kpot | 04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705

Analysis

max time kernel
139s
max time network
149s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
02-07-2024 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
Size

2.0MB
MD5

0f25937efc618753bd1f00b247b473e7
SHA1

116f44fc77a492abad6b3c9180c8f0ff9e7700be
SHA256

04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705
SHA512

7198fb0dab91fa7adfeb6cbe006b87fff153d84a7110dcb6690fff5a49dfe31a93dd1d68766b282dabdd810822d0763cad526269e183d8d9e8fc1b529f95eef8
SSDEEP

49152:GezaTF8FcNkNdfE0pZ9oztFwIi5aIwC+Agr6S/FYqOc2v:GemTLkNdfE0pZaQ3

Score

10^/10

kpot xmrig miner stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 32 IoCs

resource	yara_rule
behavioral1/files/0x000500000000b309-2.dat	family_kpot
behavioral1/files/0x0066000000014afc-6.dat	family_kpot
behavioral1/files/0x000500000001924f-128.dat	family_kpot
behavioral1/files/0x0006000000019006-124.dat	family_kpot
behavioral1/files/0x0006000000018bb3-120.dat	family_kpot
behavioral1/files/0x0006000000018b9f-116.dat	family_kpot
behavioral1/files/0x0006000000018b4c-112.dat	family_kpot
behavioral1/files/0x0005000000018765-104.dat	family_kpot
behavioral1/files/0x000500000001877a-108.dat	family_kpot
behavioral1/files/0x000500000001875e-100.dat	family_kpot
behavioral1/files/0x000500000001874b-96.dat	family_kpot
behavioral1/files/0x00050000000186ea-92.dat	family_kpot
behavioral1/files/0x00050000000186e6-88.dat	family_kpot
behavioral1/files/0x00050000000186d5-81.dat	family_kpot
behavioral1/files/0x00050000000186d6-84.dat	family_kpot
behavioral1/files/0x000d00000001863a-76.dat	family_kpot
behavioral1/files/0x001400000001862f-72.dat	family_kpot
behavioral1/files/0x000600000001753d-68.dat	family_kpot
behavioral1/files/0x00060000000173be-64.dat	family_kpot
behavioral1/files/0x00060000000173b3-60.dat	family_kpot
behavioral1/files/0x00060000000171c4-56.dat	family_kpot
behavioral1/files/0x0006000000017077-52.dat	family_kpot
behavioral1/files/0x0006000000017038-48.dat	family_kpot
behavioral1/files/0x0006000000016da9-44.dat	family_kpot
behavioral1/files/0x0006000000016da2-40.dat	family_kpot
behavioral1/files/0x0007000000016d97-36.dat	family_kpot
behavioral1/files/0x000b000000015d18-33.dat	family_kpot
behavioral1/files/0x000b000000015cf9-29.dat	family_kpot
behavioral1/files/0x0007000000015639-24.dat	family_kpot
behavioral1/files/0x000700000001522b-21.dat	family_kpot
behavioral1/files/0x000b000000014f57-17.dat	family_kpot
behavioral1/files/0x0066000000014b21-13.dat	family_kpot

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 32 IoCs

miner

resource	yara_rule
behavioral1/files/0x000500000000b309-2.dat	xmrig
behavioral1/files/0x0066000000014afc-6.dat	xmrig
behavioral1/files/0x000500000001924f-128.dat	xmrig
behavioral1/files/0x0006000000019006-124.dat	xmrig
behavioral1/files/0x0006000000018bb3-120.dat	xmrig
behavioral1/files/0x0006000000018b9f-116.dat	xmrig
behavioral1/files/0x0006000000018b4c-112.dat	xmrig
behavioral1/files/0x0005000000018765-104.dat	xmrig
behavioral1/files/0x000500000001877a-108.dat	xmrig
behavioral1/files/0x000500000001875e-100.dat	xmrig
behavioral1/files/0x000500000001874b-96.dat	xmrig
behavioral1/files/0x00050000000186ea-92.dat	xmrig
behavioral1/files/0x00050000000186e6-88.dat	xmrig
behavioral1/files/0x00050000000186d5-81.dat	xmrig
behavioral1/files/0x00050000000186d6-84.dat	xmrig
behavioral1/files/0x000d00000001863a-76.dat	xmrig
behavioral1/files/0x001400000001862f-72.dat	xmrig
behavioral1/files/0x000600000001753d-68.dat	xmrig
behavioral1/files/0x00060000000173be-64.dat	xmrig
behavioral1/files/0x00060000000173b3-60.dat	xmrig
behavioral1/files/0x00060000000171c4-56.dat	xmrig
behavioral1/files/0x0006000000017077-52.dat	xmrig
behavioral1/files/0x0006000000017038-48.dat	xmrig
behavioral1/files/0x0006000000016da9-44.dat	xmrig
behavioral1/files/0x0006000000016da2-40.dat	xmrig
behavioral1/files/0x0007000000016d97-36.dat	xmrig
behavioral1/files/0x000b000000015d18-33.dat	xmrig
behavioral1/files/0x000b000000015cf9-29.dat	xmrig
behavioral1/files/0x0007000000015639-24.dat	xmrig
behavioral1/files/0x000700000001522b-21.dat	xmrig
behavioral1/files/0x000b000000014f57-17.dat	xmrig
behavioral1/files/0x0066000000014b21-13.dat	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2908	qhlLitD.exe
2424	OpkCjAh.exe
2312	oXtqpPP.exe
2856	kdXVIux.exe
3020	HctPFLe.exe
3012	yGQLwPa.exe
1112	RSXpQaA.exe
2840	lDThYsN.exe
2928	uysVgdS.exe
1316	YFHsDvj.exe
2748	rvPXKCd.exe
2576	aPbdDEK.exe
2608	eIfwxyw.exe
2700	GmuzbOp.exe
2036	YSVxvII.exe
2116	mTqMyKx.exe
2944	HZAujEi.exe
2992	vevzrhQ.exe
2028	MJgPUsR.exe
1988	FHRBJaM.exe
2140	WpbGgSA.exe
2096	MVWqRhe.exe
1908	JRwnizu.exe
1900	bpVmXaG.exe
2808	erZPQqS.exe
1920	IsoFUVg.exe
1464	WgCLzmm.exe
2536	inAvaTO.exe
1092	DRdrOmu.exe
2236	rWxvynt.exe
3028	zQbWGqi.exe
2408	DEZnFHJ.exe
808	AaDGLoB.exe
1252	XQnzwHG.exe
536	QQmzTwE.exe
684	gYOaYjC.exe
788	pVnYZeQ.exe
1308	NgSOiPB.exe
1484	MCPmUbp.exe
1472	bbKejIi.exe
592	cvevLKE.exe
872	LjSKZSA.exe
1036	ilBrzls.exe
1104	QXREqWp.exe
712	VVUQGns.exe
1508	oNUdvLG.exe
1220	NUcKzOf.exe
1736	BCoPIVG.exe
2372	CKSjQjN.exe
112	bebZLws.exe
2392	JBDbSyc.exe
1492	zBRRlCj.exe
1828	zkouHhF.exe
1632	zCYafDx.exe
2516	lSJIagx.exe
2032	umyEgul.exe
2240	LIRXdJL.exe
916	dnBKHZl.exe
984	PzEItlJ.exe
2432	bWhUyHU.exe
284	SIXVOGI.exe
2192	LXPyJzk.exe
1924	oIigJpd.exe
1936	IZcxCDH.exe

Loads dropped DLL 64 IoCs

pid	Process
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\kPTBnux.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\UNVbWKh.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\wexCxNu.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\apCsPYU.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\JCzTJrC.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\GlnfOsh.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\rQuKlsN.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\hbzNBih.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\dPhwUKU.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\tkJKRfe.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\MTOZVej.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\CdqRFHt.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\JpAlgsf.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\LpoigIe.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\pfnIBFD.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\iZtnxAv.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\SyGtplY.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\STJeuFO.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\mTqMyKx.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\gYOaYjC.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\bHGtjXT.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\qvvUUnF.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\kHKknIG.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\ukWhOdI.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\EDqogKH.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\afvPyuf.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\HctPFLe.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\ZAnrYOL.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\rMrQsKv.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\SmEZfJQ.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\UpqTcKp.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\amygBVm.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\cvevLKE.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\TYBgIsQ.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\ihlCZbp.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\tlNvDIM.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\oVPHiKd.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\rvPXKCd.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\tpmJXmY.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\GUTsDRx.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\nJFKDlA.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\KUuzjei.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\LDzkYei.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\ddlBdsf.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\inAvaTO.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\NkmUbJd.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\QAjMUlG.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\PFoWvRL.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\XdxNnNk.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\VmUjjsg.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\hsRIRpF.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\DfKmfzF.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\sdWtaDQ.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\MmoiCZC.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\HZAujEi.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\InTRkIz.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\kOdwupX.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\ajfDZSG.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\HzpveuF.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\NoQhXgp.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\sViLhhQ.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\BCoPIVG.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\yLNDNvI.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
File created	C:\Windows\System\ZcWGCkg.exe	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
Token: SeLockMemoryPrivilege	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2908	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	29
PID 2540 wrote to memory of 2908	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	29
PID 2540 wrote to memory of 2908	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	29
PID 2540 wrote to memory of 2424	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	30
PID 2540 wrote to memory of 2424	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	30
PID 2540 wrote to memory of 2424	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	30
PID 2540 wrote to memory of 2312	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	31
PID 2540 wrote to memory of 2312	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	31
PID 2540 wrote to memory of 2312	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	31
PID 2540 wrote to memory of 2856	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	32
PID 2540 wrote to memory of 2856	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	32
PID 2540 wrote to memory of 2856	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	32
PID 2540 wrote to memory of 3020	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	33
PID 2540 wrote to memory of 3020	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	33
PID 2540 wrote to memory of 3020	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	33
PID 2540 wrote to memory of 3012	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	34
PID 2540 wrote to memory of 3012	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	34
PID 2540 wrote to memory of 3012	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	34
PID 2540 wrote to memory of 1112	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	35
PID 2540 wrote to memory of 1112	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	35
PID 2540 wrote to memory of 1112	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	35
PID 2540 wrote to memory of 2840	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	36
PID 2540 wrote to memory of 2840	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	36
PID 2540 wrote to memory of 2840	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	36
PID 2540 wrote to memory of 2928	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	37
PID 2540 wrote to memory of 2928	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	37
PID 2540 wrote to memory of 2928	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	37
PID 2540 wrote to memory of 1316	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	38
PID 2540 wrote to memory of 1316	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	38
PID 2540 wrote to memory of 1316	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	38
PID 2540 wrote to memory of 2748	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	39
PID 2540 wrote to memory of 2748	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	39
PID 2540 wrote to memory of 2748	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	39
PID 2540 wrote to memory of 2576	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	40
PID 2540 wrote to memory of 2576	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	40
PID 2540 wrote to memory of 2576	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	40
PID 2540 wrote to memory of 2608	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	41
PID 2540 wrote to memory of 2608	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	41
PID 2540 wrote to memory of 2608	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	41
PID 2540 wrote to memory of 2700	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	42
PID 2540 wrote to memory of 2700	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	42
PID 2540 wrote to memory of 2700	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	42
PID 2540 wrote to memory of 2036	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	43
PID 2540 wrote to memory of 2036	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	43
PID 2540 wrote to memory of 2036	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	43
PID 2540 wrote to memory of 2116	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	44
PID 2540 wrote to memory of 2116	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	44
PID 2540 wrote to memory of 2116	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	44
PID 2540 wrote to memory of 2944	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	45
PID 2540 wrote to memory of 2944	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	45
PID 2540 wrote to memory of 2944	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	45
PID 2540 wrote to memory of 2992	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	46
PID 2540 wrote to memory of 2992	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	46
PID 2540 wrote to memory of 2992	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	46
PID 2540 wrote to memory of 2028	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	47
PID 2540 wrote to memory of 2028	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	47
PID 2540 wrote to memory of 2028	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	47
PID 2540 wrote to memory of 1988	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	48
PID 2540 wrote to memory of 1988	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	48
PID 2540 wrote to memory of 1988	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	48
PID 2540 wrote to memory of 2140	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	49
PID 2540 wrote to memory of 2140	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	49
PID 2540 wrote to memory of 2140	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	49
PID 2540 wrote to memory of 2096	2540	04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe	50

C:\Users\Admin\AppData\Local\Temp\04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe
"C:\Users\Admin\AppData\Local\Temp\04bda957973a1f483760c0025e6e1e0794f549d08f98c15e36019f377c3e3705.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\System\qhlLitD.exe
  C:\Windows\System\qhlLitD.exe
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\System\OpkCjAh.exe
  C:\Windows\System\OpkCjAh.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System\oXtqpPP.exe
  C:\Windows\System\oXtqpPP.exe
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\System\kdXVIux.exe
  C:\Windows\System\kdXVIux.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\HctPFLe.exe
  C:\Windows\System\HctPFLe.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System\yGQLwPa.exe
  C:\Windows\System\yGQLwPa.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\System\RSXpQaA.exe
  C:\Windows\System\RSXpQaA.exe
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Windows\System\lDThYsN.exe
  C:\Windows\System\lDThYsN.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System\uysVgdS.exe
  C:\Windows\System\uysVgdS.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System\YFHsDvj.exe
  C:\Windows\System\YFHsDvj.exe
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\System\rvPXKCd.exe
  C:\Windows\System\rvPXKCd.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\aPbdDEK.exe
  C:\Windows\System\aPbdDEK.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\System\eIfwxyw.exe
  C:\Windows\System\eIfwxyw.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\GmuzbOp.exe
  C:\Windows\System\GmuzbOp.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\YSVxvII.exe
  C:\Windows\System\YSVxvII.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System\mTqMyKx.exe
  C:\Windows\System\mTqMyKx.exe
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\System\HZAujEi.exe
  C:\Windows\System\HZAujEi.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System\vevzrhQ.exe
  C:\Windows\System\vevzrhQ.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\MJgPUsR.exe
  C:\Windows\System\MJgPUsR.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System\FHRBJaM.exe
  C:\Windows\System\FHRBJaM.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\WpbGgSA.exe
  C:\Windows\System\WpbGgSA.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System\MVWqRhe.exe
  C:\Windows\System\MVWqRhe.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System\JRwnizu.exe
  C:\Windows\System\JRwnizu.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System\bpVmXaG.exe
  C:\Windows\System\bpVmXaG.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System\erZPQqS.exe
  C:\Windows\System\erZPQqS.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System\IsoFUVg.exe
  C:\Windows\System\IsoFUVg.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System\WgCLzmm.exe
  C:\Windows\System\WgCLzmm.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System\inAvaTO.exe
  C:\Windows\System\inAvaTO.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\DRdrOmu.exe
  C:\Windows\System\DRdrOmu.exe
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\System\rWxvynt.exe
  C:\Windows\System\rWxvynt.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System\zQbWGqi.exe
  C:\Windows\System\zQbWGqi.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\DEZnFHJ.exe
  C:\Windows\System\DEZnFHJ.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System\AaDGLoB.exe
  C:\Windows\System\AaDGLoB.exe
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Windows\System\XQnzwHG.exe
  C:\Windows\System\XQnzwHG.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\System\QQmzTwE.exe
  C:\Windows\System\QQmzTwE.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System\gYOaYjC.exe
  C:\Windows\System\gYOaYjC.exe
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\System\pVnYZeQ.exe
  C:\Windows\System\pVnYZeQ.exe
  2⤵
  - Executes dropped EXE
  PID:788
- C:\Windows\System\NgSOiPB.exe
  C:\Windows\System\NgSOiPB.exe
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\System\MCPmUbp.exe
  C:\Windows\System\MCPmUbp.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\System\bbKejIi.exe
  C:\Windows\System\bbKejIi.exe
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\System\cvevLKE.exe
  C:\Windows\System\cvevLKE.exe
  2⤵
  - Executes dropped EXE
  PID:592
- C:\Windows\System\LjSKZSA.exe
  C:\Windows\System\LjSKZSA.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System\ilBrzls.exe
  C:\Windows\System\ilBrzls.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System\QXREqWp.exe
  C:\Windows\System\QXREqWp.exe
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\System\VVUQGns.exe
  C:\Windows\System\VVUQGns.exe
  2⤵
  - Executes dropped EXE
  PID:712
- C:\Windows\System\oNUdvLG.exe
  C:\Windows\System\oNUdvLG.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System\NUcKzOf.exe
  C:\Windows\System\NUcKzOf.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System\BCoPIVG.exe
  C:\Windows\System\BCoPIVG.exe
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\System\CKSjQjN.exe
  C:\Windows\System\CKSjQjN.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\bebZLws.exe
  C:\Windows\System\bebZLws.exe
  2⤵
  - Executes dropped EXE
  PID:112
- C:\Windows\System\JBDbSyc.exe
  C:\Windows\System\JBDbSyc.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\zBRRlCj.exe
  C:\Windows\System\zBRRlCj.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\System\zkouHhF.exe
  C:\Windows\System\zkouHhF.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\System\zCYafDx.exe
  C:\Windows\System\zCYafDx.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\System\lSJIagx.exe
  C:\Windows\System\lSJIagx.exe
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\System\umyEgul.exe
  C:\Windows\System\umyEgul.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System\LIRXdJL.exe
  C:\Windows\System\LIRXdJL.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System\dnBKHZl.exe
  C:\Windows\System\dnBKHZl.exe
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\System\PzEItlJ.exe
  C:\Windows\System\PzEItlJ.exe
  2⤵
  - Executes dropped EXE
  PID:984
- C:\Windows\System\bWhUyHU.exe
  C:\Windows\System\bWhUyHU.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System\SIXVOGI.exe
  C:\Windows\System\SIXVOGI.exe
  2⤵
  - Executes dropped EXE
  PID:284
- C:\Windows\System\LXPyJzk.exe
  C:\Windows\System\LXPyJzk.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System\oIigJpd.exe
  C:\Windows\System\oIigJpd.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System\IZcxCDH.exe
  C:\Windows\System\IZcxCDH.exe
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\System\wexCxNu.exe
  C:\Windows\System\wexCxNu.exe
  2⤵
  PID:1520
- C:\Windows\System\FiMDYuZ.exe
  C:\Windows\System\FiMDYuZ.exe
  2⤵
  PID:2508
- C:\Windows\System\wghZdNS.exe
  C:\Windows\System\wghZdNS.exe
  2⤵
  PID:2436
- C:\Windows\System\rsRDwgu.exe
  C:\Windows\System\rsRDwgu.exe
  2⤵
  PID:1568
- C:\Windows\System\bHGtjXT.exe
  C:\Windows\System\bHGtjXT.exe
  2⤵
  PID:2024
- C:\Windows\System\hdkYgPa.exe
  C:\Windows\System\hdkYgPa.exe
  2⤵
  PID:2356
- C:\Windows\System\kPTBnux.exe
  C:\Windows\System\kPTBnux.exe
  2⤵
  PID:2012
- C:\Windows\System\MhGwruz.exe
  C:\Windows\System\MhGwruz.exe
  2⤵
  PID:2512
- C:\Windows\System\dECanAh.exe
  C:\Windows\System\dECanAh.exe
  2⤵
  PID:1624
- C:\Windows\System\DpLmzrD.exe
  C:\Windows\System\DpLmzrD.exe
  2⤵
  PID:1616
- C:\Windows\System\sdWtaDQ.exe
  C:\Windows\System\sdWtaDQ.exe
  2⤵
  PID:2364
- C:\Windows\System\yAbGPaa.exe
  C:\Windows\System\yAbGPaa.exe
  2⤵
  PID:2844
- C:\Windows\System\tOdIFwd.exe
  C:\Windows\System\tOdIFwd.exe
  2⤵
  PID:2736
- C:\Windows\System\ZoPwvwT.exe
  C:\Windows\System\ZoPwvwT.exe
  2⤵
  PID:2584
- C:\Windows\System\amygBVm.exe
  C:\Windows\System\amygBVm.exe
  2⤵
  PID:2604
- C:\Windows\System\gIGsJAR.exe
  C:\Windows\System\gIGsJAR.exe
  2⤵
  PID:2632
- C:\Windows\System\UPxizAN.exe
  C:\Windows\System\UPxizAN.exe
  2⤵
  PID:2628
- C:\Windows\System\TbTpoxO.exe
  C:\Windows\System\TbTpoxO.exe
  2⤵
  PID:2284
- C:\Windows\System\EJRJiJr.exe
  C:\Windows\System\EJRJiJr.exe
  2⤵
  PID:2984
- C:\Windows\System\hsfXknO.exe
  C:\Windows\System\hsfXknO.exe
  2⤵
  PID:2760
- C:\Windows\System\ODtktFf.exe
  C:\Windows\System\ODtktFf.exe
  2⤵
  PID:2968
- C:\Windows\System\GUTsDRx.exe
  C:\Windows\System\GUTsDRx.exe
  2⤵
  PID:1140
- C:\Windows\System\InTRkIz.exe
  C:\Windows\System\InTRkIz.exe
  2⤵
  PID:1972
- C:\Windows\System\IDoKBVJ.exe
  C:\Windows\System\IDoKBVJ.exe
  2⤵
  PID:1540
- C:\Windows\System\oaFOCCO.exe
  C:\Windows\System\oaFOCCO.exe
  2⤵
  PID:2936
- C:\Windows\System\VpwiFbX.exe
  C:\Windows\System\VpwiFbX.exe
  2⤵
  PID:2824
- C:\Windows\System\svKLDEj.exe
  C:\Windows\System\svKLDEj.exe
  2⤵
  PID:2560
- C:\Windows\System\axWKEjm.exe
  C:\Windows\System\axWKEjm.exe
  2⤵
  PID:1876
- C:\Windows\System\QzXhaEF.exe
  C:\Windows\System\QzXhaEF.exe
  2⤵
  PID:600
- C:\Windows\System\nVYPYak.exe
  C:\Windows\System\nVYPYak.exe
  2⤵
  PID:1168
- C:\Windows\System\UrxChvz.exe
  C:\Windows\System\UrxChvz.exe
  2⤵
  PID:1660
- C:\Windows\System\tEIPcxJ.exe
  C:\Windows\System\tEIPcxJ.exe
  2⤵
  PID:560
- C:\Windows\System\ydDBjyi.exe
  C:\Windows\System\ydDBjyi.exe
  2⤵
  PID:1916
- C:\Windows\System\GvQUfxI.exe
  C:\Windows\System\GvQUfxI.exe
  2⤵
  PID:448
- C:\Windows\System\tcrPRGQ.exe
  C:\Windows\System\tcrPRGQ.exe
  2⤵
  PID:2188
- C:\Windows\System\TYBgIsQ.exe
  C:\Windows\System\TYBgIsQ.exe
  2⤵
  PID:1552
- C:\Windows\System\XYiBbTm.exe
  C:\Windows\System\XYiBbTm.exe
  2⤵
  PID:1556
- C:\Windows\System\AgmCXGp.exe
  C:\Windows\System\AgmCXGp.exe
  2⤵
  PID:1144
- C:\Windows\System\RiaQufh.exe
  C:\Windows\System\RiaQufh.exe
  2⤵
  PID:2448
- C:\Windows\System\LIjtTqS.exe
  C:\Windows\System\LIjtTqS.exe
  2⤵
  PID:1192
- C:\Windows\System\VoTFhqG.exe
  C:\Windows\System\VoTFhqG.exe
  2⤵
  PID:568
- C:\Windows\System\RHgjpLB.exe
  C:\Windows\System\RHgjpLB.exe
  2⤵
  PID:1068
- C:\Windows\System\ZjvXCPb.exe
  C:\Windows\System\ZjvXCPb.exe
  2⤵
  PID:2224
- C:\Windows\System\xbfPkhI.exe
  C:\Windows\System\xbfPkhI.exe
  2⤵
  PID:308
- C:\Windows\System\JpAlgsf.exe
  C:\Windows\System\JpAlgsf.exe
  2⤵
  PID:1456
- C:\Windows\System\NqMMtFv.exe
  C:\Windows\System\NqMMtFv.exe
  2⤵
  PID:1752
- C:\Windows\System\TJZFCJi.exe
  C:\Windows\System\TJZFCJi.exe
  2⤵
  PID:1088
- C:\Windows\System\FDoOfFG.exe
  C:\Windows\System\FDoOfFG.exe
  2⤵
  PID:1612
- C:\Windows\System\qQLTxmV.exe
  C:\Windows\System\qQLTxmV.exe
  2⤵
  PID:2200
- C:\Windows\System\Qpcclno.exe
  C:\Windows\System\Qpcclno.exe
  2⤵
  PID:2768
- C:\Windows\System\tbZamqR.exe
  C:\Windows\System\tbZamqR.exe
  2⤵
  PID:2752
- C:\Windows\System\nXuqVJG.exe
  C:\Windows\System\nXuqVJG.exe
  2⤵
  PID:1424
- C:\Windows\System\aGigfxP.exe
  C:\Windows\System\aGigfxP.exe
  2⤵
  PID:2956
- C:\Windows\System\tyZchFt.exe
  C:\Windows\System\tyZchFt.exe
  2⤵
  PID:2216
- C:\Windows\System\NkmUbJd.exe
  C:\Windows\System\NkmUbJd.exe
  2⤵
  PID:288
- C:\Windows\System\jLSRYgW.exe
  C:\Windows\System\jLSRYgW.exe
  2⤵
  PID:2060
- C:\Windows\System\jyQjadm.exe
  C:\Windows\System\jyQjadm.exe
  2⤵
  PID:3076
- C:\Windows\System\xtUZozx.exe
  C:\Windows\System\xtUZozx.exe
  2⤵
  PID:3092
- C:\Windows\System\MDPnlVf.exe
  C:\Windows\System\MDPnlVf.exe
  2⤵
  PID:3108
- C:\Windows\System\gkdBHzn.exe
  C:\Windows\System\gkdBHzn.exe
  2⤵
  PID:3124
- C:\Windows\System\HAefUPx.exe
  C:\Windows\System\HAefUPx.exe
  2⤵
  PID:3140
- C:\Windows\System\ElUWWGF.exe
  C:\Windows\System\ElUWWGF.exe
  2⤵
  PID:3156
- C:\Windows\System\NVoEdMk.exe
  C:\Windows\System\NVoEdMk.exe
  2⤵
  PID:3172
- C:\Windows\System\JtGAAac.exe
  C:\Windows\System\JtGAAac.exe
  2⤵
  PID:3188
- C:\Windows\System\puFEuew.exe
  C:\Windows\System\puFEuew.exe
  2⤵
  PID:3204
- C:\Windows\System\UUCOwgh.exe
  C:\Windows\System\UUCOwgh.exe
  2⤵
  PID:3220
- C:\Windows\System\lDLZsqw.exe
  C:\Windows\System\lDLZsqw.exe
  2⤵
  PID:3236
- C:\Windows\System\WSctpng.exe
  C:\Windows\System\WSctpng.exe
  2⤵
  PID:3252
- C:\Windows\System\AfQhRJZ.exe
  C:\Windows\System\AfQhRJZ.exe
  2⤵
  PID:3268
- C:\Windows\System\sShlqwb.exe
  C:\Windows\System\sShlqwb.exe
  2⤵
  PID:3284
- C:\Windows\System\OnItQGb.exe
  C:\Windows\System\OnItQGb.exe
  2⤵
  PID:3300
- C:\Windows\System\pAUlhHw.exe
  C:\Windows\System\pAUlhHw.exe
  2⤵
  PID:3316
- C:\Windows\System\LpoigIe.exe
  C:\Windows\System\LpoigIe.exe
  2⤵
  PID:3332
- C:\Windows\System\nJFKDlA.exe
  C:\Windows\System\nJFKDlA.exe
  2⤵
  PID:3348
- C:\Windows\System\JTPlUyW.exe
  C:\Windows\System\JTPlUyW.exe
  2⤵
  PID:3364
- C:\Windows\System\ZAnrYOL.exe
  C:\Windows\System\ZAnrYOL.exe
  2⤵
  PID:3380
- C:\Windows\System\tkJKRfe.exe
  C:\Windows\System\tkJKRfe.exe
  2⤵
  PID:3396
- C:\Windows\System\cZpBYKT.exe
  C:\Windows\System\cZpBYKT.exe
  2⤵
  PID:3412
- C:\Windows\System\rMrQsKv.exe
  C:\Windows\System\rMrQsKv.exe
  2⤵
  PID:3428
- C:\Windows\System\fOtxISh.exe
  C:\Windows\System\fOtxISh.exe
  2⤵
  PID:3444
- C:\Windows\System\HuahBhG.exe
  C:\Windows\System\HuahBhG.exe
  2⤵
  PID:3460
- C:\Windows\System\MZRFIag.exe
  C:\Windows\System\MZRFIag.exe
  2⤵
  PID:3476
- C:\Windows\System\FNdZzQR.exe
  C:\Windows\System\FNdZzQR.exe
  2⤵
  PID:3492
- C:\Windows\System\ITEkIgK.exe
  C:\Windows\System\ITEkIgK.exe
  2⤵
  PID:3508
- C:\Windows\System\zmOglnO.exe
  C:\Windows\System\zmOglnO.exe
  2⤵
  PID:3524
- C:\Windows\System\UQIKuey.exe
  C:\Windows\System\UQIKuey.exe
  2⤵
  PID:3540
- C:\Windows\System\KUuzjei.exe
  C:\Windows\System\KUuzjei.exe
  2⤵
  PID:3556
- C:\Windows\System\mHqAOOZ.exe
  C:\Windows\System\mHqAOOZ.exe
  2⤵
  PID:3572
- C:\Windows\System\yLNDNvI.exe
  C:\Windows\System\yLNDNvI.exe
  2⤵
  PID:3588
- C:\Windows\System\oPmYlXf.exe
  C:\Windows\System\oPmYlXf.exe
  2⤵
  PID:3604
- C:\Windows\System\ITLROZJ.exe
  C:\Windows\System\ITLROZJ.exe
  2⤵
  PID:3620
- C:\Windows\System\laJFrbU.exe
  C:\Windows\System\laJFrbU.exe
  2⤵
  PID:3636
- C:\Windows\System\dmaMSMw.exe
  C:\Windows\System\dmaMSMw.exe
  2⤵
  PID:3652
- C:\Windows\System\SmEZfJQ.exe
  C:\Windows\System\SmEZfJQ.exe
  2⤵
  PID:3668
- C:\Windows\System\gSHyFoz.exe
  C:\Windows\System\gSHyFoz.exe
  2⤵
  PID:3684
- C:\Windows\System\UBBFVie.exe
  C:\Windows\System\UBBFVie.exe
  2⤵
  PID:3700
- C:\Windows\System\CPzocll.exe
  C:\Windows\System\CPzocll.exe
  2⤵
  PID:3716
- C:\Windows\System\LDzkYei.exe
  C:\Windows\System\LDzkYei.exe
  2⤵
  PID:3732
- C:\Windows\System\nQKcWyF.exe
  C:\Windows\System\nQKcWyF.exe
  2⤵
  PID:3748
- C:\Windows\System\afPCKVf.exe
  C:\Windows\System\afPCKVf.exe
  2⤵
  PID:3764
- C:\Windows\System\vUPgQeY.exe
  C:\Windows\System\vUPgQeY.exe
  2⤵
  PID:3780
- C:\Windows\System\WmPvlBo.exe
  C:\Windows\System\WmPvlBo.exe
  2⤵
  PID:3796
- C:\Windows\System\ddlBdsf.exe
  C:\Windows\System\ddlBdsf.exe
  2⤵
  PID:3812
- C:\Windows\System\xSpbfmZ.exe
  C:\Windows\System\xSpbfmZ.exe
  2⤵
  PID:3828
- C:\Windows\System\oAzTtWe.exe
  C:\Windows\System\oAzTtWe.exe
  2⤵
  PID:3844
- C:\Windows\System\ncpmobK.exe
  C:\Windows\System\ncpmobK.exe
  2⤵
  PID:3860
- C:\Windows\System\UuLBUMW.exe
  C:\Windows\System\UuLBUMW.exe
  2⤵
  PID:3876
- C:\Windows\System\WidSDEF.exe
  C:\Windows\System\WidSDEF.exe
  2⤵
  PID:3892
- C:\Windows\System\tDBfZPe.exe
  C:\Windows\System\tDBfZPe.exe
  2⤵
  PID:3908
- C:\Windows\System\qeTzBkC.exe
  C:\Windows\System\qeTzBkC.exe
  2⤵
  PID:3924
- C:\Windows\System\oAGgthk.exe
  C:\Windows\System\oAGgthk.exe
  2⤵
  PID:3940
- C:\Windows\System\ihlCZbp.exe
  C:\Windows\System\ihlCZbp.exe
  2⤵
  PID:3956
- C:\Windows\System\pdcarxk.exe
  C:\Windows\System\pdcarxk.exe
  2⤵
  PID:3972
- C:\Windows\System\apCsPYU.exe
  C:\Windows\System\apCsPYU.exe
  2⤵
  PID:3988
- C:\Windows\System\qpyvAIV.exe
  C:\Windows\System\qpyvAIV.exe
  2⤵
  PID:4004
- C:\Windows\System\iIAzFAr.exe
  C:\Windows\System\iIAzFAr.exe
  2⤵
  PID:4020
- C:\Windows\System\yhinDxq.exe
  C:\Windows\System\yhinDxq.exe
  2⤵
  PID:4036
- C:\Windows\System\mguBdET.exe
  C:\Windows\System\mguBdET.exe
  2⤵
  PID:4052
- C:\Windows\System\JPzXobv.exe
  C:\Windows\System\JPzXobv.exe
  2⤵
  PID:4068
- C:\Windows\System\eFokHxQ.exe
  C:\Windows\System\eFokHxQ.exe
  2⤵
  PID:4084
- C:\Windows\System\GmuLUXL.exe
  C:\Windows\System\GmuLUXL.exe
  2⤵
  PID:320
- C:\Windows\System\aHSGkoJ.exe
  C:\Windows\System\aHSGkoJ.exe
  2⤵
  PID:1656
- C:\Windows\System\qvvUUnF.exe
  C:\Windows\System\qvvUUnF.exe
  2⤵
  PID:1296
- C:\Windows\System\pnlWUrs.exe
  C:\Windows\System\pnlWUrs.exe
  2⤵
  PID:2420
- C:\Windows\System\JCzTJrC.exe
  C:\Windows\System\JCzTJrC.exe
  2⤵
  PID:2304
- C:\Windows\System\UpqTcKp.exe
  C:\Windows\System\UpqTcKp.exe
  2⤵
  PID:1832
- C:\Windows\System\BBOAGUR.exe
  C:\Windows\System\BBOAGUR.exe
  2⤵
  PID:968
- C:\Windows\System\qGeJVxs.exe
  C:\Windows\System\qGeJVxs.exe
  2⤵
  PID:2496
- C:\Windows\System\tlNvDIM.exe
  C:\Windows\System\tlNvDIM.exe
  2⤵
  PID:2244
- C:\Windows\System\ZWvyHDd.exe
  C:\Windows\System\ZWvyHDd.exe
  2⤵
  PID:2248
- C:\Windows\System\cFDHedS.exe
  C:\Windows\System\cFDHedS.exe
  2⤵
  PID:2876
- C:\Windows\System\rWWPzKd.exe
  C:\Windows\System\rWWPzKd.exe
  2⤵
  PID:2888
- C:\Windows\System\OHQOhKP.exe
  C:\Windows\System\OHQOhKP.exe
  2⤵
  PID:2160
- C:\Windows\System\WNhBAVn.exe
  C:\Windows\System\WNhBAVn.exe
  2⤵
  PID:1700
- C:\Windows\System\stVdero.exe
  C:\Windows\System\stVdero.exe
  2⤵
  PID:2068
- C:\Windows\System\zcTXZWe.exe
  C:\Windows\System\zcTXZWe.exe
  2⤵
  PID:3084
- C:\Windows\System\sIHlaou.exe
  C:\Windows\System\sIHlaou.exe
  2⤵
  PID:3104
- C:\Windows\System\pOZPyOZ.exe
  C:\Windows\System\pOZPyOZ.exe
  2⤵
  PID:3136
- C:\Windows\System\vzSuisx.exe
  C:\Windows\System\vzSuisx.exe
  2⤵
  PID:3168
- C:\Windows\System\YGbIutf.exe
  C:\Windows\System\YGbIutf.exe
  2⤵
  PID:3200
- C:\Windows\System\uYDhAWD.exe
  C:\Windows\System\uYDhAWD.exe
  2⤵
  PID:3232
- C:\Windows\System\ewfymtx.exe
  C:\Windows\System\ewfymtx.exe
  2⤵
  PID:3264
- C:\Windows\System\wBQKcMB.exe
  C:\Windows\System\wBQKcMB.exe
  2⤵
  PID:3296
- C:\Windows\System\aYRNSqc.exe
  C:\Windows\System\aYRNSqc.exe
  2⤵
  PID:3328
- C:\Windows\System\Oljkkvi.exe
  C:\Windows\System\Oljkkvi.exe
  2⤵
  PID:3360
- C:\Windows\System\CXpGjjS.exe
  C:\Windows\System\CXpGjjS.exe
  2⤵
  PID:3392
- C:\Windows\System\ryTbzCY.exe
  C:\Windows\System\ryTbzCY.exe
  2⤵
  PID:3424
- C:\Windows\System\nxCAJWg.exe
  C:\Windows\System\nxCAJWg.exe
  2⤵
  PID:3468
- C:\Windows\System\qpFGlTp.exe
  C:\Windows\System\qpFGlTp.exe
  2⤵
  PID:3488
- C:\Windows\System\kUWHSzV.exe
  C:\Windows\System\kUWHSzV.exe
  2⤵
  PID:3520
- C:\Windows\System\LbphDMs.exe
  C:\Windows\System\LbphDMs.exe
  2⤵
  PID:3552
- C:\Windows\System\xzhUfyw.exe
  C:\Windows\System\xzhUfyw.exe
  2⤵
  PID:3600
- C:\Windows\System\zTaFVYc.exe
  C:\Windows\System\zTaFVYc.exe
  2⤵
  PID:3616
- C:\Windows\System\cRDAdFX.exe
  C:\Windows\System\cRDAdFX.exe
  2⤵
  PID:3648
- C:\Windows\System\pfnIBFD.exe
  C:\Windows\System\pfnIBFD.exe
  2⤵
  PID:3680
- C:\Windows\System\XdHYvQg.exe
  C:\Windows\System\XdHYvQg.exe
  2⤵
  PID:3712
- C:\Windows\System\TCsZEAn.exe
  C:\Windows\System\TCsZEAn.exe
  2⤵
  PID:3744
- C:\Windows\System\TGTwEFL.exe
  C:\Windows\System\TGTwEFL.exe
  2⤵
  PID:3788
- C:\Windows\System\HGZGvKR.exe
  C:\Windows\System\HGZGvKR.exe
  2⤵
  PID:3824
- C:\Windows\System\IeRtOCH.exe
  C:\Windows\System\IeRtOCH.exe
  2⤵
  PID:3840
- C:\Windows\System\pDTyWZa.exe
  C:\Windows\System\pDTyWZa.exe
  2⤵
  PID:3872
- C:\Windows\System\wUVsRRJ.exe
  C:\Windows\System\wUVsRRJ.exe
  2⤵
  PID:3904
- C:\Windows\System\GlnfOsh.exe
  C:\Windows\System\GlnfOsh.exe
  2⤵
  PID:3936
- C:\Windows\System\ztakYHJ.exe
  C:\Windows\System\ztakYHJ.exe
  2⤵
  PID:3968
- C:\Windows\System\QAjMUlG.exe
  C:\Windows\System\QAjMUlG.exe
  2⤵
  PID:4000
- C:\Windows\System\YDPfgYo.exe
  C:\Windows\System\YDPfgYo.exe
  2⤵
  PID:4032
- C:\Windows\System\cXkvxJP.exe
  C:\Windows\System\cXkvxJP.exe
  2⤵
  PID:4064
- C:\Windows\System\rQuKlsN.exe
  C:\Windows\System\rQuKlsN.exe
  2⤵
  PID:1948
- C:\Windows\System\LrDMxep.exe
  C:\Windows\System\LrDMxep.exe
  2⤵
  PID:1052
- C:\Windows\System\PFoWvRL.exe
  C:\Windows\System\PFoWvRL.exe
  2⤵
  PID:3548
- C:\Windows\System\CdqRFHt.exe
  C:\Windows\System\CdqRFHt.exe
  2⤵
  PID:3580
- C:\Windows\System\GswksdX.exe
  C:\Windows\System\GswksdX.exe
  2⤵
  PID:3628
- C:\Windows\System\Lskzdxl.exe
  C:\Windows\System\Lskzdxl.exe
  2⤵
  PID:3708
- C:\Windows\System\WhvVNnA.exe
  C:\Windows\System\WhvVNnA.exe
  2⤵
  PID:1888
- C:\Windows\System\AzczidP.exe
  C:\Windows\System\AzczidP.exe
  2⤵
  PID:292
- C:\Windows\System\kIpozJp.exe
  C:\Windows\System\kIpozJp.exe
  2⤵
  PID:3740
- C:\Windows\System\XdxNnNk.exe
  C:\Windows\System\XdxNnNk.exe
  2⤵
  PID:3852
- C:\Windows\System\VmUjjsg.exe
  C:\Windows\System\VmUjjsg.exe
  2⤵
  PID:3964
- C:\Windows\System\JcsBaWi.exe
  C:\Windows\System\JcsBaWi.exe
  2⤵
  PID:596
- C:\Windows\System\kHKknIG.exe
  C:\Windows\System\kHKknIG.exe
  2⤵
  PID:3820
- C:\Windows\System\DRQreLJ.exe
  C:\Windows\System\DRQreLJ.exe
  2⤵
  PID:3932
- C:\Windows\System\SMEOdsv.exe
  C:\Windows\System\SMEOdsv.exe
  2⤵
  PID:4060
- C:\Windows\System\siELHGk.exe
  C:\Windows\System\siELHGk.exe
  2⤵
  PID:1664
- C:\Windows\System\hwQxRYO.exe
  C:\Windows\System\hwQxRYO.exe
  2⤵
  PID:2264
- C:\Windows\System\cmsafoi.exe
  C:\Windows\System\cmsafoi.exe
  2⤵
  PID:2688
- C:\Windows\System\thaRAgp.exe
  C:\Windows\System\thaRAgp.exe
  2⤵
  PID:2292
- C:\Windows\System\JviSeEL.exe
  C:\Windows\System\JviSeEL.exe
  2⤵
  PID:2276
- C:\Windows\System\kWmybZc.exe
  C:\Windows\System\kWmybZc.exe
  2⤵
  PID:3116
- C:\Windows\System\MTOZVej.exe
  C:\Windows\System\MTOZVej.exe
  2⤵
  PID:3180
- C:\Windows\System\ExQDDzO.exe
  C:\Windows\System\ExQDDzO.exe
  2⤵
  PID:3244
- C:\Windows\System\nvtskks.exe
  C:\Windows\System\nvtskks.exe
  2⤵
  PID:3356
- C:\Windows\System\hsRIRpF.exe
  C:\Windows\System\hsRIRpF.exe
  2⤵
  PID:3420
- C:\Windows\System\gbBtyei.exe
  C:\Windows\System\gbBtyei.exe
  2⤵
  PID:3516
- C:\Windows\System\UNVbWKh.exe
  C:\Windows\System\UNVbWKh.exe
  2⤵
  PID:1980
- C:\Windows\System\YtyjcrV.exe
  C:\Windows\System\YtyjcrV.exe
  2⤵
  PID:2868
- C:\Windows\System\cttBOvQ.exe
  C:\Windows\System\cttBOvQ.exe
  2⤵
  PID:4112
- C:\Windows\System\hbzNBih.exe
  C:\Windows\System\hbzNBih.exe
  2⤵
  PID:4132
- C:\Windows\System\bAqBMns.exe
  C:\Windows\System\bAqBMns.exe
  2⤵
  PID:4152
- C:\Windows\System\QuWQRdM.exe
  C:\Windows\System\QuWQRdM.exe
  2⤵
  PID:4176
- C:\Windows\System\iZtnxAv.exe
  C:\Windows\System\iZtnxAv.exe
  2⤵
  PID:4192
- C:\Windows\System\kOdwupX.exe
  C:\Windows\System\kOdwupX.exe
  2⤵
  PID:4212
- C:\Windows\System\vEbXQlS.exe
  C:\Windows\System\vEbXQlS.exe
  2⤵
  PID:4228
- C:\Windows\System\riLgitI.exe
  C:\Windows\System\riLgitI.exe
  2⤵
  PID:4244
- C:\Windows\System\NTUMdKN.exe
  C:\Windows\System\NTUMdKN.exe
  2⤵
  PID:4260
- C:\Windows\System\sgcCtjQ.exe
  C:\Windows\System\sgcCtjQ.exe
  2⤵
  PID:4276
- C:\Windows\System\MmoiCZC.exe
  C:\Windows\System\MmoiCZC.exe
  2⤵
  PID:4292
- C:\Windows\System\bxpdWze.exe
  C:\Windows\System\bxpdWze.exe
  2⤵
  PID:4308
- C:\Windows\System\znMKzUE.exe
  C:\Windows\System\znMKzUE.exe
  2⤵
  PID:4868
- C:\Windows\System\sWUfwtr.exe
  C:\Windows\System\sWUfwtr.exe
  2⤵
  PID:4884
- C:\Windows\System\WGTppGh.exe
  C:\Windows\System\WGTppGh.exe
  2⤵
  PID:4900
- C:\Windows\System\ukXaibj.exe
  C:\Windows\System\ukXaibj.exe
  2⤵
  PID:4916
- C:\Windows\System\AqzlDEN.exe
  C:\Windows\System\AqzlDEN.exe
  2⤵
  PID:4936
- C:\Windows\System\tpmJXmY.exe
  C:\Windows\System\tpmJXmY.exe
  2⤵
  PID:4952
- C:\Windows\System\UyzzrhG.exe
  C:\Windows\System\UyzzrhG.exe
  2⤵
  PID:4968
- C:\Windows\System\ntYaobs.exe
  C:\Windows\System\ntYaobs.exe
  2⤵
  PID:4984
- C:\Windows\System\ukWhOdI.exe
  C:\Windows\System\ukWhOdI.exe
  2⤵
  PID:5000
- C:\Windows\System\zGWijre.exe
  C:\Windows\System\zGWijre.exe
  2⤵
  PID:5016
- C:\Windows\System\BwKqIyb.exe
  C:\Windows\System\BwKqIyb.exe
  2⤵
  PID:5032
- C:\Windows\System\nwdZuDJ.exe
  C:\Windows\System\nwdZuDJ.exe
  2⤵
  PID:5048
- C:\Windows\System\MSBiIKX.exe
  C:\Windows\System\MSBiIKX.exe
  2⤵
  PID:5064
- C:\Windows\System\fGkjyhi.exe
  C:\Windows\System\fGkjyhi.exe
  2⤵
  PID:5080
- C:\Windows\System\wJjyBas.exe
  C:\Windows\System\wJjyBas.exe
  2⤵
  PID:5096
- C:\Windows\System\tGYFRtq.exe
  C:\Windows\System\tGYFRtq.exe
  2⤵
  PID:5112
- C:\Windows\System\ZcWGCkg.exe
  C:\Windows\System\ZcWGCkg.exe
  2⤵
  PID:3692
- C:\Windows\System\oVPHiKd.exe
  C:\Windows\System\oVPHiKd.exe
  2⤵
  PID:3772
- C:\Windows\System\DBhbJvP.exe
  C:\Windows\System\DBhbJvP.exe
  2⤵
  PID:3804
- C:\Windows\System\ajfDZSG.exe
  C:\Windows\System\ajfDZSG.exe
  2⤵
  PID:4028
- C:\Windows\System\btMtwdd.exe
  C:\Windows\System\btMtwdd.exe
  2⤵
  PID:1512
- C:\Windows\System\OtwRjVI.exe
  C:\Windows\System\OtwRjVI.exe
  2⤵
  PID:2340
- C:\Windows\System\QvgnBAb.exe
  C:\Windows\System\QvgnBAb.exe
  2⤵
  PID:2716
- C:\Windows\System\SEfwvft.exe
  C:\Windows\System\SEfwvft.exe
  2⤵
  PID:3260
- C:\Windows\System\HzpveuF.exe
  C:\Windows\System\HzpveuF.exe
  2⤵
  PID:3372
- C:\Windows\System\NoQhXgp.exe
  C:\Windows\System\NoQhXgp.exe
  2⤵
  PID:3324
- C:\Windows\System\dPhwUKU.exe
  C:\Windows\System\dPhwUKU.exe
  2⤵
  PID:3456
- C:\Windows\System\sViLhhQ.exe
  C:\Windows\System\sViLhhQ.exe
  2⤵
  PID:4104
- C:\Windows\System\xkeCxys.exe
  C:\Windows\System\xkeCxys.exe
  2⤵
  PID:1772
- C:\Windows\System\SyGtplY.exe
  C:\Windows\System\SyGtplY.exe
  2⤵
  PID:4144
- C:\Windows\System\AqfjrXn.exe
  C:\Windows\System\AqfjrXn.exe
  2⤵
  PID:4184
- C:\Windows\System\DwtNIGp.exe
  C:\Windows\System\DwtNIGp.exe
  2⤵
  PID:4168
- C:\Windows\System\gTjojsJ.exe
  C:\Windows\System\gTjojsJ.exe
  2⤵
  PID:2704
- C:\Windows\System\EDqogKH.exe
  C:\Windows\System\EDqogKH.exe
  2⤵
  PID:4208
- C:\Windows\System\FQHjLis.exe
  C:\Windows\System\FQHjLis.exe
  2⤵
  PID:4288
- C:\Windows\System\YstZfxD.exe
  C:\Windows\System\YstZfxD.exe
  2⤵
  PID:4320
- C:\Windows\System\dBvISlo.exe
  C:\Windows\System\dBvISlo.exe
  2⤵
  PID:4344
- C:\Windows\System\NJAtALo.exe
  C:\Windows\System\NJAtALo.exe
  2⤵
  PID:4328
- C:\Windows\System\eMZXjIC.exe
  C:\Windows\System\eMZXjIC.exe
  2⤵
  PID:4304
- C:\Windows\System\FLFyvxz.exe
  C:\Windows\System\FLFyvxz.exe
  2⤵
  PID:2712
- C:\Windows\System\afvPyuf.exe
  C:\Windows\System\afvPyuf.exe
  2⤵
  PID:4364
- C:\Windows\System\qMTJLnH.exe
  C:\Windows\System\qMTJLnH.exe
  2⤵
  PID:4380
- C:\Windows\System\cRThyHh.exe
  C:\Windows\System\cRThyHh.exe
  2⤵
  PID:4388
- C:\Windows\System\CQrSjvF.exe
  C:\Windows\System\CQrSjvF.exe
  2⤵
  PID:2896
- C:\Windows\System\DfKmfzF.exe
  C:\Windows\System\DfKmfzF.exe
  2⤵
  PID:4416
- C:\Windows\System\AOXYoXp.exe
  C:\Windows\System\AOXYoXp.exe
  2⤵
  PID:4432
- C:\Windows\System\izebDQa.exe
  C:\Windows\System\izebDQa.exe
  2⤵
  PID:4448
- C:\Windows\System\hXnTXFd.exe
  C:\Windows\System\hXnTXFd.exe
  2⤵
  PID:1224
- C:\Windows\System\cWdooVq.exe
  C:\Windows\System\cWdooVq.exe
  2⤵
  PID:4576
- C:\Windows\System\STJeuFO.exe
  C:\Windows\System\STJeuFO.exe
  2⤵
  PID:4592
- C:\Windows\System\PAGrfDO.exe
  C:\Windows\System\PAGrfDO.exe
  2⤵
  PID:4608
- C:\Windows\System\xxOodwI.exe
  C:\Windows\System\xxOodwI.exe
  2⤵
  PID:4616
- C:\Windows\System\grEGmjx.exe
  C:\Windows\System\grEGmjx.exe
  2⤵
  PID:4632
- C:\Windows\System\ZpPBQwn.exe
  C:\Windows\System\ZpPBQwn.exe
  2⤵
  PID:4648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\DEZnFHJ.exe

Filesize
2.0MB

MD5
4dfd021df8699192846bb310e3cc1fde

SHA1
31e26afdcc2fc4296dff210cbd87c2fc6f6d14f8

SHA256
27c1c2e5b19551e87634c68b4541c1e1daa45d7ac9c7c1c2f6ee09db7461aea0

SHA512
5dd377f643274d388e0dfd6d5ba14d326199ba2925400c834e62dea05ec55fe8fd56bdfe013e01378a346f3e1a98def778b748fba5cc0ecdaff0b8181c016252

Download Submit
C:\Windows\system\DRdrOmu.exe

Filesize
2.0MB

MD5
35e6824a9475ba3143a2624489ffda29

SHA1
01c7b2acf98495a501020977076278b37fd0cd80

SHA256
82e11d6ccd2b43eb88a83eda9cb58474cef78a96b8904e7eaaaf42ef7c84624f

SHA512
335f3aefe4dceac4c9614146ee73df3a108311e99a01b12a7809f896903ed7f8d2ac84df9878e627c69984bfb14fc5992a8827f3c51adc0d279325804636ae55

Download Submit
C:\Windows\system\FHRBJaM.exe

Filesize
2.0MB

MD5
348d6ae8a724eabdb78a032988a8d068

SHA1
895e671a546436cf15ae2991b0282e37d47e826f

SHA256
e31003ce0b0a88a80cd46055814e1724ec1274c7414f4de6f2d472abaa927756

SHA512
24c8e5a30794f1bf980490cb3f92c636b51ed7f606ec0e6313a2b06f23783e8c46807ef9442d904d6b5978da957e41634155acf047ff5b633e1a827f83884fe8

Download Submit
C:\Windows\system\GmuzbOp.exe

Filesize
2.0MB

MD5
67459d8faa51f436c04b08b8cdc8f654

SHA1
e810fe8c7f7e347cd74523e57665834bb1488ca1

SHA256
9e47222b3bd65d57b02668dafa152612afb5d657008188c597ce8cd71e1b63f5

SHA512
1190c4b87351ab3a6fbb17aab5fbca1ad836bdd8d5186621bb3696ea614100dbd9ae9c1bbdce3b5cb87fc4ac2056f37ac7599ada05f23b2f70dbbc0c1616a89e

Download Submit
C:\Windows\system\HZAujEi.exe

Filesize
2.0MB

MD5
c5650a41766a2dad40fc206a0f482615

SHA1
3d9dc4cb424a59a0e26f4f55f0868ca3a2b95979

SHA256
aaea4f21759ae200295cc7379f51e51547b068f2fa50703c7ce8d8855a845087

SHA512
9bea1fcc7f74ce6181bd51e9553cf27f8f069a3086980010c4da7ca67e5950dca50cd1ac255315d39b82e97eb54dfec90355f7530e72ffe952a8e8326ac47ba1

Download Submit
C:\Windows\system\HctPFLe.exe

Filesize
2.0MB

MD5
692e8b93ed707b73da187bfe8ac4e07e

SHA1
894a09edc91d6a416cd364ff5ef0cd80023a9022

SHA256
99b71fe01390358f053d38e4c5ffe6d3cb2955a1f55299a76f37b9e46f389f34

SHA512
d00c66f10d8390c99b2252e7eb9048228cb1a11189135512192ee48e792066186aca65ec1a395e1edf9c37344264382580cf0c2754a8d722913e4649ce1fbbfe

Download Submit
C:\Windows\system\IsoFUVg.exe

Filesize
2.0MB

MD5
6522ed21aa6a784d18d9b3b9ef755206

SHA1
58391518ba24293b876ee75a225ea6ceee779d8c

SHA256
e2985c43db79737249b381cc271d6b5f67724f9035547ae3331b478ab994a051

SHA512
aac1ea2d10b00bcaecebf0889ff245b577e5cb42d628dcd20ea3594fb9ebe7857ff86ad0f80ba66f382afdf7b900484b5c5ea7ea67c4626f5d4a810145364bfd

Download Submit
C:\Windows\system\JRwnizu.exe

Filesize
2.0MB

MD5
147f3328f4842b0be907a5dfcb855dee

SHA1
83e21f0cddd24e46eb1114f30d69a88c35685f16

SHA256
4922f35e916df57120ee593f20a06f869487cb8f6307e1347b0d6786c66367ca

SHA512
e3fa809163271c2872971bd6178ff4360277a5794daf14349f51886177d5b44194ce4c046a0ac3aa423ad4a3de095225a38be3bdf73209a7896451135434e798

Download Submit
C:\Windows\system\MJgPUsR.exe

Filesize
2.0MB

MD5
0ee57ebaa2cb9e80f0c21d99e8fddcef

SHA1
6f0227f16252056427959a8f52f871aa7edfd94a

SHA256
1a983b8657bddaf5c70be0c2c89e885b5bf18586319dc2e307c9536b21d10664

SHA512
a734efe3ad9d56545d54827a64f151b7f3350bf88d1e8a3c8cdb583791e654bbab5d9c1bc7114d48a338d989a535655c2454a79b77514d288ad4ae732f398b52

Download Submit
C:\Windows\system\MVWqRhe.exe

Filesize
2.0MB

MD5
e5b75d70d44a3ec81a9760216bc782d1

SHA1
3a8cd2123ce0f34cfd2c11b675c414336c6d1c9d

SHA256
4d210792cad031817296ca09592d77d263ef810ccfa4393c3cf141d4f867d8de

SHA512
ff93ac30c64fa2de0f32b127d7bc8a68248795b47da1ffe0c86879a9cbc4a728202a6df4dc62ff3efb629b94235ccd07faec73878b97d88896caaf5464df5810

Download Submit
C:\Windows\system\RSXpQaA.exe

Filesize
2.0MB

MD5
54cc16f2b8c1f5415296e29e028f2711

SHA1
0a7c29ec4b64c1212662bfb5d2eaea91876da358

SHA256
50e48d77072ddc836b60ee0a1a73c619e564153ad709423ea04bfcc1f37335ef

SHA512
ad9a1ff09668dae92aa3907c7aa0ef94f45ec57e95ac3c26bec68dfa6e0cd5a35aec0fbd652f7883b300006fdf2810ea7c9ba1e0f09f943c5458543d7cb4f066

Download Submit
C:\Windows\system\WgCLzmm.exe

Filesize
2.0MB

MD5
01efd66f5e8359e69122e09f8539bcb5

SHA1
9947ae8ab160e63cac98a6294451d6b8df547ff3

SHA256
da5e3b19b566ab2644e8b9a504d133739018f5858d43a45c1f2dfa742df919ad

SHA512
89fa455eea84a8fbe9ca0a00aa37769c09a6ccafe5dd8edbbf019c3abf2a9ee0d292c52c75baf44b596b37cf6ffd47318f036532ca85b519a18f48297deff888

Download Submit
C:\Windows\system\WpbGgSA.exe

Filesize
2.0MB

MD5
e79fe23b97ed19d8aca1f10f6a14c863

SHA1
fd2aaad698060c4a31601adf85b9af85014779f1

SHA256
bc0d6055cf67d955ec3d788a58ba4a89e33e5b821fcc8c2cf726842ef995a7b6

SHA512
0cfa6183ae0bbed125b44c59d99ed06b7e1e50bd064cc607a63a3232bff1238e79c25349925f07131dbd57ec8581c61079c8f3232869e98361bd89fa65083e0a

Download Submit
C:\Windows\system\YFHsDvj.exe

Filesize
2.0MB

MD5
22bf9ffb39e98a9bb814696ca34bdb58

SHA1
571029cc08649db02b106a93baebc479b42af9b5

SHA256
ed43a8efa05e43761b8ff7b8267e2dee43403ed7ebf76a2b6c269cf8038897f3

SHA512
e45ef0f9e4ecab1bd4fa89e9f4c0afe3f6d4273c02ecd6fdbb0ffd2ec89df460d7ba0e4f910e3c9a6bca412061457e15dd15c75841f2fd712a64b8161d1ef9ba

Download Submit
C:\Windows\system\YSVxvII.exe

Filesize
2.0MB

MD5
021b4a01a201f407764a230a2f05d5b8

SHA1
21151f0c0a08bd7c1a2ed2e0d4c6dc7c45d77827

SHA256
a331df140eb8c9c47f6062ef097c3be336d31a982e125c947716954665537079

SHA512
cd54afb30ed857206a92359c3dd8632295cd532e2c411a485f6f9246ed7bba81caf3e233f09dbf3230ad6564da4bf6858f016ca8fb32aed56c898750b3a13463

Download Submit
C:\Windows\system\aPbdDEK.exe

Filesize
2.0MB

MD5
655940ceb95d0ffbc27bdc381b1c825c

SHA1
68058a51d2586e82833fd91660c7200c7a52874c

SHA256
da1394a574be30e6e41dfab6a99516abebbc5592b76ac9eac90def0db6ddd646

SHA512
f72bf0c65a8ee984973e4e33f1348fc563df37c4120b21464174410f85697e7850ceff23615d1421b4d37a3bdeb8416731621cfde2c7a861966bd0abc59a44c0

Download Submit
C:\Windows\system\bpVmXaG.exe

Filesize
2.0MB

MD5
51cdaf4728ec53ce3e63b031b52137b4

SHA1
5aa8c8fa266f1e70e320cb6fdf96a6ac9be2ddf9

SHA256
9eb3329a55ff1ab02908a271dc073729183bb0c15b136516e56aa428ebdabb1a

SHA512
dcd1d84f4d80fb18bf639e3b6844702e908786fd4f13f822a15aa9b1923eff5b9170f93be1705fb30e7bc5425163de064c73525990528fba442e1e405d121130

Download Submit
C:\Windows\system\eIfwxyw.exe

Filesize
2.0MB

MD5
eb102dc962692c6a83f0e3cdc2b9d4eb

SHA1
6f506417af5522306ebafef22e6546c4ec95e4b9

SHA256
d25d9337811bb95304b1fdea0843a27a5766fc8168d08260711da6cc94b3ad75

SHA512
7f9a5f43c6eb5590e153c42d311c95ccd6d8dfe0eb5c889faaed57e898432250d931080a7e3cfe1d21b272f1ad93fe0489f257488cf93814dc8d4666a34fb4a8

Download Submit
C:\Windows\system\erZPQqS.exe

Filesize
2.0MB

MD5
1332f1fc29f88a0b4aa4a50c0bd7ed87

SHA1
63f531dd4013bbb25a6566f95aafe160baa7e435

SHA256
940f77b611cc7da6db20c4c2f0c203b06864262c800e3bc0551ff28db2f07ca9

SHA512
d8df0a53bbe9457cba38cd9025d5ecc4e59e21d003ba03d5ea2d9196194a404096797b557125960e519a08a90d0ad39d9473a40d489587e370853b082b935c9d

Download Submit
C:\Windows\system\inAvaTO.exe

Filesize
2.0MB

MD5
ae0c3d02e5c411151f43ed200b3012d2

SHA1
f28b1163a9675ddd14cdff39b4c4e42526042789

SHA256
c007dc1c9c7503911d4513af7cc81a5075020306019a928b4ae4912b4ff8d5cb

SHA512
275704dc9feb3cdad74e3251e82839f9e82c5ee2d49cced2659dd91f1b8c447bd2df2e50034035e8c02539d012e71c4cf903dab93947fe92c69f134a4b85a170

Download Submit
C:\Windows\system\kdXVIux.exe

Filesize
2.0MB

MD5
9f68164a5d216d87a0e2154b66014bc1

SHA1
8d559274cd95829532eb5573f522efb02331bb5d

SHA256
aad04d295a75bdb006ef130d2d98de84d271f6aae3be26a40a3fa1ace97398d0

SHA512
743cd591fc0809560d0aa4f5afef20e610244302266e3d2075bd79e24b64f50952ccefca500798793b07bb45dbfd2da77bec6240a3d9be16ae8704d1ce2ee9e3

Download Submit
C:\Windows\system\lDThYsN.exe

Filesize
2.0MB

MD5
f8cf1029fa8a731c66d7fba2da0f1a85

SHA1
451d867a3a609b3341f0543b0d4c1c9dfd3dad48

SHA256
c88380c0a44e0b0a8a5bbf72df35c56fd2920767ca0aeace66728861544984c5

SHA512
f34300f1fe0b862904cecec6c67d6273d4d88683f1142fc0b490101964a72451b510671b4beab186906933935709d44e5b9811bf5295db4dee2a2a106d7ad615

Download Submit
C:\Windows\system\mTqMyKx.exe

Filesize
2.0MB

MD5
4b454851b47f4a09ecc047c8479e567d

SHA1
22c2fd131531e3e87f396485570e973f8b115812

SHA256
2592263d2373a28dbfe0316d0542ab27b404b46d956d5d17a52079306df2648e

SHA512
aa04fb9a14a43c5340e4dd227e69afd2dd976a6fa8dc6c4516daf3648d666782a384ab8698b039824292a2f12d2c1fbe23f81b492f049c2019ec61d31c98a2f8

Download Submit
C:\Windows\system\oXtqpPP.exe

Filesize
2.0MB

MD5
eee56cd98bb1d0858db23f667c2b13e9

SHA1
c94fa2234dc38d531205d4eab39cea83889db2c7

SHA256
e3dc2d1b31fde61f75192df4ccd177a61e49ded60449302bad4cc63ae815b81a

SHA512
1dbc7e1727d7279c7dd66c46f0380b0c5a2d967a21f78d7041eb56ac0f7bc6b820dbebf00114a7aff9a6e533c48e9fa16569e424756ef081178cef22127bcdb2

Download Submit
C:\Windows\system\rWxvynt.exe

Filesize
2.0MB

MD5
d6aee744848b2c4be1c30efae7c41778

SHA1
df91c6322a6f5aa6e27c84aad899c2cd1e93aede

SHA256
fdcdd47f20310bcde21e70eb61f6cceff48e8b7c979d19ff8b35de4f9f1c3a41

SHA512
543356f8f66a140561c567865a26d38ba37490f2fe8cb133004f31195a4e26d5c70d398b2b9d3ac9f24cd768e96b15432cc252a35d96e0563976d81cdba518b0

Download Submit
C:\Windows\system\rvPXKCd.exe

Filesize
2.0MB

MD5
0b488ae80d011691e6d153af34b35df0

SHA1
67a4006ce8045e212607ab0e2ef6bca03b8d11c6

SHA256
c8bea2f3da8dca13bb527d04b45876bc98859f350fcc15d602e91bfaaf2e038f

SHA512
1f91991546495d6bc3c41ce58623bf6ebd47ff7cd29d0ded53956a1dc465c9bab76aa32f72bfe66d688657503414500c30c70a06f8bb7f7fc7006ded9e71e516

Download Submit
C:\Windows\system\uysVgdS.exe

Filesize
2.0MB

MD5
558f5f9a9a243295d1b4a36dd5b94fd7

SHA1
4e32479fa36e02e644f8031307201e20605ee1cd

SHA256
43103f71070c7b4ba2d96e6f91e519245faea18e9683db97b44d04e7294720a5

SHA512
36edcd7399087841698a89e1963850f1e68a07929b62f5a0a7095154b29ab5e832e19d09ffb03df865a192375f3d95efafe12b9f1598fd7fdd63380d0ade2465

Download Submit
C:\Windows\system\vevzrhQ.exe

Filesize
2.0MB

MD5
94ec338f2cef9d9096f80a83f623fd0f

SHA1
e47f7b31954b4b97c6c22be97ecefd7f0d7a8846

SHA256
3928b8ddc10878d67f17caed06a21ea065d3bb4166f03b94b4ab788b528d27ce

SHA512
9a229868828e9d4ff93d743c09b64e357891b717fe68f5977137c8c6221220f4388347ca3b52f2d14c835c9d398d0631f692113a9146471aee5490766e51d1d9

Download Submit
C:\Windows\system\yGQLwPa.exe

Filesize
2.0MB

MD5
0864ad1958b0284aaa43cadcd85c1ef1

SHA1
1f50aff9e2d93687abba3fa6be3bae148e1dea98

SHA256
fb568e3334b99cb261a19e5350c4894a5430d07e6f6cf5ee12c403d2f8cd7302

SHA512
e02eaf7e5b817c37eab045096333f720e15b1f45d5ef39cf273d73df57c0dab858fb76e53abbe395f54250bc30b83c194ce36e821c4dbbd3098c288ef6b1d579

Download Submit
C:\Windows\system\zQbWGqi.exe

Filesize
2.0MB

MD5
17b27a5ee3755b0590371e070b36fe50

SHA1
b11dc92b69f516ed0470cfe3937b8b70685467cf

SHA256
4b1f78cdf2c571f34fae0be0819dcebac9586a810cd79a6605037f77730f5212

SHA512
f91b6e9e2fede433a22d236f533e8f37b98e1c887d2743b25300e96ae4b5c37778c880fb62e34c3c4e59962ff12d7b426253ddde89180eace7c5d5e9b00a4ce2

Download Submit
\Windows\system\OpkCjAh.exe

Filesize
2.0MB

MD5
bf69b4bf477edc5180a9b5d6145470f2

SHA1
a02dca16e222de33388c838d171401a77099a4a8

SHA256
1e7537d72de3b0076d29774093c1c9c74e8506f105945be20f19931e0d81c7a6

SHA512
ebdcbe6c3267235b297636596ce9fa0a566823bf9cbcb11610abf435cf3385ab60836325f570a0ffe567edfdafb1c1554e2db01c053667ebe37cc931e78143b4

Download Submit
\Windows\system\qhlLitD.exe

Filesize
2.0MB

MD5
2be1df78bdee5d0add6b997b318af98f

SHA1
86e755dd11015538fa51f1ac193a23880ceaac30

SHA256
72c7c6b79e1eb45cc07235118b3d05f78a8af18fb2e053364d0bc4c7920793cd

SHA512
e7db2729841d49329aed7c93443d0b08940255af9ad2a892a3fa72e41ab7fb226edb705af35a4379475a3abb68dbbf9f60245ad95e3f4922c6dce5d9fd1485c6

Download Submit
memory/2540-0-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download