xmrig | a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8

Analysis

max time kernel
137s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2024 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
Size

1.3MB
MD5

4dc9318b1dbc223e8fa1910bd9d2c75a
SHA1

14c62fb5f7b6921a77e667637c77088dbdeed46d
SHA256

a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8
SHA512

abda7cfa15843495a96e8f6348d5d2a6c691e4d819eaccb4caf5371676dfb68f7d84b4ec36023ae6ae49352ee21d82b8bffc13dea1a3f93b6873809036cc14b9
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlia+zzDwd+t56p6aGu4DORZwTkhj0LQ0Z:knw9oUUEEDlnd+XRqJZwTKs

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/1588-0-0x00007FF640E20000-0x00007FF641211000-memory.dmp	UPX
behavioral2/files/0x000a000000023ba4-9.dat	UPX
behavioral2/files/0x000c000000023ba0-16.dat	UPX
behavioral2/files/0x000a000000023ba6-21.dat	UPX
behavioral2/memory/3252-37-0x00007FF7ED2D0000-0x00007FF7ED6C1000-memory.dmp	UPX
behavioral2/memory/1796-40-0x00007FF74D940000-0x00007FF74DD31000-memory.dmp	UPX
behavioral2/files/0x000a000000023ba8-42.dat	UPX
behavioral2/files/0x000a000000023bab-57.dat	UPX
behavioral2/files/0x000a000000023bae-71.dat	UPX
behavioral2/files/0x000a000000023baf-77.dat	UPX
behavioral2/files/0x0031000000023bb4-102.dat	UPX
behavioral2/files/0x0031000000023bb5-107.dat	UPX
behavioral2/files/0x000a000000023bb7-117.dat	UPX
behavioral2/files/0x000a000000023bb9-125.dat	UPX
behavioral2/files/0x000a000000023bbd-147.dat	UPX
behavioral2/files/0x000a000000023bc0-162.dat	UPX
behavioral2/memory/1040-389-0x00007FF6248A0000-0x00007FF624C91000-memory.dmp	UPX
behavioral2/memory/3504-391-0x00007FF736A20000-0x00007FF736E11000-memory.dmp	UPX
behavioral2/memory/4564-392-0x00007FF63D780000-0x00007FF63DB71000-memory.dmp	UPX
behavioral2/memory/392-390-0x00007FF698460000-0x00007FF698851000-memory.dmp	UPX
behavioral2/files/0x000a000000023bc1-167.dat	UPX
behavioral2/files/0x000a000000023bbf-157.dat	UPX
behavioral2/files/0x000a000000023bbe-152.dat	UPX
behavioral2/files/0x000a000000023bbc-142.dat	UPX
behavioral2/files/0x000a000000023bbb-137.dat	UPX
behavioral2/files/0x000a000000023bba-132.dat	UPX
behavioral2/files/0x000a000000023bb8-122.dat	UPX
behavioral2/files/0x0031000000023bb6-112.dat	UPX
behavioral2/files/0x000a000000023bb3-97.dat	UPX
behavioral2/files/0x000a000000023bb2-92.dat	UPX
behavioral2/files/0x000a000000023bb1-87.dat	UPX
behavioral2/files/0x000a000000023bb0-82.dat	UPX
behavioral2/files/0x000a000000023bad-67.dat	UPX
behavioral2/files/0x000a000000023bac-62.dat	UPX
behavioral2/files/0x000a000000023baa-52.dat	UPX
behavioral2/files/0x000a000000023ba9-47.dat	UPX
behavioral2/memory/3180-41-0x00007FF609FC0000-0x00007FF60A3B1000-memory.dmp	UPX
behavioral2/files/0x000a000000023ba7-39.dat	UPX
behavioral2/memory/1016-38-0x00007FF6CFA20000-0x00007FF6CFE11000-memory.dmp	UPX
behavioral2/memory/5000-29-0x00007FF759DC0000-0x00007FF75A1B1000-memory.dmp	UPX
behavioral2/memory/2220-26-0x00007FF63DF00000-0x00007FF63E2F1000-memory.dmp	UPX
behavioral2/files/0x000a000000023ba5-24.dat	UPX
behavioral2/memory/1812-13-0x00007FF7F5060000-0x00007FF7F5451000-memory.dmp	UPX
behavioral2/files/0x000c000000023b47-6.dat	UPX
behavioral2/memory/1920-393-0x00007FF6A8D20000-0x00007FF6A9111000-memory.dmp	UPX
behavioral2/memory/620-395-0x00007FF7D0E80000-0x00007FF7D1271000-memory.dmp	UPX
behavioral2/memory/4620-396-0x00007FF656750000-0x00007FF656B41000-memory.dmp	UPX
behavioral2/memory/3188-397-0x00007FF6ED830000-0x00007FF6EDC21000-memory.dmp	UPX
behavioral2/memory/4928-394-0x00007FF7B26A0000-0x00007FF7B2A91000-memory.dmp	UPX
behavioral2/memory/1276-398-0x00007FF75C4D0000-0x00007FF75C8C1000-memory.dmp	UPX
behavioral2/memory/3540-400-0x00007FF6645C0000-0x00007FF6649B1000-memory.dmp	UPX
behavioral2/memory/4124-399-0x00007FF6939C0000-0x00007FF693DB1000-memory.dmp	UPX
behavioral2/memory/4484-401-0x00007FF6B4B60000-0x00007FF6B4F51000-memory.dmp	UPX
behavioral2/memory/1636-403-0x00007FF7D9F20000-0x00007FF7DA311000-memory.dmp	UPX
behavioral2/memory/3632-404-0x00007FF665E90000-0x00007FF666281000-memory.dmp	UPX
behavioral2/memory/2760-402-0x00007FF7981C0000-0x00007FF7985B1000-memory.dmp	UPX
behavioral2/memory/4840-405-0x00007FF6D2C00000-0x00007FF6D2FF1000-memory.dmp	UPX
behavioral2/memory/1588-2001-0x00007FF640E20000-0x00007FF641211000-memory.dmp	UPX
behavioral2/memory/3252-2037-0x00007FF7ED2D0000-0x00007FF7ED6C1000-memory.dmp	UPX
behavioral2/memory/2220-2036-0x00007FF63DF00000-0x00007FF63E2F1000-memory.dmp	UPX
behavioral2/memory/1016-2038-0x00007FF6CFA20000-0x00007FF6CFE11000-memory.dmp	UPX
behavioral2/memory/3180-2039-0x00007FF609FC0000-0x00007FF60A3B1000-memory.dmp	UPX
behavioral2/memory/1812-2041-0x00007FF7F5060000-0x00007FF7F5451000-memory.dmp	UPX
behavioral2/memory/2220-2043-0x00007FF63DF00000-0x00007FF63E2F1000-memory.dmp	UPX

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/1796-40-0x00007FF74D940000-0x00007FF74DD31000-memory.dmp	xmrig
behavioral2/memory/1040-389-0x00007FF6248A0000-0x00007FF624C91000-memory.dmp	xmrig
behavioral2/memory/3504-391-0x00007FF736A20000-0x00007FF736E11000-memory.dmp	xmrig
behavioral2/memory/4564-392-0x00007FF63D780000-0x00007FF63DB71000-memory.dmp	xmrig
behavioral2/memory/392-390-0x00007FF698460000-0x00007FF698851000-memory.dmp	xmrig
behavioral2/memory/5000-29-0x00007FF759DC0000-0x00007FF75A1B1000-memory.dmp	xmrig
behavioral2/memory/1812-13-0x00007FF7F5060000-0x00007FF7F5451000-memory.dmp	xmrig
behavioral2/memory/1920-393-0x00007FF6A8D20000-0x00007FF6A9111000-memory.dmp	xmrig
behavioral2/memory/620-395-0x00007FF7D0E80000-0x00007FF7D1271000-memory.dmp	xmrig
behavioral2/memory/4620-396-0x00007FF656750000-0x00007FF656B41000-memory.dmp	xmrig
behavioral2/memory/3188-397-0x00007FF6ED830000-0x00007FF6EDC21000-memory.dmp	xmrig
behavioral2/memory/4928-394-0x00007FF7B26A0000-0x00007FF7B2A91000-memory.dmp	xmrig
behavioral2/memory/1276-398-0x00007FF75C4D0000-0x00007FF75C8C1000-memory.dmp	xmrig
behavioral2/memory/3540-400-0x00007FF6645C0000-0x00007FF6649B1000-memory.dmp	xmrig
behavioral2/memory/4124-399-0x00007FF6939C0000-0x00007FF693DB1000-memory.dmp	xmrig
behavioral2/memory/4484-401-0x00007FF6B4B60000-0x00007FF6B4F51000-memory.dmp	xmrig
behavioral2/memory/1636-403-0x00007FF7D9F20000-0x00007FF7DA311000-memory.dmp	xmrig
behavioral2/memory/3632-404-0x00007FF665E90000-0x00007FF666281000-memory.dmp	xmrig
behavioral2/memory/2760-402-0x00007FF7981C0000-0x00007FF7985B1000-memory.dmp	xmrig
behavioral2/memory/4840-405-0x00007FF6D2C00000-0x00007FF6D2FF1000-memory.dmp	xmrig
behavioral2/memory/1588-2001-0x00007FF640E20000-0x00007FF641211000-memory.dmp	xmrig
behavioral2/memory/3252-2037-0x00007FF7ED2D0000-0x00007FF7ED6C1000-memory.dmp	xmrig
behavioral2/memory/2220-2036-0x00007FF63DF00000-0x00007FF63E2F1000-memory.dmp	xmrig
behavioral2/memory/1016-2038-0x00007FF6CFA20000-0x00007FF6CFE11000-memory.dmp	xmrig
behavioral2/memory/3180-2039-0x00007FF609FC0000-0x00007FF60A3B1000-memory.dmp	xmrig
behavioral2/memory/1812-2041-0x00007FF7F5060000-0x00007FF7F5451000-memory.dmp	xmrig
behavioral2/memory/2220-2043-0x00007FF63DF00000-0x00007FF63E2F1000-memory.dmp	xmrig
behavioral2/memory/5000-2045-0x00007FF759DC0000-0x00007FF75A1B1000-memory.dmp	xmrig
behavioral2/memory/3252-2049-0x00007FF7ED2D0000-0x00007FF7ED6C1000-memory.dmp	xmrig
behavioral2/memory/1796-2047-0x00007FF74D940000-0x00007FF74DD31000-memory.dmp	xmrig
behavioral2/memory/4928-2061-0x00007FF7B26A0000-0x00007FF7B2A91000-memory.dmp	xmrig
behavioral2/memory/1920-2059-0x00007FF6A8D20000-0x00007FF6A9111000-memory.dmp	xmrig
behavioral2/memory/1040-2057-0x00007FF6248A0000-0x00007FF624C91000-memory.dmp	xmrig
behavioral2/memory/4620-2056-0x00007FF656750000-0x00007FF656B41000-memory.dmp	xmrig
behavioral2/memory/392-2053-0x00007FF698460000-0x00007FF698851000-memory.dmp	xmrig
behavioral2/memory/620-2067-0x00007FF7D0E80000-0x00007FF7D1271000-memory.dmp	xmrig
behavioral2/memory/3504-2065-0x00007FF736A20000-0x00007FF736E11000-memory.dmp	xmrig
behavioral2/memory/4564-2063-0x00007FF63D780000-0x00007FF63DB71000-memory.dmp	xmrig
behavioral2/memory/3180-2051-0x00007FF609FC0000-0x00007FF60A3B1000-memory.dmp	xmrig
behavioral2/memory/3540-2075-0x00007FF6645C0000-0x00007FF6649B1000-memory.dmp	xmrig
behavioral2/memory/1276-2073-0x00007FF75C4D0000-0x00007FF75C8C1000-memory.dmp	xmrig
behavioral2/memory/2760-2087-0x00007FF7981C0000-0x00007FF7985B1000-memory.dmp	xmrig
behavioral2/memory/4124-2071-0x00007FF6939C0000-0x00007FF693DB1000-memory.dmp	xmrig
behavioral2/memory/1636-2083-0x00007FF7D9F20000-0x00007FF7DA311000-memory.dmp	xmrig
behavioral2/memory/3632-2081-0x00007FF665E90000-0x00007FF666281000-memory.dmp	xmrig
behavioral2/memory/3188-2069-0x00007FF6ED830000-0x00007FF6EDC21000-memory.dmp	xmrig
behavioral2/memory/4484-2089-0x00007FF6B4B60000-0x00007FF6B4F51000-memory.dmp	xmrig
behavioral2/memory/4840-2079-0x00007FF6D2C00000-0x00007FF6D2FF1000-memory.dmp	xmrig
behavioral2/memory/1016-2200-0x00007FF6CFA20000-0x00007FF6CFE11000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1812	IoVAFbN.exe
2220	UfXDgKY.exe
1796	BoQExVD.exe
5000	BPyFCsp.exe
3252	PDmgsNK.exe
3180	MhQwJIj.exe
1016	UKuTSLu.exe
1040	FEvNkVH.exe
392	zPcNvXS.exe
3504	CuBLBEt.exe
4564	EOmgJCv.exe
1920	FzlEHen.exe
4928	lgVYuME.exe
620	jVHZBHL.exe
4620	ftjGfbc.exe
3188	lSRSjOM.exe
1276	lLMUWKz.exe
4124	KoeRulm.exe
3540	DliAFjp.exe
4484	DrWbkOL.exe
2760	qgeqfxd.exe
1636	JEASjYo.exe
3632	WnkfNiZ.exe
4840	aCOocTb.exe
1712	AsrCwTX.exe
3776	qrRCScl.exe
1836	GVjGQaE.exe
4236	iZYGhBc.exe
1092	MyhePGG.exe
3800	UJRnCiw.exe
2508	Nliblmh.exe
4912	GiOfNrv.exe
2428	juoqlkl.exe
4588	szSOkEr.exe
4092	aUrMFzc.exe
4536	VMGlrCv.exe
3692	agCyBDj.exe
2160	jztDqqL.exe
1156	HgPQsWG.exe
1572	OipLXwS.exe
5112	ACeBASl.exe
4964	SDGwFjK.exe
1740	xUhCyjs.exe
3788	TJZogVN.exe
3320	mUwgJbA.exe
2772	njbcaQC.exe
4668	DnNPZWU.exe
4676	PesjLip.exe
2868	adSSSQp.exe
3976	tbpVKhj.exe
2060	aPBhcmM.exe
3608	PyWcLts.exe
3344	gwwYAqi.exe
2992	XzgQgHS.exe
2716	coHmcAn.exe
3036	LAiJYou.exe
2568	qgaXHEK.exe
4640	dwWeKUd.exe
4364	yhffooB.exe
3080	sFRXcaC.exe
4488	Bitcwhk.exe
3704	wOcIkak.exe
2068	SfOkuKP.exe
2056	rYbPSpQ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1588-0-0x00007FF640E20000-0x00007FF641211000-memory.dmp	upx
behavioral2/files/0x000a000000023ba4-9.dat	upx
behavioral2/files/0x000c000000023ba0-16.dat	upx
behavioral2/files/0x000a000000023ba6-21.dat	upx
behavioral2/memory/3252-37-0x00007FF7ED2D0000-0x00007FF7ED6C1000-memory.dmp	upx
behavioral2/memory/1796-40-0x00007FF74D940000-0x00007FF74DD31000-memory.dmp	upx
behavioral2/files/0x000a000000023ba8-42.dat	upx
behavioral2/files/0x000a000000023bab-57.dat	upx
behavioral2/files/0x000a000000023bae-71.dat	upx
behavioral2/files/0x000a000000023baf-77.dat	upx
behavioral2/files/0x0031000000023bb4-102.dat	upx
behavioral2/files/0x0031000000023bb5-107.dat	upx
behavioral2/files/0x000a000000023bb7-117.dat	upx
behavioral2/files/0x000a000000023bb9-125.dat	upx
behavioral2/files/0x000a000000023bbd-147.dat	upx
behavioral2/files/0x000a000000023bc0-162.dat	upx
behavioral2/memory/1040-389-0x00007FF6248A0000-0x00007FF624C91000-memory.dmp	upx
behavioral2/memory/3504-391-0x00007FF736A20000-0x00007FF736E11000-memory.dmp	upx
behavioral2/memory/4564-392-0x00007FF63D780000-0x00007FF63DB71000-memory.dmp	upx
behavioral2/memory/392-390-0x00007FF698460000-0x00007FF698851000-memory.dmp	upx
behavioral2/files/0x000a000000023bc1-167.dat	upx
behavioral2/files/0x000a000000023bbf-157.dat	upx
behavioral2/files/0x000a000000023bbe-152.dat	upx
behavioral2/files/0x000a000000023bbc-142.dat	upx
behavioral2/files/0x000a000000023bbb-137.dat	upx
behavioral2/files/0x000a000000023bba-132.dat	upx
behavioral2/files/0x000a000000023bb8-122.dat	upx
behavioral2/files/0x0031000000023bb6-112.dat	upx
behavioral2/files/0x000a000000023bb3-97.dat	upx
behavioral2/files/0x000a000000023bb2-92.dat	upx
behavioral2/files/0x000a000000023bb1-87.dat	upx
behavioral2/files/0x000a000000023bb0-82.dat	upx
behavioral2/files/0x000a000000023bad-67.dat	upx
behavioral2/files/0x000a000000023bac-62.dat	upx
behavioral2/files/0x000a000000023baa-52.dat	upx
behavioral2/files/0x000a000000023ba9-47.dat	upx
behavioral2/memory/3180-41-0x00007FF609FC0000-0x00007FF60A3B1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba7-39.dat	upx
behavioral2/memory/1016-38-0x00007FF6CFA20000-0x00007FF6CFE11000-memory.dmp	upx
behavioral2/memory/5000-29-0x00007FF759DC0000-0x00007FF75A1B1000-memory.dmp	upx
behavioral2/memory/2220-26-0x00007FF63DF00000-0x00007FF63E2F1000-memory.dmp	upx
behavioral2/files/0x000a000000023ba5-24.dat	upx
behavioral2/memory/1812-13-0x00007FF7F5060000-0x00007FF7F5451000-memory.dmp	upx
behavioral2/files/0x000c000000023b47-6.dat	upx
behavioral2/memory/1920-393-0x00007FF6A8D20000-0x00007FF6A9111000-memory.dmp	upx
behavioral2/memory/620-395-0x00007FF7D0E80000-0x00007FF7D1271000-memory.dmp	upx
behavioral2/memory/4620-396-0x00007FF656750000-0x00007FF656B41000-memory.dmp	upx
behavioral2/memory/3188-397-0x00007FF6ED830000-0x00007FF6EDC21000-memory.dmp	upx
behavioral2/memory/4928-394-0x00007FF7B26A0000-0x00007FF7B2A91000-memory.dmp	upx
behavioral2/memory/1276-398-0x00007FF75C4D0000-0x00007FF75C8C1000-memory.dmp	upx
behavioral2/memory/3540-400-0x00007FF6645C0000-0x00007FF6649B1000-memory.dmp	upx
behavioral2/memory/4124-399-0x00007FF6939C0000-0x00007FF693DB1000-memory.dmp	upx
behavioral2/memory/4484-401-0x00007FF6B4B60000-0x00007FF6B4F51000-memory.dmp	upx
behavioral2/memory/1636-403-0x00007FF7D9F20000-0x00007FF7DA311000-memory.dmp	upx
behavioral2/memory/3632-404-0x00007FF665E90000-0x00007FF666281000-memory.dmp	upx
behavioral2/memory/2760-402-0x00007FF7981C0000-0x00007FF7985B1000-memory.dmp	upx
behavioral2/memory/4840-405-0x00007FF6D2C00000-0x00007FF6D2FF1000-memory.dmp	upx
behavioral2/memory/1588-2001-0x00007FF640E20000-0x00007FF641211000-memory.dmp	upx
behavioral2/memory/3252-2037-0x00007FF7ED2D0000-0x00007FF7ED6C1000-memory.dmp	upx
behavioral2/memory/2220-2036-0x00007FF63DF00000-0x00007FF63E2F1000-memory.dmp	upx
behavioral2/memory/1016-2038-0x00007FF6CFA20000-0x00007FF6CFE11000-memory.dmp	upx
behavioral2/memory/3180-2039-0x00007FF609FC0000-0x00007FF60A3B1000-memory.dmp	upx
behavioral2/memory/1812-2041-0x00007FF7F5060000-0x00007FF7F5451000-memory.dmp	upx
behavioral2/memory/2220-2043-0x00007FF63DF00000-0x00007FF63E2F1000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\hRvIvjf.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\iGozpHy.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\QYXjEXT.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\szSOkEr.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\tZCPDWX.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\ReGkEmr.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\HOyYyRY.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\zSjmYjn.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\PDmgsNK.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\rkrLjru.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\XAywyKa.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\uUVwmnk.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\JlnVBKm.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\xoUjktc.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\neqATVq.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\afuxryQ.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\AkdazPI.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\SrbtpcW.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\IotOwzI.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\zqvELuY.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\CoJfLtC.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\RndkBEA.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\qgaXHEK.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\UugtBKW.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\UduEBmV.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\UchQOVw.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\WJRianq.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\SEpTeMh.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\MLddNKD.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\QzyYZch.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\WnkfNiZ.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\Aepmgna.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\CBoaxJG.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\DVzMGFB.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\QvMEmgs.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\loWdrIv.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\RyDjvdg.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\nLmDmim.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\pzsmVyA.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\FudWtTM.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\HTQFEcs.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\tuACbOO.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\hEyGVih.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\Mzrlemp.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\DWXxvWf.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\DVCEJwg.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\LAiJYou.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\gKbalkH.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\UlsFbbt.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\PxSbOyh.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\yZKPWfL.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\kixmDqO.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\XZgLCnJ.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\qubTKgv.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\UfBczcU.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\oellQIu.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\qRMoexI.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\aNmbGbi.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\ERGMckJ.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\pEiCqBX.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\coNiUlW.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\qpLqCzP.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\YYCEdKV.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
File created	C:\Windows\System32\vSCsxlf.exe	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13196	dwm.exe
Token: SeChangeNotifyPrivilege	13196	dwm.exe
Token: 33	13196	dwm.exe
Token: SeIncBasePriorityPrivilege	13196	dwm.exe
Token: SeShutdownPrivilege	13196	dwm.exe
Token: SeCreatePagefilePrivilege	13196	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 1812	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	86
PID 1588 wrote to memory of 1812	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	86
PID 1588 wrote to memory of 1796	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	87
PID 1588 wrote to memory of 1796	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	87
PID 1588 wrote to memory of 2220	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	88
PID 1588 wrote to memory of 2220	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	88
PID 1588 wrote to memory of 5000	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	89
PID 1588 wrote to memory of 5000	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	89
PID 1588 wrote to memory of 3252	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	90
PID 1588 wrote to memory of 3252	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	90
PID 1588 wrote to memory of 3180	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	91
PID 1588 wrote to memory of 3180	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	91
PID 1588 wrote to memory of 1016	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	92
PID 1588 wrote to memory of 1016	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	92
PID 1588 wrote to memory of 1040	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	93
PID 1588 wrote to memory of 1040	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	93
PID 1588 wrote to memory of 392	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	94
PID 1588 wrote to memory of 392	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	94
PID 1588 wrote to memory of 3504	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	95
PID 1588 wrote to memory of 3504	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	95
PID 1588 wrote to memory of 4564	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	96
PID 1588 wrote to memory of 4564	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	96
PID 1588 wrote to memory of 1920	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	97
PID 1588 wrote to memory of 1920	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	97
PID 1588 wrote to memory of 4928	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	98
PID 1588 wrote to memory of 4928	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	98
PID 1588 wrote to memory of 620	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	99
PID 1588 wrote to memory of 620	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	99
PID 1588 wrote to memory of 4620	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	100
PID 1588 wrote to memory of 4620	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	100
PID 1588 wrote to memory of 3188	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	101
PID 1588 wrote to memory of 3188	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	101
PID 1588 wrote to memory of 1276	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	102
PID 1588 wrote to memory of 1276	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	102
PID 1588 wrote to memory of 4124	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	103
PID 1588 wrote to memory of 4124	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	103
PID 1588 wrote to memory of 3540	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	104
PID 1588 wrote to memory of 3540	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	104
PID 1588 wrote to memory of 4484	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	105
PID 1588 wrote to memory of 4484	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	105
PID 1588 wrote to memory of 2760	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	106
PID 1588 wrote to memory of 2760	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	106
PID 1588 wrote to memory of 1636	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	107
PID 1588 wrote to memory of 1636	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	107
PID 1588 wrote to memory of 3632	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	108
PID 1588 wrote to memory of 3632	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	108
PID 1588 wrote to memory of 4840	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	109
PID 1588 wrote to memory of 4840	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	109
PID 1588 wrote to memory of 1712	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	110
PID 1588 wrote to memory of 1712	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	110
PID 1588 wrote to memory of 3776	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	111
PID 1588 wrote to memory of 3776	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	111
PID 1588 wrote to memory of 1836	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	112
PID 1588 wrote to memory of 1836	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	112
PID 1588 wrote to memory of 4236	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	113
PID 1588 wrote to memory of 4236	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	113
PID 1588 wrote to memory of 1092	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	114
PID 1588 wrote to memory of 1092	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	114
PID 1588 wrote to memory of 3800	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	115
PID 1588 wrote to memory of 3800	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	115
PID 1588 wrote to memory of 2508	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	116
PID 1588 wrote to memory of 2508	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	116
PID 1588 wrote to memory of 4912	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	117
PID 1588 wrote to memory of 4912	1588	a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe	117

C:\Users\Admin\AppData\Local\Temp\a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe
"C:\Users\Admin\AppData\Local\Temp\a01a1418daa7d7dc0a86bfd4f306c32b90f0d7be8e8eb037bc0d5090800105a8.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\System32\IoVAFbN.exe
  C:\Windows\System32\IoVAFbN.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System32\BoQExVD.exe
  C:\Windows\System32\BoQExVD.exe
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\System32\UfXDgKY.exe
  C:\Windows\System32\UfXDgKY.exe
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\System32\BPyFCsp.exe
  C:\Windows\System32\BPyFCsp.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System32\PDmgsNK.exe
  C:\Windows\System32\PDmgsNK.exe
  2⤵
  - Executes dropped EXE
  PID:3252
- C:\Windows\System32\MhQwJIj.exe
  C:\Windows\System32\MhQwJIj.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System32\UKuTSLu.exe
  C:\Windows\System32\UKuTSLu.exe
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\System32\FEvNkVH.exe
  C:\Windows\System32\FEvNkVH.exe
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Windows\System32\zPcNvXS.exe
  C:\Windows\System32\zPcNvXS.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System32\CuBLBEt.exe
  C:\Windows\System32\CuBLBEt.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System32\EOmgJCv.exe
  C:\Windows\System32\EOmgJCv.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System32\FzlEHen.exe
  C:\Windows\System32\FzlEHen.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System32\lgVYuME.exe
  C:\Windows\System32\lgVYuME.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System32\jVHZBHL.exe
  C:\Windows\System32\jVHZBHL.exe
  2⤵
  - Executes dropped EXE
  PID:620
- C:\Windows\System32\ftjGfbc.exe
  C:\Windows\System32\ftjGfbc.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Windows\System32\lSRSjOM.exe
  C:\Windows\System32\lSRSjOM.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System32\lLMUWKz.exe
  C:\Windows\System32\lLMUWKz.exe
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\System32\KoeRulm.exe
  C:\Windows\System32\KoeRulm.exe
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Windows\System32\DliAFjp.exe
  C:\Windows\System32\DliAFjp.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System32\DrWbkOL.exe
  C:\Windows\System32\DrWbkOL.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System32\qgeqfxd.exe
  C:\Windows\System32\qgeqfxd.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System32\JEASjYo.exe
  C:\Windows\System32\JEASjYo.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System32\WnkfNiZ.exe
  C:\Windows\System32\WnkfNiZ.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System32\aCOocTb.exe
  C:\Windows\System32\aCOocTb.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System32\AsrCwTX.exe
  C:\Windows\System32\AsrCwTX.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\System32\qrRCScl.exe
  C:\Windows\System32\qrRCScl.exe
  2⤵
  - Executes dropped EXE
  PID:3776
- C:\Windows\System32\GVjGQaE.exe
  C:\Windows\System32\GVjGQaE.exe
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\System32\iZYGhBc.exe
  C:\Windows\System32\iZYGhBc.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System32\MyhePGG.exe
  C:\Windows\System32\MyhePGG.exe
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\System32\UJRnCiw.exe
  C:\Windows\System32\UJRnCiw.exe
  2⤵
  - Executes dropped EXE
  PID:3800
- C:\Windows\System32\Nliblmh.exe
  C:\Windows\System32\Nliblmh.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System32\GiOfNrv.exe
  C:\Windows\System32\GiOfNrv.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System32\juoqlkl.exe
  C:\Windows\System32\juoqlkl.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System32\szSOkEr.exe
  C:\Windows\System32\szSOkEr.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System32\aUrMFzc.exe
  C:\Windows\System32\aUrMFzc.exe
  2⤵
  - Executes dropped EXE
  PID:4092
- C:\Windows\System32\VMGlrCv.exe
  C:\Windows\System32\VMGlrCv.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System32\agCyBDj.exe
  C:\Windows\System32\agCyBDj.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System32\jztDqqL.exe
  C:\Windows\System32\jztDqqL.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System32\HgPQsWG.exe
  C:\Windows\System32\HgPQsWG.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System32\OipLXwS.exe
  C:\Windows\System32\OipLXwS.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System32\ACeBASl.exe
  C:\Windows\System32\ACeBASl.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System32\SDGwFjK.exe
  C:\Windows\System32\SDGwFjK.exe
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\Windows\System32\xUhCyjs.exe
  C:\Windows\System32\xUhCyjs.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System32\TJZogVN.exe
  C:\Windows\System32\TJZogVN.exe
  2⤵
  - Executes dropped EXE
  PID:3788
- C:\Windows\System32\mUwgJbA.exe
  C:\Windows\System32\mUwgJbA.exe
  2⤵
  - Executes dropped EXE
  PID:3320
- C:\Windows\System32\njbcaQC.exe
  C:\Windows\System32\njbcaQC.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System32\DnNPZWU.exe
  C:\Windows\System32\DnNPZWU.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Windows\System32\PesjLip.exe
  C:\Windows\System32\PesjLip.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System32\adSSSQp.exe
  C:\Windows\System32\adSSSQp.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System32\tbpVKhj.exe
  C:\Windows\System32\tbpVKhj.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System32\aPBhcmM.exe
  C:\Windows\System32\aPBhcmM.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System32\PyWcLts.exe
  C:\Windows\System32\PyWcLts.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System32\gwwYAqi.exe
  C:\Windows\System32\gwwYAqi.exe
  2⤵
  - Executes dropped EXE
  PID:3344
- C:\Windows\System32\XzgQgHS.exe
  C:\Windows\System32\XzgQgHS.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System32\coHmcAn.exe
  C:\Windows\System32\coHmcAn.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System32\LAiJYou.exe
  C:\Windows\System32\LAiJYou.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System32\qgaXHEK.exe
  C:\Windows\System32\qgaXHEK.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System32\dwWeKUd.exe
  C:\Windows\System32\dwWeKUd.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System32\yhffooB.exe
  C:\Windows\System32\yhffooB.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System32\sFRXcaC.exe
  C:\Windows\System32\sFRXcaC.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System32\Bitcwhk.exe
  C:\Windows\System32\Bitcwhk.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System32\wOcIkak.exe
  C:\Windows\System32\wOcIkak.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System32\SfOkuKP.exe
  C:\Windows\System32\SfOkuKP.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System32\rYbPSpQ.exe
  C:\Windows\System32\rYbPSpQ.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System32\rWlNpYl.exe
  C:\Windows\System32\rWlNpYl.exe
  2⤵
  PID:3996
- C:\Windows\System32\gswFKSW.exe
  C:\Windows\System32\gswFKSW.exe
  2⤵
  PID:3136
- C:\Windows\System32\tzQDdyb.exe
  C:\Windows\System32\tzQDdyb.exe
  2⤵
  PID:4392
- C:\Windows\System32\wTRGFGW.exe
  C:\Windows\System32\wTRGFGW.exe
  2⤵
  PID:3240
- C:\Windows\System32\QPTwckW.exe
  C:\Windows\System32\QPTwckW.exe
  2⤵
  PID:1940
- C:\Windows\System32\AkdazPI.exe
  C:\Windows\System32\AkdazPI.exe
  2⤵
  PID:3016
- C:\Windows\System32\nKIZSfF.exe
  C:\Windows\System32\nKIZSfF.exe
  2⤵
  PID:4064
- C:\Windows\System32\OkydSUR.exe
  C:\Windows\System32\OkydSUR.exe
  2⤵
  PID:844
- C:\Windows\System32\HUcgGpV.exe
  C:\Windows\System32\HUcgGpV.exe
  2⤵
  PID:1112
- C:\Windows\System32\sroHCqW.exe
  C:\Windows\System32\sroHCqW.exe
  2⤵
  PID:2388
- C:\Windows\System32\zQtFRxs.exe
  C:\Windows\System32\zQtFRxs.exe
  2⤵
  PID:1236
- C:\Windows\System32\JlnVBKm.exe
  C:\Windows\System32\JlnVBKm.exe
  2⤵
  PID:1076
- C:\Windows\System32\zJHFQtg.exe
  C:\Windows\System32\zJHFQtg.exe
  2⤵
  PID:4316
- C:\Windows\System32\fUKsFEa.exe
  C:\Windows\System32\fUKsFEa.exe
  2⤵
  PID:4672
- C:\Windows\System32\OEPPcRU.exe
  C:\Windows\System32\OEPPcRU.exe
  2⤵
  PID:3232
- C:\Windows\System32\LqgSHii.exe
  C:\Windows\System32\LqgSHii.exe
  2⤵
  PID:4324
- C:\Windows\System32\fbkgoLh.exe
  C:\Windows\System32\fbkgoLh.exe
  2⤵
  PID:2436
- C:\Windows\System32\jHYUUid.exe
  C:\Windows\System32\jHYUUid.exe
  2⤵
  PID:5136
- C:\Windows\System32\rmndYWn.exe
  C:\Windows\System32\rmndYWn.exe
  2⤵
  PID:5164
- C:\Windows\System32\nYmgjdg.exe
  C:\Windows\System32\nYmgjdg.exe
  2⤵
  PID:5188
- C:\Windows\System32\DDkUGbk.exe
  C:\Windows\System32\DDkUGbk.exe
  2⤵
  PID:5220
- C:\Windows\System32\hqxRryv.exe
  C:\Windows\System32\hqxRryv.exe
  2⤵
  PID:5248
- C:\Windows\System32\BHavRnP.exe
  C:\Windows\System32\BHavRnP.exe
  2⤵
  PID:5276
- C:\Windows\System32\JNCPfDh.exe
  C:\Windows\System32\JNCPfDh.exe
  2⤵
  PID:5300
- C:\Windows\System32\tRDESho.exe
  C:\Windows\System32\tRDESho.exe
  2⤵
  PID:5336
- C:\Windows\System32\rbOqIfD.exe
  C:\Windows\System32\rbOqIfD.exe
  2⤵
  PID:5360
- C:\Windows\System32\LvVLNem.exe
  C:\Windows\System32\LvVLNem.exe
  2⤵
  PID:5384
- C:\Windows\System32\ujmWVmx.exe
  C:\Windows\System32\ujmWVmx.exe
  2⤵
  PID:5416
- C:\Windows\System32\UugtBKW.exe
  C:\Windows\System32\UugtBKW.exe
  2⤵
  PID:5444
- C:\Windows\System32\hUdxJMJ.exe
  C:\Windows\System32\hUdxJMJ.exe
  2⤵
  PID:5468
- C:\Windows\System32\enoigcb.exe
  C:\Windows\System32\enoigcb.exe
  2⤵
  PID:5500
- C:\Windows\System32\MwmAoOz.exe
  C:\Windows\System32\MwmAoOz.exe
  2⤵
  PID:5528
- C:\Windows\System32\ebNJyea.exe
  C:\Windows\System32\ebNJyea.exe
  2⤵
  PID:5556
- C:\Windows\System32\FXgCTst.exe
  C:\Windows\System32\FXgCTst.exe
  2⤵
  PID:5584
- C:\Windows\System32\wpCPMFm.exe
  C:\Windows\System32\wpCPMFm.exe
  2⤵
  PID:5608
- C:\Windows\System32\UAegExG.exe
  C:\Windows\System32\UAegExG.exe
  2⤵
  PID:5644
- C:\Windows\System32\OXjjtCH.exe
  C:\Windows\System32\OXjjtCH.exe
  2⤵
  PID:5668
- C:\Windows\System32\QvbrNFy.exe
  C:\Windows\System32\QvbrNFy.exe
  2⤵
  PID:5692
- C:\Windows\System32\ECLtISV.exe
  C:\Windows\System32\ECLtISV.exe
  2⤵
  PID:5724
- C:\Windows\System32\NXRjbpO.exe
  C:\Windows\System32\NXRjbpO.exe
  2⤵
  PID:5756
- C:\Windows\System32\etEtWfX.exe
  C:\Windows\System32\etEtWfX.exe
  2⤵
  PID:5776
- C:\Windows\System32\XaQCflQ.exe
  C:\Windows\System32\XaQCflQ.exe
  2⤵
  PID:5808
- C:\Windows\System32\bdotGhW.exe
  C:\Windows\System32\bdotGhW.exe
  2⤵
  PID:5960
- C:\Windows\System32\tVBpdAb.exe
  C:\Windows\System32\tVBpdAb.exe
  2⤵
  PID:5976
- C:\Windows\System32\NBnMyFq.exe
  C:\Windows\System32\NBnMyFq.exe
  2⤵
  PID:5992
- C:\Windows\System32\KHhmaEs.exe
  C:\Windows\System32\KHhmaEs.exe
  2⤵
  PID:6028
- C:\Windows\System32\NmFqLRK.exe
  C:\Windows\System32\NmFqLRK.exe
  2⤵
  PID:6052
- C:\Windows\System32\AdWsOBz.exe
  C:\Windows\System32\AdWsOBz.exe
  2⤵
  PID:6084
- C:\Windows\System32\UduEBmV.exe
  C:\Windows\System32\UduEBmV.exe
  2⤵
  PID:4948
- C:\Windows\System32\bPJkOAB.exe
  C:\Windows\System32\bPJkOAB.exe
  2⤵
  PID:4720
- C:\Windows\System32\flEoZmQ.exe
  C:\Windows\System32\flEoZmQ.exe
  2⤵
  PID:4800
- C:\Windows\System32\LvnYLSn.exe
  C:\Windows\System32\LvnYLSn.exe
  2⤵
  PID:3972
- C:\Windows\System32\MRBPDDJ.exe
  C:\Windows\System32\MRBPDDJ.exe
  2⤵
  PID:5028
- C:\Windows\System32\fduWNpb.exe
  C:\Windows\System32\fduWNpb.exe
  2⤵
  PID:5144
- C:\Windows\System32\paonyUM.exe
  C:\Windows\System32\paonyUM.exe
  2⤵
  PID:5208
- C:\Windows\System32\kcsLAcH.exe
  C:\Windows\System32\kcsLAcH.exe
  2⤵
  PID:5228
- C:\Windows\System32\UzhdENT.exe
  C:\Windows\System32\UzhdENT.exe
  2⤵
  PID:5292
- C:\Windows\System32\MoTElXM.exe
  C:\Windows\System32\MoTElXM.exe
  2⤵
  PID:788
- C:\Windows\System32\OCJlxPo.exe
  C:\Windows\System32\OCJlxPo.exe
  2⤵
  PID:5352
- C:\Windows\System32\KgNvgBz.exe
  C:\Windows\System32\KgNvgBz.exe
  2⤵
  PID:5392
- C:\Windows\System32\JbqSMrm.exe
  C:\Windows\System32\JbqSMrm.exe
  2⤵
  PID:5488
- C:\Windows\System32\fefaJDt.exe
  C:\Windows\System32\fefaJDt.exe
  2⤵
  PID:5536
- C:\Windows\System32\EgBJqtT.exe
  C:\Windows\System32\EgBJqtT.exe
  2⤵
  PID:4864
- C:\Windows\System32\RtSGIoR.exe
  C:\Windows\System32\RtSGIoR.exe
  2⤵
  PID:5628
- C:\Windows\System32\yznrgzR.exe
  C:\Windows\System32\yznrgzR.exe
  2⤵
  PID:5684
- C:\Windows\System32\SZUEkIz.exe
  C:\Windows\System32\SZUEkIz.exe
  2⤵
  PID:3748
- C:\Windows\System32\MtMCyCY.exe
  C:\Windows\System32\MtMCyCY.exe
  2⤵
  PID:1640
- C:\Windows\System32\bTtUXuC.exe
  C:\Windows\System32\bTtUXuC.exe
  2⤵
  PID:2336
- C:\Windows\System32\bJOzAby.exe
  C:\Windows\System32\bJOzAby.exe
  2⤵
  PID:5772
- C:\Windows\System32\BrPgAqo.exe
  C:\Windows\System32\BrPgAqo.exe
  2⤵
  PID:5840
- C:\Windows\System32\CvrWRBY.exe
  C:\Windows\System32\CvrWRBY.exe
  2⤵
  PID:5852
- C:\Windows\System32\mSsoIHg.exe
  C:\Windows\System32\mSsoIHg.exe
  2⤵
  PID:2892
- C:\Windows\System32\UhAUThX.exe
  C:\Windows\System32\UhAUThX.exe
  2⤵
  PID:5880
- C:\Windows\System32\LQeTTAp.exe
  C:\Windows\System32\LQeTTAp.exe
  2⤵
  PID:5952
- C:\Windows\System32\oXnxVDm.exe
  C:\Windows\System32\oXnxVDm.exe
  2⤵
  PID:6036
- C:\Windows\System32\FudWtTM.exe
  C:\Windows\System32\FudWtTM.exe
  2⤵
  PID:6108
- C:\Windows\System32\HgkJilY.exe
  C:\Windows\System32\HgkJilY.exe
  2⤵
  PID:6116
- C:\Windows\System32\punfnow.exe
  C:\Windows\System32\punfnow.exe
  2⤵
  PID:2444
- C:\Windows\System32\IrXUAib.exe
  C:\Windows\System32\IrXUAib.exe
  2⤵
  PID:2952
- C:\Windows\System32\nAfdWZo.exe
  C:\Windows\System32\nAfdWZo.exe
  2⤵
  PID:2332
- C:\Windows\System32\ZvEkoNP.exe
  C:\Windows\System32\ZvEkoNP.exe
  2⤵
  PID:5332
- C:\Windows\System32\ikludnm.exe
  C:\Windows\System32\ikludnm.exe
  2⤵
  PID:2936
- C:\Windows\System32\SZfMHLa.exe
  C:\Windows\System32\SZfMHLa.exe
  2⤵
  PID:920
- C:\Windows\System32\jJLmBDc.exe
  C:\Windows\System32\jJLmBDc.exe
  2⤵
  PID:5564
- C:\Windows\System32\nbBoxwb.exe
  C:\Windows\System32\nbBoxwb.exe
  2⤵
  PID:5660
- C:\Windows\System32\pQjadxt.exe
  C:\Windows\System32\pQjadxt.exe
  2⤵
  PID:624
- C:\Windows\System32\UchQOVw.exe
  C:\Windows\System32\UchQOVw.exe
  2⤵
  PID:2308
- C:\Windows\System32\zWatBdg.exe
  C:\Windows\System32\zWatBdg.exe
  2⤵
  PID:2404
- C:\Windows\System32\ZCEzpxZ.exe
  C:\Windows\System32\ZCEzpxZ.exe
  2⤵
  PID:6064
- C:\Windows\System32\RCjJHpT.exe
  C:\Windows\System32\RCjJHpT.exe
  2⤵
  PID:2752
- C:\Windows\System32\rfWzGRu.exe
  C:\Windows\System32\rfWzGRu.exe
  2⤵
  PID:5204
- C:\Windows\System32\udFSgsW.exe
  C:\Windows\System32\udFSgsW.exe
  2⤵
  PID:1776
- C:\Windows\System32\Bcvjnir.exe
  C:\Windows\System32\Bcvjnir.exe
  2⤵
  PID:5868
- C:\Windows\System32\eWenCfm.exe
  C:\Windows\System32\eWenCfm.exe
  2⤵
  PID:4448
- C:\Windows\System32\sIwCVQs.exe
  C:\Windows\System32\sIwCVQs.exe
  2⤵
  PID:2848
- C:\Windows\System32\ZUFFCQp.exe
  C:\Windows\System32\ZUFFCQp.exe
  2⤵
  PID:5932
- C:\Windows\System32\NQXyGyL.exe
  C:\Windows\System32\NQXyGyL.exe
  2⤵
  PID:6172
- C:\Windows\System32\ruFwvSo.exe
  C:\Windows\System32\ruFwvSo.exe
  2⤵
  PID:6188
- C:\Windows\System32\gLvVDnG.exe
  C:\Windows\System32\gLvVDnG.exe
  2⤵
  PID:6240
- C:\Windows\System32\ULCAXVf.exe
  C:\Windows\System32\ULCAXVf.exe
  2⤵
  PID:6256
- C:\Windows\System32\EQSDZhk.exe
  C:\Windows\System32\EQSDZhk.exe
  2⤵
  PID:6284
- C:\Windows\System32\tZCPDWX.exe
  C:\Windows\System32\tZCPDWX.exe
  2⤵
  PID:6308
- C:\Windows\System32\FRcEayL.exe
  C:\Windows\System32\FRcEayL.exe
  2⤵
  PID:6336
- C:\Windows\System32\iZJlnaL.exe
  C:\Windows\System32\iZJlnaL.exe
  2⤵
  PID:6356
- C:\Windows\System32\hokZipB.exe
  C:\Windows\System32\hokZipB.exe
  2⤵
  PID:6376
- C:\Windows\System32\SCemoyi.exe
  C:\Windows\System32\SCemoyi.exe
  2⤵
  PID:6404
- C:\Windows\System32\vHaGuLB.exe
  C:\Windows\System32\vHaGuLB.exe
  2⤵
  PID:6432
- C:\Windows\System32\jxzPkAJ.exe
  C:\Windows\System32\jxzPkAJ.exe
  2⤵
  PID:6448
- C:\Windows\System32\aNmbGbi.exe
  C:\Windows\System32\aNmbGbi.exe
  2⤵
  PID:6472
- C:\Windows\System32\iTNuHOJ.exe
  C:\Windows\System32\iTNuHOJ.exe
  2⤵
  PID:6492
- C:\Windows\System32\UcxuvvT.exe
  C:\Windows\System32\UcxuvvT.exe
  2⤵
  PID:6516
- C:\Windows\System32\PyUcKox.exe
  C:\Windows\System32\PyUcKox.exe
  2⤵
  PID:6580
- C:\Windows\System32\qFDHqBT.exe
  C:\Windows\System32\qFDHqBT.exe
  2⤵
  PID:6604
- C:\Windows\System32\fZYhdTE.exe
  C:\Windows\System32\fZYhdTE.exe
  2⤵
  PID:6628
- C:\Windows\System32\btZjaGm.exe
  C:\Windows\System32\btZjaGm.exe
  2⤵
  PID:6648
- C:\Windows\System32\HTIYZIY.exe
  C:\Windows\System32\HTIYZIY.exe
  2⤵
  PID:6720
- C:\Windows\System32\boChOda.exe
  C:\Windows\System32\boChOda.exe
  2⤵
  PID:6736
- C:\Windows\System32\HjcBQpC.exe
  C:\Windows\System32\HjcBQpC.exe
  2⤵
  PID:6760
- C:\Windows\System32\KBSwPNd.exe
  C:\Windows\System32\KBSwPNd.exe
  2⤵
  PID:6776
- C:\Windows\System32\WGBYVNg.exe
  C:\Windows\System32\WGBYVNg.exe
  2⤵
  PID:6800
- C:\Windows\System32\bepdGbH.exe
  C:\Windows\System32\bepdGbH.exe
  2⤵
  PID:6824
- C:\Windows\System32\GVHsvho.exe
  C:\Windows\System32\GVHsvho.exe
  2⤵
  PID:6868
- C:\Windows\System32\hMpiLis.exe
  C:\Windows\System32\hMpiLis.exe
  2⤵
  PID:6888
- C:\Windows\System32\YEjEhWf.exe
  C:\Windows\System32\YEjEhWf.exe
  2⤵
  PID:6904
- C:\Windows\System32\kinooda.exe
  C:\Windows\System32\kinooda.exe
  2⤵
  PID:6932
- C:\Windows\System32\yemAVZR.exe
  C:\Windows\System32\yemAVZR.exe
  2⤵
  PID:6956
- C:\Windows\System32\yapsoWl.exe
  C:\Windows\System32\yapsoWl.exe
  2⤵
  PID:7020
- C:\Windows\System32\IglcfdH.exe
  C:\Windows\System32\IglcfdH.exe
  2⤵
  PID:7048
- C:\Windows\System32\mvWOkYD.exe
  C:\Windows\System32\mvWOkYD.exe
  2⤵
  PID:7068
- C:\Windows\System32\loeGNoY.exe
  C:\Windows\System32\loeGNoY.exe
  2⤵
  PID:7104
- C:\Windows\System32\JwXfDCi.exe
  C:\Windows\System32\JwXfDCi.exe
  2⤵
  PID:7120
- C:\Windows\System32\yiSOrnt.exe
  C:\Windows\System32\yiSOrnt.exe
  2⤵
  PID:7136
- C:\Windows\System32\ggdkYBw.exe
  C:\Windows\System32\ggdkYBw.exe
  2⤵
  PID:6148
- C:\Windows\System32\qubTKgv.exe
  C:\Windows\System32\qubTKgv.exe
  2⤵
  PID:6180
- C:\Windows\System32\dDbxqJB.exe
  C:\Windows\System32\dDbxqJB.exe
  2⤵
  PID:6232
- C:\Windows\System32\EZxqrys.exe
  C:\Windows\System32\EZxqrys.exe
  2⤵
  PID:6300
- C:\Windows\System32\MmroaGQ.exe
  C:\Windows\System32\MmroaGQ.exe
  2⤵
  PID:6372
- C:\Windows\System32\JsDdlNM.exe
  C:\Windows\System32\JsDdlNM.exe
  2⤵
  PID:6428
- C:\Windows\System32\vgoQGki.exe
  C:\Windows\System32\vgoQGki.exe
  2⤵
  PID:6424
- C:\Windows\System32\RQFMTzd.exe
  C:\Windows\System32\RQFMTzd.exe
  2⤵
  PID:6592
- C:\Windows\System32\NAgzZoy.exe
  C:\Windows\System32\NAgzZoy.exe
  2⤵
  PID:6664
- C:\Windows\System32\iYRvYxp.exe
  C:\Windows\System32\iYRvYxp.exe
  2⤵
  PID:6708
- C:\Windows\System32\DVUjZIh.exe
  C:\Windows\System32\DVUjZIh.exe
  2⤵
  PID:6772
- C:\Windows\System32\hjwWKjb.exe
  C:\Windows\System32\hjwWKjb.exe
  2⤵
  PID:6808
- C:\Windows\System32\niaduNv.exe
  C:\Windows\System32\niaduNv.exe
  2⤵
  PID:6944
- C:\Windows\System32\jmtjTEY.exe
  C:\Windows\System32\jmtjTEY.exe
  2⤵
  PID:6992
- C:\Windows\System32\uhSiaFn.exe
  C:\Windows\System32\uhSiaFn.exe
  2⤵
  PID:7032
- C:\Windows\System32\UVKRMZP.exe
  C:\Windows\System32\UVKRMZP.exe
  2⤵
  PID:7092
- C:\Windows\System32\xoUjktc.exe
  C:\Windows\System32\xoUjktc.exe
  2⤵
  PID:7116
- C:\Windows\System32\FGlPJiO.exe
  C:\Windows\System32\FGlPJiO.exe
  2⤵
  PID:5972
- C:\Windows\System32\UAKuddQ.exe
  C:\Windows\System32\UAKuddQ.exe
  2⤵
  PID:7160
- C:\Windows\System32\WNBprQI.exe
  C:\Windows\System32\WNBprQI.exe
  2⤵
  PID:6348
- C:\Windows\System32\OvmXrDp.exe
  C:\Windows\System32\OvmXrDp.exe
  2⤵
  PID:6464
- C:\Windows\System32\CiTjpzc.exe
  C:\Windows\System32\CiTjpzc.exe
  2⤵
  PID:6484
- C:\Windows\System32\VxuhPzu.exe
  C:\Windows\System32\VxuhPzu.exe
  2⤵
  PID:6744
- C:\Windows\System32\eWprQsa.exe
  C:\Windows\System32\eWprQsa.exe
  2⤵
  PID:7084
- C:\Windows\System32\RwZsiNG.exe
  C:\Windows\System32\RwZsiNG.exe
  2⤵
  PID:6544
- C:\Windows\System32\nAwusxV.exe
  C:\Windows\System32\nAwusxV.exe
  2⤵
  PID:6884
- C:\Windows\System32\WiQOwJE.exe
  C:\Windows\System32\WiQOwJE.exe
  2⤵
  PID:6272
- C:\Windows\System32\zCQwRxA.exe
  C:\Windows\System32\zCQwRxA.exe
  2⤵
  PID:7012
- C:\Windows\System32\wAqfjYn.exe
  C:\Windows\System32\wAqfjYn.exe
  2⤵
  PID:6792
- C:\Windows\System32\gVtyaVU.exe
  C:\Windows\System32\gVtyaVU.exe
  2⤵
  PID:7192
- C:\Windows\System32\GvMOCcu.exe
  C:\Windows\System32\GvMOCcu.exe
  2⤵
  PID:7208
- C:\Windows\System32\HTQFEcs.exe
  C:\Windows\System32\HTQFEcs.exe
  2⤵
  PID:7248
- C:\Windows\System32\YVVutTa.exe
  C:\Windows\System32\YVVutTa.exe
  2⤵
  PID:7288
- C:\Windows\System32\KQuMfAI.exe
  C:\Windows\System32\KQuMfAI.exe
  2⤵
  PID:7304
- C:\Windows\System32\LXPeCJM.exe
  C:\Windows\System32\LXPeCJM.exe
  2⤵
  PID:7352
- C:\Windows\System32\tuACbOO.exe
  C:\Windows\System32\tuACbOO.exe
  2⤵
  PID:7376
- C:\Windows\System32\DrIaIlW.exe
  C:\Windows\System32\DrIaIlW.exe
  2⤵
  PID:7396
- C:\Windows\System32\HZXKhfy.exe
  C:\Windows\System32\HZXKhfy.exe
  2⤵
  PID:7428
- C:\Windows\System32\qbGiXwV.exe
  C:\Windows\System32\qbGiXwV.exe
  2⤵
  PID:7452
- C:\Windows\System32\RkZVlnC.exe
  C:\Windows\System32\RkZVlnC.exe
  2⤵
  PID:7468
- C:\Windows\System32\ZKUMmgK.exe
  C:\Windows\System32\ZKUMmgK.exe
  2⤵
  PID:7512
- C:\Windows\System32\xbxGaiG.exe
  C:\Windows\System32\xbxGaiG.exe
  2⤵
  PID:7532
- C:\Windows\System32\iCjfiWi.exe
  C:\Windows\System32\iCjfiWi.exe
  2⤵
  PID:7548
- C:\Windows\System32\YkhvSbd.exe
  C:\Windows\System32\YkhvSbd.exe
  2⤵
  PID:7576
- C:\Windows\System32\hEyGVih.exe
  C:\Windows\System32\hEyGVih.exe
  2⤵
  PID:7592
- C:\Windows\System32\JwVlVGd.exe
  C:\Windows\System32\JwVlVGd.exe
  2⤵
  PID:7624
- C:\Windows\System32\dyNITZV.exe
  C:\Windows\System32\dyNITZV.exe
  2⤵
  PID:7680
- C:\Windows\System32\MgPpOvU.exe
  C:\Windows\System32\MgPpOvU.exe
  2⤵
  PID:7704
- C:\Windows\System32\MAhtBuD.exe
  C:\Windows\System32\MAhtBuD.exe
  2⤵
  PID:7732
- C:\Windows\System32\rcvEhHx.exe
  C:\Windows\System32\rcvEhHx.exe
  2⤵
  PID:7772
- C:\Windows\System32\QORylsh.exe
  C:\Windows\System32\QORylsh.exe
  2⤵
  PID:7792
- C:\Windows\System32\vSCsxlf.exe
  C:\Windows\System32\vSCsxlf.exe
  2⤵
  PID:7816
- C:\Windows\System32\WBVtnof.exe
  C:\Windows\System32\WBVtnof.exe
  2⤵
  PID:7848
- C:\Windows\System32\FQnfhDx.exe
  C:\Windows\System32\FQnfhDx.exe
  2⤵
  PID:7864
- C:\Windows\System32\WZdqMwR.exe
  C:\Windows\System32\WZdqMwR.exe
  2⤵
  PID:7884
- C:\Windows\System32\aXeVtVf.exe
  C:\Windows\System32\aXeVtVf.exe
  2⤵
  PID:7932
- C:\Windows\System32\ReGkEmr.exe
  C:\Windows\System32\ReGkEmr.exe
  2⤵
  PID:7956
- C:\Windows\System32\pWnATxN.exe
  C:\Windows\System32\pWnATxN.exe
  2⤵
  PID:7976
- C:\Windows\System32\XnqqIET.exe
  C:\Windows\System32\XnqqIET.exe
  2⤵
  PID:7992
- C:\Windows\System32\KtKYpXC.exe
  C:\Windows\System32\KtKYpXC.exe
  2⤵
  PID:8020
- C:\Windows\System32\xvBJHaF.exe
  C:\Windows\System32\xvBJHaF.exe
  2⤵
  PID:8048
- C:\Windows\System32\vdIbToj.exe
  C:\Windows\System32\vdIbToj.exe
  2⤵
  PID:8068
- C:\Windows\System32\coNiUlW.exe
  C:\Windows\System32\coNiUlW.exe
  2⤵
  PID:8096
- C:\Windows\System32\ChcRJKH.exe
  C:\Windows\System32\ChcRJKH.exe
  2⤵
  PID:8140
- C:\Windows\System32\zJwVQrm.exe
  C:\Windows\System32\zJwVQrm.exe
  2⤵
  PID:8168
- C:\Windows\System32\rkrLjru.exe
  C:\Windows\System32\rkrLjru.exe
  2⤵
  PID:6440
- C:\Windows\System32\tfgIdWa.exe
  C:\Windows\System32\tfgIdWa.exe
  2⤵
  PID:7204
- C:\Windows\System32\wupqJcB.exe
  C:\Windows\System32\wupqJcB.exe
  2⤵
  PID:7236
- C:\Windows\System32\JPChYgl.exe
  C:\Windows\System32\JPChYgl.exe
  2⤵
  PID:7388
- C:\Windows\System32\mhMtaih.exe
  C:\Windows\System32\mhMtaih.exe
  2⤵
  PID:7440
- C:\Windows\System32\IbUtCyu.exe
  C:\Windows\System32\IbUtCyu.exe
  2⤵
  PID:7524
- C:\Windows\System32\ycGCbMu.exe
  C:\Windows\System32\ycGCbMu.exe
  2⤵
  PID:7568
- C:\Windows\System32\OeoLzTR.exe
  C:\Windows\System32\OeoLzTR.exe
  2⤵
  PID:7652
- C:\Windows\System32\XZgLCnJ.exe
  C:\Windows\System32\XZgLCnJ.exe
  2⤵
  PID:7724
- C:\Windows\System32\ibHexMm.exe
  C:\Windows\System32\ibHexMm.exe
  2⤵
  PID:7784
- C:\Windows\System32\JocGOqo.exe
  C:\Windows\System32\JocGOqo.exe
  2⤵
  PID:7808
- C:\Windows\System32\WJRianq.exe
  C:\Windows\System32\WJRianq.exe
  2⤵
  PID:7876
- C:\Windows\System32\OSlGIQf.exe
  C:\Windows\System32\OSlGIQf.exe
  2⤵
  PID:7856
- C:\Windows\System32\pzsmVyA.exe
  C:\Windows\System32\pzsmVyA.exe
  2⤵
  PID:8076
- C:\Windows\System32\wBpoGqB.exe
  C:\Windows\System32\wBpoGqB.exe
  2⤵
  PID:8188
- C:\Windows\System32\kvTVDma.exe
  C:\Windows\System32\kvTVDma.exe
  2⤵
  PID:7228
- C:\Windows\System32\FPdFLsS.exe
  C:\Windows\System32\FPdFLsS.exe
  2⤵
  PID:7340
- C:\Windows\System32\DQLwnXk.exe
  C:\Windows\System32\DQLwnXk.exe
  2⤵
  PID:7844
- C:\Windows\System32\EOjEKGt.exe
  C:\Windows\System32\EOjEKGt.exe
  2⤵
  PID:7964
- C:\Windows\System32\GDOrLWo.exe
  C:\Windows\System32\GDOrLWo.exe
  2⤵
  PID:7984
- C:\Windows\System32\UHGjshl.exe
  C:\Windows\System32\UHGjshl.exe
  2⤵
  PID:8108
- C:\Windows\System32\kgJuxKk.exe
  C:\Windows\System32\kgJuxKk.exe
  2⤵
  PID:8200
- C:\Windows\System32\CyeFbBm.exe
  C:\Windows\System32\CyeFbBm.exe
  2⤵
  PID:8216
- C:\Windows\System32\rRqvMYh.exe
  C:\Windows\System32\rRqvMYh.exe
  2⤵
  PID:8300
- C:\Windows\System32\xZHhVMs.exe
  C:\Windows\System32\xZHhVMs.exe
  2⤵
  PID:8316
- C:\Windows\System32\DmaEdpX.exe
  C:\Windows\System32\DmaEdpX.exe
  2⤵
  PID:8332
- C:\Windows\System32\gxhpsqL.exe
  C:\Windows\System32\gxhpsqL.exe
  2⤵
  PID:8348
- C:\Windows\System32\QUHMPrT.exe
  C:\Windows\System32\QUHMPrT.exe
  2⤵
  PID:8364
- C:\Windows\System32\uXwKebp.exe
  C:\Windows\System32\uXwKebp.exe
  2⤵
  PID:8380
- C:\Windows\System32\XcIBxBg.exe
  C:\Windows\System32\XcIBxBg.exe
  2⤵
  PID:8396
- C:\Windows\System32\vyWffsA.exe
  C:\Windows\System32\vyWffsA.exe
  2⤵
  PID:8412
- C:\Windows\System32\yRKARFt.exe
  C:\Windows\System32\yRKARFt.exe
  2⤵
  PID:8428
- C:\Windows\System32\rSraEoY.exe
  C:\Windows\System32\rSraEoY.exe
  2⤵
  PID:8448
- C:\Windows\System32\oEnaYBA.exe
  C:\Windows\System32\oEnaYBA.exe
  2⤵
  PID:8468
- C:\Windows\System32\WfGWsKO.exe
  C:\Windows\System32\WfGWsKO.exe
  2⤵
  PID:8484
- C:\Windows\System32\uhajRTt.exe
  C:\Windows\System32\uhajRTt.exe
  2⤵
  PID:8500
- C:\Windows\System32\CxaEjUw.exe
  C:\Windows\System32\CxaEjUw.exe
  2⤵
  PID:8516
- C:\Windows\System32\uAmhbdu.exe
  C:\Windows\System32\uAmhbdu.exe
  2⤵
  PID:8540
- C:\Windows\System32\naFXcTe.exe
  C:\Windows\System32\naFXcTe.exe
  2⤵
  PID:8560
- C:\Windows\System32\uYIcLBc.exe
  C:\Windows\System32\uYIcLBc.exe
  2⤵
  PID:8576
- C:\Windows\System32\ICjjTTd.exe
  C:\Windows\System32\ICjjTTd.exe
  2⤵
  PID:8596
- C:\Windows\System32\tEOwCSZ.exe
  C:\Windows\System32\tEOwCSZ.exe
  2⤵
  PID:8676
- C:\Windows\System32\HIhoplq.exe
  C:\Windows\System32\HIhoplq.exe
  2⤵
  PID:8700
- C:\Windows\System32\PrZGmQO.exe
  C:\Windows\System32\PrZGmQO.exe
  2⤵
  PID:8716
- C:\Windows\System32\VxyjNrK.exe
  C:\Windows\System32\VxyjNrK.exe
  2⤵
  PID:8736
- C:\Windows\System32\IRFwswB.exe
  C:\Windows\System32\IRFwswB.exe
  2⤵
  PID:8944
- C:\Windows\System32\kLPiNxw.exe
  C:\Windows\System32\kLPiNxw.exe
  2⤵
  PID:8968
- C:\Windows\System32\fyHANzd.exe
  C:\Windows\System32\fyHANzd.exe
  2⤵
  PID:9000
- C:\Windows\System32\zdAkYiS.exe
  C:\Windows\System32\zdAkYiS.exe
  2⤵
  PID:9044
- C:\Windows\System32\mAtJOxs.exe
  C:\Windows\System32\mAtJOxs.exe
  2⤵
  PID:9060
- C:\Windows\System32\NzWORhD.exe
  C:\Windows\System32\NzWORhD.exe
  2⤵
  PID:9108
- C:\Windows\System32\Mzrlemp.exe
  C:\Windows\System32\Mzrlemp.exe
  2⤵
  PID:9128
- C:\Windows\System32\nQtdwBI.exe
  C:\Windows\System32\nQtdwBI.exe
  2⤵
  PID:9144
- C:\Windows\System32\hWXcJzc.exe
  C:\Windows\System32\hWXcJzc.exe
  2⤵
  PID:9180
- C:\Windows\System32\VNqDvVq.exe
  C:\Windows\System32\VNqDvVq.exe
  2⤵
  PID:7832
- C:\Windows\System32\rkROBPo.exe
  C:\Windows\System32\rkROBPo.exe
  2⤵
  PID:7712
- C:\Windows\System32\BldDPHL.exe
  C:\Windows\System32\BldDPHL.exe
  2⤵
  PID:8288
- C:\Windows\System32\xoFKuMf.exe
  C:\Windows\System32\xoFKuMf.exe
  2⤵
  PID:7296
- C:\Windows\System32\prDnEMH.exe
  C:\Windows\System32\prDnEMH.exe
  2⤵
  PID:7484
- C:\Windows\System32\ZLKBwOF.exe
  C:\Windows\System32\ZLKBwOF.exe
  2⤵
  PID:7640
- C:\Windows\System32\DnxuhAH.exe
  C:\Windows\System32\DnxuhAH.exe
  2⤵
  PID:8388
- C:\Windows\System32\SrbtpcW.exe
  C:\Windows\System32\SrbtpcW.exe
  2⤵
  PID:8492
- C:\Windows\System32\tgLVqXd.exe
  C:\Windows\System32\tgLVqXd.exe
  2⤵
  PID:8248
- C:\Windows\System32\ALVfIka.exe
  C:\Windows\System32\ALVfIka.exe
  2⤵
  PID:8408
- C:\Windows\System32\UyZLSXb.exe
  C:\Windows\System32\UyZLSXb.exe
  2⤵
  PID:8632
- C:\Windows\System32\JWaYvBm.exe
  C:\Windows\System32\JWaYvBm.exe
  2⤵
  PID:8572
- C:\Windows\System32\PRhRQGj.exe
  C:\Windows\System32\PRhRQGj.exe
  2⤵
  PID:8624
- C:\Windows\System32\WfSHvFA.exe
  C:\Windows\System32\WfSHvFA.exe
  2⤵
  PID:8496
- C:\Windows\System32\oAXBErD.exe
  C:\Windows\System32\oAXBErD.exe
  2⤵
  PID:8800
- C:\Windows\System32\fvEhjzY.exe
  C:\Windows\System32\fvEhjzY.exe
  2⤵
  PID:8868
- C:\Windows\System32\GRcVlnR.exe
  C:\Windows\System32\GRcVlnR.exe
  2⤵
  PID:8728
- C:\Windows\System32\wtSrWGd.exe
  C:\Windows\System32\wtSrWGd.exe
  2⤵
  PID:8964
- C:\Windows\System32\FSoMmbQ.exe
  C:\Windows\System32\FSoMmbQ.exe
  2⤵
  PID:9016
- C:\Windows\System32\hRqZapP.exe
  C:\Windows\System32\hRqZapP.exe
  2⤵
  PID:9164
- C:\Windows\System32\bjslFcF.exe
  C:\Windows\System32\bjslFcF.exe
  2⤵
  PID:9160
- C:\Windows\System32\ckCkxed.exe
  C:\Windows\System32\ckCkxed.exe
  2⤵
  PID:8156
- C:\Windows\System32\PcboiUH.exe
  C:\Windows\System32\PcboiUH.exe
  2⤵
  PID:8212
- C:\Windows\System32\qLRFcan.exe
  C:\Windows\System32\qLRFcan.exe
  2⤵
  PID:8420
- C:\Windows\System32\dVSgmsK.exe
  C:\Windows\System32\dVSgmsK.exe
  2⤵
  PID:8456
- C:\Windows\System32\yAhGKjV.exe
  C:\Windows\System32\yAhGKjV.exe
  2⤵
  PID:8324
- C:\Windows\System32\dEabwgZ.exe
  C:\Windows\System32\dEabwgZ.exe
  2⤵
  PID:8808
- C:\Windows\System32\fDlTDie.exe
  C:\Windows\System32\fDlTDie.exe
  2⤵
  PID:8440
- C:\Windows\System32\IotOwzI.exe
  C:\Windows\System32\IotOwzI.exe
  2⤵
  PID:9104
- C:\Windows\System32\PDugRXi.exe
  C:\Windows\System32\PDugRXi.exe
  2⤵
  PID:9056
- C:\Windows\System32\JiEeeXA.exe
  C:\Windows\System32\JiEeeXA.exe
  2⤵
  PID:7752
- C:\Windows\System32\qpLqCzP.exe
  C:\Windows\System32\qpLqCzP.exe
  2⤵
  PID:8344
- C:\Windows\System32\uPUHAgw.exe
  C:\Windows\System32\uPUHAgw.exe
  2⤵
  PID:8792
- C:\Windows\System32\TsCZDrl.exe
  C:\Windows\System32\TsCZDrl.exe
  2⤵
  PID:8836
- C:\Windows\System32\WOkOssq.exe
  C:\Windows\System32\WOkOssq.exe
  2⤵
  PID:8256
- C:\Windows\System32\xrBlwFZ.exe
  C:\Windows\System32\xrBlwFZ.exe
  2⤵
  PID:8360
- C:\Windows\System32\fuVFjrk.exe
  C:\Windows\System32\fuVFjrk.exe
  2⤵
  PID:9232
- C:\Windows\System32\HIcqRXZ.exe
  C:\Windows\System32\HIcqRXZ.exe
  2⤵
  PID:9256
- C:\Windows\System32\HOyYyRY.exe
  C:\Windows\System32\HOyYyRY.exe
  2⤵
  PID:9276
- C:\Windows\System32\BMLnsxf.exe
  C:\Windows\System32\BMLnsxf.exe
  2⤵
  PID:9300
- C:\Windows\System32\ycmxVlT.exe
  C:\Windows\System32\ycmxVlT.exe
  2⤵
  PID:9328
- C:\Windows\System32\quDwlqZ.exe
  C:\Windows\System32\quDwlqZ.exe
  2⤵
  PID:9360
- C:\Windows\System32\UAyVsRf.exe
  C:\Windows\System32\UAyVsRf.exe
  2⤵
  PID:9420
- C:\Windows\System32\eFzaUvj.exe
  C:\Windows\System32\eFzaUvj.exe
  2⤵
  PID:9448
- C:\Windows\System32\ernshOq.exe
  C:\Windows\System32\ernshOq.exe
  2⤵
  PID:9472
- C:\Windows\System32\lLJNHWE.exe
  C:\Windows\System32\lLJNHWE.exe
  2⤵
  PID:9488
- C:\Windows\System32\vmpMZBO.exe
  C:\Windows\System32\vmpMZBO.exe
  2⤵
  PID:9508
- C:\Windows\System32\gcNWgak.exe
  C:\Windows\System32\gcNWgak.exe
  2⤵
  PID:9528
- C:\Windows\System32\SEpTeMh.exe
  C:\Windows\System32\SEpTeMh.exe
  2⤵
  PID:9544
- C:\Windows\System32\ekoHfam.exe
  C:\Windows\System32\ekoHfam.exe
  2⤵
  PID:9600
- C:\Windows\System32\MNpcXew.exe
  C:\Windows\System32\MNpcXew.exe
  2⤵
  PID:9652
- C:\Windows\System32\sqLKxsL.exe
  C:\Windows\System32\sqLKxsL.exe
  2⤵
  PID:9680
- C:\Windows\System32\BBJEhOF.exe
  C:\Windows\System32\BBJEhOF.exe
  2⤵
  PID:9704
- C:\Windows\System32\KBeqaEu.exe
  C:\Windows\System32\KBeqaEu.exe
  2⤵
  PID:9728
- C:\Windows\System32\QDjlRZh.exe
  C:\Windows\System32\QDjlRZh.exe
  2⤵
  PID:9744
- C:\Windows\System32\emYSJCG.exe
  C:\Windows\System32\emYSJCG.exe
  2⤵
  PID:9792
- C:\Windows\System32\VLIpSwz.exe
  C:\Windows\System32\VLIpSwz.exe
  2⤵
  PID:9812
- C:\Windows\System32\MSFmADJ.exe
  C:\Windows\System32\MSFmADJ.exe
  2⤵
  PID:9836
- C:\Windows\System32\HilVuTn.exe
  C:\Windows\System32\HilVuTn.exe
  2⤵
  PID:9860
- C:\Windows\System32\fBuwFHK.exe
  C:\Windows\System32\fBuwFHK.exe
  2⤵
  PID:9876
- C:\Windows\System32\ymlfmZw.exe
  C:\Windows\System32\ymlfmZw.exe
  2⤵
  PID:9908
- C:\Windows\System32\nBSSntb.exe
  C:\Windows\System32\nBSSntb.exe
  2⤵
  PID:9928
- C:\Windows\System32\DWXxvWf.exe
  C:\Windows\System32\DWXxvWf.exe
  2⤵
  PID:9952
- C:\Windows\System32\uuBFTUn.exe
  C:\Windows\System32\uuBFTUn.exe
  2⤵
  PID:9976
- C:\Windows\System32\rzvGyng.exe
  C:\Windows\System32\rzvGyng.exe
  2⤵
  PID:9992
- C:\Windows\System32\IsbwGfD.exe
  C:\Windows\System32\IsbwGfD.exe
  2⤵
  PID:10024
- C:\Windows\System32\YQkMFeQ.exe
  C:\Windows\System32\YQkMFeQ.exe
  2⤵
  PID:10056
- C:\Windows\System32\TwYiXxD.exe
  C:\Windows\System32\TwYiXxD.exe
  2⤵
  PID:10112
- C:\Windows\System32\zXfoXxE.exe
  C:\Windows\System32\zXfoXxE.exe
  2⤵
  PID:10160
- C:\Windows\System32\sXEBzrx.exe
  C:\Windows\System32\sXEBzrx.exe
  2⤵
  PID:10180
- C:\Windows\System32\UfBczcU.exe
  C:\Windows\System32\UfBczcU.exe
  2⤵
  PID:10204
- C:\Windows\System32\JLPyvGD.exe
  C:\Windows\System32\JLPyvGD.exe
  2⤵
  PID:10224
- C:\Windows\System32\xWHpgll.exe
  C:\Windows\System32\xWHpgll.exe
  2⤵
  PID:9220
- C:\Windows\System32\MLddNKD.exe
  C:\Windows\System32\MLddNKD.exe
  2⤵
  PID:9296
- C:\Windows\System32\uLcMTKw.exe
  C:\Windows\System32\uLcMTKw.exe
  2⤵
  PID:9324
- C:\Windows\System32\xRSsSKR.exe
  C:\Windows\System32\xRSsSKR.exe
  2⤵
  PID:9436
- C:\Windows\System32\fZAHurj.exe
  C:\Windows\System32\fZAHurj.exe
  2⤵
  PID:9496
- C:\Windows\System32\zSjmYjn.exe
  C:\Windows\System32\zSjmYjn.exe
  2⤵
  PID:9560
- C:\Windows\System32\wsarZrx.exe
  C:\Windows\System32\wsarZrx.exe
  2⤵
  PID:9580
- C:\Windows\System32\hRvIvjf.exe
  C:\Windows\System32\hRvIvjf.exe
  2⤵
  PID:9776
- C:\Windows\System32\uVIRirw.exe
  C:\Windows\System32\uVIRirw.exe
  2⤵
  PID:9760
- C:\Windows\System32\kKLFkon.exe
  C:\Windows\System32\kKLFkon.exe
  2⤵
  PID:9832
- C:\Windows\System32\CHWWJde.exe
  C:\Windows\System32\CHWWJde.exe
  2⤵
  PID:9936
- C:\Windows\System32\YiLNuMC.exe
  C:\Windows\System32\YiLNuMC.exe
  2⤵
  PID:9968
- C:\Windows\System32\sjPGVtU.exe
  C:\Windows\System32\sjPGVtU.exe
  2⤵
  PID:10032
- C:\Windows\System32\HjrDxLG.exe
  C:\Windows\System32\HjrDxLG.exe
  2⤵
  PID:10084
- C:\Windows\System32\TvtBArA.exe
  C:\Windows\System32\TvtBArA.exe
  2⤵
  PID:10168
- C:\Windows\System32\BpFTkbz.exe
  C:\Windows\System32\BpFTkbz.exe
  2⤵
  PID:10236
- C:\Windows\System32\mIrlUsi.exe
  C:\Windows\System32\mIrlUsi.exe
  2⤵
  PID:9384
- C:\Windows\System32\avGJyzl.exe
  C:\Windows\System32\avGJyzl.exe
  2⤵
  PID:9268
- C:\Windows\System32\xUZafWM.exe
  C:\Windows\System32\xUZafWM.exe
  2⤵
  PID:9464
- C:\Windows\System32\zSVDprA.exe
  C:\Windows\System32\zSVDprA.exe
  2⤵
  PID:9720
- C:\Windows\System32\mTBqDtQ.exe
  C:\Windows\System32\mTBqDtQ.exe
  2⤵
  PID:9872
- C:\Windows\System32\MzsNhRw.exe
  C:\Windows\System32\MzsNhRw.exe
  2⤵
  PID:10148
- C:\Windows\System32\QzyYZch.exe
  C:\Windows\System32\QzyYZch.exe
  2⤵
  PID:9288
- C:\Windows\System32\ezZQUlb.exe
  C:\Windows\System32\ezZQUlb.exe
  2⤵
  PID:10216
- C:\Windows\System32\LrcqXtZ.exe
  C:\Windows\System32\LrcqXtZ.exe
  2⤵
  PID:9432
- C:\Windows\System32\pEiCqBX.exe
  C:\Windows\System32\pEiCqBX.exe
  2⤵
  PID:9416
- C:\Windows\System32\wHBCVqb.exe
  C:\Windows\System32\wHBCVqb.exe
  2⤵
  PID:9984
- C:\Windows\System32\fHZguIu.exe
  C:\Windows\System32\fHZguIu.exe
  2⤵
  PID:10244
- C:\Windows\System32\wdpEmwC.exe
  C:\Windows\System32\wdpEmwC.exe
  2⤵
  PID:10260
- C:\Windows\System32\zbTlFWK.exe
  C:\Windows\System32\zbTlFWK.exe
  2⤵
  PID:10284
- C:\Windows\System32\WjglyKT.exe
  C:\Windows\System32\WjglyKT.exe
  2⤵
  PID:10300
- C:\Windows\System32\iYJXYdr.exe
  C:\Windows\System32\iYJXYdr.exe
  2⤵
  PID:10328
- C:\Windows\System32\mGrXwox.exe
  C:\Windows\System32\mGrXwox.exe
  2⤵
  PID:10352
- C:\Windows\System32\NdvOuPz.exe
  C:\Windows\System32\NdvOuPz.exe
  2⤵
  PID:10408
- C:\Windows\System32\JxFYfpl.exe
  C:\Windows\System32\JxFYfpl.exe
  2⤵
  PID:10452
- C:\Windows\System32\oCpvHuC.exe
  C:\Windows\System32\oCpvHuC.exe
  2⤵
  PID:10476
- C:\Windows\System32\TYLJVZQ.exe
  C:\Windows\System32\TYLJVZQ.exe
  2⤵
  PID:10496
- C:\Windows\System32\EhJEkbW.exe
  C:\Windows\System32\EhJEkbW.exe
  2⤵
  PID:10516
- C:\Windows\System32\DVzMGFB.exe
  C:\Windows\System32\DVzMGFB.exe
  2⤵
  PID:10540
- C:\Windows\System32\pwsmNKw.exe
  C:\Windows\System32\pwsmNKw.exe
  2⤵
  PID:10592
- C:\Windows\System32\UuzTVzT.exe
  C:\Windows\System32\UuzTVzT.exe
  2⤵
  PID:10624
- C:\Windows\System32\DOLEkGe.exe
  C:\Windows\System32\DOLEkGe.exe
  2⤵
  PID:10640
- C:\Windows\System32\rIlaEXC.exe
  C:\Windows\System32\rIlaEXC.exe
  2⤵
  PID:10684
- C:\Windows\System32\QvMEmgs.exe
  C:\Windows\System32\QvMEmgs.exe
  2⤵
  PID:10700
- C:\Windows\System32\MQDPhYM.exe
  C:\Windows\System32\MQDPhYM.exe
  2⤵
  PID:10724
- C:\Windows\System32\pwkfPOd.exe
  C:\Windows\System32\pwkfPOd.exe
  2⤵
  PID:10760
- C:\Windows\System32\YYCEdKV.exe
  C:\Windows\System32\YYCEdKV.exe
  2⤵
  PID:10784
- C:\Windows\System32\uYpHvgI.exe
  C:\Windows\System32\uYpHvgI.exe
  2⤵
  PID:10808
- C:\Windows\System32\OquIFog.exe
  C:\Windows\System32\OquIFog.exe
  2⤵
  PID:10828
- C:\Windows\System32\vzyWEry.exe
  C:\Windows\System32\vzyWEry.exe
  2⤵
  PID:10856
- C:\Windows\System32\cuIyeyL.exe
  C:\Windows\System32\cuIyeyL.exe
  2⤵
  PID:10908
- C:\Windows\System32\ZmosGLc.exe
  C:\Windows\System32\ZmosGLc.exe
  2⤵
  PID:10928
- C:\Windows\System32\BzHLjIC.exe
  C:\Windows\System32\BzHLjIC.exe
  2⤵
  PID:10948
- C:\Windows\System32\qerYuus.exe
  C:\Windows\System32\qerYuus.exe
  2⤵
  PID:10988
- C:\Windows\System32\BtgkazE.exe
  C:\Windows\System32\BtgkazE.exe
  2⤵
  PID:11016
- C:\Windows\System32\xraVltw.exe
  C:\Windows\System32\xraVltw.exe
  2⤵
  PID:11036
- C:\Windows\System32\OFdpMHV.exe
  C:\Windows\System32\OFdpMHV.exe
  2⤵
  PID:11060
- C:\Windows\System32\nZfcekI.exe
  C:\Windows\System32\nZfcekI.exe
  2⤵
  PID:11104
- C:\Windows\System32\Uaspxzp.exe
  C:\Windows\System32\Uaspxzp.exe
  2⤵
  PID:11132
- C:\Windows\System32\uYNPZBy.exe
  C:\Windows\System32\uYNPZBy.exe
  2⤵
  PID:11156
- C:\Windows\System32\zkCBelj.exe
  C:\Windows\System32\zkCBelj.exe
  2⤵
  PID:11184
- C:\Windows\System32\oeHWAPY.exe
  C:\Windows\System32\oeHWAPY.exe
  2⤵
  PID:11216
- C:\Windows\System32\ktIYpDe.exe
  C:\Windows\System32\ktIYpDe.exe
  2⤵
  PID:11244
- C:\Windows\System32\HRDGQYq.exe
  C:\Windows\System32\HRDGQYq.exe
  2⤵
  PID:10256
- C:\Windows\System32\xIROhZl.exe
  C:\Windows\System32\xIROhZl.exe
  2⤵
  PID:10340
- C:\Windows\System32\eZBdJzR.exe
  C:\Windows\System32\eZBdJzR.exe
  2⤵
  PID:4984
- C:\Windows\System32\DBkJqez.exe
  C:\Windows\System32\DBkJqez.exe
  2⤵
  PID:10400
- C:\Windows\System32\loWdrIv.exe
  C:\Windows\System32\loWdrIv.exe
  2⤵
  PID:10424
- C:\Windows\System32\uDRTBAL.exe
  C:\Windows\System32\uDRTBAL.exe
  2⤵
  PID:10532
- C:\Windows\System32\wSGAkmI.exe
  C:\Windows\System32\wSGAkmI.exe
  2⤵
  PID:10576
- C:\Windows\System32\nSbjHjR.exe
  C:\Windows\System32\nSbjHjR.exe
  2⤵
  PID:10676
- C:\Windows\System32\NxoFQvn.exe
  C:\Windows\System32\NxoFQvn.exe
  2⤵
  PID:10708
- C:\Windows\System32\zlMNMdK.exe
  C:\Windows\System32\zlMNMdK.exe
  2⤵
  PID:10752
- C:\Windows\System32\TlAlfCl.exe
  C:\Windows\System32\TlAlfCl.exe
  2⤵
  PID:10780
- C:\Windows\System32\sDIAacH.exe
  C:\Windows\System32\sDIAacH.exe
  2⤵
  PID:10868
- C:\Windows\System32\XDVOARF.exe
  C:\Windows\System32\XDVOARF.exe
  2⤵
  PID:10956
- C:\Windows\System32\qZFKBew.exe
  C:\Windows\System32\qZFKBew.exe
  2⤵
  PID:11024
- C:\Windows\System32\ipBusqD.exe
  C:\Windows\System32\ipBusqD.exe
  2⤵
  PID:11096
- C:\Windows\System32\MQaorWj.exe
  C:\Windows\System32\MQaorWj.exe
  2⤵
  PID:11168
- C:\Windows\System32\GwAjXSL.exe
  C:\Windows\System32\GwAjXSL.exe
  2⤵
  PID:11236
- C:\Windows\System32\GHGaQVW.exe
  C:\Windows\System32\GHGaQVW.exe
  2⤵
  PID:10320
- C:\Windows\System32\ofrKBnH.exe
  C:\Windows\System32\ofrKBnH.exe
  2⤵
  PID:10492
- C:\Windows\System32\yQAKDJB.exe
  C:\Windows\System32\yQAKDJB.exe
  2⤵
  PID:10508
- C:\Windows\System32\HRCnpdN.exe
  C:\Windows\System32\HRCnpdN.exe
  2⤵
  PID:10568
- C:\Windows\System32\ClVBGKk.exe
  C:\Windows\System32\ClVBGKk.exe
  2⤵
  PID:10692
- C:\Windows\System32\RyDjvdg.exe
  C:\Windows\System32\RyDjvdg.exe
  2⤵
  PID:10836
- C:\Windows\System32\JhqMQZe.exe
  C:\Windows\System32\JhqMQZe.exe
  2⤵
  PID:11116
- C:\Windows\System32\tvZpuGB.exe
  C:\Windows\System32\tvZpuGB.exe
  2⤵
  PID:11144
- C:\Windows\System32\Aepmgna.exe
  C:\Windows\System32\Aepmgna.exe
  2⤵
  PID:11192
- C:\Windows\System32\ZCAxkfG.exe
  C:\Windows\System32\ZCAxkfG.exe
  2⤵
  PID:10720
- C:\Windows\System32\JXMEIKb.exe
  C:\Windows\System32\JXMEIKb.exe
  2⤵
  PID:10888
- C:\Windows\System32\GnKvpwH.exe
  C:\Windows\System32\GnKvpwH.exe
  2⤵
  PID:10280
- C:\Windows\System32\jZoChwK.exe
  C:\Windows\System32\jZoChwK.exe
  2⤵
  PID:10604
- C:\Windows\System32\XOmRraH.exe
  C:\Windows\System32\XOmRraH.exe
  2⤵
  PID:11272
- C:\Windows\System32\zhQJuPo.exe
  C:\Windows\System32\zhQJuPo.exe
  2⤵
  PID:11292
- C:\Windows\System32\cDCCfBM.exe
  C:\Windows\System32\cDCCfBM.exe
  2⤵
  PID:11324
- C:\Windows\System32\uABDmJW.exe
  C:\Windows\System32\uABDmJW.exe
  2⤵
  PID:11352
- C:\Windows\System32\aymEbAV.exe
  C:\Windows\System32\aymEbAV.exe
  2⤵
  PID:11404
- C:\Windows\System32\neqATVq.exe
  C:\Windows\System32\neqATVq.exe
  2⤵
  PID:11420
- C:\Windows\System32\ufscjLr.exe
  C:\Windows\System32\ufscjLr.exe
  2⤵
  PID:11448
- C:\Windows\System32\nPOROYT.exe
  C:\Windows\System32\nPOROYT.exe
  2⤵
  PID:11468
- C:\Windows\System32\XiaHqNA.exe
  C:\Windows\System32\XiaHqNA.exe
  2⤵
  PID:11504
- C:\Windows\System32\oellQIu.exe
  C:\Windows\System32\oellQIu.exe
  2⤵
  PID:11520
- C:\Windows\System32\IXBNhms.exe
  C:\Windows\System32\IXBNhms.exe
  2⤵
  PID:11572
- C:\Windows\System32\PMSrHgI.exe
  C:\Windows\System32\PMSrHgI.exe
  2⤵
  PID:11592
- C:\Windows\System32\vmCsVeP.exe
  C:\Windows\System32\vmCsVeP.exe
  2⤵
  PID:11612
- C:\Windows\System32\TuudExv.exe
  C:\Windows\System32\TuudExv.exe
  2⤵
  PID:11628
- C:\Windows\System32\znWLJpt.exe
  C:\Windows\System32\znWLJpt.exe
  2⤵
  PID:11660
- C:\Windows\System32\qRMoexI.exe
  C:\Windows\System32\qRMoexI.exe
  2⤵
  PID:11692
- C:\Windows\System32\zqvELuY.exe
  C:\Windows\System32\zqvELuY.exe
  2⤵
  PID:11728
- C:\Windows\System32\zJUrpLe.exe
  C:\Windows\System32\zJUrpLe.exe
  2⤵
  PID:11756
- C:\Windows\System32\xIabRiY.exe
  C:\Windows\System32\xIabRiY.exe
  2⤵
  PID:11788
- C:\Windows\System32\PxSbOyh.exe
  C:\Windows\System32\PxSbOyh.exe
  2⤵
  PID:11812
- C:\Windows\System32\MKqNvyw.exe
  C:\Windows\System32\MKqNvyw.exe
  2⤵
  PID:11840
- C:\Windows\System32\IusoTqG.exe
  C:\Windows\System32\IusoTqG.exe
  2⤵
  PID:11860
- C:\Windows\System32\zyvApgg.exe
  C:\Windows\System32\zyvApgg.exe
  2⤵
  PID:11904
- C:\Windows\System32\WtUJsWu.exe
  C:\Windows\System32\WtUJsWu.exe
  2⤵
  PID:11924
- C:\Windows\System32\tjMTrBU.exe
  C:\Windows\System32\tjMTrBU.exe
  2⤵
  PID:11948
- C:\Windows\System32\lHMBpYO.exe
  C:\Windows\System32\lHMBpYO.exe
  2⤵
  PID:11968
- C:\Windows\System32\mWCbXmi.exe
  C:\Windows\System32\mWCbXmi.exe
  2⤵
  PID:11988
- C:\Windows\System32\UzIppIN.exe
  C:\Windows\System32\UzIppIN.exe
  2⤵
  PID:12008
- C:\Windows\System32\FUfOrTt.exe
  C:\Windows\System32\FUfOrTt.exe
  2⤵
  PID:12028
- C:\Windows\System32\cRRXbeh.exe
  C:\Windows\System32\cRRXbeh.exe
  2⤵
  PID:12060
- C:\Windows\System32\QYSYqhc.exe
  C:\Windows\System32\QYSYqhc.exe
  2⤵
  PID:12084
- C:\Windows\System32\BQFvRhf.exe
  C:\Windows\System32\BQFvRhf.exe
  2⤵
  PID:12152
- C:\Windows\System32\IlEMnfC.exe
  C:\Windows\System32\IlEMnfC.exe
  2⤵
  PID:12180
- C:\Windows\System32\jgKzDKt.exe
  C:\Windows\System32\jgKzDKt.exe
  2⤵
  PID:12204
- C:\Windows\System32\XAywyKa.exe
  C:\Windows\System32\XAywyKa.exe
  2⤵
  PID:12220
- C:\Windows\System32\ReUEXHY.exe
  C:\Windows\System32\ReUEXHY.exe
  2⤵
  PID:12252
- C:\Windows\System32\NwrXevQ.exe
  C:\Windows\System32\NwrXevQ.exe
  2⤵
  PID:12276
- C:\Windows\System32\VVNnwHy.exe
  C:\Windows\System32\VVNnwHy.exe
  2⤵
  PID:11320
- C:\Windows\System32\BCUPjkc.exe
  C:\Windows\System32\BCUPjkc.exe
  2⤵
  PID:11384
- C:\Windows\System32\yDSCoNt.exe
  C:\Windows\System32\yDSCoNt.exe
  2⤵
  PID:11464
- C:\Windows\System32\NJdcucR.exe
  C:\Windows\System32\NJdcucR.exe
  2⤵
  PID:11488
- C:\Windows\System32\DFMGdOO.exe
  C:\Windows\System32\DFMGdOO.exe
  2⤵
  PID:2704
- C:\Windows\System32\mOJdlHE.exe
  C:\Windows\System32\mOJdlHE.exe
  2⤵
  PID:11608
- C:\Windows\System32\AwWyZkH.exe
  C:\Windows\System32\AwWyZkH.exe
  2⤵
  PID:11676
- C:\Windows\System32\URcguYN.exe
  C:\Windows\System32\URcguYN.exe
  2⤵
  PID:11672
- C:\Windows\System32\encPwhQ.exe
  C:\Windows\System32\encPwhQ.exe
  2⤵
  PID:11740
- C:\Windows\System32\yDYEgrz.exe
  C:\Windows\System32\yDYEgrz.exe
  2⤵
  PID:11796
- C:\Windows\System32\XAmQqPx.exe
  C:\Windows\System32\XAmQqPx.exe
  2⤵
  PID:11836
- C:\Windows\System32\xGNSNuv.exe
  C:\Windows\System32\xGNSNuv.exe
  2⤵
  PID:11912
- C:\Windows\System32\ALtNtVq.exe
  C:\Windows\System32\ALtNtVq.exe
  2⤵
  PID:12020
- C:\Windows\System32\yMfaLiF.exe
  C:\Windows\System32\yMfaLiF.exe
  2⤵
  PID:12128
- C:\Windows\System32\XCuXSsQ.exe
  C:\Windows\System32\XCuXSsQ.exe
  2⤵
  PID:12188
- C:\Windows\System32\dkCaFuN.exe
  C:\Windows\System32\dkCaFuN.exe
  2⤵
  PID:12232
- C:\Windows\System32\jYgieKK.exe
  C:\Windows\System32\jYgieKK.exe
  2⤵
  PID:11364
- C:\Windows\System32\rfEAPax.exe
  C:\Windows\System32\rfEAPax.exe
  2⤵
  PID:11372
- C:\Windows\System32\sIHXhiK.exe
  C:\Windows\System32\sIHXhiK.exe
  2⤵
  PID:11528
- C:\Windows\System32\OlfOfrL.exe
  C:\Windows\System32\OlfOfrL.exe
  2⤵
  PID:3764
- C:\Windows\System32\wNqzXFc.exe
  C:\Windows\System32\wNqzXFc.exe
  2⤵
  PID:5096
- C:\Windows\System32\xwRswTT.exe
  C:\Windows\System32\xwRswTT.exe
  2⤵
  PID:11964
- C:\Windows\System32\IaXinrJ.exe
  C:\Windows\System32\IaXinrJ.exe
  2⤵
  PID:12068
- C:\Windows\System32\jOmHzRh.exe
  C:\Windows\System32\jOmHzRh.exe
  2⤵
  PID:12212
- C:\Windows\System32\rrsKObq.exe
  C:\Windows\System32\rrsKObq.exe
  2⤵
  PID:11544
- C:\Windows\System32\wuNyfFq.exe
  C:\Windows\System32\wuNyfFq.exe
  2⤵
  PID:11876
- C:\Windows\System32\MHJqQsW.exe
  C:\Windows\System32\MHJqQsW.exe
  2⤵
  PID:11932
- C:\Windows\System32\nVjxcLX.exe
  C:\Windows\System32\nVjxcLX.exe
  2⤵
  PID:10656
- C:\Windows\System32\iFovzjF.exe
  C:\Windows\System32\iFovzjF.exe
  2⤵
  PID:12192
- C:\Windows\System32\xLqDflu.exe
  C:\Windows\System32\xLqDflu.exe
  2⤵
  PID:12308
- C:\Windows\System32\iGozpHy.exe
  C:\Windows\System32\iGozpHy.exe
  2⤵
  PID:12324
- C:\Windows\System32\YAgzHgF.exe
  C:\Windows\System32\YAgzHgF.exe
  2⤵
  PID:12356
- C:\Windows\System32\AzbExkb.exe
  C:\Windows\System32\AzbExkb.exe
  2⤵
  PID:12376
- C:\Windows\System32\kzJWiiQ.exe
  C:\Windows\System32\kzJWiiQ.exe
  2⤵
  PID:12424
- C:\Windows\System32\ojxPXGU.exe
  C:\Windows\System32\ojxPXGU.exe
  2⤵
  PID:12468
- C:\Windows\System32\CXIfXts.exe
  C:\Windows\System32\CXIfXts.exe
  2⤵
  PID:12484
- C:\Windows\System32\QQFqucv.exe
  C:\Windows\System32\QQFqucv.exe
  2⤵
  PID:12532
- C:\Windows\System32\VPdCGWK.exe
  C:\Windows\System32\VPdCGWK.exe
  2⤵
  PID:12552
- C:\Windows\System32\KpGpKit.exe
  C:\Windows\System32\KpGpKit.exe
  2⤵
  PID:12580
- C:\Windows\System32\JDDGStt.exe
  C:\Windows\System32\JDDGStt.exe
  2⤵
  PID:12608
- C:\Windows\System32\fIgIWpP.exe
  C:\Windows\System32\fIgIWpP.exe
  2⤵
  PID:12624
- C:\Windows\System32\uEijWFA.exe
  C:\Windows\System32\uEijWFA.exe
  2⤵
  PID:12672
- C:\Windows\System32\OrNDKBm.exe
  C:\Windows\System32\OrNDKBm.exe
  2⤵
  PID:12692
- C:\Windows\System32\ybLnlzR.exe
  C:\Windows\System32\ybLnlzR.exe
  2⤵
  PID:12720
- C:\Windows\System32\DVCEJwg.exe
  C:\Windows\System32\DVCEJwg.exe
  2⤵
  PID:12752
- C:\Windows\System32\tRideDU.exe
  C:\Windows\System32\tRideDU.exe
  2⤵
  PID:12776
- C:\Windows\System32\ofSjNKy.exe
  C:\Windows\System32\ofSjNKy.exe
  2⤵
  PID:12812
- C:\Windows\System32\jehDPOH.exe
  C:\Windows\System32\jehDPOH.exe
  2⤵
  PID:12852
- C:\Windows\System32\JehPvQA.exe
  C:\Windows\System32\JehPvQA.exe
  2⤵
  PID:12868
- C:\Windows\System32\eiYFyjE.exe
  C:\Windows\System32\eiYFyjE.exe
  2⤵
  PID:12888
- C:\Windows\System32\CBoaxJG.exe
  C:\Windows\System32\CBoaxJG.exe
  2⤵
  PID:12912
- C:\Windows\System32\pknSuWX.exe
  C:\Windows\System32\pknSuWX.exe
  2⤵
  PID:12928
- C:\Windows\System32\npTlIUV.exe
  C:\Windows\System32\npTlIUV.exe
  2⤵
  PID:13000
- C:\Windows\System32\FSaExTE.exe
  C:\Windows\System32\FSaExTE.exe
  2⤵
  PID:13020
- C:\Windows\System32\TUENPWU.exe
  C:\Windows\System32\TUENPWU.exe
  2⤵
  PID:13036
- C:\Windows\System32\QYXjEXT.exe
  C:\Windows\System32\QYXjEXT.exe
  2⤵
  PID:13056
- C:\Windows\System32\wWgZQmj.exe
  C:\Windows\System32\wWgZQmj.exe
  2⤵
  PID:13076
- C:\Windows\System32\ejtyAQp.exe
  C:\Windows\System32\ejtyAQp.exe
  2⤵
  PID:13108
- C:\Windows\System32\akilNoX.exe
  C:\Windows\System32\akilNoX.exe
  2⤵
  PID:13124
- C:\Windows\System32\AnJOZSE.exe
  C:\Windows\System32\AnJOZSE.exe
  2⤵
  PID:13172
- C:\Windows\System32\XQbxhoh.exe
  C:\Windows\System32\XQbxhoh.exe
  2⤵
  PID:13216
- C:\Windows\System32\oJDNkzi.exe
  C:\Windows\System32\oJDNkzi.exe
  2⤵
  PID:13244
- C:\Windows\System32\hbPWoCm.exe
  C:\Windows\System32\hbPWoCm.exe
  2⤵
  PID:13280
- C:\Windows\System32\DhhQvnQ.exe
  C:\Windows\System32\DhhQvnQ.exe
  2⤵
  PID:13300
- C:\Windows\System32\OqcejeA.exe
  C:\Windows\System32\OqcejeA.exe
  2⤵
  PID:12040
- C:\Windows\System32\JgPxltg.exe
  C:\Windows\System32\JgPxltg.exe
  2⤵
  PID:12320
- C:\Windows\System32\lUKnDpk.exe
  C:\Windows\System32\lUKnDpk.exe
  2⤵
  PID:12352
- C:\Windows\System32\WbycOKR.exe
  C:\Windows\System32\WbycOKR.exe
  2⤵
  PID:12444
- C:\Windows\System32\mzMcEZd.exe
  C:\Windows\System32\mzMcEZd.exe
  2⤵
  PID:12548
- C:\Windows\System32\WJRMyDq.exe
  C:\Windows\System32\WJRMyDq.exe
  2⤵
  PID:12616
- C:\Windows\System32\pPsckdP.exe
  C:\Windows\System32\pPsckdP.exe
  2⤵
  PID:12640
- C:\Windows\System32\nHHeRRB.exe
  C:\Windows\System32\nHHeRRB.exe
  2⤵
  PID:12736
- C:\Windows\System32\cHELNcr.exe
  C:\Windows\System32\cHELNcr.exe
  2⤵
  PID:12788
- C:\Windows\System32\qMcezbk.exe
  C:\Windows\System32\qMcezbk.exe
  2⤵
  PID:12832

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AsrCwTX.exe

Filesize
1.3MB

MD5
c426fab7f356715a2d937cedbf8f6b27

SHA1
024958d2ff9f1a075cc9fce5a416e3bb00317257

SHA256
88b964b13b45f66eb0007c67201f100eb83189a3eec22f7cca84ff07239ee5ee

SHA512
04ffef8540495f6413adb7767e960185df31ce4f613dfce6b18aa9a63468bace7a192f45a0b053ffadb3f8601e2073ec33a8f7a4c93a7b29524c9ae03cf6fcfc

Download Submit
C:\Windows\System32\BPyFCsp.exe

Filesize
1.3MB

MD5
16cbc397f8e09484c51d725bb5b395fd

SHA1
259dc2727a535b04d024ba6451930311075de663

SHA256
e9b35fbfd44015fb2cab94a65b982e65350f2b266aadea17b0641a026648e5b3

SHA512
ec73877a60f299497466b0f4a6281ff13eed4041fba00317e8b918347b57db310a93e1986505d9d28fa8ff4e5dfebc8aa6a01c2e4a0ac0d736da90fdffd73218

Download Submit
C:\Windows\System32\BoQExVD.exe

Filesize
1.3MB

MD5
cda9cf51aec41e8c7889e62c48770e2e

SHA1
22e603918c2921dd5fd77b6b8dc3ad24abd09a9b

SHA256
0704dcafa321c9ba961d48f5f7993964b96845f8c1b04f264fadefc7e1741498

SHA512
718df01ae33bf696dfa329e7b64fdbd5994034faf0619f13b88cbdecee553b2c2cca4c0e8adee8c44a532f4411082ba2710dae934021f980a0e39412f694064b

Download Submit
C:\Windows\System32\CuBLBEt.exe

Filesize
1.3MB

MD5
47bcc4c1700f3c67c61ac231e10c8840

SHA1
7fcdef8b81a8ac22bd9797f24398ebca7feb3eb8

SHA256
6d2f084f624733d7418bc5459b4fe52c7423e006bc03d4877c417f5d6b14b210

SHA512
5a60550a746c1deefc29942b38ec43bafb741d393168c546075464519c2b9ceb4d94c201db3255c7a7e1597d2281f8c8d3c5552376366b85790626957debb47c

Download Submit
C:\Windows\System32\DliAFjp.exe

Filesize
1.3MB

MD5
16eeac9d95a329acd63f64611b5f3e09

SHA1
1ebec163df02a656069ae25e3e4caf70c1875989

SHA256
3d76ededcf9c30618687a7fc0a94eb92ea7cebb61477071b477bb8556c2ed494

SHA512
876c153524594a315daad1a90be7f103f8b98319d0569761ea9e817f186ba55dff5ed86724d85e2d8679bd287c168ec430dd241d35cf690ecb3e5b56af8c4746

Download Submit
C:\Windows\System32\DrWbkOL.exe

Filesize
1.3MB

MD5
36a1de36b51dcd5a5c0b1f3f464c6ed7

SHA1
c98d0b1c24a9a279e4d19ab2b08fdcd9b77d770b

SHA256
44d58ef94a94795e9ef5a148dd6c74b55b59fbeb54be6549141815091bf765f6

SHA512
2e5f2c901b527ede442304c09522ee1ba7a3d6003f7ad32848a0b89d43a3ed6f000c2ea132bcff5305dad7bbad1fb47b3b9759efdc1ef8a46c725a1df18e3c96

Download Submit
C:\Windows\System32\EOmgJCv.exe

Filesize
1.3MB

MD5
dd9f55ac0c9ce276b374f9846c007fd5

SHA1
412a9a545599ba90bfbf42c45f45a4930cb4e90c

SHA256
d64053d179cb0add3474093f2cddd36d2d6c99ea70fd939fa4ef2b9189f299dd

SHA512
cdc129129fc9266904c5331ed513ef51a1ca48e7ddec2920c3eb6375f93b17166ebd9761e5b759580a02b91228f29b8d645ab4c7b6c6c7ebe9eaefa2b4262698

Download Submit
C:\Windows\System32\FEvNkVH.exe

Filesize
1.3MB

MD5
0f9b9b368c350d69a543298ad4936e73

SHA1
3f727acbda048a1f35000419eacfef681bb9f311

SHA256
2a14d11dac1a59ee529cfc4fcef14d558c88e536d990169deb25a4b38391967a

SHA512
31e978db06582afbb7c5e61e95655caf033b0481a9525cfc7293fdcfef40d4c54f41ab9f2284eee990ccdcb53e7b5338c34d15707c3a20b0ec34996e1fd1b83c

Download Submit
C:\Windows\System32\FzlEHen.exe

Filesize
1.3MB

MD5
94ab18549b9e81045a8d776072ad53cf

SHA1
ea8e4d43cf9d3379087052b9d80176b7dac17607

SHA256
e68734f8699c279c780a9277b0b69d5ac52fb70cefaeff93664bbd597d5ce4b7

SHA512
2b053ce77cd7d66248f4050612af835d55ef6b4cde0a6510af2c24e2da9d6e3722e3e60d904aa044bee60fe64bbadb33f75c491ed1cca50232b5d0b56cbea3a5

Download Submit
C:\Windows\System32\GVjGQaE.exe

Filesize
1.3MB

MD5
60756be595dd10b8bb60447fa49a6474

SHA1
bd0b5b6615f6e9a6f0caf673ae6bb1d15cef55ab

SHA256
46be72fadb9670fd75befaccc85f28cc1fda1d0816ba669488fc0113a71abca1

SHA512
4c680c67f0f5ca9ad427300b7a5054392cd235142c39b152614d59452de09b8cf0fb6b249d648966b65fcc4a47acb4eaf5e4bef1ca76823535332c0b5d9ab9ea

Download Submit
C:\Windows\System32\GiOfNrv.exe

Filesize
1.3MB

MD5
c55424593a95034cc6bbb18c87a307c9

SHA1
63c9cf92452da45880f2b5e0b9e6b3fae77123fc

SHA256
91713f2fdbbdca4b8d044bf8925afa127c81aa7afb2a1ec9aa2ff956c664b6b0

SHA512
3331e5da2f332797e46814a506fa8d126a943b8207ab82ab926a15f6c59b09dac7630e2b6cd8b14f2151cf8be666e722703c4b9768039418c5d67117e8a94b21

Download Submit
C:\Windows\System32\IoVAFbN.exe

Filesize
1.3MB

MD5
e2c978a1333b1bc8709a32471291655f

SHA1
597b025d3b64eaac37328656765dad77b8ee5c3d

SHA256
0690ded16a8240332e11fe27b7fac0b49cc2315aa4eae4f753522482b8bde1ab

SHA512
21ab209105c4fb7c7158f8be6602ec835e8a77f26afe57e8d1e898230e97e84e61d85676d0d555f23f837fc2a4d9dc05a80f8f0d3ce1295200810d0d0352d3be

Download Submit
C:\Windows\System32\JEASjYo.exe

Filesize
1.3MB

MD5
45d2bf2af12320005286350bea58f5a6

SHA1
3d28892bc1ace13e00db72f5925b87225484e917

SHA256
b650cd4ad2d3e77002f0cc7e16c2623603950b54440a9846ef95d26bf01339e4

SHA512
d8bfd773311423a933023f8569076b127831a4b54baba2c0c09abf9bbbeac2d9ed9388e7709c707c939e846ca7eaf6534f46d1c560ead834cb613a13ed8397db

Download Submit
C:\Windows\System32\KoeRulm.exe

Filesize
1.3MB

MD5
8d37399c9ebd9da85907eb57608cc869

SHA1
7b64ba422a811f3ac32d9281949af09251671dc9

SHA256
7feff555f2540363e30612ad5294b010c5f5989445c9a66674e4b9b5c51fde7b

SHA512
f3c62cd9a3541ae808b55aff297fa229402114a6bec7e3fa13c60d698068da8acb1ea20323f7f60cb9ff33999dd57eb7d1a8e84caab5871c7418a85ae16b5e3d

Download Submit
C:\Windows\System32\MhQwJIj.exe

Filesize
1.3MB

MD5
e7dc2d701932b8781e44dd17557b355c

SHA1
8085289f40c3c4ea4dfad0022e644a820320e8d5

SHA256
96fc11205470b5191814128fcfb9be89c3dd166faac0e66c21043749ccf270ad

SHA512
d87f533690dc9df2261fe3a5451f59d173a6be4ee91fc16ecaf5eeffe5cd7dd27a88a4ff909f2e416c9fdbf51e4e1d6a782a8edd1ebc6f959ba345312a592949

Download Submit
C:\Windows\System32\MyhePGG.exe

Filesize
1.3MB

MD5
883fc0513edc23bb4c6040ba5628c99c

SHA1
1317f501055ca0e08e58eacc2f096f105d6ca387

SHA256
66a78016cc11589d87300c96721149c65b28bd57120f741c83e14091610fa764

SHA512
a6f264b3d7ba8b61108aa0d2fecaa06996c55b830ff32fb5316c9872af5b8a2b42e648790b8679628650c31995b81cbcdf3ae75e876579ba9431d6e8f7bddbf5

Download Submit
C:\Windows\System32\Nliblmh.exe

Filesize
1.3MB

MD5
d04417f613cd8c3c0d2413f966619f1f

SHA1
dde5ad3af87b7c5f7c655040f36edd5461b16493

SHA256
6d15db89cd12b9c9dd5bed7c127ef6d85431f52fd01ae3df01f90af9ac4d6766

SHA512
624540ba814e8f3fb99f5c7c87e74a9ffdbad83e06defd1b06997ec5717b0a537663bf2afd6a9284153227652f4ebb61d2195c8c53a4df3603e8320b09f06c02

Download Submit
C:\Windows\System32\PDmgsNK.exe

Filesize
1.3MB

MD5
aa6ecc05dbed641b51fb785cd66c6c21

SHA1
226951ea8beeac2a88997cecffe95a7a55130a40

SHA256
39f96f2ddcb51f6a811941d49fbd4dff66425e1e89ef7c781a952edadbebf3b6

SHA512
a93765fb6b2a8d3c252ec5c4e479be218b939613e6f8ecf582c19913ea42131713e34280b0b00684175d7470170eb6f4cad12b3284179ef4d90b081a9b043e7a

Download Submit
C:\Windows\System32\UJRnCiw.exe

Filesize
1.3MB

MD5
84dbc6f3804c119f9c5566778ac99f16

SHA1
5d9c232a3be628473c8a93395cac42e30e9541a2

SHA256
c577d9fd1f993f2cc7c70d6b9db4a343cce2c33b5a96e6537841a0ae4ac7dace

SHA512
7497bca45660ab1f0b232954743b268436420475b78c293a1e4aab8955d39647392defffd5ef11ba09548b478d6a789f5178cb53cd464e213d3212a5464ceb14

Download Submit
C:\Windows\System32\UKuTSLu.exe

Filesize
1.3MB

MD5
85063fc4991ea59a9cf0629c0e9fc0f8

SHA1
f7e1da5542b358329f1d778cb9116b29d0be95b8

SHA256
47f7a4ec779ea1ae51a8e10621dbb24b3096f2d999e4e429ce18755a61270338

SHA512
56d9c4d204f0da72fa6889510742faed111103387f34cfa7a689254bfe5e33da4a6cbe818d00e1df136a940996b5984aaab1dfce079542682a0a591aef9879f1

Download Submit
C:\Windows\System32\UfXDgKY.exe

Filesize
1.3MB

MD5
af798f525828cfdfe00b3f6be91c430f

SHA1
2ebe44cdc43702d8e32eae25ad47b4a3026cee99

SHA256
7b050ad4fe7b685c78dbdaf694fec4ef4effd7c19cc0799dbbca8299f354f3f4

SHA512
42914f2cda8ad083dc0b6066191430c806b0c107f82eaa18c0fcf28a73f647e47a4f11aae11d5b1315537a8546519d2c134219f017d81a9a91af62ef2692017d

Download Submit
C:\Windows\System32\WnkfNiZ.exe

Filesize
1.3MB

MD5
509c29ca2a9be2e476520f64d6425d46

SHA1
9dc7def3a292293b38c07764243ecd7d48ec2183

SHA256
bf81aab8793376b7cdfb4943c01b81c2331a098d4251375389f9366b40ac116a

SHA512
ecd3e7cc7bfc160086e036d9a6bfcafee47f157873a536191de4a6dc8f69f74e62eb0f67566db17b5231162d0ae333a91b6e508d98a7e824c698d32944c2159a

Download Submit
C:\Windows\System32\aCOocTb.exe

Filesize
1.3MB

MD5
bc5faba2ebdce9d254f1e904c750f57e

SHA1
c27bc7fed1f18b9a84104ffef159bc7f8903b75f

SHA256
a2fce4d58d916716dc488ddd8f8b7b65a092ea9d47ce8d28fcaebf813b91d496

SHA512
54a88d14b068be6397cf165265a5c90da26520a6fee070303c4347d43cf23346bf136c0824dc1fd5c567314896c331e2dac01102145aee9dfe196f678ca27e5d

Download Submit
C:\Windows\System32\ftjGfbc.exe

Filesize
1.3MB

MD5
f8cb73471673bf35b8e06842c0efc706

SHA1
c09696785254fbc18d28b49ff7f787d13c909585

SHA256
de22422a1ea490da411061ea040d7163546d8da425def5fa5f579aa7c83b61b3

SHA512
400b50813135aaa73b9cbc1b394a1dacb0405cf507641fd1419bbee67ce1942366e711054cad316148afc05f8b9bf3465c8ca1ca04ff31ce5843927afdf30264

Download Submit
C:\Windows\System32\iZYGhBc.exe

Filesize
1.3MB

MD5
162dc740bb395ea27cf9365ca2c1b21d

SHA1
f57d29af4efec39a9ee72fadaeb94910d0f198b1

SHA256
dea9c54354c18bde568a4a456fb97d1f1494e470771a41f1e8733189fd3cd53b

SHA512
270e4a13c946d4f4d7ecee57ba9d173fe32ab5d98a4e98502a0ea1752b9b8a972a952588bd3708e2138296b101c64b9dcb4a1270352c071d4f24e2fb6546ba74

Download Submit
C:\Windows\System32\jVHZBHL.exe

Filesize
1.3MB

MD5
552ed18b55095cbb2af446e177784864

SHA1
3a28e581b594c70ef2b2141fbd1412588e25d972

SHA256
24b03f4016729b78035078bf6287113f6cd5b9150ad67202d7f94b05b4384763

SHA512
76e1575aad80f612b0b6a41950a2899c0bac30803db391a6c98d1738f7e7d8809b81bfc5d75ee957b6871a1f56a3bc4c5c3ff5497b11fa6a8771237f2ed36b7f

Download Submit
C:\Windows\System32\lLMUWKz.exe

Filesize
1.3MB

MD5
d6a4285eefec581419dc2a8be48de807

SHA1
ab4569d43e25abf04dc18eae650ca37d7589fab8

SHA256
e6bdb1109bbb36876e6f2e02b5aeae892e53d087e65bd5236bc5e847234743b0

SHA512
f240b186d1399594adcc69cddc290fe05e6dc1208bcfcd6a6ab32a9b66e82bad59d3bb35ee997ec7b6f933316064ee5dcf8b7833674acaead5052f9fd92e15bf

Download Submit
C:\Windows\System32\lSRSjOM.exe

Filesize
1.3MB

MD5
970043d065a03690d2653a6c33934d06

SHA1
c800a9fefcbd751c4824aaaaf44da457aea0f3f5

SHA256
8db2dfbf23c2baaf8b297d2ddf49f039269690aa9cea6ed1360a5235349bdcff

SHA512
c815d65cd57e25f1c38efdd4a08ab4230176425c36c471f1128935d5f8ddf8ad6f8e32851154824e47370393ac0fbeac864d188674b11691ee1f8e1d0573dd9c

Download Submit
C:\Windows\System32\lgVYuME.exe

Filesize
1.3MB

MD5
a340d5ce5f775c51d60c052cda8be31a

SHA1
5667aada707f79ad28363141dc2d4523d4e453b9

SHA256
3ff4c79d863b3f5f3a7173306181d984f56b5218b1a7b8bdc4af0257b28fa4d7

SHA512
36a1938f4c5a86766c1739c4f087b9e82b23ad419720ae97c493cd246685a75da707d58c16cc65ac7eaac6a3cfff5271e4f1b6ca8b58ec8c42aad91e08cedc6a

Download Submit
C:\Windows\System32\qgeqfxd.exe

Filesize
1.3MB

MD5
57dde5d94d51732636749e0b932a9f08

SHA1
b7447fdaff7c7fe47da26de3affbeb17f49f78ac

SHA256
d2d71b5149cbb2483062eb7b28c4e78e3e832f098bdd6370e4fb585df7082b1b

SHA512
eec0397104adb38616861392dac822ea59f545b5f5d99d93046446e2faeda9904ed00eb6d2bceae423404d15378743e7e46b0e7772a0c25a9b18e64569d12c61

Download Submit
C:\Windows\System32\qrRCScl.exe

Filesize
1.3MB

MD5
cf2af0950e1cb8197c191e54a5f391a1

SHA1
7ed92149204d75ab209b66df6a4ac01e829426e3

SHA256
7af50db08ba9f5701c4fcb1f580c5544e4b0bfe5a98c9896f951c534f8e9a924

SHA512
48512ce3d289099bc505ea8e28990a5af7d04d14523ba87b432235cb660cd71b97f8b9d68958aa362c7507c21ed90ef69e24834b63504a313ff36e8bd49c2a61

Download Submit
C:\Windows\System32\zPcNvXS.exe

Filesize
1.3MB

MD5
f4902232484e42df95cf4c560e047198

SHA1
6c3e0928b58f81fbedda3bb1a94bc74c2a8dc2fd

SHA256
c65c638c024138ec73b3d63ae3eeea4f18a08fa371e73b45145ea18e88829661

SHA512
0a6924d838edc6f2d01bb15053f14dce8969e478b6ecfb1d045a02ab07a43144e0ef1fc4b8a1731aa1d5443107f320df450025cc65ca0750928a28c7c6a5c353

Download Submit
memory/392-390-0x00007FF698460000-0x00007FF698851000-memory.dmp

Filesize
3.9MB

Download
memory/392-2053-0x00007FF698460000-0x00007FF698851000-memory.dmp

Filesize
3.9MB

Download
memory/620-2067-0x00007FF7D0E80000-0x00007FF7D1271000-memory.dmp

Filesize
3.9MB

Download
memory/620-395-0x00007FF7D0E80000-0x00007FF7D1271000-memory.dmp

Filesize
3.9MB

Download
memory/1016-2200-0x00007FF6CFA20000-0x00007FF6CFE11000-memory.dmp

Filesize
3.9MB

Download
memory/1016-2038-0x00007FF6CFA20000-0x00007FF6CFE11000-memory.dmp

Filesize
3.9MB

Download
memory/1016-38-0x00007FF6CFA20000-0x00007FF6CFE11000-memory.dmp

Filesize
3.9MB

Download
memory/1040-2057-0x00007FF6248A0000-0x00007FF624C91000-memory.dmp

Filesize
3.9MB

Download
memory/1040-389-0x00007FF6248A0000-0x00007FF624C91000-memory.dmp

Filesize
3.9MB

Download
memory/1276-398-0x00007FF75C4D0000-0x00007FF75C8C1000-memory.dmp

Filesize
3.9MB

Download
memory/1276-2073-0x00007FF75C4D0000-0x00007FF75C8C1000-memory.dmp

Filesize
3.9MB

Download
memory/1588-0-0x00007FF640E20000-0x00007FF641211000-memory.dmp

Filesize
3.9MB

Download
memory/1588-1-0x0000022519E70000-0x0000022519E80000-memory.dmp

Filesize
64KB

Download
memory/1588-2001-0x00007FF640E20000-0x00007FF641211000-memory.dmp

Filesize
3.9MB

Download
memory/1636-2083-0x00007FF7D9F20000-0x00007FF7DA311000-memory.dmp

Filesize
3.9MB

Download
memory/1636-403-0x00007FF7D9F20000-0x00007FF7DA311000-memory.dmp

Filesize
3.9MB

Download
memory/1796-2047-0x00007FF74D940000-0x00007FF74DD31000-memory.dmp

Filesize
3.9MB

Download
memory/1796-40-0x00007FF74D940000-0x00007FF74DD31000-memory.dmp

Filesize
3.9MB

Download
memory/1812-13-0x00007FF7F5060000-0x00007FF7F5451000-memory.dmp

Filesize
3.9MB

Download
memory/1812-2041-0x00007FF7F5060000-0x00007FF7F5451000-memory.dmp

Filesize
3.9MB

Download
memory/1920-2059-0x00007FF6A8D20000-0x00007FF6A9111000-memory.dmp

Filesize
3.9MB

Download
memory/1920-393-0x00007FF6A8D20000-0x00007FF6A9111000-memory.dmp

Filesize
3.9MB

Download
memory/2220-2036-0x00007FF63DF00000-0x00007FF63E2F1000-memory.dmp

Filesize
3.9MB

Download
memory/2220-2043-0x00007FF63DF00000-0x00007FF63E2F1000-memory.dmp

Filesize
3.9MB

Download
memory/2220-26-0x00007FF63DF00000-0x00007FF63E2F1000-memory.dmp

Filesize
3.9MB

Download
memory/2760-402-0x00007FF7981C0000-0x00007FF7985B1000-memory.dmp

Filesize
3.9MB

Download
memory/2760-2087-0x00007FF7981C0000-0x00007FF7985B1000-memory.dmp

Filesize
3.9MB

Download
memory/3180-2051-0x00007FF609FC0000-0x00007FF60A3B1000-memory.dmp

Filesize
3.9MB

Download
memory/3180-41-0x00007FF609FC0000-0x00007FF60A3B1000-memory.dmp

Filesize
3.9MB

Download
memory/3180-2039-0x00007FF609FC0000-0x00007FF60A3B1000-memory.dmp

Filesize
3.9MB

Download
memory/3188-397-0x00007FF6ED830000-0x00007FF6EDC21000-memory.dmp

Filesize
3.9MB

Download
memory/3188-2069-0x00007FF6ED830000-0x00007FF6EDC21000-memory.dmp

Filesize
3.9MB

Download
memory/3252-37-0x00007FF7ED2D0000-0x00007FF7ED6C1000-memory.dmp

Filesize
3.9MB

Download
memory/3252-2037-0x00007FF7ED2D0000-0x00007FF7ED6C1000-memory.dmp

Filesize
3.9MB

Download
memory/3252-2049-0x00007FF7ED2D0000-0x00007FF7ED6C1000-memory.dmp

Filesize
3.9MB

Download
memory/3504-2065-0x00007FF736A20000-0x00007FF736E11000-memory.dmp

Filesize
3.9MB

Download
memory/3504-391-0x00007FF736A20000-0x00007FF736E11000-memory.dmp

Filesize
3.9MB

Download
memory/3540-400-0x00007FF6645C0000-0x00007FF6649B1000-memory.dmp

Filesize
3.9MB

Download
memory/3540-2075-0x00007FF6645C0000-0x00007FF6649B1000-memory.dmp

Filesize
3.9MB

Download
memory/3632-404-0x00007FF665E90000-0x00007FF666281000-memory.dmp

Filesize
3.9MB

Download
memory/3632-2081-0x00007FF665E90000-0x00007FF666281000-memory.dmp

Filesize
3.9MB

Download
memory/4124-399-0x00007FF6939C0000-0x00007FF693DB1000-memory.dmp

Filesize
3.9MB

Download
memory/4124-2071-0x00007FF6939C0000-0x00007FF693DB1000-memory.dmp

Filesize
3.9MB

Download
memory/4484-401-0x00007FF6B4B60000-0x00007FF6B4F51000-memory.dmp

Filesize
3.9MB

Download
memory/4484-2089-0x00007FF6B4B60000-0x00007FF6B4F51000-memory.dmp

Filesize
3.9MB

Download
memory/4564-2063-0x00007FF63D780000-0x00007FF63DB71000-memory.dmp

Filesize
3.9MB

Download
memory/4564-392-0x00007FF63D780000-0x00007FF63DB71000-memory.dmp

Filesize
3.9MB

Download
memory/4620-396-0x00007FF656750000-0x00007FF656B41000-memory.dmp

Filesize
3.9MB

Download
memory/4620-2056-0x00007FF656750000-0x00007FF656B41000-memory.dmp

Filesize
3.9MB

Download
memory/4840-405-0x00007FF6D2C00000-0x00007FF6D2FF1000-memory.dmp

Filesize
3.9MB

Download
memory/4840-2079-0x00007FF6D2C00000-0x00007FF6D2FF1000-memory.dmp

Filesize
3.9MB

Download
memory/4928-2061-0x00007FF7B26A0000-0x00007FF7B2A91000-memory.dmp

Filesize
3.9MB

Download
memory/4928-394-0x00007FF7B26A0000-0x00007FF7B2A91000-memory.dmp

Filesize
3.9MB

Download
memory/5000-29-0x00007FF759DC0000-0x00007FF75A1B1000-memory.dmp

Filesize
3.9MB

Download
memory/5000-2045-0x00007FF759DC0000-0x00007FF75A1B1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads