PID:5948
- C:\Windows\System\JVwcYHn.exe
  C:\Windows\System\JVwcYHn.exe
  2⤵
  PID:2296
- C:\Windows\System\DmQwbij.exe
  C:\Windows\System\DmQwbij.exe
  2⤵
  PID:6064
- C:\Windows\System\ByqHoUC.exe
  C:\Windows\System\ByqHoUC.exe
  2⤵
  PID:6084
- C:\Windows\System\pyqllMJ.exe
  C:\Windows\System\pyqllMJ.exe
  2⤵
  PID:3592
- C:\Windows\System\kXMoXiE.exe
  C:\Windows\System\kXMoXiE.exe
  2⤵
  PID:4520
- C:\Windows\System\GMWdgkc.exe
  C:\Windows\System\GMWdgkc.exe
  2⤵
  PID:5384
- C:\Windows\System\cmedQqs.exe
  C:\Windows\System\cmedQqs.exe
  2⤵
  PID:5388
- C:\Windows\System\EVWUlaM.exe
  C:\Windows\System\EVWUlaM.exe
  2⤵
  PID:5216
- C:\Windows\System\vaXslAN.exe
  C:\Windows\System\vaXslAN.exe
  2⤵
  PID:1576
- C:\Windows\System\SfdjScb.exe
  C:\Windows\System\SfdjScb.exe
  2⤵
  PID:5580
- C:\Windows\System\Dpybozj.exe
  C:\Windows\System\Dpybozj.exe
  2⤵
  PID:2912
- C:\Windows\System\JMJzTgf.exe
  C:\Windows\System\JMJzTgf.exe
  2⤵
  PID:5760
- C:\Windows\System\hWQPoox.exe
  C:\Windows\System\hWQPoox.exe
  2⤵
  PID:5936
- C:\Windows\System\GcXOCon.exe
  C:\Windows\System\GcXOCon.exe
  2⤵
  PID:6040
- C:\Windows\System\qInuDNF.exe
  C:\Windows\System\qInuDNF.exe
  2⤵
  PID:1612
- C:\Windows\System\fulYoLB.exe
  C:\Windows\System\fulYoLB.exe
  2⤵
  PID:4788
- C:\Windows\System\pwmjYLi.exe
  C:\Windows\System\pwmjYLi.exe
  2⤵
  PID:5344
- C:\Windows\System\EFfTAKH.exe
  C:\Windows\System\EFfTAKH.exe
  2⤵
  PID:5508
- C:\Windows\System\enQRUpj.exe
  C:\Windows\System\enQRUpj.exe
  2⤵
  PID:5968
- C:\Windows\System\FDgxuyX.exe
  C:\Windows\System\FDgxuyX.exe
  2⤵
  PID:5796
- C:\Windows\System\VsuhJRT.exe
  C:\Windows\System\VsuhJRT.exe
  2⤵
  PID:5156
- C:\Windows\System\KZEwWmc.exe
  C:\Windows\System\KZEwWmc.exe
  2⤵
  PID:6208
- C:\Windows\System\TvXBtst.exe
  C:\Windows\System\TvXBtst.exe
  2⤵
  PID:6264
- C:\Windows\System\BrAVpXc.exe
  C:\Windows\System\BrAVpXc.exe
  2⤵
  PID:6284
- C:\Windows\System\waYraXd.exe
  C:\Windows\System\waYraXd.exe
  2⤵
  PID:6332
- C:\Windows\System\nEOLpoO.exe
  C:\Windows\System\nEOLpoO.exe
  2⤵
  PID:6352
- C:\Windows\System\rEicdGl.exe
  C:\Windows\System\rEicdGl.exe
  2⤵
  PID:6372
- C:\Windows\System\ynoSHRb.exe
  C:\Windows\System\ynoSHRb.exe
  2⤵
  PID:6392
- C:\Windows\System\DMIajLd.exe
  C:\Windows\System\DMIajLd.exe
  2⤵
  PID:6412
- C:\Windows\System\XcaRTmE.exe
  C:\Windows\System\XcaRTmE.exe
  2⤵
  PID:6432
- C:\Windows\System\vvYqKRc.exe
  C:\Windows\System\vvYqKRc.exe
  2⤵
  PID:6500
- C:\Windows\System\YNjodSN.exe
  C:\Windows\System\YNjodSN.exe
  2⤵
  PID:6520
- C:\Windows\System\EdeRpKZ.exe
  C:\Windows\System\EdeRpKZ.exe
  2⤵
  PID:6536
- C:\Windows\System\BQPjcOs.exe
  C:\Windows\System\BQPjcOs.exe
  2⤵
  PID:6556
- C:\Windows\System\YCKDyCQ.exe
  C:\Windows\System\YCKDyCQ.exe
  2⤵
  PID:6604
- C:\Windows\System\XguTncF.exe
  C:\Windows\System\XguTncF.exe
  2⤵
  PID:6628
- C:\Windows\System\iMrSmCt.exe
  C:\Windows\System\iMrSmCt.exe
  2⤵
  PID:6692
- C:\Windows\System\mWQcqZG.exe
  C:\Windows\System\mWQcqZG.exe
  2⤵
  PID:6712
- C:\Windows\System\pGTLrvV.exe
  C:\Windows\System\pGTLrvV.exe
  2⤵
  PID:6728
- C:\Windows\System\gXSGYax.exe
  C:\Windows\System\gXSGYax.exe
  2⤵
  PID:6748
- C:\Windows\System\UckbDpJ.exe
  C:\Windows\System\UckbDpJ.exe
  2⤵
  PID:6804
- C:\Windows\System\DVDSOIE.exe
  C:\Windows\System\DVDSOIE.exe
  2⤵
  PID:6824
- C:\Windows\System\apgShSm.exe
  C:\Windows\System\apgShSm.exe
  2⤵
  PID:6844
- C:\Windows\System\WjQycqL.exe
  C:\Windows\System\WjQycqL.exe
  2⤵
  PID:6860
- C:\Windows\System\MaRdgJN.exe
  C:\Windows\System\MaRdgJN.exe
  2⤵
  PID:6876
- C:\Windows\System\kxAlgUu.exe
  C:\Windows\System\kxAlgUu.exe
  2⤵
  PID:6896
- C:\Windows\System\AiktUbz.exe
  C:\Windows\System\AiktUbz.exe
  2⤵
  PID:6920
- C:\Windows\System\JAycnTT.exe
  C:\Windows\System\JAycnTT.exe
  2⤵
  PID:6936
- C:\Windows\System\NCFJUrU.exe
  C:\Windows\System\NCFJUrU.exe
  2⤵
  PID:6984
- C:\Windows\System\fxqykqA.exe
  C:\Windows\System\fxqykqA.exe
  2⤵
  PID:7012
- C:\Windows\System\DNmeqea.exe
  C:\Windows\System\DNmeqea.exe
  2⤵
  PID:7056
- C:\Windows\System\PPVDNwv.exe
  C:\Windows\System\PPVDNwv.exe
  2⤵
  PID:7124
- C:\Windows\System\xnVtkjY.exe
  C:\Windows\System\xnVtkjY.exe
  2⤵
  PID:7144
- C:\Windows\System\IAMHGYW.exe
  C:\Windows\System\IAMHGYW.exe
  2⤵
  PID:5572
- C:\Windows\System\bbpxApW.exe
  C:\Windows\System\bbpxApW.exe
  2⤵
  PID:5824
- C:\Windows\System\PXforej.exe
  C:\Windows\System\PXforej.exe
  2⤵
  PID:6172
- C:\Windows\System\enhomup.exe
  C:\Windows\System\enhomup.exe
  2⤵
  PID:6196
- C:\Windows\System\gqXcLYr.exe
  C:\Windows\System\gqXcLYr.exe
  2⤵
  PID:6296
- C:\Windows\System\PHRJvIU.exe
  C:\Windows\System\PHRJvIU.exe
  2⤵
  PID:6324
- C:\Windows\System\dQrJjey.exe
  C:\Windows\System\dQrJjey.exe
  2⤵
  PID:6424
- C:\Windows\System\lFfHkCe.exe
  C:\Windows\System\lFfHkCe.exe
  2⤵
  PID:6472
- C:\Windows\System\TdtcRHG.exe
  C:\Windows\System\TdtcRHG.exe
  2⤵
  PID:6492
- C:\Windows\System\MoPREVH.exe
  C:\Windows\System\MoPREVH.exe
  2⤵
  PID:6640
- C:\Windows\System\UzbNIHs.exe
  C:\Windows\System\UzbNIHs.exe
  2⤵
  PID:6652
- C:\Windows\System\peMayvu.exe
  C:\Windows\System\peMayvu.exe
  2⤵
  PID:6708
- C:\Windows\System\VRJZusv.exe
  C:\Windows\System\VRJZusv.exe
  2⤵
  PID:6788
- C:\Windows\System\sjzXYKV.exe
  C:\Windows\System\sjzXYKV.exe
  2⤵
  PID:6868
- C:\Windows\System\xbeCPZe.exe
  C:\Windows\System\xbeCPZe.exe
  2⤵
  PID:6948
- C:\Windows\System\XjJgENc.exe
  C:\Windows\System\XjJgENc.exe
  2⤵
  PID:6912
- C:\Windows\System\zhfycXn.exe
  C:\Windows\System\zhfycXn.exe
  2⤵
  PID:7076
- C:\Windows\System\cSoCnxr.exe
  C:\Windows\System\cSoCnxr.exe
  2⤵
  PID:7116
- C:\Windows\System\YCMImHb.exe
  C:\Windows\System\YCMImHb.exe
  2⤵
  PID:3316
- C:\Windows\System\aOZKois.exe
  C:\Windows\System\aOZKois.exe
  2⤵
  PID:7132
- C:\Windows\System\QXeImPW.exe
  C:\Windows\System\QXeImPW.exe
  2⤵
  PID:6164
- C:\Windows\System\DoVCWPb.exe
  C:\Windows\System\DoVCWPb.exe
  2⤵
  PID:5200
- C:\Windows\System\LffKEzV.exe
  C:\Windows\System\LffKEzV.exe
  2⤵
  PID:6584
- C:\Windows\System\lHFsSon.exe
  C:\Windows\System\lHFsSon.exe
  2⤵
  PID:892
- C:\Windows\System\CiBDlsV.exe
  C:\Windows\System\CiBDlsV.exe
  2⤵
  PID:7096
- C:\Windows\System\uidRbbn.exe
  C:\Windows\System\uidRbbn.exe
  2⤵
  PID:6236
- C:\Windows\System\MMBuiSV.exe
  C:\Windows\System\MMBuiSV.exe
  2⤵
  PID:6564
- C:\Windows\System\VeqxZvT.exe
  C:\Windows\System\VeqxZvT.exe
  2⤵
  PID:1980
- C:\Windows\System\PEeLHJE.exe
  C:\Windows\System\PEeLHJE.exe
  2⤵
  PID:7064
- C:\Windows\System\jCvGBaq.exe
  C:\Windows\System\jCvGBaq.exe
  2⤵
  PID:6240
- C:\Windows\System\WndjfmX.exe
  C:\Windows\System\WndjfmX.exe
  2⤵
  PID:6408
- C:\Windows\System\rhqMAZk.exe
  C:\Windows\System\rhqMAZk.exe
  2⤵
  PID:7052
- C:\Windows\System\EmiQoNF.exe
  C:\Windows\System\EmiQoNF.exe
  2⤵
  PID:6312
- C:\Windows\System\iQgyeda.exe
  C:\Windows\System\iQgyeda.exe
  2⤵
  PID:7180
- C:\Windows\System\TdcpDHo.exe
  C:\Windows\System\TdcpDHo.exe
  2⤵
  PID:7232
- C:\Windows\System\iFtjucp.exe
  C:\Windows\System\iFtjucp.exe
  2⤵
  PID:7252
- C:\Windows\System\teEuDFF.exe
  C:\Windows\System\teEuDFF.exe
  2⤵
  PID:7272
- C:\Windows\System\SmJZlmT.exe
  C:\Windows\System\SmJZlmT.exe
  2⤵
  PID:7292
- C:\Windows\System\yWdDgMG.exe
  C:\Windows\System\yWdDgMG.exe
  2⤵
  PID:7308
- C:\Windows\System\DNaNIrz.exe
  C:\Windows\System\DNaNIrz.exe
  2⤵
  PID:7332
- C:\Windows\System\CRfnnKU.exe
  C:\Windows\System\CRfnnKU.exe
  2⤵
  PID:7356
- C:\Windows\System\DczHhCi.exe
  C:\Windows\System\DczHhCi.exe
  2⤵
  PID:7372
- C:\Windows\System\zteoZMf.exe
  C:\Windows\System\zteoZMf.exe
  2⤵
  PID:7460
- C:\Windows\System\zoEEKkm.exe
  C:\Windows\System\zoEEKkm.exe
  2⤵
  PID:7556
- C:\Windows\System\owyAsHv.exe
  C:\Windows\System\owyAsHv.exe
  2⤵
  PID:7588
- C:\Windows\System\xRpDeLS.exe
  C:\Windows\System\xRpDeLS.exe
  2⤵
  PID:7608
- C:\Windows\System\SYeJxgC.exe
  C:\Windows\System\SYeJxgC.exe
  2⤵
  PID:7628
- C:\Windows\System\cHDbrJZ.exe
  C:\Windows\System\cHDbrJZ.exe
  2⤵
  PID:7652
- C:\Windows\System\qEANJzc.exe
  C:\Windows\System\qEANJzc.exe
  2⤵
  PID:7668
- C:\Windows\System\pmbHfsO.exe
  C:\Windows\System\pmbHfsO.exe
  2⤵
  PID:7696
- C:\Windows\System\aZvKYqg.exe
  C:\Windows\System\aZvKYqg.exe
  2⤵
  PID:7760
- C:\Windows\System\YDunnXW.exe
  C:\Windows\System\YDunnXW.exe
  2⤵
  PID:7796
- C:\Windows\System\EMgNROY.exe
  C:\Windows\System\EMgNROY.exe
  2⤵
  PID:7812
- C:\Windows\System\akxYUrN.exe
  C:\Windows\System\akxYUrN.exe
  2⤵
  PID:7836
- C:\Windows\System\dPcrPbP.exe
  C:\Windows\System\dPcrPbP.exe
  2⤵
  PID:7864
- C:\Windows\System\EcHCAYW.exe
  C:\Windows\System\EcHCAYW.exe
  2⤵
  PID:7884
- C:\Windows\System\UHjXkpu.exe
  C:\Windows\System\UHjXkpu.exe
  2⤵
  PID:7912
- C:\Windows\System\LvCxkVS.exe
  C:\Windows\System\LvCxkVS.exe
  2⤵
  PID:7972
- C:\Windows\System\FFKUWSE.exe
  C:\Windows\System\FFKUWSE.exe
  2⤵
  PID:8004
- C:\Windows\System\sJgqUiw.exe
  C:\Windows\System\sJgqUiw.exe
  2⤵
  PID:8024
- C:\Windows\System\cJHmsiH.exe
  C:\Windows\System\cJHmsiH.exe
  2⤵
  PID:8076
- C:\Windows\System\aqAQChc.exe
  C:\Windows\System\aqAQChc.exe
  2⤵
  PID:8100
- C:\Windows\System\fCKyBon.exe
  C:\Windows\System\fCKyBon.exe
  2⤵
  PID:8124
- C:\Windows\System\Dypmzbx.exe
  C:\Windows\System\Dypmzbx.exe
  2⤵
  PID:8140
- C:\Windows\System\niIsbyD.exe
  C:\Windows\System\niIsbyD.exe
  2⤵
  PID:8160
- C:\Windows\System\XMYFCIZ.exe
  C:\Windows\System\XMYFCIZ.exe
  2⤵
  PID:576
- C:\Windows\System\Lzxxwsm.exe
  C:\Windows\System\Lzxxwsm.exe
  2⤵
  PID:7260
- C:\Windows\System\lRHfvIv.exe
  C:\Windows\System\lRHfvIv.exe
  2⤵
  PID:7268
- C:\Windows\System\WXpgGtW.exe
  C:\Windows\System\WXpgGtW.exe
  2⤵
  PID:7364
- C:\Windows\System\CZZBcMs.exe
  C:\Windows\System\CZZBcMs.exe
  2⤵
  PID:7412
- C:\Windows\System\FMVhGPr.exe
  C:\Windows\System\FMVhGPr.exe
  2⤵
  PID:7452
- C:\Windows\System\mjHuMgo.exe
  C:\Windows\System\mjHuMgo.exe
  2⤵
  PID:7552
- C:\Windows\System\CCbUCLb.exe
  C:\Windows\System\CCbUCLb.exe
  2⤵
  PID:7616
- C:\Windows\System\YzWDHqh.exe
  C:\Windows\System\YzWDHqh.exe
  2⤵
  PID:7748
- C:\Windows\System\rLevppc.exe
  C:\Windows\System\rLevppc.exe
  2⤵
  PID:7824
- C:\Windows\System\KrexaMP.exe
  C:\Windows\System\KrexaMP.exe
  2⤵
  PID:7900
- C:\Windows\System\VviCEKs.exe
  C:\Windows\System\VviCEKs.exe
  2⤵
  PID:6892
- C:\Windows\System\bEULKea.exe
  C:\Windows\System\bEULKea.exe
  2⤵
  PID:7968
- C:\Windows\System\niNpxOo.exe
  C:\Windows\System\niNpxOo.exe
  2⤵
  PID:8148
- C:\Windows\System\NAhixbM.exe
  C:\Windows\System\NAhixbM.exe
  2⤵
  PID:8084
- C:\Windows\System\xVmsBkB.exe
  C:\Windows\System\xVmsBkB.exe
  2⤵
  PID:8132
- C:\Windows\System\drBJZMi.exe
  C:\Windows\System\drBJZMi.exe
  2⤵
  PID:8176
- C:\Windows\System\tqHEaad.exe
  C:\Windows\System\tqHEaad.exe
  2⤵
  PID:7248
- C:\Windows\System\uRswtNe.exe
  C:\Windows\System\uRswtNe.exe
  2⤵
  PID:7568
- C:\Windows\System\RMrgRdv.exe
  C:\Windows\System\RMrgRdv.exe
  2⤵
  PID:7820
- C:\Windows\System\HeiCmZH.exe
  C:\Windows\System\HeiCmZH.exe
  2⤵
  PID:7732
- C:\Windows\System\rQhzBGY.exe
  C:\Windows\System\rQhzBGY.exe
  2⤵
  PID:8088
- C:\Windows\System\mionoVr.exe
  C:\Windows\System\mionoVr.exe
  2⤵
  PID:3392
- C:\Windows\System\ajgzaaz.exe
  C:\Windows\System\ajgzaaz.exe
  2⤵
  PID:7392
- C:\Windows\System\QJfyvtq.exe
  C:\Windows\System\QJfyvtq.exe
  2⤵
  PID:8108
- C:\Windows\System\cFuYPGE.exe
  C:\Windows\System\cFuYPGE.exe
  2⤵
  PID:3768
- C:\Windows\System\abwWgJz.exe
  C:\Windows\System\abwWgJz.exe
  2⤵
  PID:8212
- C:\Windows\System\tUEKtbh.exe
  C:\Windows\System\tUEKtbh.exe
  2⤵
  PID:8232
- C:\Windows\System\EdkQYQQ.exe
  C:\Windows\System\EdkQYQQ.exe
  2⤵
  PID:8252
- C:\Windows\System\dktUkpM.exe
  C:\Windows\System\dktUkpM.exe
  2⤵
  PID:8280
- C:\Windows\System\vjROOBq.exe
  C:\Windows\System\vjROOBq.exe
  2⤵
  PID:8304
- C:\Windows\System\KCRpsCy.exe
  C:\Windows\System\KCRpsCy.exe
  2⤵
  PID:8352
- C:\Windows\System\gLNaSqj.exe
  C:\Windows\System\gLNaSqj.exe
  2⤵
  PID:8372
- C:\Windows\System\GzuzDVm.exe
  C:\Windows\System\GzuzDVm.exe
  2⤵
  PID:8396
- C:\Windows\System\RbbslDl.exe
  C:\Windows\System\RbbslDl.exe
  2⤵
  PID:8448
- C:\Windows\System\qVyYarx.exe
  C:\Windows\System\qVyYarx.exe
  2⤵
  PID:8484
- C:\Windows\System\JLFPSTU.exe
  C:\Windows\System\JLFPSTU.exe
  2⤵
  PID:8520
- C:\Windows\System\UKArpSd.exe
  C:\Windows\System\UKArpSd.exe
  2⤵
  PID:8536
- C:\Windows\System\arEwjvT.exe
  C:\Windows\System\arEwjvT.exe
  2⤵
  PID:8556
- C:\Windows\System\RpJWOHb.exe
  C:\Windows\System\RpJWOHb.exe
  2⤵
  PID:8580
- C:\Windows\System\iuiCtSY.exe
  C:\Windows\System\iuiCtSY.exe
  2⤵
  PID:8628
- C:\Windows\System\yVrdHHo.exe
  C:\Windows\System\yVrdHHo.exe
  2⤵
  PID:8672
- C:\Windows\System\JvsHeMP.exe
  C:\Windows\System\JvsHeMP.exe
  2⤵
  PID:8720
- C:\Windows\System\dmYbJDb.exe
  C:\Windows\System\dmYbJDb.exe
  2⤵
  PID:8736
- C:\Windows\System\GAdQbGj.exe
  C:\Windows\System\GAdQbGj.exe
  2⤵
  PID:8760
- C:\Windows\System\stZGmlg.exe
  C:\Windows\System\stZGmlg.exe
  2⤵
  PID:8780
- C:\Windows\System\tvHnRsK.exe
  C:\Windows\System\tvHnRsK.exe
  2⤵
  PID:8804
- C:\Windows\System\FmpsCGC.exe
  C:\Windows\System\FmpsCGC.exe
  2⤵
  PID:8824
- C:\Windows\System\MIdWMVP.exe
  C:\Windows\System\MIdWMVP.exe
  2⤵
  PID:8872
- C:\Windows\System\lPwaLEm.exe
  C:\Windows\System\lPwaLEm.exe
  2⤵
  PID:8908
- C:\Windows\System\UPBAxUV.exe
  C:\Windows\System\UPBAxUV.exe
  2⤵
  PID:8928
- C:\Windows\System\XzIeBsJ.exe
  C:\Windows\System\XzIeBsJ.exe
  2⤵
  PID:8948
- C:\Windows\System\muqiZVq.exe
  C:\Windows\System\muqiZVq.exe
  2⤵
  PID:8968
- C:\Windows\System\OwLciLB.exe
  C:\Windows\System\OwLciLB.exe
  2⤵
  PID:8988
- C:\Windows\System\OcRsAyl.exe
  C:\Windows\System\OcRsAyl.exe
  2⤵
  PID:9052
- C:\Windows\System\EAyWuUV.exe
  C:\Windows\System\EAyWuUV.exe
  2⤵
  PID:9072
- C:\Windows\System\NxUoRHd.exe
  C:\Windows\System\NxUoRHd.exe
  2⤵
  PID:9092
- C:\Windows\System\JmYZkDp.exe
  C:\Windows\System\JmYZkDp.exe
  2⤵
  PID:9112
- C:\Windows\System\yYAVSyc.exe
  C:\Windows\System\yYAVSyc.exe
  2⤵
  PID:9136
- C:\Windows\System\zqjstSr.exe
  C:\Windows\System\zqjstSr.exe
  2⤵
  PID:9196
- C:\Windows\System\FXzKsOK.exe
  C:\Windows\System\FXzKsOK.exe
  2⤵
  PID:7280
- C:\Windows\System\BRShyzZ.exe
  C:\Windows\System\BRShyzZ.exe
  2⤵
  PID:8240
- C:\Windows\System\yvHJtms.exe
  C:\Windows\System\yvHJtms.exe
  2⤵
  PID:8292
- C:\Windows\System\ToNJqFj.exe
  C:\Windows\System\ToNJqFj.exe
  2⤵
  PID:8572
- C:\Windows\System\VwfVhPR.exe
  C:\Windows\System\VwfVhPR.exe
  2⤵
  PID:8616
- C:\Windows\System\cjlyHBt.exe
  C:\Windows\System\cjlyHBt.exe
  2⤵
  PID:8588
- C:\Windows\System\AzRurIM.exe
  C:\Windows\System\AzRurIM.exe
  2⤵
  PID:8660
- C:\Windows\System\SdqjIWG.exe
  C:\Windows\System\SdqjIWG.exe
  2⤵
  PID:8712
- C:\Windows\System\teRVnmX.exe
  C:\Windows\System\teRVnmX.exe
  2⤵
  PID:8752
- C:\Windows\System\UVWghrd.exe
  C:\Windows\System\UVWghrd.exe
  2⤵
  PID:8792
- C:\Windows\System\OaCjoOO.exe
  C:\Windows\System\OaCjoOO.exe
  2⤵
  PID:8916
- C:\Windows\System\NKetKho.exe
  C:\Windows\System\NKetKho.exe
  2⤵
  PID:9012
- C:\Windows\System\GoMzSTI.exe
  C:\Windows\System\GoMzSTI.exe
  2⤵
  PID:9080
- C:\Windows\System\OjTmwiu.exe
  C:\Windows\System\OjTmwiu.exe
  2⤵
  PID:9128
- C:\Windows\System\CoIopSf.exe
  C:\Windows\System\CoIopSf.exe
  2⤵
  PID:9176
- C:\Windows\System\jlBhrMq.exe
  C:\Windows\System\jlBhrMq.exe
  2⤵
  PID:8220
- C:\Windows\System\qdkdLHT.exe
  C:\Windows\System\qdkdLHT.exe
  2⤵
  PID:8064
- C:\Windows\System\YOQzSiz.exe
  C:\Windows\System\YOQzSiz.exe
  2⤵
  PID:8416
- C:\Windows\System\pXMvTKO.exe
  C:\Windows\System\pXMvTKO.exe
  2⤵
  PID:8472
- C:\Windows\System\LxtvVuS.exe
  C:\Windows\System\LxtvVuS.exe
  2⤵
  PID:8568
- C:\Windows\System\VKdXIzS.exe
  C:\Windows\System\VKdXIzS.exe
  2⤵
  PID:8668
- C:\Windows\System\muzErTC.exe
  C:\Windows\System\muzErTC.exe
  2⤵
  PID:8860
- C:\Windows\System\KwTnsPr.exe
  C:\Windows\System\KwTnsPr.exe
  2⤵
  PID:8964
- C:\Windows\System\HeGLFDA.exe
  C:\Windows\System\HeGLFDA.exe
  2⤵
  PID:9208
- C:\Windows\System\TIkDdkG.exe
  C:\Windows\System\TIkDdkG.exe
  2⤵
  PID:8476
- C:\Windows\System\WGVeucd.exe
  C:\Windows\System\WGVeucd.exe
  2⤵
  PID:8728
- C:\Windows\System\NeLZmcg.exe
  C:\Windows\System\NeLZmcg.exe
  2⤵
  PID:8504
- C:\Windows\System\qNspxWD.exe
  C:\Windows\System\qNspxWD.exe
  2⤵
  PID:8348
- C:\Windows\System\tOgmECz.exe
  C:\Windows\System\tOgmECz.exe
  2⤵
  PID:7548
- C:\Windows\System\MtwfpnL.exe
  C:\Windows\System\MtwfpnL.exe
  2⤵
  PID:9228
- C:\Windows\System\WPvpZMz.exe
  C:\Windows\System\WPvpZMz.exe
  2⤵
  PID:9276
- C:\Windows\System\JqegIoz.exe
  C:\Windows\System\JqegIoz.exe
  2⤵
  PID:9296
- C:\Windows\System\hkdeFEa.exe
  C:\Windows\System\hkdeFEa.exe
  2⤵
  PID:9348
- C:\Windows\System\GvQQEcm.exe
  C:\Windows\System\GvQQEcm.exe
  2⤵
  PID:9368
- C:\Windows\System\GmXnAId.exe
  C:\Windows\System\GmXnAId.exe
  2⤵
  PID:9408
- C:\Windows\System\oWFnqQC.exe
  C:\Windows\System\oWFnqQC.exe
  2⤵
  PID:9440
- C:\Windows\System\vPxNnrK.exe
  C:\Windows\System\vPxNnrK.exe
  2⤵
  PID:9516
- C:\Windows\System\pRMEpEw.exe
  C:\Windows\System\pRMEpEw.exe
  2⤵
  PID:9556
- C:\Windows\System\YZeBdrY.exe
  C:\Windows\System\YZeBdrY.exe
  2⤵
  PID:9576
- C:\Windows\System\lWKUJcu.exe
  C:\Windows\System\lWKUJcu.exe
  2⤵
  PID:9608
- C:\Windows\System\MIWSCGV.exe
  C:\Windows\System\MIWSCGV.exe
  2⤵
  PID:9632
- C:\Windows\System\XkKVmZS.exe
  C:\Windows\System\XkKVmZS.exe
  2⤵
  PID:9684
- C:\Windows\System\DPYIdHY.exe
  C:\Windows\System\DPYIdHY.exe
  2⤵
  PID:9708
- C:\Windows\System\YhBmrii.exe
  C:\Windows\System\YhBmrii.exe
  2⤵
  PID:9732
- C:\Windows\System\jNjAQjY.exe
  C:\Windows\System\jNjAQjY.exe
  2⤵
  PID:9760
- C:\Windows\System\KUYCfVw.exe
  C:\Windows\System\KUYCfVw.exe
  2⤵
  PID:9776
- C:\Windows\System\IupOQyj.exe
  C:\Windows\System\IupOQyj.exe
  2⤵
  PID:9796
- C:\Windows\System\kRpeyGP.exe
  C:\Windows\System\kRpeyGP.exe
  2⤵
  PID:9828
- C:\Windows\System\TejKWSr.exe
  C:\Windows\System\TejKWSr.exe
  2⤵
  PID:9876
- C:\Windows\System\PZvNEBj.exe
  C:\Windows\System\PZvNEBj.exe
  2⤵
  PID:9904
- C:\Windows\System\gVapGuJ.exe
  C:\Windows\System\gVapGuJ.exe
  2⤵
  PID:9964
- C:\Windows\System\RwHGMju.exe
  C:\Windows\System\RwHGMju.exe
  2⤵
  PID:9984
- C:\Windows\System\lArTVaO.exe
  C:\Windows\System\lArTVaO.exe
  2⤵
  PID:10004
- C:\Windows\System\PtPbEAm.exe
  C:\Windows\System\PtPbEAm.exe
  2⤵
  PID:10032
- C:\Windows\System\IRSCxmM.exe
  C:\Windows\System\IRSCxmM.exe
  2⤵
  PID:10048
- C:\Windows\System\sVzGNWE.exe
  C:\Windows\System\sVzGNWE.exe
  2⤵
  PID:10068
- C:\Windows\System\aQQNdZK.exe
  C:\Windows\System\aQQNdZK.exe
  2⤵
  PID:10116
- C:\Windows\System\urVWJAc.exe
  C:\Windows\System\urVWJAc.exe
  2⤵
  PID:10140
- C:\Windows\System\ulJSpkE.exe
  C:\Windows\System\ulJSpkE.exe
  2⤵
  PID:10164
- C:\Windows\System\stfGTgU.exe
  C:\Windows\System\stfGTgU.exe
  2⤵
  PID:10224
- C:\Windows\System\MdgVFgS.exe
  C:\Windows\System\MdgVFgS.exe
  2⤵
  PID:7856
- C:\Windows\System\ZSuagWF.exe
  C:\Windows\System\ZSuagWF.exe
  2⤵
  PID:8012
- C:\Windows\System\hWFDCoL.exe
  C:\Windows\System\hWFDCoL.exe
  2⤵
  PID:8340
- C:\Windows\System\spmBKNs.exe
  C:\Windows\System\spmBKNs.exe
  2⤵
  PID:9224
- C:\Windows\System\tHOxARz.exe
  C:\Windows\System\tHOxARz.exe
  2⤵
  PID:9284
- C:\Windows\System\JfgJnmD.exe
  C:\Windows\System\JfgJnmD.exe
  2⤵
  PID:9316
- C:\Windows\System\XlZPoRD.exe
  C:\Windows\System\XlZPoRD.exe
  2⤵
  PID:9360
- C:\Windows\System\TykzEbq.exe
  C:\Windows\System\TykzEbq.exe
  2⤵
  PID:9436
- C:\Windows\System\OVAHchK.exe
  C:\Windows\System\OVAHchK.exe
  2⤵
  PID:9468
- C:\Windows\System\UKfdRbC.exe
  C:\Windows\System\UKfdRbC.exe
  2⤵
  PID:9492
- C:\Windows\System\zlRxkBV.exe
  C:\Windows\System\zlRxkBV.exe
  2⤵
  PID:9604
- C:\Windows\System\XVWZffU.exe
  C:\Windows\System\XVWZffU.exe
  2⤵
  PID:9660
- C:\Windows\System\wnHWkha.exe
  C:\Windows\System\wnHWkha.exe
  2⤵
  PID:9692
- C:\Windows\System\lfelgvY.exe
  C:\Windows\System\lfelgvY.exe
  2⤵
  PID:9748
- C:\Windows\System\ULsLQEe.exe
  C:\Windows\System\ULsLQEe.exe
  2⤵
  PID:9752
- C:\Windows\System\VOCvYpA.exe
  C:\Windows\System\VOCvYpA.exe
  2⤵
  PID:9820
- C:\Windows\System\qqNSmfc.exe
  C:\Windows\System\qqNSmfc.exe
  2⤵
  PID:9892
- C:\Windows\System\KOJxlQc.exe
  C:\Windows\System\KOJxlQc.exe
  2⤵
  PID:10016
- C:\Windows\System\PYMcmTH.exe
  C:\Windows\System\PYMcmTH.exe
  2⤵
  PID:10184
- C:\Windows\System\cJkWJVi.exe
  C:\Windows\System\cJkWJVi.exe
  2⤵
  PID:9288
- C:\Windows\System\edAjheP.exe
  C:\Windows\System\edAjheP.exe
  2⤵
  PID:9220
- C:\Windows\System\WcmgcSa.exe
  C:\Windows\System\WcmgcSa.exe
  2⤵
  PID:9600
- C:\Windows\System\bkzLokd.exe
  C:\Windows\System\bkzLokd.exe
  2⤵
  PID:9740
- C:\Windows\System\dcSWLKO.exe
  C:\Windows\System\dcSWLKO.exe
  2⤵
  PID:9852
- C:\Windows\System\TSUjTJA.exe
  C:\Windows\System\TSUjTJA.exe
  2⤵
  PID:4232
- C:\Windows\System\SNpujhq.exe
  C:\Windows\System\SNpujhq.exe
  2⤵
  PID:388
- C:\Windows\System\yWUDFtc.exe
  C:\Windows\System\yWUDFtc.exe
  2⤵
  PID:10000
- C:\Windows\System\zXFghpz.exe
  C:\Windows\System\zXFghpz.exe
  2⤵
  PID:10212
- C:\Windows\System\HOjohpc.exe
  C:\Windows\System\HOjohpc.exe
  2⤵
  PID:9380
- C:\Windows\System\aOhkTyS.exe
  C:\Windows\System\aOhkTyS.exe
  2⤵
  PID:9620
- C:\Windows\System\WphecYh.exe
  C:\Windows\System\WphecYh.exe
  2⤵
  PID:9912
- C:\Windows\System\OthPTrH.exe
  C:\Windows\System\OthPTrH.exe
  2⤵
  PID:10084
- C:\Windows\System\PRspcrY.exe
  C:\Windows\System\PRspcrY.exe
  2⤵
  PID:9244
- C:\Windows\System\FNjPCDA.exe
  C:\Windows\System\FNjPCDA.exe
  2⤵
  PID:10100
- C:\Windows\System\HQXQcIx.exe
  C:\Windows\System\HQXQcIx.exe
  2⤵
  PID:10248
- C:\Windows\System\bCesjmL.exe
  C:\Windows\System\bCesjmL.exe
  2⤵
  PID:10272
- C:\Windows\System\rWPqEJS.exe
  C:\Windows\System\rWPqEJS.exe
  2⤵
  PID:10304
- C:\Windows\System\tnjKlfN.exe
  C:\Windows\System\tnjKlfN.exe
  2⤵
  PID:10344
- C:\Windows\System\SLcSraa.exe
  C:\Windows\System\SLcSraa.exe
  2⤵
  PID:10372
- C:\Windows\System\GFOJrlh.exe
  C:\Windows\System\GFOJrlh.exe
  2⤵
  PID:10388
- C:\Windows\System\dBwiQrm.exe
  C:\Windows\System\dBwiQrm.exe
  2⤵
  PID:10412
- C:\Windows\System\HGgnaBW.exe
  C:\Windows\System\HGgnaBW.exe
  2⤵
  PID:10508
- C:\Windows\System\zuizoly.exe
  C:\Windows\System\zuizoly.exe
  2⤵
  PID:10544
- C:\Windows\System\epSDYko.exe
  C:\Windows\System\epSDYko.exe
  2⤵
  PID:10560
- C:\Windows\System\cdhiEmV.exe
  C:\Windows\System\cdhiEmV.exe
  2⤵
  PID:10580
- C:\Windows\System\erYezTv.exe
  C:\Windows\System\erYezTv.exe
  2⤵
  PID:10596
- C:\Windows\System\zsGoAvU.exe
  C:\Windows\System\zsGoAvU.exe
  2⤵
  PID:10728
- C:\Windows\System\AHRPvjF.exe
  C:\Windows\System\AHRPvjF.exe
  2⤵
  PID:10804
- C:\Windows\System\uUGBbXs.exe
  C:\Windows\System\uUGBbXs.exe
  2⤵
  PID:10944
- C:\Windows\System\cSPitwr.exe
  C:\Windows\System\cSPitwr.exe
  2⤵
  PID:10968
- C:\Windows\System\SftyMXm.exe
  C:\Windows\System\SftyMXm.exe
  2⤵
  PID:11032
- C:\Windows\System\SrbNlFf.exe
  C:\Windows\System\SrbNlFf.exe
  2⤵
  PID:11052
- C:\Windows\System\esAndfr.exe
  C:\Windows\System\esAndfr.exe
  2⤵
  PID:9668
- C:\Windows\System\VHDiyxr.exe
  C:\Windows\System\VHDiyxr.exe
  2⤵
  PID:10296
- C:\Windows\System\aCncifK.exe
  C:\Windows\System\aCncifK.exe
  2⤵
  PID:10336
- C:\Windows\System\HQGDxlj.exe
  C:\Windows\System\HQGDxlj.exe
  2⤵
  PID:10408
- C:\Windows\System\ChPsbSF.exe
  C:\Windows\System\ChPsbSF.exe
  2⤵
  PID:10384
- C:\Windows\System\SdGfpaw.exe
  C:\Windows\System\SdGfpaw.exe
  2⤵
  PID:4400
- C:\Windows\System\vNRViGa.exe
  C:\Windows\System\vNRViGa.exe
  2⤵
  PID:10504

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:11044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ArgiuLi.exe

Filesize
1.9MB

MD5
c277e2aaa6f663a516cc337702206118

SHA1
2089d54c907cc44acdb3b1897a2f69ed5b477383

SHA256
e5324172cfff77ba1fd31604029f21064292ccca9a585a765c5703c2ad14b705

SHA512
d020b64f5f601a838675840a134403b673d70161f893c02163714d0bcb393341e1a35cb9153d8bd32847ecd1a9339410d2ce10a4128a4ba8f2645181e91fbd6b

Download Submit
C:\Windows\System\BGnonOD.exe

Filesize
1.9MB

MD5
72b65ad0b2b7b3da233849d8aa5076ca

SHA1
d1db9e131164f2854808de92afb74729cfc246d9

SHA256
aab9f3b66e6fd18d55333ce56f81cfb6c0390880948078e8468d5406c00fec9f

SHA512
35376e012aac4f87c6cd402ffe6e3fe83fc596998c05a8c8dd07806e7ade500a4094fddbcfbca8a2c7426cce0ba19aba4154ede8b8d4ab54d8d6ad8b14e6c936

Download Submit
C:\Windows\System\EBLWhhM.exe

Filesize
1.9MB

MD5
1736ed1bad8b4ce7ee6351323eb0baac

SHA1
aa87ce4d402ada75c6622fea911e28f1694a2d41

SHA256
1dd49b8dcf3e1a2381b67b10eacab9c175f99c0fd093f5b4aa80e954a960bc04

SHA512
151c3b3c47bdbe37babbb03b078b729b5d9c1b11fe670a135d9097e783b2ad0edcfc88dd451bb5433e553883066899edb479b6e9a5b18f4d45b799663799b148

Download Submit
C:\Windows\System\JEXcrki.exe

Filesize
1.9MB

MD5
32e0e41ee789e0ba47641a6604942b2a

SHA1
34034342974db0006f3c386c034c182ee332e7cf

SHA256
93445c39cd29dfa18a39309781433ecc8a9720603c15253b28df6d5a2bf4614d

SHA512
203618a10fab3f6f565cf689abe398ac7ef0ad1392ba80b56472effbcd14bd5dba223c5dcc522dab09418f97092b075dd663460b3f830434edd25ecd09f5ef1b

Download Submit
C:\Windows\System\LCswqpr.exe

Filesize
1.9MB

MD5
865e3fd93df476c9c6d8b22ad000a5eb

SHA1
28f18c349c306056c72235a212b7aa2208f10db2

SHA256
2a20be7a003707394a9233a0e605f516c4113d83a55acb89e166ffab154dacb4

SHA512
671d5fd160021be4322625dfd3d21bcea765c68ed9dbbb683dcfd7c219ff642ff3f4052515455556ff2417ac20964288d01aba064b731f3f921d990524f67907

Download Submit
C:\Windows\System\LREhGFR.exe

Filesize
1.9MB

MD5
0305b4f1738301ae84dd0a7ac8252a5a

SHA1
324498f427fb25caee606715dad8a77e323e382e

SHA256
74606527440e30df80e3dc28db3bcf9a22a0f54560d5a414dc36533e5f0ea4a0

SHA512
8eba78b05f96b6ad21060871e0661fce1bd5b7ef04c97b7136fb0c0968c80f861a3259bebf5021103154972cc68e2a44166b127771b803060665f94b95d2dcb2

Download Submit
C:\Windows\System\LgDrsWr.exe

Filesize
1.9MB

MD5
9722bd57352339bf69d0b31e40a0d8f5

SHA1
ab55256349b4551580f790b808da549866a4d4b9

SHA256
aec0505fa2568013c78021aada63fe51c94687a2fa8cc6dba5db4515ede6cca5

SHA512
1e9d92513a8900c252c1c93515f44064c868ff0bb12f7018970bf16a341e4e568f678384667f7d7a8ef6c4f4e8c6ea11020c637cbafe7fc61002065eaaae12ea

Download Submit
C:\Windows\System\LpqkvpU.exe

Filesize
1.9MB

MD5
dfd4c2e1b3581d1770deef6293477c37

SHA1
a943ba259ccac38ebcab4ddf5f54f256e41cab04

SHA256
c361c5edb4f70c3c6745e71b948e0fdddb342a386680a87d70c9276014735369

SHA512
9ef7ef71ca64eb32ffc442eab9ba50dabd6384002639b4d0d26259769d38109a064adbc9fe5b90da5534b0aafb7661fc28402e474326587c41300a9f2c8967ba

Download Submit
C:\Windows\System\MeZDsFg.exe

Filesize
1.9MB

MD5
dcebfac4a5d104fd139e234b57ca12dd

SHA1
f4f783849c6629e9bf3955758bc3efa45ab8b0c1

SHA256
bbf2f8f83f232ffcb3732cec9b08acc07c514b0e4740ef56de7de42b3db449c0

SHA512
aa2a014501133906a9e94b62dd3c79bf5dbfece15940cfdc93ca0a55cf4b5aede3c45cb3856ece69abd594d7615ee56b5a00840d7c96332c8e7d7fb590c8a7f4

Download Submit
C:\Windows\System\SsNVFvM.exe

Filesize
1.9MB

MD5
5af57d5970e3cb37eaeee04602a9a172

SHA1
3a75dd51366c4ab02a395aef8cfa078349d39f8f

SHA256
d919c5dc0c2ca5d6b772e7351a131934d27eee7c918fe16b8653ba22d3a33f51

SHA512
268b39f3efee281db515110e8b42f9020962d676be1175f6546ea84a2494f255095da7657bdeb3b17fbbc22a9a1da763e6d555d69e0755c69fc057083f0fb7c8

Download Submit
C:\Windows\System\TNzNVHf.exe

Filesize
1.9MB

MD5
c3af78723ea88a264e4a064c1ab9ffb7

SHA1
8b12814dbc5f1b97036e9b632cbc4a7cddae5ec7

SHA256
7b99f712d4c6148eb3a6388ac9bff4a5dcb626bbda57fa11dcfc7871e5436ff9

SHA512
7d86fab18ab936f76522929a7c109757f9af18114a83ce6fcac8d83f4f8cc60dc3dd7271971dd0f671d04f82d63c982c86cf2680e807d82bbb3f976717f073d3

Download Submit
C:\Windows\System\TUNlOpn.exe

Filesize
1.9MB

MD5
a497132ee1054b6f79d439e6e1fb1b5c

SHA1
843f5d3bd63dfed121b618b51698ffbe4710f90d

SHA256
131696e05a5aa6fe7f216ed872147fba720c5171114de9c9ad370dd86c368a56

SHA512
8c101d4cab6c0a10e0c0065903272a9ca5ed8dac8474d72015fac09324d1454aa4b144eb395aa2f63ba6c42db6e669b88daf410820cb36ce75f6cc186d700ead

Download Submit
C:\Windows\System\Tbyjyme.exe

Filesize
1.9MB

MD5
c251d599bc1733e4eb2f936f0adb5558

SHA1
5887521702acd9f8900d5934a65c2962e2a6c7d9

SHA256
47bdd339c0ab13f2024a479447725e3d6a1d53ad7b4dc5808f890536dc655a74

SHA512
0e12660918c86295b2293895220faa9c93036a48b2c7e00ed7d59eeb21904f4b583d1b6ec02e01676ca85586974a8d7d9aac1abc21de1840272b993acd4b7927

Download Submit
C:\Windows\System\ThGQAnU.exe

Filesize
1.9MB

MD5
238cec0ca8599a0aa7ef3332344d6aee

SHA1
1d528f2ff4cbe0843b4a9c2349a503ef1e41c095

SHA256
928fb0522ec04c2d7c1cb7acee20a7e3ed44488d193441468e3add1b95ac7752

SHA512
16282c824781e8b3f5505ad60190c7e2062073551d3c47d08a247ac5061c7963ab8a5e804d84b2b4b4f63088ddb54d5036830c2566dfa509f6f1560e5f78c81e

Download Submit
C:\Windows\System\WMxxYZT.exe

Filesize
1.9MB

MD5
e1e6f4d474f783d8a3132b291940c6ef

SHA1
288cd425c8d415daeee374fd0a47070f57205089

SHA256
aecbd654f5a39f6b295e50fbcaf0ce62a1698b81a4a5355ac68680a518f8ab0a

SHA512
f6ec1013556982333623e3d7c846c364bec5741d223e34f407bb1e0c7c550b937e29253046e997a7b794b9a97359dadcacc0b2a03cb8010ef09458613f39c8d8

Download Submit
C:\Windows\System\YrJTdrf.exe

Filesize
1.9MB

MD5
a729be61ea4fc0a0ebc6c1d4c82dff43

SHA1
c7ca725c040f1a1fab66972a22a311cb7f265e67

SHA256
65587e32c8c86de94897300681c9147a57048b0686e868e0860dad1c2f67f46b

SHA512
32a7a2c5cb511d2ca2d851e080cc001670cde5f0822f64169b0b1feb711d7e19a862de8d53df84d7ac3849525282f70bbcd00c4772e29a1092e866de0f42b8ae

Download Submit
C:\Windows\System\dGWoXrx.exe

Filesize
1.9MB

MD5
556a936c75abe5e229ede58b29e935b8

SHA1
ca5993bb2701cb893541165704d6aa14738c52be

SHA256
f074fbb8ec5e39a6a5c1afeb9c390e61e1eee28d7cf4a34ba5fbb0818048d9a3

SHA512
a4dafed47f24e0af01596a99a2267b5b5cba340accde68902c70e7527560f852fb9b93d36e4b8191ad25092be14bc4136c843469005e60b7f54e0f83d6dad0fd

Download Submit
C:\Windows\System\ewJEvUI.exe

Filesize
1.9MB

MD5
fb8245d7435b6b5f144436f22dc4589b

SHA1
6042fc853dd5bc00903a4c19c71dd91c44828cab

SHA256
4c5c1c38aca465fc751d0fce0c3448133b56b7dc7ec3353601a3e283d7ead5e0

SHA512
4b3e92eda65d860c94b85c6498e6d6d2e095deaca54c85fd6940bad71b3bd4bf11851e3ade4ab6157b95c259bd23ec1e3bddff23da8505f047b269242c18b0f1

Download Submit
C:\Windows\System\gimkgDE.exe

Filesize
1.9MB

MD5
d5129be5f028cb6d8ce77a4c53310484

SHA1
b62540adb7e9b18f0ae4990fa923ec982643b6c1

SHA256
f1db528c0035bac3e9f453ab7c0cb06e079f23604f32465fe06fdf07be09cf7f

SHA512
82aced21f587e2d0058820b8bcfb092f340c143e900af3d065566c30a7bf54ae7bd9734eb3c54bd3f68639552f2643660d83029224d749c0a655ff3ad4e6ab0e

Download Submit
C:\Windows\System\goFwZpi.exe

Filesize
1.9MB

MD5
46df07b32391d3100ea8979780164bd0

SHA1
880a6e2782148dcc2097ddea1142672c81a9025a

SHA256
7ddea0c8d72faedf3eaef5ae9b558aad0f9dbb455fe95f5a0a708482be797deb

SHA512
a9165e5daf6e37066599f94af434637546819ba4dfbfa943bd0c897c470f461fc5343855d454bf2075a77ea8e496aac84f9243d9263779bc321524d17edacd9b

Download Submit
C:\Windows\System\isstImk.exe

Filesize
1.9MB

MD5
ff1f4c66ba8c0df6d98fcb9abc694250

SHA1
5bda986313e0033be94588f9e693e297c02dee39

SHA256
9919e4faf5ffbf161ae23b8b89f3e148dadf0bdbc2c2fbc58c08379fea6c2b4a

SHA512
81e10053c0cfe3b73b2c6f2d5f077bc1eaad52c69238ea3287770dcbd85077b46314b3856760c6d61f4b5bebf81dcf7a8536eb80fb51c0288395aead4cf09506

Download Submit
C:\Windows\System\jDKmtJj.exe

Filesize
1.9MB

MD5
d114a622025b0a13cc9a4a6075091155

SHA1
1c0135f8b9ab2ac649abab7587590c024fe457cf

SHA256
7c546fc1f5aab6b6e883b44978bc42842964bd52064dd6c3f3fd9b08235deed4

SHA512
233118f99179be261cf3818b7b87b80e24b56783b8cb3cc339fe49a044808b8ff2d718a4ccb5845bc929eb51719034d236b3d82a35eb7f98a13cd19882ae6468

Download Submit
C:\Windows\System\kdBfdsm.exe

Filesize
1.9MB

MD5
fc8a1c4c0df77d4a9e707257ae21df13

SHA1
0a5d228f32e262fa67de682a2a8ef8b4ee4c8686

SHA256
174144237917958e793466e3eb39a04220934e1660da21a2321204ef9cf923da

SHA512
50dee170701b6b60a66481c6a3de76887759bc9e20b3b2525743aecec13069974c767dd8429c942e26f3a994765270294fd87ed1744a4db7ab74e20dfc5eab79

Download Submit
C:\Windows\System\kewKNdB.exe

Filesize
1.9MB

MD5
126d73de61b67f572bc4dca7935ebcd9

SHA1
60fc156e974b2aac69572a5c4a83ae6177e7e690

SHA256
8bf402d6d3151f0766af37cc6b55c51bf73cf8d47cecc4254cfd12a98b9040f0

SHA512
75b4117c2e6e52387076de1ee23495673fc399e29962e3179cffb907c8f79568cb40744adece2d2bebefddf1aed3404a1991f0d156057451b56eb9f3276b4783

Download Submit
C:\Windows\System\mnLMWcL.exe

Filesize
1.9MB

MD5
074108daa1669e0e556203dbf584d8b1

SHA1
7ca38e735c31218d9fdc78cbbae2923681d4421a

SHA256
7a77ec8b160f3c92915c81354e4999bac104f8d4c0b0f3c74a71872cc66531c4

SHA512
dafdb3a08b2d4eacfff9a715332994570d1d262b5dcd53138d9d7e61704fdadd1a73e8f868ba685ba90692abec5b4946861164d493722a0954dce28d48688c86

Download Submit
C:\Windows\System\nAoVljw.exe

Filesize
1.9MB

MD5
eaed9fd0c373def8297c82290a670b44

SHA1
275530200e6584a5a7e5a8d2bd3859d9f7fa145d

SHA256
5a47d9b766c26a8052641aaff2490a00bf1c566b4e6f07abad753e79b142e580

SHA512
f28db3c4bacb84e1a346e8c08b98cc467953740203281f129294a63787fb9337a784c6229b2959c2255f5236614dda6d97b67b2e531b1b0c666cc973bf35ec5d

Download Submit
C:\Windows\System\nZSuGsx.exe

Filesize
1.9MB

MD5
6667018aa5495953eae2dfae723ffe82

SHA1
6054096e7664687e8628b467c375116dac7fdec1

SHA256
76d65f617fdbc4a9313b5a501ba96ff26a3a51701dda09b855e0bc5d8fc425af

SHA512
63f0535e4c987cce04e212deac4b6e6ce62397926f42560c4bc345abb541d2deae530919ca5d38454d47dc710e70ffb0a477abe8dfd60f5f3944beee21760569

Download Submit
C:\Windows\System\ronuAMq.exe

Filesize
1.9MB

MD5
f36b2f5423a52b5529c3e58bb302def5

SHA1
a6d527a427346ff76d8535604fd77453b93b5508

SHA256
dfbcc9a320cb41a878ca9266ad8987780a636d8e7da41cc3ea8212c0d1adc8c8

SHA512
8b77d633b9c8dfc54102aebca55e14f5452fa42a2d493511158d8fcf6d980ddf64d7e0fac778b4a2ce591dd6ba95a1ea0fba4dc6b025411f785657774218babe

Download Submit
C:\Windows\System\squiZkt.exe

Filesize
1.9MB

MD5
2fc600111330194b18ea46f63221d7b1

SHA1
5a7e4672e6ceadaaff1f3e71f9c8387dd21d7c00

SHA256
74423e7a5deb09b4ce28cc9da2f9c4b49e9f0e966b233c6555b6908f710c8871

SHA512
aa3e7f304395f07bad7a26582c5ba5d172abe94071ccc13bf3e2c64fbec3e6248dd2b11c4955b386a1164066855aae3513e3ce441940ff3027e5684788979a8b

Download Submit
C:\Windows\System\vGOqKwz.exe

Filesize
1.9MB

MD5
5e7e9414cb3d25b63030ed9b89fb9823

SHA1
05602f1c15df7d3b55e25d064a0323a08e4b9d4b

SHA256
618acc6f17d472b8b3d1ca7b79c799218a5dd8ec1249ebd7619dbf83cc9ed187

SHA512
937dd8e827c1d53193602a09c927c2a97e54bf1befc5198c2cc2278441aa064d81682c4ee06734c72db58394f8da026c8180d7df719c661058d594eaed9820cc

Download Submit
C:\Windows\System\vsFQPla.exe

Filesize
1.9MB

MD5
0b998e96533d1fc7154b58efa5153a19

SHA1
af2cfa11e5819d4d5b3046c466249d9fb516b7fe

SHA256
11b34fab7ef476c0e692304b1fb196ff858e94b679b33c07109117ec3ffc0126

SHA512
141e64c2cf7220691304460e9eaf47731ea27c2779522e8a204a63f52f9db47cb15079779e6c9f1387f508d39fefbca5b777651bd1f114feef540f65d8f95270

Download Submit
C:\Windows\System\wFPUDIA.exe

Filesize
1.9MB

MD5
8c50b3ee4624857e3a7d7a68d250f4c7

SHA1
665a524902fb94e79a970a74c7e0aa6c31cdccac

SHA256
3a78eacd3d6ba22bbdfec48f3f1a61b9a021850ff933a2ef4e7f3e9f88b55bd4

SHA512
1dcdb893448a4bfbb53388cbfd54cfe49a825d1c5d2e0379267e9443db7cd213bb754ed96344f8a81522da0b1a687e565f7b6be17bc66dd88394fec9422c9984

Download Submit
C:\Windows\System\zrVfCQD.exe

Filesize
1.9MB

MD5
2356b0725c1077d3ea9882dff3ac5ace

SHA1
19cb82703a25e0812fe4f66fee7bc75c1c56ab41

SHA256
e60c27a15612b1e8a687888e6051c7e22ac2a283174d88edadf59032b239746f

SHA512
8241dd8ef775da1a580f1d93e487752063ccd94451fe3c48118bc7695909d53b4ce9509ddea1be718bb14833cd0136834c0d223f30619d16051686fdd69c5fa4

Download Submit
memory/460-218-0x00007FF7686D0000-0x00007FF768A21000-memory.dmp

Filesize
3.3MB

Download
memory/572-92-0x00007FF7C7C50000-0x00007FF7C7FA1000-memory.dmp

Filesize
3.3MB

Download
memory/664-112-0x00007FF747360000-0x00007FF7476B1000-memory.dmp

Filesize
3.3MB

Download
memory/800-367-0x00007FF6E15C0000-0x00007FF6E1911000-memory.dmp

Filesize
3.3MB

Download
memory/860-255-0x00007FF62C870000-0x00007FF62CBC1000-memory.dmp

Filesize
3.3MB

Download
memory/968-43-0x00007FF69E570000-0x00007FF69E8C1000-memory.dmp

Filesize
3.3MB

Download
memory/1004-372-0x00007FF603050000-0x00007FF6033A1000-memory.dmp

Filesize
3.3MB

Download
memory/1008-267-0x00007FF738B50000-0x00007FF738EA1000-memory.dmp

Filesize
3.3MB

Download
memory/1028-226-0x00007FF7B2FF0000-0x00007FF7B3341000-memory.dmp

Filesize
3.3MB

Download
memory/1124-215-0x00007FF750310000-0x00007FF750661000-memory.dmp

Filesize
3.3MB

Download
memory/1176-348-0x00007FF7B3690000-0x00007FF7B39E1000-memory.dmp

Filesize
3.3MB

Download
memory/1180-238-0x00007FF67E650000-0x00007FF67E9A1000-memory.dmp

Filesize
3.3MB

Download
memory/1208-188-0x00007FF787F50000-0x00007FF7882A1000-memory.dmp

Filesize
3.3MB

Download
memory/1208-60-0x00007FF787F50000-0x00007FF7882A1000-memory.dmp

Filesize
3.3MB

Download
memory/1388-357-0x00007FF60D760000-0x00007FF60DAB1000-memory.dmp

Filesize
3.3MB

Download
memory/1444-254-0x00007FF635850000-0x00007FF635BA1000-memory.dmp

Filesize
3.3MB

Download
memory/1516-178-0x00007FF7545F0000-0x00007FF754941000-memory.dmp

Filesize
3.3MB

Download
memory/1516-40-0x00007FF7545F0000-0x00007FF754941000-memory.dmp

Filesize
3.3MB

Download
memory/1524-32-0x00007FF6674C0000-0x00007FF667811000-memory.dmp

Filesize
3.3MB

Download
memory/1664-343-0x00007FF7A3A90000-0x00007FF7A3DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1748-134-0x00007FF6C0650000-0x00007FF6C09A1000-memory.dmp

Filesize
3.3MB

Download
memory/1752-273-0x00007FF7F1F10000-0x00007FF7F2261000-memory.dmp

Filesize
3.3MB

Download
memory/1760-246-0x00007FF71E650000-0x00007FF71E9A1000-memory.dmp

Filesize
3.3MB

Download
memory/1968-364-0x00007FF79B4E0000-0x00007FF79B831000-memory.dmp

Filesize
3.3MB

Download
memory/1976-130-0x00007FF632260000-0x00007FF6325B1000-memory.dmp

Filesize
3.3MB

Download
memory/2008-366-0x00007FF7EE720000-0x00007FF7EEA71000-memory.dmp

Filesize
3.3MB

Download
memory/2064-361-0x00007FF6ACF40000-0x00007FF6AD291000-memory.dmp

Filesize
3.3MB

Download
memory/2316-15-0x00007FF702480000-0x00007FF7027D1000-memory.dmp

Filesize
3.3MB

Download
memory/2316-151-0x00007FF702480000-0x00007FF7027D1000-memory.dmp

Filesize
3.3MB

Download
memory/2396-363-0x00007FF7F48E0000-0x00007FF7F4C31000-memory.dmp

Filesize
3.3MB

Download
memory/2404-221-0x00007FF6CB180000-0x00007FF6CB4D1000-memory.dmp

Filesize
3.3MB

Download
memory/2560-133-0x00007FF7E5160000-0x00007FF7E54B1000-memory.dmp

Filesize
3.3MB

Download
memory/2636-50-0x00007FF7FF630000-0x00007FF7FF981000-memory.dmp

Filesize
3.3MB

Download
memory/2636-185-0x00007FF7FF630000-0x00007FF7FF981000-memory.dmp

Filesize
3.3MB

Download
memory/2660-336-0x00007FF7B3E70000-0x00007FF7B41C1000-memory.dmp

Filesize
3.3MB

Download
memory/2864-244-0x00007FF641AA0000-0x00007FF641DF1000-memory.dmp

Filesize
3.3MB

Download
memory/2980-370-0x00007FF6817D0000-0x00007FF681B21000-memory.dmp

Filesize
3.3MB

Download
memory/3004-71-0x00007FF773F30000-0x00007FF774281000-memory.dmp

Filesize
3.3MB

Download
memory/3056-138-0x00007FF6D6790000-0x00007FF6D6AE1000-memory.dmp

Filesize
3.3MB

Download
memory/3080-68-0x00007FF7B86A0000-0x00007FF7B89F1000-memory.dmp

Filesize
3.3MB

Download
memory/3196-74-0x00007FF67C110000-0x00007FF67C461000-memory.dmp

Filesize
3.3MB

Download
memory/3196-205-0x00007FF67C110000-0x00007FF67C461000-memory.dmp

Filesize
3.3MB

Download
memory/3448-135-0x00007FF67B170000-0x00007FF67B4C1000-memory.dmp

Filesize
3.3MB

Download
memory/3552-137-0x00007FF7427D0000-0x00007FF742B21000-memory.dmp

Filesize
3.3MB

Download
memory/3632-136-0x00007FF68BD00000-0x00007FF68C051000-memory.dmp

Filesize
3.3MB

Download
memory/3692-271-0x00007FF6A9A70000-0x00007FF6A9DC1000-memory.dmp

Filesize
3.3MB

Download
memory/3792-225-0x00007FF6B4AD0000-0x00007FF6B4E21000-memory.dmp

Filesize
3.3MB

Download
memory/3836-350-0x00007FF7C3AF0000-0x00007FF7C3E41000-memory.dmp

Filesize
3.3MB

Download
memory/3908-368-0x00007FF6CCFF0000-0x00007FF6CD341000-memory.dmp

Filesize
3.3MB

Download
memory/3912-219-0x00007FF64F9D0000-0x00007FF64FD21000-memory.dmp

Filesize
3.3MB

Download
memory/3976-369-0x00007FF635A10000-0x00007FF635D61000-memory.dmp

Filesize
3.3MB

Download
memory/3996-81-0x00007FF785080000-0x00007FF7853D1000-memory.dmp

Filesize
3.3MB

Download
memory/3996-206-0x00007FF785080000-0x00007FF7853D1000-memory.dmp

Filesize
3.3MB

Download
memory/4000-162-0x00007FF6217B0000-0x00007FF621B01000-memory.dmp

Filesize
3.3MB

Download
memory/4000-21-0x00007FF6217B0000-0x00007FF621B01000-memory.dmp

Filesize
3.3MB

Download
memory/4132-272-0x00007FF703EE0000-0x00007FF704231000-memory.dmp

Filesize
3.3MB

Download
memory/4360-351-0x00007FF6F0CB0000-0x00007FF6F1001000-memory.dmp

Filesize
3.3MB

Download
memory/4416-216-0x00007FF609120000-0x00007FF609471000-memory.dmp

Filesize
3.3MB

Download
memory/4440-101-0x00007FF634B60000-0x00007FF634EB1000-memory.dmp

Filesize
3.3MB

Download
memory/4464-362-0x00007FF7CD2C0000-0x00007FF7CD611000-memory.dmp

Filesize
3.3MB

Download
memory/4508-241-0x00007FF7618C0000-0x00007FF761C11000-memory.dmp

Filesize
3.3MB

Download
memory/4532-0-0x00007FF72B2C0000-0x00007FF72B611000-memory.dmp

Filesize
3.3MB

Download
memory/4532-1-0x000001A724AA0000-0x000001A724AB0000-memory.dmp

Filesize
64KB

Download
memory/4532-145-0x00007FF72B2C0000-0x00007FF72B611000-memory.dmp

Filesize
3.3MB

Download
memory/4620-234-0x00007FF653050000-0x00007FF6533A1000-memory.dmp

Filesize
3.3MB

Download
memory/4856-204-0x00007FF69B010000-0x00007FF69B361000-memory.dmp

Filesize
3.3MB

Download
memory/4856-62-0x00007FF69B010000-0x00007FF69B361000-memory.dmp

Filesize
3.3MB

Download
memory/4896-256-0x00007FF757070000-0x00007FF7573C1000-memory.dmp

Filesize
3.3MB

Download
memory/4924-217-0x00007FF656EC0000-0x00007FF657211000-memory.dmp

Filesize
3.3MB

Download
memory/4944-222-0x00007FF78B240000-0x00007FF78B591000-memory.dmp

Filesize
3.3MB

Download
memory/4956-220-0x00007FF62F070000-0x00007FF62F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/5012-27-0x00007FF730B10000-0x00007FF730E61000-memory.dmp

Filesize
3.3MB

Download
memory/5016-365-0x00007FF75D050000-0x00007FF75D3A1000-memory.dmp

Filesize
3.3MB

Download
memory/5024-349-0x00007FF610A80000-0x00007FF610DD1000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads