xmrig | f4efdf49c91c60f02cb7484c1fd005751de80f7f65b884666cd6d725b04ebdba

Analysis

max time kernel
147s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4efdf49c91c60f02cb7484c1fd005751de80f7f65b884666cd6d725b04ebdba.exe
Size

3.3MB
MD5

7191b7e53d9f2672879bbdc041cd3bbe
SHA1

0f2ead04cf5f771066f68dd4231239bfa096d1fb
SHA256

f4efdf49c91c60f02cb7484c1fd005751de80f7f65b884666cd6d725b04ebdba
SHA512

975453ee3b41506c27c3d131cb08c13c467e7fc624ea53563501540a942866fc274c35e5ff83a91f76b8359f4c3b8e9c879c57dc5135a33f805764b58e83790d
SSDEEP

98304:S1ONtyBeSFkXV1etEKLlWUTOfeiRA2R76zHrWI:SbBeSFkM

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects executables containing URLs to raw contents of a Github gist 38 IoCs

resource	yara_rule
behavioral1/memory/3048-0-0x000000013FCF0000-0x00000001400E6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/files/0x000d000000014466-6.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/files/0x0009000000014909-8.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/files/0x0008000000015264-15.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/files/0x002c000000014c67-14.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/files/0x000900000001560a-39.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/files/0x00070000000155d4-27.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/files/0x000f0000000006fd-41.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/files/0x0008000000016cf0-57.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2524-65-0x000000013FBC0000-0x000000013FFB6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/files/0x000e000000014e3d-63.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/files/0x0006000000016d24-69.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2720-68-0x000000013FBC0000-0x000000013FFB6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2756-74-0x000000013F970000-0x000000013FD66000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/files/0x0006000000016d36-77.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/files/0x0006000000016d41-82.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/files/0x000500000001868c-122.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/files/0x000600000001704f-120.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/files/0x0006000000018ae8-141.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/files/0x0006000000018b33-149.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/files/0x0006000000018b4a-161.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1656-589-0x000000013F1D0000-0x000000013F5C6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2436-665-0x000000013FB30000-0x000000013FF26000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2020-928-0x000000013F780000-0x000000013FB76000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/876-967-0x000000013F720000-0x000000013FB16000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2112-1158-0x000000013FCE0000-0x00000001400D6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2624-1157-0x000000013F870000-0x000000013FC66000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1964-1129-0x000000013FBE0000-0x000000013FFD6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1340-1122-0x000000013F200000-0x000000013F5F6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2476-1152-0x000000013FF90000-0x0000000140386000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2864-1151-0x000000013FF50000-0x0000000140346000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2276-1150-0x000000013F7E0000-0x000000013FBD6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/800-1149-0x000000013F100000-0x000000013F4F6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1672-1148-0x000000013FB40000-0x000000013FF36000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2188-1121-0x000000013F8E0000-0x000000013FCD6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1012-1139-0x000000013F2C0000-0x000000013F6B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/852-1117-0x000000013FAA0000-0x000000013FE96000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/636-1116-0x000000013FE20000-0x0000000140216000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

UPX dump on OEP (original entry point) 37 IoCs

resource	yara_rule
behavioral1/memory/3048-0-0x000000013FCF0000-0x00000001400E6000-memory.dmp	UPX
behavioral1/files/0x000d000000014466-6.dat	UPX
behavioral1/files/0x0009000000014909-8.dat	UPX
behavioral1/files/0x0008000000015264-15.dat	UPX
behavioral1/files/0x002c000000014c67-14.dat	UPX
behavioral1/files/0x000900000001560a-39.dat	UPX
behavioral1/files/0x00070000000155d4-27.dat	UPX
behavioral1/files/0x000f0000000006fd-41.dat	UPX
behavioral1/files/0x0008000000016cf0-57.dat	UPX
behavioral1/memory/2524-65-0x000000013FBC0000-0x000000013FFB6000-memory.dmp	UPX
behavioral1/files/0x000e000000014e3d-63.dat	UPX
behavioral1/files/0x0006000000016d24-69.dat	UPX
behavioral1/memory/2720-68-0x000000013FBC0000-0x000000013FFB6000-memory.dmp	UPX
behavioral1/memory/2756-74-0x000000013F970000-0x000000013FD66000-memory.dmp	UPX
behavioral1/files/0x0006000000016d36-77.dat	UPX
behavioral1/files/0x0006000000016d41-82.dat	UPX
behavioral1/files/0x000500000001868c-122.dat	UPX
behavioral1/files/0x000600000001704f-120.dat	UPX
behavioral1/files/0x0006000000018ae8-141.dat	UPX
behavioral1/files/0x0006000000018b33-149.dat	UPX
behavioral1/files/0x0006000000018b4a-161.dat	UPX
behavioral1/memory/1656-589-0x000000013F1D0000-0x000000013F5C6000-memory.dmp	UPX
behavioral1/memory/2436-665-0x000000013FB30000-0x000000013FF26000-memory.dmp	UPX
behavioral1/memory/2020-928-0x000000013F780000-0x000000013FB76000-memory.dmp	UPX
behavioral1/memory/876-967-0x000000013F720000-0x000000013FB16000-memory.dmp	UPX
behavioral1/memory/2112-1158-0x000000013FCE0000-0x00000001400D6000-memory.dmp	UPX
behavioral1/memory/2624-1157-0x000000013F870000-0x000000013FC66000-memory.dmp	UPX
behavioral1/memory/1964-1129-0x000000013FBE0000-0x000000013FFD6000-memory.dmp	UPX
behavioral1/memory/1340-1122-0x000000013F200000-0x000000013F5F6000-memory.dmp	UPX
behavioral1/memory/2476-1152-0x000000013FF90000-0x0000000140386000-memory.dmp	UPX
behavioral1/memory/2864-1151-0x000000013FF50000-0x0000000140346000-memory.dmp	UPX
behavioral1/memory/2276-1150-0x000000013F7E0000-0x000000013FBD6000-memory.dmp	UPX
behavioral1/memory/800-1149-0x000000013F100000-0x000000013F4F6000-memory.dmp	UPX
behavioral1/memory/1672-1148-0x000000013FB40000-0x000000013FF36000-memory.dmp	UPX
behavioral1/memory/2188-1121-0x000000013F8E0000-0x000000013FCD6000-memory.dmp	UPX
behavioral1/memory/1012-1139-0x000000013F2C0000-0x000000013F6B6000-memory.dmp	UPX
behavioral1/memory/636-1116-0x000000013FE20000-0x0000000140216000-memory.dmp	UPX

XMRig Miner payload 39 IoCs

miner

resource	yara_rule
behavioral1/memory/3048-0-0x000000013FCF0000-0x00000001400E6000-memory.dmp	xmrig
behavioral1/files/0x000d000000014466-6.dat	xmrig
behavioral1/files/0x0009000000014909-8.dat	xmrig
behavioral1/files/0x0008000000015264-15.dat	xmrig
behavioral1/files/0x002c000000014c67-14.dat	xmrig
behavioral1/files/0x000900000001560a-39.dat	xmrig
behavioral1/files/0x00070000000155d4-27.dat	xmrig
behavioral1/files/0x000f0000000006fd-41.dat	xmrig
behavioral1/files/0x0008000000016cf0-57.dat	xmrig
behavioral1/memory/2524-65-0x000000013FBC0000-0x000000013FFB6000-memory.dmp	xmrig
behavioral1/files/0x000e000000014e3d-63.dat	xmrig
behavioral1/files/0x0006000000016d24-69.dat	xmrig
behavioral1/memory/2720-68-0x000000013FBC0000-0x000000013FFB6000-memory.dmp	xmrig
behavioral1/memory/2756-74-0x000000013F970000-0x000000013FD66000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d36-77.dat	xmrig
behavioral1/files/0x0006000000016d41-82.dat	xmrig
behavioral1/files/0x000500000001868c-122.dat	xmrig
behavioral1/files/0x000600000001704f-120.dat	xmrig
behavioral1/files/0x0006000000018ae8-141.dat	xmrig
behavioral1/files/0x0006000000018b33-149.dat	xmrig
behavioral1/files/0x0006000000018b4a-161.dat	xmrig
behavioral1/memory/1656-589-0x000000013F1D0000-0x000000013F5C6000-memory.dmp	xmrig
behavioral1/memory/2436-665-0x000000013FB30000-0x000000013FF26000-memory.dmp	xmrig
behavioral1/memory/3048-884-0x00000000034E0000-0x00000000038D6000-memory.dmp	xmrig
behavioral1/memory/2020-928-0x000000013F780000-0x000000013FB76000-memory.dmp	xmrig
behavioral1/memory/876-967-0x000000013F720000-0x000000013FB16000-memory.dmp	xmrig
behavioral1/memory/2112-1158-0x000000013FCE0000-0x00000001400D6000-memory.dmp	xmrig
behavioral1/memory/2624-1157-0x000000013F870000-0x000000013FC66000-memory.dmp	xmrig
behavioral1/memory/1964-1129-0x000000013FBE0000-0x000000013FFD6000-memory.dmp	xmrig
behavioral1/memory/1340-1122-0x000000013F200000-0x000000013F5F6000-memory.dmp	xmrig
behavioral1/memory/2476-1152-0x000000013FF90000-0x0000000140386000-memory.dmp	xmrig
behavioral1/memory/2864-1151-0x000000013FF50000-0x0000000140346000-memory.dmp	xmrig
behavioral1/memory/2276-1150-0x000000013F7E0000-0x000000013FBD6000-memory.dmp	xmrig
behavioral1/memory/800-1149-0x000000013F100000-0x000000013F4F6000-memory.dmp	xmrig
behavioral1/memory/1672-1148-0x000000013FB40000-0x000000013FF36000-memory.dmp	xmrig
behavioral1/memory/2188-1121-0x000000013F8E0000-0x000000013FCD6000-memory.dmp	xmrig
behavioral1/memory/1012-1139-0x000000013F2C0000-0x000000013F6B6000-memory.dmp	xmrig
behavioral1/memory/852-1117-0x000000013FAA0000-0x000000013FE96000-memory.dmp	xmrig
behavioral1/memory/636-1116-0x000000013FE20000-0x0000000140216000-memory.dmp	xmrig

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3048-0-0x000000013FCF0000-0x00000001400E6000-memory.dmp	upx
behavioral1/files/0x000d000000014466-6.dat	upx
behavioral1/files/0x0009000000014909-8.dat	upx
behavioral1/files/0x0008000000015264-15.dat	upx
behavioral1/files/0x002c000000014c67-14.dat	upx
behavioral1/files/0x000900000001560a-39.dat	upx
behavioral1/files/0x00070000000155d4-27.dat	upx
behavioral1/files/0x000f0000000006fd-41.dat	upx
behavioral1/files/0x0008000000016cf0-57.dat	upx
behavioral1/memory/2524-65-0x000000013FBC0000-0x000000013FFB6000-memory.dmp	upx
behavioral1/files/0x000e000000014e3d-63.dat	upx
behavioral1/files/0x0006000000016d24-69.dat	upx
behavioral1/memory/2720-68-0x000000013FBC0000-0x000000013FFB6000-memory.dmp	upx
behavioral1/memory/2756-74-0x000000013F970000-0x000000013FD66000-memory.dmp	upx
behavioral1/files/0x0006000000016d36-77.dat	upx
behavioral1/files/0x0006000000016d41-82.dat	upx
behavioral1/files/0x000500000001868c-122.dat	upx
behavioral1/files/0x000600000001704f-120.dat	upx
behavioral1/files/0x0006000000018ae8-141.dat	upx
behavioral1/files/0x0006000000018b33-149.dat	upx
behavioral1/files/0x0006000000018b4a-161.dat	upx
behavioral1/memory/1656-589-0x000000013F1D0000-0x000000013F5C6000-memory.dmp	upx
behavioral1/memory/2436-665-0x000000013FB30000-0x000000013FF26000-memory.dmp	upx
behavioral1/memory/2020-928-0x000000013F780000-0x000000013FB76000-memory.dmp	upx
behavioral1/memory/876-967-0x000000013F720000-0x000000013FB16000-memory.dmp	upx
behavioral1/memory/2112-1158-0x000000013FCE0000-0x00000001400D6000-memory.dmp	upx
behavioral1/memory/2624-1157-0x000000013F870000-0x000000013FC66000-memory.dmp	upx
behavioral1/memory/1964-1129-0x000000013FBE0000-0x000000013FFD6000-memory.dmp	upx
behavioral1/memory/1340-1122-0x000000013F200000-0x000000013F5F6000-memory.dmp	upx
behavioral1/memory/2476-1152-0x000000013FF90000-0x0000000140386000-memory.dmp	upx
behavioral1/memory/2864-1151-0x000000013FF50000-0x0000000140346000-memory.dmp	upx
behavioral1/memory/2276-1150-0x000000013F7E0000-0x000000013FBD6000-memory.dmp	upx
behavioral1/memory/800-1149-0x000000013F100000-0x000000013F4F6000-memory.dmp	upx
behavioral1/memory/1672-1148-0x000000013FB40000-0x000000013FF36000-memory.dmp	upx
behavioral1/memory/2188-1121-0x000000013F8E0000-0x000000013FCD6000-memory.dmp	upx
behavioral1/memory/1012-1139-0x000000013F2C0000-0x000000013F6B6000-memory.dmp	upx
behavioral1/memory/852-1117-0x000000013FAA0000-0x000000013FE96000-memory.dmp	upx
behavioral1/memory/636-1116-0x000000013FE20000-0x0000000140216000-memory.dmp	upx

C:\Users\Admin\AppData\Local\Temp\f4efdf49c91c60f02cb7484c1fd005751de80f7f65b884666cd6d725b04ebdba.exe
"C:\Users\Admin\AppData\Local\Temp\f4efdf49c91c60f02cb7484c1fd005751de80f7f65b884666cd6d725b04ebdba.exe"
1⤵
PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  PID:3056
- C:\Windows\System\mOhlNay.exe
  C:\Windows\System\mOhlNay.exe
  2⤵
  PID:2568
- C:\Windows\System\hLYFSdL.exe
  C:\Windows\System\hLYFSdL.exe
  2⤵
  PID:2756
- C:\Windows\System\LHTtvcW.exe
  C:\Windows\System\LHTtvcW.exe
  2⤵
  PID:2524
- C:\Windows\System\BMOhqLk.exe
  C:\Windows\System\BMOhqLk.exe
  2⤵
  PID:2776
- C:\Windows\System\MhmGIhR.exe
  C:\Windows\System\MhmGIhR.exe
  2⤵
  PID:2720
- C:\Windows\System\sFTcCLd.exe
  C:\Windows\System\sFTcCLd.exe
  2⤵
  PID:2556
- C:\Windows\System\EnrIBsj.exe
  C:\Windows\System\EnrIBsj.exe
  2⤵
  PID:2404
- C:\Windows\System\WxJoFeV.exe
  C:\Windows\System\WxJoFeV.exe
  2⤵
  PID:2644
- C:\Windows\System\DOcJXzn.exe
  C:\Windows\System\DOcJXzn.exe
  2⤵
  PID:1840
- C:\Windows\System\qDvytIj.exe
  C:\Windows\System\qDvytIj.exe
  2⤵
  PID:1756
- C:\Windows\System\bZXkrFh.exe
  C:\Windows\System\bZXkrFh.exe
  2⤵
  PID:2092
- C:\Windows\System\osVydso.exe
  C:\Windows\System\osVydso.exe
  2⤵
  PID:1860
- C:\Windows\System\MaRPebW.exe
  C:\Windows\System\MaRPebW.exe
  2⤵
  PID:2792
- C:\Windows\System\TAgwIQk.exe
  C:\Windows\System\TAgwIQk.exe
  2⤵
  PID:636
- C:\Windows\System\zSaFVkt.exe
  C:\Windows\System\zSaFVkt.exe
  2⤵
  PID:2384
- C:\Windows\System\ErMyuzg.exe
  C:\Windows\System\ErMyuzg.exe
  2⤵
  PID:2124
- C:\Windows\System\KgOlSVm.exe
  C:\Windows\System\KgOlSVm.exe
  2⤵
  PID:2476
- C:\Windows\System\WdnaJur.exe
  C:\Windows\System\WdnaJur.exe
  2⤵
  PID:2848
- C:\Windows\System\iKmZvki.exe
  C:\Windows\System\iKmZvki.exe
  2⤵
  PID:592
- C:\Windows\System\tRJypGc.exe
  C:\Windows\System\tRJypGc.exe
  2⤵
  PID:944
- C:\Windows\System\QPLZmZB.exe
  C:\Windows\System\QPLZmZB.exe
  2⤵
  PID:2672
- C:\Windows\System\azUpGPU.exe
  C:\Windows\System\azUpGPU.exe
  2⤵
  PID:2716
- C:\Windows\System\tfzzgXg.exe
  C:\Windows\System\tfzzgXg.exe
  2⤵
  PID:1820
- C:\Windows\System\uUkiYwM.exe
  C:\Windows\System\uUkiYwM.exe
  2⤵
  PID:2376
- C:\Windows\System\hiVPVuc.exe
  C:\Windows\System\hiVPVuc.exe
  2⤵
  PID:1644
- C:\Windows\System\amvETlL.exe
  C:\Windows\System\amvETlL.exe
  2⤵
  PID:2104
- C:\Windows\System\IFbqrwx.exe
  C:\Windows\System\IFbqrwx.exe
  2⤵
  PID:564
- C:\Windows\System\xjCerAk.exe
  C:\Windows\System\xjCerAk.exe
  2⤵
  PID:1608
- C:\Windows\System\gUkoUEW.exe
  C:\Windows\System\gUkoUEW.exe
  2⤵
  PID:1704
- C:\Windows\System\YHsQgWW.exe
  C:\Windows\System\YHsQgWW.exe
  2⤵
  PID:1576
- C:\Windows\System\gEHuMoD.exe
  C:\Windows\System\gEHuMoD.exe
  2⤵
  PID:2888
- C:\Windows\System\TEEDRah.exe
  C:\Windows\System\TEEDRah.exe
  2⤵
  PID:1108
- C:\Windows\System\tJcXmZw.exe
  C:\Windows\System\tJcXmZw.exe
  2⤵
  PID:1500
- C:\Windows\System\DGptYqO.exe
  C:\Windows\System\DGptYqO.exe
  2⤵
  PID:2084
- C:\Windows\System\FEwdNCb.exe
  C:\Windows\System\FEwdNCb.exe
  2⤵
  PID:1948
- C:\Windows\System\QQtZwPc.exe
  C:\Windows\System\QQtZwPc.exe
  2⤵
  PID:1276
- C:\Windows\System\xeRUwqI.exe
  C:\Windows\System\xeRUwqI.exe
  2⤵
  PID:1836
- C:\Windows\System\XMRbreE.exe
  C:\Windows\System\XMRbreE.exe
  2⤵
  PID:1752
- C:\Windows\System\LkNdzCE.exe
  C:\Windows\System\LkNdzCE.exe
  2⤵
  PID:2180
- C:\Windows\System\CdmLaUJ.exe
  C:\Windows\System\CdmLaUJ.exe
  2⤵
  PID:2668
- C:\Windows\System\HgPrekj.exe
  C:\Windows\System\HgPrekj.exe
  2⤵
  PID:1684
- C:\Windows\System\QAtrvAD.exe
  C:\Windows\System\QAtrvAD.exe
  2⤵
  PID:2656
- C:\Windows\System\URkypSU.exe
  C:\Windows\System\URkypSU.exe
  2⤵
  PID:1152
- C:\Windows\System\cHatJpQ.exe
  C:\Windows\System\cHatJpQ.exe
  2⤵
  PID:2248
- C:\Windows\System\FkPMpUV.exe
  C:\Windows\System\FkPMpUV.exe
  2⤵
  PID:792
- C:\Windows\System\EZVpfWx.exe
  C:\Windows\System\EZVpfWx.exe
  2⤵
  PID:2072
- C:\Windows\System\ZmoaNby.exe
  C:\Windows\System\ZmoaNby.exe
  2⤵
  PID:1656
- C:\Windows\System\chmIhrI.exe
  C:\Windows\System\chmIhrI.exe
  2⤵
  PID:2056
- C:\Windows\System\jnGeBIh.exe
  C:\Windows\System\jnGeBIh.exe
  2⤵
  PID:2576
- C:\Windows\System\FaBMNuN.exe
  C:\Windows\System\FaBMNuN.exe
  2⤵
  PID:1544
- C:\Windows\System\YWVKEVe.exe
  C:\Windows\System\YWVKEVe.exe
  2⤵
  PID:3024
- C:\Windows\System\UPORUao.exe
  C:\Windows\System\UPORUao.exe
  2⤵
  PID:2472
- C:\Windows\System\bSmHhMC.exe
  C:\Windows\System\bSmHhMC.exe
  2⤵
  PID:1996
- C:\Windows\System\gmwkoef.exe
  C:\Windows\System\gmwkoef.exe
  2⤵
  PID:2032
- C:\Windows\System\RFiMYPy.exe
  C:\Windows\System\RFiMYPy.exe
  2⤵
  PID:3044
- C:\Windows\System\OEPZSoL.exe
  C:\Windows\System\OEPZSoL.exe
  2⤵
  PID:2788
- C:\Windows\System\OfUYMmL.exe
  C:\Windows\System\OfUYMmL.exe
  2⤵
  PID:2160
- C:\Windows\System\FfAufah.exe
  C:\Windows\System\FfAufah.exe
  2⤵
  PID:1324
- C:\Windows\System\xHTQXoP.exe
  C:\Windows\System\xHTQXoP.exe
  2⤵
  PID:2008
- C:\Windows\System\fEOrdLn.exe
  C:\Windows\System\fEOrdLn.exe
  2⤵
  PID:2428
- C:\Windows\System\YTQkWug.exe
  C:\Windows\System\YTQkWug.exe
  2⤵
  PID:2088
- C:\Windows\System\eMrXeeF.exe
  C:\Windows\System\eMrXeeF.exe
  2⤵
  PID:2200
- C:\Windows\System\BAHVQRB.exe
  C:\Windows\System\BAHVQRB.exe
  2⤵
  PID:2292
- C:\Windows\System\fdpDpap.exe
  C:\Windows\System\fdpDpap.exe
  2⤵
  PID:1492
- C:\Windows\System\FDurJdR.exe
  C:\Windows\System\FDurJdR.exe
  2⤵
  PID:940
- C:\Windows\System\iPYRbnK.exe
  C:\Windows\System\iPYRbnK.exe
  2⤵
  PID:1640
- C:\Windows\System\QaRnIcU.exe
  C:\Windows\System\QaRnIcU.exe
  2⤵
  PID:2488
- C:\Windows\System\jRsBPHQ.exe
  C:\Windows\System\jRsBPHQ.exe
  2⤵
  PID:1604
- C:\Windows\System\rjpgwFN.exe
  C:\Windows\System\rjpgwFN.exe
  2⤵
  PID:904
- C:\Windows\System\lnaAXar.exe
  C:\Windows\System\lnaAXar.exe
  2⤵
  PID:2016
- C:\Windows\System\KPhnUYL.exe
  C:\Windows\System\KPhnUYL.exe
  2⤵
  PID:1272
- C:\Windows\System\wyVjkPk.exe
  C:\Windows\System\wyVjkPk.exe
  2⤵
  PID:2152
- C:\Windows\System\UyeOYJn.exe
  C:\Windows\System\UyeOYJn.exe
  2⤵
  PID:2196
- C:\Windows\System\iriEHtR.exe
  C:\Windows\System\iriEHtR.exe
  2⤵
  PID:2252
- C:\Windows\System\QyasORt.exe
  C:\Windows\System\QyasORt.exe
  2⤵
  PID:2060
- C:\Windows\System\epmuYCT.exe
  C:\Windows\System\epmuYCT.exe
  2⤵
  PID:2932
- C:\Windows\System\MeTcrfc.exe
  C:\Windows\System\MeTcrfc.exe
  2⤵
  PID:2424
- C:\Windows\System\QOMESQn.exe
  C:\Windows\System\QOMESQn.exe
  2⤵
  PID:1928
- C:\Windows\System\WOCdfMb.exe
  C:\Windows\System\WOCdfMb.exe
  2⤵
  PID:320
- C:\Windows\System\zbXbjzO.exe
  C:\Windows\System\zbXbjzO.exe
  2⤵
  PID:2872
- C:\Windows\System\lVCrtgV.exe
  C:\Windows\System\lVCrtgV.exe
  2⤵
  PID:240
- C:\Windows\System\UPWPhfs.exe
  C:\Windows\System\UPWPhfs.exe
  2⤵
  PID:1816
- C:\Windows\System\smKihKm.exe
  C:\Windows\System\smKihKm.exe
  2⤵
  PID:2784
- C:\Windows\System\NsyUfRR.exe
  C:\Windows\System\NsyUfRR.exe
  2⤵
  PID:2224
- C:\Windows\System\CiSQjnd.exe
  C:\Windows\System\CiSQjnd.exe
  2⤵
  PID:3080
- C:\Windows\System\hhKvqYU.exe
  C:\Windows\System\hhKvqYU.exe
  2⤵
  PID:3100
- C:\Windows\System\NJVQFcL.exe
  C:\Windows\System\NJVQFcL.exe
  2⤵
  PID:3116
- C:\Windows\System\rOkeziq.exe
  C:\Windows\System\rOkeziq.exe
  2⤵
  PID:3136
- C:\Windows\System\jDiURxx.exe
  C:\Windows\System\jDiURxx.exe
  2⤵
  PID:3228
- C:\Windows\System\qkZsaje.exe
  C:\Windows\System\qkZsaje.exe
  2⤵
  PID:3244
- C:\Windows\System\yzGBnWf.exe
  C:\Windows\System\yzGBnWf.exe
  2⤵
  PID:3260
- C:\Windows\System\ZSvblYu.exe
  C:\Windows\System\ZSvblYu.exe
  2⤵
  PID:3276
- C:\Windows\System\TsHkOSs.exe
  C:\Windows\System\TsHkOSs.exe
  2⤵
  PID:3292
- C:\Windows\System\hzGmxuo.exe
  C:\Windows\System\hzGmxuo.exe
  2⤵
  PID:3308
- C:\Windows\System\ceTqszP.exe
  C:\Windows\System\ceTqszP.exe
  2⤵
  PID:3328
- C:\Windows\System\DXQFrlm.exe
  C:\Windows\System\DXQFrlm.exe
  2⤵
  PID:3344
- C:\Windows\System\legFvsw.exe
  C:\Windows\System\legFvsw.exe
  2⤵
  PID:3360
- C:\Windows\System\fNtZKcb.exe
  C:\Windows\System\fNtZKcb.exe
  2⤵
  PID:3376
- C:\Windows\System\EHQeMZU.exe
  C:\Windows\System\EHQeMZU.exe
  2⤵
  PID:3392
- C:\Windows\System\HmQfORC.exe
  C:\Windows\System\HmQfORC.exe
  2⤵
  PID:3440
- C:\Windows\System\BDDwhZd.exe
  C:\Windows\System\BDDwhZd.exe
  2⤵
  PID:3456
- C:\Windows\System\NQwAEap.exe
  C:\Windows\System\NQwAEap.exe
  2⤵
  PID:3472
- C:\Windows\System\oKjgnue.exe
  C:\Windows\System\oKjgnue.exe
  2⤵
  PID:3492
- C:\Windows\System\PYEWrgR.exe
  C:\Windows\System\PYEWrgR.exe
  2⤵
  PID:3508
- C:\Windows\System\MrmvtnZ.exe
  C:\Windows\System\MrmvtnZ.exe
  2⤵
  PID:3524
- C:\Windows\System\kBvLcLq.exe
  C:\Windows\System\kBvLcLq.exe
  2⤵
  PID:3540
- C:\Windows\System\WpZUUGd.exe
  C:\Windows\System\WpZUUGd.exe
  2⤵
  PID:3560
- C:\Windows\System\HLtbiKO.exe
  C:\Windows\System\HLtbiKO.exe
  2⤵
  PID:3576
- C:\Windows\System\AyYNYfp.exe
  C:\Windows\System\AyYNYfp.exe
  2⤵
  PID:3592
- C:\Windows\System\smlAWzo.exe
  C:\Windows\System\smlAWzo.exe
  2⤵
  PID:3608
- C:\Windows\System\VkqONfI.exe
  C:\Windows\System\VkqONfI.exe
  2⤵
  PID:3676
- C:\Windows\System\PiGVixX.exe
  C:\Windows\System\PiGVixX.exe
  2⤵
  PID:3692
- C:\Windows\System\OJLizjz.exe
  C:\Windows\System\OJLizjz.exe
  2⤵
  PID:3712
- C:\Windows\System\wnivYYQ.exe
  C:\Windows\System\wnivYYQ.exe
  2⤵
  PID:3728
- C:\Windows\System\qmpzZlZ.exe
  C:\Windows\System\qmpzZlZ.exe
  2⤵
  PID:3748
- C:\Windows\System\NwIESaZ.exe
  C:\Windows\System\NwIESaZ.exe
  2⤵
  PID:3764
- C:\Windows\System\GcISVGT.exe
  C:\Windows\System\GcISVGT.exe
  2⤵
  PID:4068
- C:\Windows\System\RtPEflV.exe
  C:\Windows\System\RtPEflV.exe
  2⤵
  PID:4084
- C:\Windows\System\kvYicBN.exe
  C:\Windows\System\kvYicBN.exe
  2⤵
  PID:3148
- C:\Windows\System\koPkCeZ.exe
  C:\Windows\System\koPkCeZ.exe
  2⤵
  PID:3124
- C:\Windows\System\bZQKfhc.exe
  C:\Windows\System\bZQKfhc.exe
  2⤵
  PID:2284
- C:\Windows\System\ayUaiGU.exe
  C:\Windows\System\ayUaiGU.exe
  2⤵
  PID:1620
- C:\Windows\System\NhwnNXE.exe
  C:\Windows\System\NhwnNXE.exe
  2⤵
  PID:2536
- C:\Windows\System\MLctfiL.exe
  C:\Windows\System\MLctfiL.exe
  2⤵
  PID:3108
- C:\Windows\System\CfyekEZ.exe
  C:\Windows\System\CfyekEZ.exe
  2⤵
  PID:3240
- C:\Windows\System\fPtLztM.exe
  C:\Windows\System\fPtLztM.exe
  2⤵
  PID:3300
- C:\Windows\System\FcpQpVz.exe
  C:\Windows\System\FcpQpVz.exe
  2⤵
  PID:3160
- C:\Windows\System\zYcNiYD.exe
  C:\Windows\System\zYcNiYD.exe
  2⤵
  PID:3408
- C:\Windows\System\FMgWbwB.exe
  C:\Windows\System\FMgWbwB.exe
  2⤵
  PID:3420
- C:\Windows\System\EIxfgcb.exe
  C:\Windows\System\EIxfgcb.exe
  2⤵
  PID:3176
- C:\Windows\System\xJyJSaA.exe
  C:\Windows\System\xJyJSaA.exe
  2⤵
  PID:3196
- C:\Windows\System\ePWOFvG.exe
  C:\Windows\System\ePWOFvG.exe
  2⤵
  PID:2408
- C:\Windows\System\SAOIOzj.exe
  C:\Windows\System\SAOIOzj.exe
  2⤵
  PID:3256
- C:\Windows\System\enuhymm.exe
  C:\Windows\System\enuhymm.exe
  2⤵
  PID:3320
- C:\Windows\System\kPUqFUU.exe
  C:\Windows\System\kPUqFUU.exe
  2⤵
  PID:3464
- C:\Windows\System\hAikdgf.exe
  C:\Windows\System\hAikdgf.exe
  2⤵
  PID:3500
- C:\Windows\System\LGoreJy.exe
  C:\Windows\System\LGoreJy.exe
  2⤵
  PID:3572
- C:\Windows\System\raPMwOj.exe
  C:\Windows\System\raPMwOj.exe
  2⤵
  PID:3584
- C:\Windows\System\xaSdXzx.exe
  C:\Windows\System\xaSdXzx.exe
  2⤵
  PID:3724
- C:\Windows\System\VARyXUU.exe
  C:\Windows\System\VARyXUU.exe
  2⤵
  PID:3384
- C:\Windows\System\kcuBXuw.exe
  C:\Windows\System\kcuBXuw.exe
  2⤵
  PID:3452
- C:\Windows\System\tbRhUbW.exe
  C:\Windows\System\tbRhUbW.exe
  2⤵
  PID:3488
- C:\Windows\System\CXMzRaO.exe
  C:\Windows\System\CXMzRaO.exe
  2⤵
  PID:3648
- C:\Windows\System\dtkWziU.exe
  C:\Windows\System\dtkWziU.exe
  2⤵
  PID:844
- C:\Windows\System\cAHvXZN.exe
  C:\Windows\System\cAHvXZN.exe
  2⤵
  PID:3628
- C:\Windows\System\LziCGbw.exe
  C:\Windows\System\LziCGbw.exe
  2⤵
  PID:3800
- C:\Windows\System\AKZPfEm.exe
  C:\Windows\System\AKZPfEm.exe
  2⤵
  PID:3848
- C:\Windows\System\WzqWuPx.exe
  C:\Windows\System\WzqWuPx.exe
  2⤵
  PID:3888
- C:\Windows\System\XrMJQBi.exe
  C:\Windows\System\XrMJQBi.exe
  2⤵
  PID:3932
- C:\Windows\System\FgNQRGS.exe
  C:\Windows\System\FgNQRGS.exe
  2⤵
  PID:3836
- C:\Windows\System\fIfLHAS.exe
  C:\Windows\System\fIfLHAS.exe
  2⤵
  PID:3756
- C:\Windows\System\ygcxxPt.exe
  C:\Windows\System\ygcxxPt.exe
  2⤵
  PID:2588
- C:\Windows\System\iOuUGCy.exe
  C:\Windows\System\iOuUGCy.exe
  2⤵
  PID:4048
- C:\Windows\System\utGIfSr.exe
  C:\Windows\System\utGIfSr.exe
  2⤵
  PID:3792
- C:\Windows\System\JcAyEIG.exe
  C:\Windows\System\JcAyEIG.exe
  2⤵
  PID:4012
- C:\Windows\System\ZVFxHGA.exe
  C:\Windows\System\ZVFxHGA.exe
  2⤵
  PID:1040
- C:\Windows\System\dgyQHFW.exe
  C:\Windows\System\dgyQHFW.exe
  2⤵
  PID:3484
- C:\Windows\System\gOMkKVF.exe
  C:\Windows\System\gOMkKVF.exe
  2⤵
  PID:3192
- C:\Windows\System\zWjrcvl.exe
  C:\Windows\System\zWjrcvl.exe
  2⤵
  PID:1192
- C:\Windows\System\AjHUOqk.exe
  C:\Windows\System\AjHUOqk.exe
  2⤵
  PID:4112
- C:\Windows\System\KxFpgFc.exe
  C:\Windows\System\KxFpgFc.exe
  2⤵
  PID:4216
- C:\Windows\System\WIIYjbA.exe
  C:\Windows\System\WIIYjbA.exe
  2⤵
  PID:4476
- C:\Windows\System\PUwEvhw.exe
  C:\Windows\System\PUwEvhw.exe
  2⤵
  PID:4884
- C:\Windows\System\EjiaUiM.exe
  C:\Windows\System\EjiaUiM.exe
  2⤵
  PID:4904
- C:\Windows\System\LxXACsw.exe
  C:\Windows\System\LxXACsw.exe
  2⤵
  PID:4920
- C:\Windows\System\ZxjXhaK.exe
  C:\Windows\System\ZxjXhaK.exe
  2⤵
  PID:5056
- C:\Windows\System\ioHUMnz.exe
  C:\Windows\System\ioHUMnz.exe
  2⤵
  PID:5072
- C:\Windows\System\sELkUUf.exe
  C:\Windows\System\sELkUUf.exe
  2⤵
  PID:5088
- C:\Windows\System\kjinNOb.exe
  C:\Windows\System\kjinNOb.exe
  2⤵
  PID:5104
- C:\Windows\System\UpyuTpH.exe
  C:\Windows\System\UpyuTpH.exe
  2⤵
  PID:4196
- C:\Windows\System\pPmSSCH.exe
  C:\Windows\System\pPmSSCH.exe
  2⤵
  PID:4812
- C:\Windows\System\dJMZYXh.exe
  C:\Windows\System\dJMZYXh.exe
  2⤵
  PID:4876
- C:\Windows\System\ZYbFNxH.exe
  C:\Windows\System\ZYbFNxH.exe
  2⤵
  PID:4544
- C:\Windows\System\LEUmynr.exe
  C:\Windows\System\LEUmynr.exe
  2⤵
  PID:4584
- C:\Windows\System\gHfdeVT.exe
  C:\Windows\System\gHfdeVT.exe
  2⤵
  PID:4760
- C:\Windows\System\UMCtvdi.exe
  C:\Windows\System\UMCtvdi.exe
  2⤵
  PID:4892
- C:\Windows\System\eEHxBah.exe
  C:\Windows\System\eEHxBah.exe
  2⤵
  PID:5036
- C:\Windows\System\jJFhqJw.exe
  C:\Windows\System\jJFhqJw.exe
  2⤵
  PID:4972
- C:\Windows\System\NBUzgSE.exe
  C:\Windows\System\NBUzgSE.exe
  2⤵
  PID:2840
- C:\Windows\System\TNdfpGQ.exe
  C:\Windows\System\TNdfpGQ.exe
  2⤵
  PID:4120
- C:\Windows\System\gHtrlki.exe
  C:\Windows\System\gHtrlki.exe
  2⤵
  PID:1444
- C:\Windows\System\jBgejBC.exe
  C:\Windows\System\jBgejBC.exe
  2⤵
  PID:4176
- C:\Windows\System\NwtJEdL.exe
  C:\Windows\System\NwtJEdL.exe
  2⤵
  PID:3368
- C:\Windows\System\PsLVCPa.exe
  C:\Windows\System\PsLVCPa.exe
  2⤵
  PID:2348
- C:\Windows\System\bhnomZn.exe
  C:\Windows\System\bhnomZn.exe
  2⤵
  PID:3008
- C:\Windows\System\gvgHXGw.exe
  C:\Windows\System\gvgHXGw.exe
  2⤵
  PID:2336
- C:\Windows\System\MlCzTng.exe
  C:\Windows\System\MlCzTng.exe
  2⤵
  PID:4536
- C:\Windows\System\yOCJEqm.exe
  C:\Windows\System\yOCJEqm.exe
  2⤵
  PID:1880
- C:\Windows\System\cSEOaXU.exe
  C:\Windows\System\cSEOaXU.exe
  2⤵
  PID:5128
- C:\Windows\System\OdhBqTw.exe
  C:\Windows\System\OdhBqTw.exe
  2⤵
  PID:5144
- C:\Windows\System\zZqiRZR.exe
  C:\Windows\System\zZqiRZR.exe
  2⤵
  PID:5308
- C:\Windows\System\irPsVsD.exe
  C:\Windows\System\irPsVsD.exe
  2⤵
  PID:5764
- C:\Windows\System\DQnLSsd.exe
  C:\Windows\System\DQnLSsd.exe
  2⤵
  PID:5928
- C:\Windows\System\VGmObqw.exe
  C:\Windows\System\VGmObqw.exe
  2⤵
  PID:5952
- C:\Windows\System\GBRptpv.exe
  C:\Windows\System\GBRptpv.exe
  2⤵
  PID:5968
- C:\Windows\System\Fttcgbk.exe
  C:\Windows\System\Fttcgbk.exe
  2⤵
  PID:5984
- C:\Windows\System\zsNUneb.exe
  C:\Windows\System\zsNUneb.exe
  2⤵
  PID:6000
- C:\Windows\System\bdsUGrm.exe
  C:\Windows\System\bdsUGrm.exe
  2⤵
  PID:6016
- C:\Windows\System\XvauNUv.exe
  C:\Windows\System\XvauNUv.exe
  2⤵
  PID:6032
- C:\Windows\System\UKSXOJV.exe
  C:\Windows\System\UKSXOJV.exe
  2⤵
  PID:6048
- C:\Windows\System\hWEGWQL.exe
  C:\Windows\System\hWEGWQL.exe
  2⤵
  PID:6064
- C:\Windows\System\myvvBKu.exe
  C:\Windows\System\myvvBKu.exe
  2⤵
  PID:6080
- C:\Windows\System\ufxiKGv.exe
  C:\Windows\System\ufxiKGv.exe
  2⤵
  PID:6096
- C:\Windows\System\bRwJPrV.exe
  C:\Windows\System\bRwJPrV.exe
  2⤵
  PID:6112
- C:\Windows\System\AFWJBXB.exe
  C:\Windows\System\AFWJBXB.exe
  2⤵
  PID:6128
- C:\Windows\System\FVCiGSm.exe
  C:\Windows\System\FVCiGSm.exe
  2⤵
  PID:5112
- C:\Windows\System\TNAZCwt.exe
  C:\Windows\System\TNAZCwt.exe
  2⤵
  PID:4676
- C:\Windows\System\PTioLiB.exe
  C:\Windows\System\PTioLiB.exe
  2⤵
  PID:4272
- C:\Windows\System\TMYVNma.exe
  C:\Windows\System\TMYVNma.exe
  2⤵
  PID:2172
- C:\Windows\System\iwOifHK.exe
  C:\Windows\System\iwOifHK.exe
  2⤵
  PID:5136
- C:\Windows\System\DyRzdqd.exe
  C:\Windows\System\DyRzdqd.exe
  2⤵
  PID:4448
- C:\Windows\System\FxjyNkB.exe
  C:\Windows\System\FxjyNkB.exe
  2⤵
  PID:2940
- C:\Windows\System\vVVEfzU.exe
  C:\Windows\System\vVVEfzU.exe
  2⤵
  PID:5152
- C:\Windows\System\QsDFFAz.exe
  C:\Windows\System\QsDFFAz.exe
  2⤵
  PID:5236
- C:\Windows\System\OqHWxYl.exe
  C:\Windows\System\OqHWxYl.exe
  2⤵
  PID:5300
- C:\Windows\System\MLLeuqt.exe
  C:\Windows\System\MLLeuqt.exe
  2⤵
  PID:2148
- C:\Windows\System\UVmNCtr.exe
  C:\Windows\System\UVmNCtr.exe
  2⤵
  PID:2240
- C:\Windows\System\VjvOJOQ.exe
  C:\Windows\System\VjvOJOQ.exe
  2⤵
  PID:5124
- C:\Windows\System\vwPgaxC.exe
  C:\Windows\System\vwPgaxC.exe
  2⤵
  PID:5252
- C:\Windows\System\YnxoQeO.exe
  C:\Windows\System\YnxoQeO.exe
  2⤵
  PID:5176
- C:\Windows\System\zejIEqM.exe
  C:\Windows\System\zejIEqM.exe
  2⤵
  PID:5084
- C:\Windows\System\NyurmEO.exe
  C:\Windows\System\NyurmEO.exe
  2⤵
  PID:4580
- C:\Windows\System\vfOHnwj.exe
  C:\Windows\System\vfOHnwj.exe
  2⤵
  PID:5432
- C:\Windows\System\KmVJZRS.exe
  C:\Windows\System\KmVJZRS.exe
  2⤵
  PID:5100
- C:\Windows\System\CfdqbTB.exe
  C:\Windows\System\CfdqbTB.exe
  2⤵
  PID:5096
- C:\Windows\System\zbQxFXW.exe
  C:\Windows\System\zbQxFXW.exe
  2⤵
  PID:5288
- C:\Windows\System\svvdYQB.exe
  C:\Windows\System\svvdYQB.exe
  2⤵
  PID:5384
- C:\Windows\System\PpYtOuX.exe
  C:\Windows\System\PpYtOuX.exe
  2⤵
  PID:5480
- C:\Windows\System\IZGbOva.exe
  C:\Windows\System\IZGbOva.exe
  2⤵
  PID:5500
- C:\Windows\System\dqSdMIG.exe
  C:\Windows\System\dqSdMIG.exe
  2⤵
  PID:5528
- C:\Windows\System\oURZQXl.exe
  C:\Windows\System\oURZQXl.exe
  2⤵
  PID:5560
- C:\Windows\System\EMeXOCx.exe
  C:\Windows\System\EMeXOCx.exe
  2⤵
  PID:5348
- C:\Windows\System\KMCilNs.exe
  C:\Windows\System\KMCilNs.exe
  2⤵
  PID:5496
- C:\Windows\System\dgpZytj.exe
  C:\Windows\System\dgpZytj.exe
  2⤵
  PID:5660
- C:\Windows\System\RmXvAjT.exe
  C:\Windows\System\RmXvAjT.exe
  2⤵
  PID:5724
- C:\Windows\System\HMNzcwt.exe
  C:\Windows\System\HMNzcwt.exe
  2⤵
  PID:5484
- C:\Windows\System\hQcdVNX.exe
  C:\Windows\System\hQcdVNX.exe
  2⤵
  PID:5580
- C:\Windows\System\QTsGlbc.exe
  C:\Windows\System\QTsGlbc.exe
  2⤵
  PID:976
- C:\Windows\System\vIHRYTO.exe
  C:\Windows\System\vIHRYTO.exe
  2⤵
  PID:5796
- C:\Windows\System\NmrnHQJ.exe
  C:\Windows\System\NmrnHQJ.exe
  2⤵
  PID:5828
- C:\Windows\System\uvUFMvF.exe
  C:\Windows\System\uvUFMvF.exe
  2⤵
  PID:2204
- C:\Windows\System\UFNDvlJ.exe
  C:\Windows\System\UFNDvlJ.exe
  2⤵
  PID:5708
- C:\Windows\System\qvxhkWq.exe
  C:\Windows\System\qvxhkWq.exe
  2⤵
  PID:5844
- C:\Windows\System\UhzunIA.exe
  C:\Windows\System\UhzunIA.exe
  2⤵
  PID:5964
- C:\Windows\System\kCVdjKG.exe
  C:\Windows\System\kCVdjKG.exe
  2⤵
  PID:6028
- C:\Windows\System\IaFIXPu.exe
  C:\Windows\System\IaFIXPu.exe
  2⤵
  PID:5644
- C:\Windows\System\TgheuBl.exe
  C:\Windows\System\TgheuBl.exe
  2⤵
  PID:5840
- C:\Windows\System\ukaHfAr.exe
  C:\Windows\System\ukaHfAr.exe
  2⤵
  PID:4268
- C:\Windows\System\scdStQy.exe
  C:\Windows\System\scdStQy.exe
  2⤵
  PID:6092
- C:\Windows\System\rhdSaqU.exe
  C:\Windows\System\rhdSaqU.exe
  2⤵
  PID:4728
- C:\Windows\System\xGMxYiO.exe
  C:\Windows\System\xGMxYiO.exe
  2⤵
  PID:5936
- C:\Windows\System\MyDSSUI.exe
  C:\Windows\System\MyDSSUI.exe
  2⤵
  PID:6012
- C:\Windows\System\zrYgVFR.exe
  C:\Windows\System\zrYgVFR.exe
  2⤵
  PID:6136
- C:\Windows\System\GcYPgyQ.exe
  C:\Windows\System\GcYPgyQ.exe
  2⤵
  PID:1016
- C:\Windows\System\bsMZKyr.exe
  C:\Windows\System\bsMZKyr.exe
  2⤵
  PID:5020
- C:\Windows\System\WGJXBqP.exe
  C:\Windows\System\WGJXBqP.exe
  2⤵
  PID:6072
- C:\Windows\System\tPIkRTL.exe
  C:\Windows\System\tPIkRTL.exe
  2⤵
  PID:6140
- C:\Windows\System\TtxUJrv.exe
  C:\Windows\System\TtxUJrv.exe
  2⤵
  PID:5180
- C:\Windows\System\YSEUybv.exe
  C:\Windows\System\YSEUybv.exe
  2⤵
  PID:4796
- C:\Windows\System\TznFDil.exe
  C:\Windows\System\TznFDil.exe
  2⤵
  PID:4700
- C:\Windows\System\QItXEwo.exe
  C:\Windows\System\QItXEwo.exe
  2⤵
  PID:5304
- C:\Windows\System\CnFrSfR.exe
  C:\Windows\System\CnFrSfR.exe
  2⤵
  PID:4940
- C:\Windows\System\UxddKha.exe
  C:\Windows\System\UxddKha.exe
  2⤵
  PID:5492
- C:\Windows\System\aUxFBHR.exe
  C:\Windows\System\aUxFBHR.exe
  2⤵
  PID:5168
- C:\Windows\System\FVglKEx.exe
  C:\Windows\System\FVglKEx.exe
  2⤵
  PID:5464
- C:\Windows\System\rkHdNEH.exe
  C:\Windows\System\rkHdNEH.exe
  2⤵
  PID:5336
- C:\Windows\System\NBLbOTa.exe
  C:\Windows\System\NBLbOTa.exe
  2⤵
  PID:5760
- C:\Windows\System\tpjLBRY.exe
  C:\Windows\System\tpjLBRY.exe
  2⤵
  PID:5792
- C:\Windows\System\ZFizYRV.exe
  C:\Windows\System\ZFizYRV.exe
  2⤵
  PID:5740
- C:\Windows\System\myCPzns.exe
  C:\Windows\System\myCPzns.exe
  2⤵
  PID:3960
- C:\Windows\System\FWaErkL.exe
  C:\Windows\System\FWaErkL.exe
  2⤵
  PID:936
- C:\Windows\System\RZXLQqv.exe
  C:\Windows\System\RZXLQqv.exe
  2⤵
  PID:5680
- C:\Windows\System\PiwhPmg.exe
  C:\Windows\System\PiwhPmg.exe
  2⤵
  PID:2064
- C:\Windows\System\WspGAwZ.exe
  C:\Windows\System\WspGAwZ.exe
  2⤵
  PID:4524
- C:\Windows\System\uLTLbwU.exe
  C:\Windows\System\uLTLbwU.exe
  2⤵
  PID:3220
- C:\Windows\System\LGrJFwl.exe
  C:\Windows\System\LGrJFwl.exe
  2⤵
  PID:2504
- C:\Windows\System\AIamcGq.exe
  C:\Windows\System\AIamcGq.exe
  2⤵
  PID:5876
- C:\Windows\System\XXxxdfv.exe
  C:\Windows\System\XXxxdfv.exe
  2⤵
  PID:5980
- C:\Windows\System\SpBXKwr.exe
  C:\Windows\System\SpBXKwr.exe
  2⤵
  PID:5160
- C:\Windows\System\SxNdcVy.exe
  C:\Windows\System\SxNdcVy.exe
  2⤵
  PID:5812
- C:\Windows\System\LtoZQvp.exe
  C:\Windows\System\LtoZQvp.exe
  2⤵
  PID:6176
- C:\Windows\System\NFEdDZl.exe
  C:\Windows\System\NFEdDZl.exe
  2⤵
  PID:6192
- C:\Windows\System\GXFwHir.exe
  C:\Windows\System\GXFwHir.exe
  2⤵
  PID:6308
- C:\Windows\System\TQJTfFG.exe
  C:\Windows\System\TQJTfFG.exe
  2⤵
  PID:6404
- C:\Windows\System\nBpzAvh.exe
  C:\Windows\System\nBpzAvh.exe
  2⤵
  PID:6420
- C:\Windows\System\brPNOOq.exe
  C:\Windows\System\brPNOOq.exe
  2⤵
  PID:6436

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BESPWIb.exe

Filesize
3.3MB

MD5
a7ba67007f20b8c4f5dcf13b53ec44f3

SHA1
42443cd1cbd19ea368821efdd488c1f8f8b6da71

SHA256
6703e80b9dd35690d0b02878068df8810d36ad98f8f5dca27a3b3aa4cb34b744

SHA512
4fb75adf17cf6da7e1427a23cf3bccb55703cec270f67688d5804920ed7bb1e2caada33015394f0d1a526796429ff5aab294822921e5b9d870952d3235ff8747

Download Submit
C:\Windows\system\BMOhqLk.exe

Filesize
3.3MB

MD5
0e94b841d33d6a52dc25b5208b501130

SHA1
da0cd2ac96add4ad56fc0f5cd2033b1f83d8240e

SHA256
4f8d37f196beab5922556c276c93a63dd0b0d6873071c8d4546ead803df98a85

SHA512
20fb90e5b09175dd868c6e3bd07bb4fea6197a03d61b12b774465980c49ddae662a4deb059ff96865023cc427a8aca02b3b08686c776b8ea1b57e41f91e1ed7b

Download Submit
C:\Windows\system\EnrIBsj.exe

Filesize
3.3MB

MD5
bddb25f0a4558b91a1c0cf439567ccbc

SHA1
75be06e444645c59435627d5856643f50d6bda5f

SHA256
7056c8c25cf816541803d547310173a271c376fcf385110706029b4ed04000d9

SHA512
459f4fff3073b531f17a833d44038b5363d323247a59647cf8bf03641537a5ae79e347e787eeb5ba9b2900483f91c6e25b9bf87a617f686b466ce8466e058336

Download Submit
C:\Windows\system\LHTtvcW.exe

Filesize
3.3MB

MD5
c49cdd9f0b0fa5854943a43c051562fa

SHA1
a992a89528c840c02a8ce0a0d368100e986f89b4

SHA256
95e05044557962e62ea0c6344efd2962ea0a787a8d82f92d3100d4f35116670d

SHA512
10f5482e7a56bddacb46846800923d29056a7adda8b5ca27dcc92b89fff73cab9fc30c4c5823dac5d55adbede0e52e7b5af969cd72ed19a7862c0df890a5920b

Download Submit
C:\Windows\system\OjLCxYK.exe

Filesize
3.3MB

MD5
1c825b791dbe8b47fa3c92156f00f856

SHA1
09ee4dc7ff5c4f426c62a98e08ad63abfc77c25b

SHA256
ab4b36875b22e2dd0ef0c668a23fe4cfe2451d1f747af9cd6c55ba69287fca29

SHA512
8acee726a4ce6b406272375c0d27787d06a68542dd53635729eab4847286f5a7c5bf14ccc792b65f9af4165bd6d62457b1e201c72b5d8de5cb9dd0fa868ae567

Download Submit
C:\Windows\system\SPvusxk.exe

Filesize
3.3MB

MD5
d549529d2cead52603995e0b57be3d98

SHA1
ed00b732c60999322650812d713f931ce0344c8f

SHA256
b693e408b8a45671a65a5eb93b03574473e0f9a958636af4aed31e4f5946ba0f

SHA512
9c603573bc8ff19471c974f3ba1fe1202e76d908c060866764d715685b4cb8101b6d51d10a31dd3501c2bda797b9bd9dee28b7450f2530d3138ba0e046cdb984

Download Submit
C:\Windows\system\YkzsgOl.exe

Filesize
3.3MB

MD5
3261f6eb26d4a23594c88ab84facc24d

SHA1
92bc3481bc1b2f3493857100e5ea96975a9babdd

SHA256
3016798d50120680adba19dc7ff6b697166ee8ab6e1c7a826775850de00bc029

SHA512
25fab26b70f88ebf853ef545b40966b4dd541df7efd9c2a1151682316b77315990a0dca6cbaeec49ef966daa3df013c4b8598acb1674e9205995e25205f3dfa2

Download Submit
C:\Windows\system\bHRdTlg.exe

Filesize
3.3MB

MD5
9fc3beb969fa9a9605d5ab2ce5c772cc

SHA1
b97514a5ab7ddd1d3a6c8daba51fa3fb4e1cc0fa

SHA256
63aba4f85d411ce38f12b1945de15bbad2ff08ee54802c7f75e7ff4837a50ec0

SHA512
5c1a78298a82b344e583646af5d82ee8ae888fbc6ed9518a162859492ef3b8b4085fee724347df8a3883cbfc2ae5803812f839fa1239786a6155b6b5f135205a

Download Submit
C:\Windows\system\lUlOgXS.exe

Filesize
3.3MB

MD5
169edf094a6f2e9737ffe9a771944723

SHA1
e70aca24e248690c844a966458a4f4b214bc4418

SHA256
0a0c7f4280fe37b2a1d3e8d4bfcaff9f1d6d93585d988e94ab7f24745066a085

SHA512
903f49b4d59b529cae8401bbbe40021e000c448bc988c4a8f16229a2b001aacbe02e38152e51e30a436e4030e185fae76f9b641c92068d545f87a830b41c3c95

Download Submit
C:\Windows\system\lsvOmEv.exe

Filesize
3.3MB

MD5
a9802204a49769b9b79580fd978f489c

SHA1
9c75275475c69569a7767a64d0cdfb01e0999d6d

SHA256
2974f7a33a4c42c5e02e8039fb58a539d3e6d169824e4038bb9d36dc79ddad99

SHA512
bd411cf68d93179b63a1c7e6a53ad0308df0e5b7ddd29940461ddf4c004e38520ce3cdb4dd7e486f73ecc0b58635d8c16674a2ff9c03436fdfe9a6e3ab38f50f

Download Submit
C:\Windows\system\mOhlNay.exe

Filesize
3.3MB

MD5
451d029480253a46d375ee70d66f2b4a

SHA1
3ff36d18cdd5f9f7451997f25cb6870950f2b238

SHA256
9ecb48054829130dcb09d59a39fb651cff03d1a0954d2b1bd89f3c510abd8964

SHA512
f0f640f6502b1db91b00cef9c460bd29858b9fd675cf7819fba17b50ee41076458e5114b140fe345bf74126d876b3d70c9cd46a721e97e452817043996992737

Download Submit
C:\Windows\system\qDvytIj.exe

Filesize
3.3MB

MD5
79bfdd079ca7bdd644be82956149317a

SHA1
9501522c2577b818f4dd5daf671495e5e90dd26c

SHA256
ea4339cf80761742d05cef5c7bca842f8ed0824e68e35611880d358f589f4121

SHA512
52f1cb461ecd8548249ffd340b77b292687d36c367b5a16ace76528463a7e3482e900f870ce242635e9c0fa53217f4817001fc33fd8821837415bc5c5389f840

Download Submit
C:\Windows\system\yVpvoqF.exe

Filesize
3.3MB

MD5
53f1cd6d3633a005b40769cf1e7232ff

SHA1
89fd3a692befd114188d515f438e220808b3e2ba

SHA256
b7c5eed999d48f72cc5ec6dd6f6fd1eb716f4dcd12d4328a7ce29d316186bcd6

SHA512
74f7f214779c76212cde74f1a928d1b77d3fd7169a7c85a925539499c780b128c78697bceb62016ad35aceec9682a18769aa8be59b93923f1368ee1bd1a918da

Download Submit
\Windows\system\POWXiJJ.exe

Filesize
3.3MB

MD5
20e930f204fa19fec1d6c1af8b58d7f3

SHA1
c9f67859d12214c06327c9dc5d10847d55e2056d

SHA256
a460da8411ed586655f4b7e02d9f09f070ace2a1c16f84c67096e40026fe2ed4

SHA512
0e727d9921f4d5b8db3c4b7b7b78abbb808b78f619b05fb963cbc897ec9c8a940625774c220ec39489f81c628d4ec74f74fe5e655096ed513977c1b83bd16450

Download Submit
\Windows\system\QaouEqs.exe

Filesize
3.3MB

MD5
c4ce01b84f948f898ae520df60395b1a

SHA1
0bd4c133168f761663a0fcb19205e33c3ab8fbe6

SHA256
43164a7e80b15bdecd44aad8a58eef68ef74e95afa306ef8eb277d774ca67fcd

SHA512
e01290b24f0c66eafc08fcf5a1fa745490f652b8761eb0ed23fd5e4db22c375bfecac982fe083b78460fe4edf049ddadafb22efb897aaf122ec2b66d4d4297b9

Download Submit
\Windows\system\hLYFSdL.exe

Filesize
3.3MB

MD5
41f7d2a1cc1b5c10f68ddc31b459a73c

SHA1
dfd8c4f5e253e0276f2df07acdc457faadbe75fc

SHA256
28e5f0822f4c6fc51d6e5c5a5cdb1f1a167e935a092bb3acc239e72671e5573b

SHA512
f527a20c0e440de4301d34feed8ff9da919f1f5d453c4a9e01ad2c5b653aa5d9890123b22c260e9105ae91b42b18c31492a075ad9d03df7e0865babd9c23bb3f

Download Submit
\Windows\system\sFTcCLd.exe

Filesize
3.3MB

MD5
90cd39215df80bac0534298b7a24de61

SHA1
eb8cd5711abb4921c1a6385996610ffcff164317

SHA256
7a158b1a08db8da5a00e5a26864bdcb51d6c741df8bae05b684660abf2b375c2

SHA512
270c1a1471f5c38fffe7d25aee380f4887c4a6cb9ea594c87131b30ef09f6a372911c5254d948ab79c8e99a8f97a876e4b663f4c68bc502a07cc20087436f968

Download Submit
memory/636-1116-0x000000013FE20000-0x0000000140216000-memory.dmp

Filesize
4.0MB

Download
memory/800-1149-0x000000013F100000-0x000000013F4F6000-memory.dmp

Filesize
4.0MB

Download
memory/852-1117-0x000000013FAA0000-0x000000013FE96000-memory.dmp

Filesize
4.0MB

Download
memory/876-967-0x000000013F720000-0x000000013FB16000-memory.dmp

Filesize
4.0MB

Download
memory/1012-1139-0x000000013F2C0000-0x000000013F6B6000-memory.dmp

Filesize
4.0MB

Download
memory/1340-1122-0x000000013F200000-0x000000013F5F6000-memory.dmp

Filesize
4.0MB

Download
memory/1656-589-0x000000013F1D0000-0x000000013F5C6000-memory.dmp

Filesize
4.0MB

Download
memory/1672-1148-0x000000013FB40000-0x000000013FF36000-memory.dmp

Filesize
4.0MB

Download
memory/1964-1129-0x000000013FBE0000-0x000000013FFD6000-memory.dmp

Filesize
4.0MB

Download
memory/2020-928-0x000000013F780000-0x000000013FB76000-memory.dmp

Filesize
4.0MB

Download
memory/2112-1158-0x000000013FCE0000-0x00000001400D6000-memory.dmp

Filesize
4.0MB

Download
memory/2188-1121-0x000000013F8E0000-0x000000013FCD6000-memory.dmp

Filesize
4.0MB

Download
memory/2276-1150-0x000000013F7E0000-0x000000013FBD6000-memory.dmp

Filesize
4.0MB

Download
memory/2436-665-0x000000013FB30000-0x000000013FF26000-memory.dmp

Filesize
4.0MB

Download
memory/2476-1152-0x000000013FF90000-0x0000000140386000-memory.dmp

Filesize
4.0MB

Download
memory/2524-65-0x000000013FBC0000-0x000000013FFB6000-memory.dmp

Filesize
4.0MB

Download
memory/2624-1157-0x000000013F870000-0x000000013FC66000-memory.dmp

Filesize
4.0MB

Download
memory/2720-68-0x000000013FBC0000-0x000000013FFB6000-memory.dmp

Filesize
4.0MB

Download
memory/2756-74-0x000000013F970000-0x000000013FD66000-memory.dmp

Filesize
4.0MB

Download
memory/2864-1151-0x000000013FF50000-0x0000000140346000-memory.dmp

Filesize
4.0MB

Download
memory/3048-0-0x000000013FCF0000-0x00000001400E6000-memory.dmp

Filesize
4.0MB

Download
memory/3048-884-0x00000000034E0000-0x00000000038D6000-memory.dmp

Filesize
4.0MB

Download
memory/3048-718-0x00000000034E0000-0x00000000038D6000-memory.dmp

Filesize
4.0MB

Download
memory/3048-616-0x00000000034E0000-0x00000000038D6000-memory.dmp

Filesize
4.0MB

Download
memory/3048-530-0x00000000034E0000-0x00000000038D6000-memory.dmp

Filesize
4.0MB

Download
memory/3048-408-0x000000013F300000-0x000000013F6F6000-memory.dmp

Filesize
4.0MB

Download
memory/3048-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/3056-375-0x000007FEF4F50000-0x000007FEF58ED000-memory.dmp

Filesize
9.6MB

Download
memory/3056-376-0x0000000002B04000-0x0000000002B07000-memory.dmp

Filesize
12KB

Download
memory/3056-367-0x000007FEF4F50000-0x000007FEF58ED000-memory.dmp

Filesize
9.6MB

Download