xmrig | ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779

Analysis

max time kernel
106s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
Size

1.2MB
MD5

dfc446bad8f304bba3cd16d6eddafcd0
SHA1

e004545c9e77e7864a3be4a9c1d95aa142ac4356
SHA256

ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779
SHA512

97d03b22106955d05891519b2c31b7210f60992c4b77c8cd7217abf2ad2fd138171a29faaf05674ac381682795695457196dee620de3c0d9f8822ecbac0f02c9
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5Pbcq92zjP+sjI1j/mNJZ:knw9oUUEEDl37jcq4nPWmx

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 42 IoCs

miner

resource	yara_rule
behavioral2/memory/3452-386-0x00007FF626E20000-0x00007FF627211000-memory.dmp	xmrig
behavioral2/memory/1036-390-0x00007FF730350000-0x00007FF730741000-memory.dmp	xmrig
behavioral2/memory/5028-398-0x00007FF770610000-0x00007FF770A01000-memory.dmp	xmrig
behavioral2/memory/2416-394-0x00007FF6DF7C0000-0x00007FF6DFBB1000-memory.dmp	xmrig
behavioral2/memory/2984-393-0x00007FF6656F0000-0x00007FF665AE1000-memory.dmp	xmrig
behavioral2/memory/2024-384-0x00007FF7817C0000-0x00007FF781BB1000-memory.dmp	xmrig
behavioral2/memory/392-399-0x00007FF6D94A0000-0x00007FF6D9891000-memory.dmp	xmrig
behavioral2/memory/116-401-0x00007FF6A3860000-0x00007FF6A3C51000-memory.dmp	xmrig
behavioral2/memory/4352-403-0x00007FF63F930000-0x00007FF63FD21000-memory.dmp	xmrig
behavioral2/memory/1676-406-0x00007FF7814A0000-0x00007FF781891000-memory.dmp	xmrig
behavioral2/memory/756-408-0x00007FF612E60000-0x00007FF613251000-memory.dmp	xmrig
behavioral2/memory/4132-409-0x00007FF6DF6A0000-0x00007FF6DFA91000-memory.dmp	xmrig
behavioral2/memory/932-412-0x00007FF68DE90000-0x00007FF68E281000-memory.dmp	xmrig
behavioral2/memory/424-405-0x00007FF64C5D0000-0x00007FF64C9C1000-memory.dmp	xmrig
behavioral2/memory/4520-404-0x00007FF6040C0000-0x00007FF6044B1000-memory.dmp	xmrig
behavioral2/memory/3996-48-0x00007FF70D560000-0x00007FF70D951000-memory.dmp	xmrig
behavioral2/memory/3952-47-0x00007FF6808D0000-0x00007FF680CC1000-memory.dmp	xmrig
behavioral2/memory/4916-29-0x00007FF7DF370000-0x00007FF7DF761000-memory.dmp	xmrig
behavioral2/memory/1044-843-0x00007FF733220000-0x00007FF733611000-memory.dmp	xmrig
behavioral2/memory/3088-880-0x00007FF67CF10000-0x00007FF67D301000-memory.dmp	xmrig
behavioral2/memory/400-1040-0x00007FF6774E0000-0x00007FF6778D1000-memory.dmp	xmrig
behavioral2/memory/4916-1038-0x00007FF7DF370000-0x00007FF7DF761000-memory.dmp	xmrig
behavioral2/memory/3496-1037-0x00007FF78E140000-0x00007FF78E531000-memory.dmp	xmrig
behavioral2/memory/2768-1137-0x00007FF6F4AE0000-0x00007FF6F4ED1000-memory.dmp	xmrig
behavioral2/memory/4308-1279-0x00007FF6A9990000-0x00007FF6A9D81000-memory.dmp	xmrig
behavioral2/memory/4256-1406-0x00007FF62B3E0000-0x00007FF62B7D1000-memory.dmp	xmrig
behavioral2/memory/3496-2112-0x00007FF78E140000-0x00007FF78E531000-memory.dmp	xmrig
behavioral2/memory/3996-2135-0x00007FF70D560000-0x00007FF70D951000-memory.dmp	xmrig
behavioral2/memory/2768-2137-0x00007FF6F4AE0000-0x00007FF6F4ED1000-memory.dmp	xmrig
behavioral2/memory/400-2139-0x00007FF6774E0000-0x00007FF6778D1000-memory.dmp	xmrig
behavioral2/memory/4256-2141-0x00007FF62B3E0000-0x00007FF62B7D1000-memory.dmp	xmrig
behavioral2/memory/5028-2143-0x00007FF770610000-0x00007FF770A01000-memory.dmp	xmrig
behavioral2/memory/2416-2150-0x00007FF6DF7C0000-0x00007FF6DFBB1000-memory.dmp	xmrig
behavioral2/memory/932-2155-0x00007FF68DE90000-0x00007FF68E281000-memory.dmp	xmrig
behavioral2/memory/4352-2159-0x00007FF63F930000-0x00007FF63FD21000-memory.dmp	xmrig
behavioral2/memory/424-2161-0x00007FF64C5D0000-0x00007FF64C9C1000-memory.dmp	xmrig
behavioral2/memory/1676-2163-0x00007FF7814A0000-0x00007FF781891000-memory.dmp	xmrig
behavioral2/memory/4520-2158-0x00007FF6040C0000-0x00007FF6044B1000-memory.dmp	xmrig
behavioral2/memory/2984-2145-0x00007FF6656F0000-0x00007FF665AE1000-memory.dmp	xmrig
behavioral2/memory/4132-2198-0x00007FF6DF6A0000-0x00007FF6DFA91000-memory.dmp	xmrig
behavioral2/memory/756-2194-0x00007FF612E60000-0x00007FF613251000-memory.dmp	xmrig
behavioral2/memory/1036-2148-0x00007FF730350000-0x00007FF730741000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3496	YyRGoPF.exe
3088	FUCoXde.exe
4916	iBMqTio.exe
3952	iRmCBqk.exe
2768	gPyyOJD.exe
400	GlCeaWg.exe
3996	joMOuqu.exe
4308	ncKlarD.exe
4256	NKAnUog.exe
932	OoWqUQl.exe
2024	ejSbXOD.exe
3452	oHBdPok.exe
1036	jpfkrlt.exe
2984	BOHawop.exe
2416	YmBPbim.exe
5028	kKjCBsK.exe
392	lZMnKMo.exe
116	dJXJjxn.exe
4352	uxlbAZX.exe
4520	rhSiLFx.exe
424	LMXbRKg.exe
1676	AWPWMAS.exe
756	GbYpVJN.exe
4132	UgAFSsb.exe
4388	zvAHzHh.exe
4672	TaGpead.exe
3320	lIZHqEh.exe
2348	IMBeyYm.exe
2720	STSaNnt.exe
4524	YqzeiyF.exe
1308	fKJyuSH.exe
4696	QXXxPwi.exe
1784	Kysjrku.exe
2248	iUUOdmW.exe
3372	mzhFmLa.exe
4588	thwxVig.exe
1240	MijTdnu.exe
2880	CGIFXgQ.exe
2988	PmPMHRe.exe
3676	UCAWyqi.exe
4288	pHUYKMe.exe
3108	KTFejRK.exe
2732	EYNSyjC.exe
4624	XdCZAcd.exe
3592	oxBhKWL.exe
3236	FQxbLkA.exe
1936	JRoKOWo.exe
2488	glAQKMs.exe
4100	KlcOtCQ.exe
692	edVTVmC.exe
5076	bEfLyPR.exe
624	ZDYogqF.exe
2816	YvrNRxZ.exe
1856	NgSnFTk.exe
4360	uFDrTCw.exe
5016	VKuVDcB.exe
4632	gZDpnUq.exe
2792	uiYlNfg.exe
1276	NhvyZKT.exe
2232	wiBkWQJ.exe
2036	IsozBjX.exe
1192	IxOiNAY.exe
5012	vtpjsCp.exe
3908	rzcfwNe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\ncKlarD.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\sxhOQnk.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\dZVUuQi.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\FaZNalr.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\TOZnLUj.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\iRmCBqk.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\yuDoOAf.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\pOJxROy.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\IIxEDxg.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\IlIvaFb.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\HKWqLRE.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\yOBJvwW.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\iUUOdmW.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\mTjcuNR.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\HxAcXKU.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\fHIFTtY.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\OzvrMrT.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\hpRRtTd.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\oOIGkkP.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\mKjJUss.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\OwiMbIP.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\yGspwfU.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\rmrlPhe.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\OBtupnM.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\KLevLxf.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\pyECSvn.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\VgFbTCA.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\uSUfxOO.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\qVMGjEI.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\JSGPYWi.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\mLbSioV.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\PRdHjBD.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\WhpjCLJ.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\IZeEpWy.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\RMVACLz.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\MrQxRMw.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\nfgtVKG.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\TOwFwNX.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\aNESqAv.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\iYWWAZM.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\trPZXhR.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\lkUUkuO.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\CZvjVHp.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\BbkVNlU.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\IfGKWuk.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\lXacvcm.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\ZtwpRkL.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\kDdJrrv.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\eJUXwzp.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\UylwUQX.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\pywsone.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\dBqcYNF.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\KlcOtCQ.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\EaglUEB.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\oxBhKWL.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\eUTntjp.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\kKjCBsK.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\MYlpUIP.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\KSvLxnh.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\GHmaNwE.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\wJnWgPN.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\jKMsLMm.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\vYDNSaa.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
File created	C:\Windows\System32\rzcfwNe.exe	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1044-0-0x00007FF733220000-0x00007FF733611000-memory.dmp	upx
behavioral2/files/0x00070000000234df-6.dat	upx
behavioral2/files/0x00070000000234e3-27.dat	upx
behavioral2/memory/3496-12-0x00007FF78E140000-0x00007FF78E531000-memory.dmp	upx
behavioral2/files/0x00090000000234ca-11.dat	upx
behavioral2/files/0x00070000000234de-8.dat	upx
behavioral2/files/0x00070000000234e2-26.dat	upx
behavioral2/memory/2768-30-0x00007FF6F4AE0000-0x00007FF6F4ED1000-memory.dmp	upx
behavioral2/memory/400-38-0x00007FF6774E0000-0x00007FF6778D1000-memory.dmp	upx
behavioral2/memory/4308-52-0x00007FF6A9990000-0x00007FF6A9D81000-memory.dmp	upx
behavioral2/files/0x00070000000234e6-59.dat	upx
behavioral2/files/0x00070000000234e8-67.dat	upx
behavioral2/files/0x00070000000234ed-94.dat	upx
behavioral2/files/0x00070000000234ef-104.dat	upx
behavioral2/files/0x00070000000234f1-114.dat	upx
behavioral2/files/0x00070000000234f2-119.dat	upx
behavioral2/files/0x00070000000234f5-134.dat	upx
behavioral2/memory/4256-381-0x00007FF62B3E0000-0x00007FF62B7D1000-memory.dmp	upx
behavioral2/memory/3452-386-0x00007FF626E20000-0x00007FF627211000-memory.dmp	upx
behavioral2/memory/1036-390-0x00007FF730350000-0x00007FF730741000-memory.dmp	upx
behavioral2/memory/5028-398-0x00007FF770610000-0x00007FF770A01000-memory.dmp	upx
behavioral2/memory/2416-394-0x00007FF6DF7C0000-0x00007FF6DFBB1000-memory.dmp	upx
behavioral2/memory/2984-393-0x00007FF6656F0000-0x00007FF665AE1000-memory.dmp	upx
behavioral2/memory/2024-384-0x00007FF7817C0000-0x00007FF781BB1000-memory.dmp	upx
behavioral2/memory/392-399-0x00007FF6D94A0000-0x00007FF6D9891000-memory.dmp	upx
behavioral2/memory/116-401-0x00007FF6A3860000-0x00007FF6A3C51000-memory.dmp	upx
behavioral2/memory/4352-403-0x00007FF63F930000-0x00007FF63FD21000-memory.dmp	upx
behavioral2/memory/1676-406-0x00007FF7814A0000-0x00007FF781891000-memory.dmp	upx
behavioral2/memory/756-408-0x00007FF612E60000-0x00007FF613251000-memory.dmp	upx
behavioral2/memory/4132-409-0x00007FF6DF6A0000-0x00007FF6DFA91000-memory.dmp	upx
behavioral2/memory/932-412-0x00007FF68DE90000-0x00007FF68E281000-memory.dmp	upx
behavioral2/memory/424-405-0x00007FF64C5D0000-0x00007FF64C9C1000-memory.dmp	upx
behavioral2/memory/4520-404-0x00007FF6040C0000-0x00007FF6044B1000-memory.dmp	upx
behavioral2/files/0x00070000000234fc-169.dat	upx
behavioral2/files/0x00070000000234fb-164.dat	upx
behavioral2/files/0x00070000000234fa-162.dat	upx
behavioral2/files/0x00070000000234f9-154.dat	upx
behavioral2/files/0x00070000000234f8-149.dat	upx
behavioral2/files/0x00070000000234f7-144.dat	upx
behavioral2/files/0x00070000000234f6-139.dat	upx
behavioral2/files/0x00070000000234f4-129.dat	upx
behavioral2/files/0x00070000000234f3-124.dat	upx
behavioral2/files/0x00070000000234f0-109.dat	upx
behavioral2/files/0x00070000000234ee-99.dat	upx
behavioral2/files/0x00070000000234ec-89.dat	upx
behavioral2/files/0x00070000000234eb-84.dat	upx
behavioral2/files/0x00070000000234ea-79.dat	upx
behavioral2/files/0x00070000000234e9-74.dat	upx
behavioral2/files/0x00070000000234e7-64.dat	upx
behavioral2/files/0x00070000000234e5-57.dat	upx
behavioral2/files/0x00070000000234e4-51.dat	upx
behavioral2/memory/3996-48-0x00007FF70D560000-0x00007FF70D951000-memory.dmp	upx
behavioral2/memory/3952-47-0x00007FF6808D0000-0x00007FF680CC1000-memory.dmp	upx
behavioral2/files/0x00070000000234e0-33.dat	upx
behavioral2/files/0x00070000000234e1-32.dat	upx
behavioral2/memory/4916-29-0x00007FF7DF370000-0x00007FF7DF761000-memory.dmp	upx
behavioral2/memory/3088-23-0x00007FF67CF10000-0x00007FF67D301000-memory.dmp	upx
behavioral2/memory/1044-843-0x00007FF733220000-0x00007FF733611000-memory.dmp	upx
behavioral2/memory/3088-880-0x00007FF67CF10000-0x00007FF67D301000-memory.dmp	upx
behavioral2/memory/400-1040-0x00007FF6774E0000-0x00007FF6778D1000-memory.dmp	upx
behavioral2/memory/4916-1038-0x00007FF7DF370000-0x00007FF7DF761000-memory.dmp	upx
behavioral2/memory/3496-1037-0x00007FF78E140000-0x00007FF78E531000-memory.dmp	upx
behavioral2/memory/2768-1137-0x00007FF6F4AE0000-0x00007FF6F4ED1000-memory.dmp	upx
behavioral2/memory/4308-1279-0x00007FF6A9990000-0x00007FF6A9D81000-memory.dmp	upx

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 36 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13432	dwm.exe
Token: SeChangeNotifyPrivilege	13432	dwm.exe
Token: 33	13432	dwm.exe
Token: SeIncBasePriorityPrivilege	13432	dwm.exe
Token: SeCreateGlobalPrivilege	1228	dwm.exe
Token: SeChangeNotifyPrivilege	1228	dwm.exe
Token: 33	1228	dwm.exe
Token: SeIncBasePriorityPrivilege	1228	dwm.exe
Token: SeShutdownPrivilege	1228	dwm.exe
Token: SeCreatePagefilePrivilege	1228	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 3496	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	83
PID 1044 wrote to memory of 3496	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	83
PID 1044 wrote to memory of 3088	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	84
PID 1044 wrote to memory of 3088	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	84
PID 1044 wrote to memory of 4916	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	85
PID 1044 wrote to memory of 4916	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	85
PID 1044 wrote to memory of 3996	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	86
PID 1044 wrote to memory of 3996	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	86
PID 1044 wrote to memory of 3952	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	87
PID 1044 wrote to memory of 3952	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	87
PID 1044 wrote to memory of 2768	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	88
PID 1044 wrote to memory of 2768	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	88
PID 1044 wrote to memory of 400	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	89
PID 1044 wrote to memory of 400	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	89
PID 1044 wrote to memory of 4308	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	90
PID 1044 wrote to memory of 4308	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	90
PID 1044 wrote to memory of 4256	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	91
PID 1044 wrote to memory of 4256	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	91
PID 1044 wrote to memory of 932	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	92
PID 1044 wrote to memory of 932	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	92
PID 1044 wrote to memory of 2024	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	93
PID 1044 wrote to memory of 2024	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	93
PID 1044 wrote to memory of 3452	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	94
PID 1044 wrote to memory of 3452	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	94
PID 1044 wrote to memory of 1036	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	95
PID 1044 wrote to memory of 1036	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	95
PID 1044 wrote to memory of 2984	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	96
PID 1044 wrote to memory of 2984	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	96
PID 1044 wrote to memory of 2416	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	97
PID 1044 wrote to memory of 2416	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	97
PID 1044 wrote to memory of 5028	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	98
PID 1044 wrote to memory of 5028	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	98
PID 1044 wrote to memory of 392	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	99
PID 1044 wrote to memory of 392	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	99
PID 1044 wrote to memory of 116	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	100
PID 1044 wrote to memory of 116	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	100
PID 1044 wrote to memory of 4352	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	101
PID 1044 wrote to memory of 4352	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	101
PID 1044 wrote to memory of 4520	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	102
PID 1044 wrote to memory of 4520	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	102
PID 1044 wrote to memory of 424	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	103
PID 1044 wrote to memory of 424	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	103
PID 1044 wrote to memory of 1676	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	104
PID 1044 wrote to memory of 1676	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	104
PID 1044 wrote to memory of 756	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	105
PID 1044 wrote to memory of 756	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	105
PID 1044 wrote to memory of 4132	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	106
PID 1044 wrote to memory of 4132	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	106
PID 1044 wrote to memory of 4388	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	107
PID 1044 wrote to memory of 4388	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	107
PID 1044 wrote to memory of 4672	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	108
PID 1044 wrote to memory of 4672	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	108
PID 1044 wrote to memory of 3320	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	109
PID 1044 wrote to memory of 3320	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	109
PID 1044 wrote to memory of 2348	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	110
PID 1044 wrote to memory of 2348	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	110
PID 1044 wrote to memory of 2720	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	111
PID 1044 wrote to memory of 2720	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	111
PID 1044 wrote to memory of 4524	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	112
PID 1044 wrote to memory of 4524	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	112
PID 1044 wrote to memory of 1308	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	113
PID 1044 wrote to memory of 1308	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	113
PID 1044 wrote to memory of 4696	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	114
PID 1044 wrote to memory of 4696	1044	ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe	114

C:\Users\Admin\AppData\Local\Temp\ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe
"C:\Users\Admin\AppData\Local\Temp\ecc62a91f5997363889aa26310e8537e7235a82ef1d9cc63ce13b276f32d4779N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\System32\YyRGoPF.exe
  C:\Windows\System32\YyRGoPF.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System32\FUCoXde.exe
  C:\Windows\System32\FUCoXde.exe
  2⤵
  - Executes dropped EXE
  PID:3088
- C:\Windows\System32\iBMqTio.exe
  C:\Windows\System32\iBMqTio.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System32\joMOuqu.exe
  C:\Windows\System32\joMOuqu.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\System32\iRmCBqk.exe
  C:\Windows\System32\iRmCBqk.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System32\gPyyOJD.exe
  C:\Windows\System32\gPyyOJD.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System32\GlCeaWg.exe
  C:\Windows\System32\GlCeaWg.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System32\ncKlarD.exe
  C:\Windows\System32\ncKlarD.exe
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Windows\System32\NKAnUog.exe
  C:\Windows\System32\NKAnUog.exe
  2⤵
  - Executes dropped EXE
  PID:4256
- C:\Windows\System32\OoWqUQl.exe
  C:\Windows\System32\OoWqUQl.exe
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\System32\ejSbXOD.exe
  C:\Windows\System32\ejSbXOD.exe
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\System32\oHBdPok.exe
  C:\Windows\System32\oHBdPok.exe
  2⤵
  - Executes dropped EXE
  PID:3452
- C:\Windows\System32\jpfkrlt.exe
  C:\Windows\System32\jpfkrlt.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System32\BOHawop.exe
  C:\Windows\System32\BOHawop.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System32\YmBPbim.exe
  C:\Windows\System32\YmBPbim.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System32\kKjCBsK.exe
  C:\Windows\System32\kKjCBsK.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System32\lZMnKMo.exe
  C:\Windows\System32\lZMnKMo.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System32\dJXJjxn.exe
  C:\Windows\System32\dJXJjxn.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System32\uxlbAZX.exe
  C:\Windows\System32\uxlbAZX.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System32\rhSiLFx.exe
  C:\Windows\System32\rhSiLFx.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System32\LMXbRKg.exe
  C:\Windows\System32\LMXbRKg.exe
  2⤵
  - Executes dropped EXE
  PID:424
- C:\Windows\System32\AWPWMAS.exe
  C:\Windows\System32\AWPWMAS.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System32\GbYpVJN.exe
  C:\Windows\System32\GbYpVJN.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System32\UgAFSsb.exe
  C:\Windows\System32\UgAFSsb.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System32\zvAHzHh.exe
  C:\Windows\System32\zvAHzHh.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System32\TaGpead.exe
  C:\Windows\System32\TaGpead.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System32\lIZHqEh.exe
  C:\Windows\System32\lIZHqEh.exe
  2⤵
  - Executes dropped EXE
  PID:3320
- C:\Windows\System32\IMBeyYm.exe
  C:\Windows\System32\IMBeyYm.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System32\STSaNnt.exe
  C:\Windows\System32\STSaNnt.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System32\YqzeiyF.exe
  C:\Windows\System32\YqzeiyF.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System32\fKJyuSH.exe
  C:\Windows\System32\fKJyuSH.exe
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\System32\QXXxPwi.exe
  C:\Windows\System32\QXXxPwi.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System32\Kysjrku.exe
  C:\Windows\System32\Kysjrku.exe
  2⤵
  - Executes dropped EXE
  PID:1784
- C:\Windows\System32\iUUOdmW.exe
  C:\Windows\System32\iUUOdmW.exe
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\System32\mzhFmLa.exe
  C:\Windows\System32\mzhFmLa.exe
  2⤵
  - Executes dropped EXE
  PID:3372
- C:\Windows\System32\thwxVig.exe
  C:\Windows\System32\thwxVig.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System32\MijTdnu.exe
  C:\Windows\System32\MijTdnu.exe
  2⤵
  - Executes dropped EXE
  PID:1240
- C:\Windows\System32\CGIFXgQ.exe
  C:\Windows\System32\CGIFXgQ.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System32\PmPMHRe.exe
  C:\Windows\System32\PmPMHRe.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System32\UCAWyqi.exe
  C:\Windows\System32\UCAWyqi.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System32\pHUYKMe.exe
  C:\Windows\System32\pHUYKMe.exe
  2⤵
  - Executes dropped EXE
  PID:4288
- C:\Windows\System32\KTFejRK.exe
  C:\Windows\System32\KTFejRK.exe
  2⤵
  - Executes dropped EXE
  PID:3108
- C:\Windows\System32\EYNSyjC.exe
  C:\Windows\System32\EYNSyjC.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System32\XdCZAcd.exe
  C:\Windows\System32\XdCZAcd.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System32\oxBhKWL.exe
  C:\Windows\System32\oxBhKWL.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System32\FQxbLkA.exe
  C:\Windows\System32\FQxbLkA.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Windows\System32\JRoKOWo.exe
  C:\Windows\System32\JRoKOWo.exe
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\System32\glAQKMs.exe
  C:\Windows\System32\glAQKMs.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System32\KlcOtCQ.exe
  C:\Windows\System32\KlcOtCQ.exe
  2⤵
  - Executes dropped EXE
  PID:4100
- C:\Windows\System32\edVTVmC.exe
  C:\Windows\System32\edVTVmC.exe
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Windows\System32\bEfLyPR.exe
  C:\Windows\System32\bEfLyPR.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System32\ZDYogqF.exe
  C:\Windows\System32\ZDYogqF.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System32\YvrNRxZ.exe
  C:\Windows\System32\YvrNRxZ.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System32\NgSnFTk.exe
  C:\Windows\System32\NgSnFTk.exe
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\System32\uFDrTCw.exe
  C:\Windows\System32\uFDrTCw.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System32\VKuVDcB.exe
  C:\Windows\System32\VKuVDcB.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System32\gZDpnUq.exe
  C:\Windows\System32\gZDpnUq.exe
  2⤵
  - Executes dropped EXE
  PID:4632
- C:\Windows\System32\uiYlNfg.exe
  C:\Windows\System32\uiYlNfg.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System32\NhvyZKT.exe
  C:\Windows\System32\NhvyZKT.exe
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\System32\wiBkWQJ.exe
  C:\Windows\System32\wiBkWQJ.exe
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\System32\IsozBjX.exe
  C:\Windows\System32\IsozBjX.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System32\IxOiNAY.exe
  C:\Windows\System32\IxOiNAY.exe
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\System32\vtpjsCp.exe
  C:\Windows\System32\vtpjsCp.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System32\rzcfwNe.exe
  C:\Windows\System32\rzcfwNe.exe
  2⤵
  - Executes dropped EXE
  PID:3908
- C:\Windows\System32\mrSQiDD.exe
  C:\Windows\System32\mrSQiDD.exe
  2⤵
  PID:4776
- C:\Windows\System32\pxaxmIl.exe
  C:\Windows\System32\pxaxmIl.exe
  2⤵
  PID:1984
- C:\Windows\System32\QZXodiP.exe
  C:\Windows\System32\QZXodiP.exe
  2⤵
  PID:4976
- C:\Windows\System32\yuDoOAf.exe
  C:\Windows\System32\yuDoOAf.exe
  2⤵
  PID:3152
- C:\Windows\System32\BPYXoof.exe
  C:\Windows\System32\BPYXoof.exe
  2⤵
  PID:1540
- C:\Windows\System32\jwBZhoL.exe
  C:\Windows\System32\jwBZhoL.exe
  2⤵
  PID:916
- C:\Windows\System32\hpRRtTd.exe
  C:\Windows\System32\hpRRtTd.exe
  2⤵
  PID:2316
- C:\Windows\System32\tzoIvpC.exe
  C:\Windows\System32\tzoIvpC.exe
  2⤵
  PID:428
- C:\Windows\System32\xWLpVfi.exe
  C:\Windows\System32\xWLpVfi.exe
  2⤵
  PID:1660
- C:\Windows\System32\JBfsjbI.exe
  C:\Windows\System32\JBfsjbI.exe
  2⤵
  PID:1928
- C:\Windows\System32\udpUMEN.exe
  C:\Windows\System32\udpUMEN.exe
  2⤵
  PID:3084
- C:\Windows\System32\HmScxbO.exe
  C:\Windows\System32\HmScxbO.exe
  2⤵
  PID:1108
- C:\Windows\System32\LTwjFwS.exe
  C:\Windows\System32\LTwjFwS.exe
  2⤵
  PID:976
- C:\Windows\System32\suHfYtZ.exe
  C:\Windows\System32\suHfYtZ.exe
  2⤵
  PID:3876
- C:\Windows\System32\bfMnfpV.exe
  C:\Windows\System32\bfMnfpV.exe
  2⤵
  PID:3880
- C:\Windows\System32\TlwvINn.exe
  C:\Windows\System32\TlwvINn.exe
  2⤵
  PID:620
- C:\Windows\System32\DDdKXCL.exe
  C:\Windows\System32\DDdKXCL.exe
  2⤵
  PID:532
- C:\Windows\System32\LkiPSqm.exe
  C:\Windows\System32\LkiPSqm.exe
  2⤵
  PID:680
- C:\Windows\System32\EtQJxpo.exe
  C:\Windows\System32\EtQJxpo.exe
  2⤵
  PID:536
- C:\Windows\System32\fDkrrLf.exe
  C:\Windows\System32\fDkrrLf.exe
  2⤵
  PID:464
- C:\Windows\System32\XTKMTCT.exe
  C:\Windows\System32\XTKMTCT.exe
  2⤵
  PID:1100
- C:\Windows\System32\jMeKhEY.exe
  C:\Windows\System32\jMeKhEY.exe
  2⤵
  PID:2032
- C:\Windows\System32\alpWDpR.exe
  C:\Windows\System32\alpWDpR.exe
  2⤵
  PID:4528
- C:\Windows\System32\UVpqQgO.exe
  C:\Windows\System32\UVpqQgO.exe
  2⤵
  PID:1284
- C:\Windows\System32\TOwFwNX.exe
  C:\Windows\System32\TOwFwNX.exe
  2⤵
  PID:4328
- C:\Windows\System32\JuChuQe.exe
  C:\Windows\System32\JuChuQe.exe
  2⤵
  PID:1500
- C:\Windows\System32\UwfuhJx.exe
  C:\Windows\System32\UwfuhJx.exe
  2⤵
  PID:508
- C:\Windows\System32\wuefTiT.exe
  C:\Windows\System32\wuefTiT.exe
  2⤵
  PID:1848
- C:\Windows\System32\kDdJrrv.exe
  C:\Windows\System32\kDdJrrv.exe
  2⤵
  PID:1416
- C:\Windows\System32\ssEslek.exe
  C:\Windows\System32\ssEslek.exe
  2⤵
  PID:3032
- C:\Windows\System32\eJUXwzp.exe
  C:\Windows\System32\eJUXwzp.exe
  2⤵
  PID:3364
- C:\Windows\System32\vadBhny.exe
  C:\Windows\System32\vadBhny.exe
  2⤵
  PID:2296
- C:\Windows\System32\UQbxzmm.exe
  C:\Windows\System32\UQbxzmm.exe
  2⤵
  PID:5064
- C:\Windows\System32\hTTvqkH.exe
  C:\Windows\System32\hTTvqkH.exe
  2⤵
  PID:4592
- C:\Windows\System32\ShOHHfw.exe
  C:\Windows\System32\ShOHHfw.exe
  2⤵
  PID:2832
- C:\Windows\System32\VgFbTCA.exe
  C:\Windows\System32\VgFbTCA.exe
  2⤵
  PID:1168
- C:\Windows\System32\GYSqNuu.exe
  C:\Windows\System32\GYSqNuu.exe
  2⤵
  PID:4560
- C:\Windows\System32\KIRAvcv.exe
  C:\Windows\System32\KIRAvcv.exe
  2⤵
  PID:800
- C:\Windows\System32\NJSwGyP.exe
  C:\Windows\System32\NJSwGyP.exe
  2⤵
  PID:1424
- C:\Windows\System32\gfkNebM.exe
  C:\Windows\System32\gfkNebM.exe
  2⤵
  PID:444
- C:\Windows\System32\kzeKHgt.exe
  C:\Windows\System32\kzeKHgt.exe
  2⤵
  PID:5068
- C:\Windows\System32\NQneWpW.exe
  C:\Windows\System32\NQneWpW.exe
  2⤵
  PID:3596
- C:\Windows\System32\pOJxROy.exe
  C:\Windows\System32\pOJxROy.exe
  2⤵
  PID:1048
- C:\Windows\System32\RTLOazg.exe
  C:\Windows\System32\RTLOazg.exe
  2⤵
  PID:4492
- C:\Windows\System32\SRJUXrQ.exe
  C:\Windows\System32\SRJUXrQ.exe
  2⤵
  PID:4408
- C:\Windows\System32\TetVXJE.exe
  C:\Windows\System32\TetVXJE.exe
  2⤵
  PID:5136
- C:\Windows\System32\xsBWEvG.exe
  C:\Windows\System32\xsBWEvG.exe
  2⤵
  PID:5168
- C:\Windows\System32\nrxfmVO.exe
  C:\Windows\System32\nrxfmVO.exe
  2⤵
  PID:5192
- C:\Windows\System32\AcrAblO.exe
  C:\Windows\System32\AcrAblO.exe
  2⤵
  PID:5224
- C:\Windows\System32\bOuhbyp.exe
  C:\Windows\System32\bOuhbyp.exe
  2⤵
  PID:5244
- C:\Windows\System32\vOFptba.exe
  C:\Windows\System32\vOFptba.exe
  2⤵
  PID:5268
- C:\Windows\System32\SuzcJut.exe
  C:\Windows\System32\SuzcJut.exe
  2⤵
  PID:5296
- C:\Windows\System32\fWjMxxF.exe
  C:\Windows\System32\fWjMxxF.exe
  2⤵
  PID:5328
- C:\Windows\System32\ADbCTRl.exe
  C:\Windows\System32\ADbCTRl.exe
  2⤵
  PID:5352
- C:\Windows\System32\dPDFZmQ.exe
  C:\Windows\System32\dPDFZmQ.exe
  2⤵
  PID:5376
- C:\Windows\System32\sxhOQnk.exe
  C:\Windows\System32\sxhOQnk.exe
  2⤵
  PID:5392
- C:\Windows\System32\zbmVkOM.exe
  C:\Windows\System32\zbmVkOM.exe
  2⤵
  PID:5432
- C:\Windows\System32\wVZHByu.exe
  C:\Windows\System32\wVZHByu.exe
  2⤵
  PID:5448
- C:\Windows\System32\ceqfdMM.exe
  C:\Windows\System32\ceqfdMM.exe
  2⤵
  PID:5472
- C:\Windows\System32\zHDubmb.exe
  C:\Windows\System32\zHDubmb.exe
  2⤵
  PID:5504
- C:\Windows\System32\cCyqSTI.exe
  C:\Windows\System32\cCyqSTI.exe
  2⤵
  PID:5552
- C:\Windows\System32\qGrqNcg.exe
  C:\Windows\System32\qGrqNcg.exe
  2⤵
  PID:5580
- C:\Windows\System32\jlObYpt.exe
  C:\Windows\System32\jlObYpt.exe
  2⤵
  PID:5604
- C:\Windows\System32\PyiKUNA.exe
  C:\Windows\System32\PyiKUNA.exe
  2⤵
  PID:5652
- C:\Windows\System32\SyvRJqG.exe
  C:\Windows\System32\SyvRJqG.exe
  2⤵
  PID:5688
- C:\Windows\System32\dOAyOdK.exe
  C:\Windows\System32\dOAyOdK.exe
  2⤵
  PID:5712
- C:\Windows\System32\yybLBwV.exe
  C:\Windows\System32\yybLBwV.exe
  2⤵
  PID:5728
- C:\Windows\System32\uqqhmde.exe
  C:\Windows\System32\uqqhmde.exe
  2⤵
  PID:5744
- C:\Windows\System32\YZHcZcl.exe
  C:\Windows\System32\YZHcZcl.exe
  2⤵
  PID:5780
- C:\Windows\System32\QPojXuU.exe
  C:\Windows\System32\QPojXuU.exe
  2⤵
  PID:5796
- C:\Windows\System32\HrgLokq.exe
  C:\Windows\System32\HrgLokq.exe
  2⤵
  PID:5820
- C:\Windows\System32\DmrgrEg.exe
  C:\Windows\System32\DmrgrEg.exe
  2⤵
  PID:5880
- C:\Windows\System32\iIJgqyB.exe
  C:\Windows\System32\iIJgqyB.exe
  2⤵
  PID:5924
- C:\Windows\System32\ollSbwB.exe
  C:\Windows\System32\ollSbwB.exe
  2⤵
  PID:5944
- C:\Windows\System32\TWlmMcz.exe
  C:\Windows\System32\TWlmMcz.exe
  2⤵
  PID:5960
- C:\Windows\System32\BEeevaN.exe
  C:\Windows\System32\BEeevaN.exe
  2⤵
  PID:5976
- C:\Windows\System32\jFzSUUK.exe
  C:\Windows\System32\jFzSUUK.exe
  2⤵
  PID:6000
- C:\Windows\System32\FgTbcSq.exe
  C:\Windows\System32\FgTbcSq.exe
  2⤵
  PID:6028
- C:\Windows\System32\obbKDwR.exe
  C:\Windows\System32\obbKDwR.exe
  2⤵
  PID:6088
- C:\Windows\System32\ZfdElMC.exe
  C:\Windows\System32\ZfdElMC.exe
  2⤵
  PID:6108
- C:\Windows\System32\ePGrTHY.exe
  C:\Windows\System32\ePGrTHY.exe
  2⤵
  PID:5096
- C:\Windows\System32\lKhBiSV.exe
  C:\Windows\System32\lKhBiSV.exe
  2⤵
  PID:5148
- C:\Windows\System32\WqUvngZ.exe
  C:\Windows\System32\WqUvngZ.exe
  2⤵
  PID:940
- C:\Windows\System32\tjwbXYG.exe
  C:\Windows\System32\tjwbXYG.exe
  2⤵
  PID:2520
- C:\Windows\System32\KmeRTPs.exe
  C:\Windows\System32\KmeRTPs.exe
  2⤵
  PID:5236
- C:\Windows\System32\DxdQxcY.exe
  C:\Windows\System32\DxdQxcY.exe
  2⤵
  PID:696
- C:\Windows\System32\oecxpFe.exe
  C:\Windows\System32\oecxpFe.exe
  2⤵
  PID:5324
- C:\Windows\System32\YOKLsCh.exe
  C:\Windows\System32\YOKLsCh.exe
  2⤵
  PID:5308
- C:\Windows\System32\BXLfsnF.exe
  C:\Windows\System32\BXLfsnF.exe
  2⤵
  PID:5440
- C:\Windows\System32\HBsVLJd.exe
  C:\Windows\System32\HBsVLJd.exe
  2⤵
  PID:5516
- C:\Windows\System32\bhDKush.exe
  C:\Windows\System32\bhDKush.exe
  2⤵
  PID:5600
- C:\Windows\System32\SOPulsO.exe
  C:\Windows\System32\SOPulsO.exe
  2⤵
  PID:5668
- C:\Windows\System32\KviKnWg.exe
  C:\Windows\System32\KviKnWg.exe
  2⤵
  PID:5724
- C:\Windows\System32\Ccsqkqo.exe
  C:\Windows\System32\Ccsqkqo.exe
  2⤵
  PID:5740
- C:\Windows\System32\WtWKSwL.exe
  C:\Windows\System32\WtWKSwL.exe
  2⤵
  PID:5764
- C:\Windows\System32\DpAORzV.exe
  C:\Windows\System32\DpAORzV.exe
  2⤵
  PID:5840
- C:\Windows\System32\Bjpxbzr.exe
  C:\Windows\System32\Bjpxbzr.exe
  2⤵
  PID:5968
- C:\Windows\System32\binsVDY.exe
  C:\Windows\System32\binsVDY.exe
  2⤵
  PID:6024
- C:\Windows\System32\HPFqfAi.exe
  C:\Windows\System32\HPFqfAi.exe
  2⤵
  PID:6100
- C:\Windows\System32\OFJbhtV.exe
  C:\Windows\System32\OFJbhtV.exe
  2⤵
  PID:5128
- C:\Windows\System32\NxpJriS.exe
  C:\Windows\System32\NxpJriS.exe
  2⤵
  PID:2992
- C:\Windows\System32\MYlpUIP.exe
  C:\Windows\System32\MYlpUIP.exe
  2⤵
  PID:1980
- C:\Windows\System32\WhpjCLJ.exe
  C:\Windows\System32\WhpjCLJ.exe
  2⤵
  PID:3540
- C:\Windows\System32\FMiKFNl.exe
  C:\Windows\System32\FMiKFNl.exe
  2⤵
  PID:5260
- C:\Windows\System32\QEYvMOZ.exe
  C:\Windows\System32\QEYvMOZ.exe
  2⤵
  PID:5360
- C:\Windows\System32\xsiDkeN.exe
  C:\Windows\System32\xsiDkeN.exe
  2⤵
  PID:5548
- C:\Windows\System32\BHeFSma.exe
  C:\Windows\System32\BHeFSma.exe
  2⤵
  PID:5792
- C:\Windows\System32\GbyNoBj.exe
  C:\Windows\System32\GbyNoBj.exe
  2⤵
  PID:5736
- C:\Windows\System32\pJGbByQ.exe
  C:\Windows\System32\pJGbByQ.exe
  2⤵
  PID:5896
- C:\Windows\System32\vKEOHlK.exe
  C:\Windows\System32\vKEOHlK.exe
  2⤵
  PID:6068
- C:\Windows\System32\HEdIKTJ.exe
  C:\Windows\System32\HEdIKTJ.exe
  2⤵
  PID:3060
- C:\Windows\System32\FVzacxL.exe
  C:\Windows\System32\FVzacxL.exe
  2⤵
  PID:5808
- C:\Windows\System32\dZVUuQi.exe
  C:\Windows\System32\dZVUuQi.exe
  2⤵
  PID:6120
- C:\Windows\System32\HiIvvou.exe
  C:\Windows\System32\HiIvvou.exe
  2⤵
  PID:6164
- C:\Windows\System32\UMHrPMq.exe
  C:\Windows\System32\UMHrPMq.exe
  2⤵
  PID:6180
- C:\Windows\System32\dOaAMNz.exe
  C:\Windows\System32\dOaAMNz.exe
  2⤵
  PID:6220
- C:\Windows\System32\bkocOHE.exe
  C:\Windows\System32\bkocOHE.exe
  2⤵
  PID:6236
- C:\Windows\System32\eMnYeXT.exe
  C:\Windows\System32\eMnYeXT.exe
  2⤵
  PID:6252
- C:\Windows\System32\KqGifGq.exe
  C:\Windows\System32\KqGifGq.exe
  2⤵
  PID:6284
- C:\Windows\System32\CQRQrne.exe
  C:\Windows\System32\CQRQrne.exe
  2⤵
  PID:6304
- C:\Windows\System32\UylwUQX.exe
  C:\Windows\System32\UylwUQX.exe
  2⤵
  PID:6364
- C:\Windows\System32\OFjWAfr.exe
  C:\Windows\System32\OFjWAfr.exe
  2⤵
  PID:6420
- C:\Windows\System32\EampnkN.exe
  C:\Windows\System32\EampnkN.exe
  2⤵
  PID:6436
- C:\Windows\System32\oivnIMy.exe
  C:\Windows\System32\oivnIMy.exe
  2⤵
  PID:6460
- C:\Windows\System32\kIpnxQV.exe
  C:\Windows\System32\kIpnxQV.exe
  2⤵
  PID:6476
- C:\Windows\System32\jZSwEQt.exe
  C:\Windows\System32\jZSwEQt.exe
  2⤵
  PID:6508
- C:\Windows\System32\AOpmkfL.exe
  C:\Windows\System32\AOpmkfL.exe
  2⤵
  PID:6528
- C:\Windows\System32\iRdplCt.exe
  C:\Windows\System32\iRdplCt.exe
  2⤵
  PID:6544
- C:\Windows\System32\MWCYzFd.exe
  C:\Windows\System32\MWCYzFd.exe
  2⤵
  PID:6568
- C:\Windows\System32\eujLEjf.exe
  C:\Windows\System32\eujLEjf.exe
  2⤵
  PID:6584
- C:\Windows\System32\sBQOAQe.exe
  C:\Windows\System32\sBQOAQe.exe
  2⤵
  PID:6620
- C:\Windows\System32\FgwZCeS.exe
  C:\Windows\System32\FgwZCeS.exe
  2⤵
  PID:6652
- C:\Windows\System32\jacWwtO.exe
  C:\Windows\System32\jacWwtO.exe
  2⤵
  PID:6700
- C:\Windows\System32\HUVzScO.exe
  C:\Windows\System32\HUVzScO.exe
  2⤵
  PID:6728
- C:\Windows\System32\OPaLnNx.exe
  C:\Windows\System32\OPaLnNx.exe
  2⤵
  PID:6776
- C:\Windows\System32\ZYQJUZp.exe
  C:\Windows\System32\ZYQJUZp.exe
  2⤵
  PID:6808
- C:\Windows\System32\iIfnAZW.exe
  C:\Windows\System32\iIfnAZW.exe
  2⤵
  PID:6824
- C:\Windows\System32\zFVFNOK.exe
  C:\Windows\System32\zFVFNOK.exe
  2⤵
  PID:6852
- C:\Windows\System32\fPKoKJP.exe
  C:\Windows\System32\fPKoKJP.exe
  2⤵
  PID:6880
- C:\Windows\System32\kiJKJYa.exe
  C:\Windows\System32\kiJKJYa.exe
  2⤵
  PID:6896
- C:\Windows\System32\HTixyhi.exe
  C:\Windows\System32\HTixyhi.exe
  2⤵
  PID:6968
- C:\Windows\System32\xrBuADY.exe
  C:\Windows\System32\xrBuADY.exe
  2⤵
  PID:6988
- C:\Windows\System32\HcsvnOj.exe
  C:\Windows\System32\HcsvnOj.exe
  2⤵
  PID:7008
- C:\Windows\System32\ooAdcYQ.exe
  C:\Windows\System32\ooAdcYQ.exe
  2⤵
  PID:7024
- C:\Windows\System32\oRVHUMS.exe
  C:\Windows\System32\oRVHUMS.exe
  2⤵
  PID:7048
- C:\Windows\System32\IZeEpWy.exe
  C:\Windows\System32\IZeEpWy.exe
  2⤵
  PID:7092
- C:\Windows\System32\QBedEkh.exe
  C:\Windows\System32\QBedEkh.exe
  2⤵
  PID:7108
- C:\Windows\System32\BQYuLZb.exe
  C:\Windows\System32\BQYuLZb.exe
  2⤵
  PID:7128
- C:\Windows\System32\WkQvKhJ.exe
  C:\Windows\System32\WkQvKhJ.exe
  2⤵
  PID:7148
- C:\Windows\System32\NDiliIg.exe
  C:\Windows\System32\NDiliIg.exe
  2⤵
  PID:5956
- C:\Windows\System32\UULDXko.exe
  C:\Windows\System32\UULDXko.exe
  2⤵
  PID:5912
- C:\Windows\System32\FaZNalr.exe
  C:\Windows\System32\FaZNalr.exe
  2⤵
  PID:6204
- C:\Windows\System32\lxFXEsF.exe
  C:\Windows\System32\lxFXEsF.exe
  2⤵
  PID:6212
- C:\Windows\System32\tEfizmL.exe
  C:\Windows\System32\tEfizmL.exe
  2⤵
  PID:6296
- C:\Windows\System32\nJDKVNv.exe
  C:\Windows\System32\nJDKVNv.exe
  2⤵
  PID:6484
- C:\Windows\System32\mTjcuNR.exe
  C:\Windows\System32\mTjcuNR.exe
  2⤵
  PID:6540
- C:\Windows\System32\VXIixmU.exe
  C:\Windows\System32\VXIixmU.exe
  2⤵
  PID:6560
- C:\Windows\System32\ixLmwey.exe
  C:\Windows\System32\ixLmwey.exe
  2⤵
  PID:6712
- C:\Windows\System32\FoUBAsb.exe
  C:\Windows\System32\FoUBAsb.exe
  2⤵
  PID:6680
- C:\Windows\System32\CQgcsxD.exe
  C:\Windows\System32\CQgcsxD.exe
  2⤵
  PID:6736
- C:\Windows\System32\xdOwQIZ.exe
  C:\Windows\System32\xdOwQIZ.exe
  2⤵
  PID:6832
- C:\Windows\System32\dkQqvIx.exe
  C:\Windows\System32\dkQqvIx.exe
  2⤵
  PID:6888
- C:\Windows\System32\bZUOYyy.exe
  C:\Windows\System32\bZUOYyy.exe
  2⤵
  PID:6956
- C:\Windows\System32\isdzfUE.exe
  C:\Windows\System32\isdzfUE.exe
  2⤵
  PID:6980
- C:\Windows\System32\NrOJLIc.exe
  C:\Windows\System32\NrOJLIc.exe
  2⤵
  PID:7044
- C:\Windows\System32\YdYEdQn.exe
  C:\Windows\System32\YdYEdQn.exe
  2⤵
  PID:7160
- C:\Windows\System32\MgKRFbJ.exe
  C:\Windows\System32\MgKRFbJ.exe
  2⤵
  PID:5368
- C:\Windows\System32\holPNsO.exe
  C:\Windows\System32\holPNsO.exe
  2⤵
  PID:6264
- C:\Windows\System32\vqdLxtK.exe
  C:\Windows\System32\vqdLxtK.exe
  2⤵
  PID:6336
- C:\Windows\System32\YwGsrFI.exe
  C:\Windows\System32\YwGsrFI.exe
  2⤵
  PID:6444
- C:\Windows\System32\WQMaQxE.exe
  C:\Windows\System32\WQMaQxE.exe
  2⤵
  PID:6744
- C:\Windows\System32\dtZGKzs.exe
  C:\Windows\System32\dtZGKzs.exe
  2⤵
  PID:6984
- C:\Windows\System32\HVQzieT.exe
  C:\Windows\System32\HVQzieT.exe
  2⤵
  PID:6948
- C:\Windows\System32\SkqyAWd.exe
  C:\Windows\System32\SkqyAWd.exe
  2⤵
  PID:6248
- C:\Windows\System32\EaglUEB.exe
  C:\Windows\System32\EaglUEB.exe
  2⤵
  PID:5532
- C:\Windows\System32\Aeihoqz.exe
  C:\Windows\System32\Aeihoqz.exe
  2⤵
  PID:7144
- C:\Windows\System32\TbOAxfq.exe
  C:\Windows\System32\TbOAxfq.exe
  2⤵
  PID:6676
- C:\Windows\System32\XyAuBwH.exe
  C:\Windows\System32\XyAuBwH.exe
  2⤵
  PID:6412
- C:\Windows\System32\MVPKfEm.exe
  C:\Windows\System32\MVPKfEm.exe
  2⤵
  PID:7176
- C:\Windows\System32\CZzZuIW.exe
  C:\Windows\System32\CZzZuIW.exe
  2⤵
  PID:7196
- C:\Windows\System32\wSecuKC.exe
  C:\Windows\System32\wSecuKC.exe
  2⤵
  PID:7244
- C:\Windows\System32\lnekNIO.exe
  C:\Windows\System32\lnekNIO.exe
  2⤵
  PID:7292
- C:\Windows\System32\BbkVNlU.exe
  C:\Windows\System32\BbkVNlU.exe
  2⤵
  PID:7384
- C:\Windows\System32\YmWywNj.exe
  C:\Windows\System32\YmWywNj.exe
  2⤵
  PID:7400
- C:\Windows\System32\DzTZcNI.exe
  C:\Windows\System32\DzTZcNI.exe
  2⤵
  PID:7416
- C:\Windows\System32\sjTSZSf.exe
  C:\Windows\System32\sjTSZSf.exe
  2⤵
  PID:7432
- C:\Windows\System32\XBnYzZe.exe
  C:\Windows\System32\XBnYzZe.exe
  2⤵
  PID:7448
- C:\Windows\System32\XGWqqdS.exe
  C:\Windows\System32\XGWqqdS.exe
  2⤵
  PID:7464
- C:\Windows\System32\QtCoDPJ.exe
  C:\Windows\System32\QtCoDPJ.exe
  2⤵
  PID:7480
- C:\Windows\System32\uxpWXfL.exe
  C:\Windows\System32\uxpWXfL.exe
  2⤵
  PID:7496
- C:\Windows\System32\kpsjYJB.exe
  C:\Windows\System32\kpsjYJB.exe
  2⤵
  PID:7512
- C:\Windows\System32\qPellUp.exe
  C:\Windows\System32\qPellUp.exe
  2⤵
  PID:7528
- C:\Windows\System32\IMtCObm.exe
  C:\Windows\System32\IMtCObm.exe
  2⤵
  PID:7544
- C:\Windows\System32\OCKytTy.exe
  C:\Windows\System32\OCKytTy.exe
  2⤵
  PID:7560
- C:\Windows\System32\LdCGYOq.exe
  C:\Windows\System32\LdCGYOq.exe
  2⤵
  PID:7576
- C:\Windows\System32\RMVACLz.exe
  C:\Windows\System32\RMVACLz.exe
  2⤵
  PID:7592
- C:\Windows\System32\irZMJQi.exe
  C:\Windows\System32\irZMJQi.exe
  2⤵
  PID:7608
- C:\Windows\System32\AaiiYti.exe
  C:\Windows\System32\AaiiYti.exe
  2⤵
  PID:7624
- C:\Windows\System32\QIEWnFh.exe
  C:\Windows\System32\QIEWnFh.exe
  2⤵
  PID:7656
- C:\Windows\System32\ILlmADt.exe
  C:\Windows\System32\ILlmADt.exe
  2⤵
  PID:7680
- C:\Windows\System32\nVPgZPM.exe
  C:\Windows\System32\nVPgZPM.exe
  2⤵
  PID:7772
- C:\Windows\System32\SRJViGW.exe
  C:\Windows\System32\SRJViGW.exe
  2⤵
  PID:7804
- C:\Windows\System32\sgVPSgz.exe
  C:\Windows\System32\sgVPSgz.exe
  2⤵
  PID:7820
- C:\Windows\System32\OzzxEOz.exe
  C:\Windows\System32\OzzxEOz.exe
  2⤵
  PID:7840
- C:\Windows\System32\UUzxGdY.exe
  C:\Windows\System32\UUzxGdY.exe
  2⤵
  PID:7904
- C:\Windows\System32\eLbTVPX.exe
  C:\Windows\System32\eLbTVPX.exe
  2⤵
  PID:8028
- C:\Windows\System32\wClcjoy.exe
  C:\Windows\System32\wClcjoy.exe
  2⤵
  PID:8052
- C:\Windows\System32\uSUfxOO.exe
  C:\Windows\System32\uSUfxOO.exe
  2⤵
  PID:8088
- C:\Windows\System32\zcUeoId.exe
  C:\Windows\System32\zcUeoId.exe
  2⤵
  PID:8136
- C:\Windows\System32\CLsPqFe.exe
  C:\Windows\System32\CLsPqFe.exe
  2⤵
  PID:8168
- C:\Windows\System32\HxAcXKU.exe
  C:\Windows\System32\HxAcXKU.exe
  2⤵
  PID:8184
- C:\Windows\System32\bnTLPOg.exe
  C:\Windows\System32\bnTLPOg.exe
  2⤵
  PID:7164
- C:\Windows\System32\nOGqnyQ.exe
  C:\Windows\System32\nOGqnyQ.exe
  2⤵
  PID:7224
- C:\Windows\System32\eaTdCvS.exe
  C:\Windows\System32\eaTdCvS.exe
  2⤵
  PID:7316
- C:\Windows\System32\SrFoGvb.exe
  C:\Windows\System32\SrFoGvb.exe
  2⤵
  PID:7284
- C:\Windows\System32\tmYnGCf.exe
  C:\Windows\System32\tmYnGCf.exe
  2⤵
  PID:7392
- C:\Windows\System32\PkiGktC.exe
  C:\Windows\System32\PkiGktC.exe
  2⤵
  PID:7476
- C:\Windows\System32\PeXoRSJ.exe
  C:\Windows\System32\PeXoRSJ.exe
  2⤵
  PID:7524
- C:\Windows\System32\ikVniXF.exe
  C:\Windows\System32\ikVniXF.exe
  2⤵
  PID:7620
- C:\Windows\System32\cuWxwua.exe
  C:\Windows\System32\cuWxwua.exe
  2⤵
  PID:7588
- C:\Windows\System32\bivouwE.exe
  C:\Windows\System32\bivouwE.exe
  2⤵
  PID:7672
- C:\Windows\System32\IIxEDxg.exe
  C:\Windows\System32\IIxEDxg.exe
  2⤵
  PID:7764
- C:\Windows\System32\iAoVeAU.exe
  C:\Windows\System32\iAoVeAU.exe
  2⤵
  PID:7788
- C:\Windows\System32\iShChEF.exe
  C:\Windows\System32\iShChEF.exe
  2⤵
  PID:7924
- C:\Windows\System32\unjdVwk.exe
  C:\Windows\System32\unjdVwk.exe
  2⤵
  PID:7856
- C:\Windows\System32\IuitCDA.exe
  C:\Windows\System32\IuitCDA.exe
  2⤵
  PID:7900
- C:\Windows\System32\PCZSvie.exe
  C:\Windows\System32\PCZSvie.exe
  2⤵
  PID:7928
- C:\Windows\System32\jYAYujL.exe
  C:\Windows\System32\jYAYujL.exe
  2⤵
  PID:8020
- C:\Windows\System32\IwMCKMe.exe
  C:\Windows\System32\IwMCKMe.exe
  2⤵
  PID:8148
- C:\Windows\System32\eUTntjp.exe
  C:\Windows\System32\eUTntjp.exe
  2⤵
  PID:7264
- C:\Windows\System32\dUzSoLB.exe
  C:\Windows\System32\dUzSoLB.exe
  2⤵
  PID:7704
- C:\Windows\System32\WcVIcaF.exe
  C:\Windows\System32\WcVIcaF.exe
  2⤵
  PID:7712
- C:\Windows\System32\EitlrDQ.exe
  C:\Windows\System32\EitlrDQ.exe
  2⤵
  PID:7888
- C:\Windows\System32\TfbCBKp.exe
  C:\Windows\System32\TfbCBKp.exe
  2⤵
  PID:7912
- C:\Windows\System32\ioHPVEh.exe
  C:\Windows\System32\ioHPVEh.exe
  2⤵
  PID:7988
- C:\Windows\System32\Zwmnplm.exe
  C:\Windows\System32\Zwmnplm.exe
  2⤵
  PID:7748
- C:\Windows\System32\BsAgRgx.exe
  C:\Windows\System32\BsAgRgx.exe
  2⤵
  PID:7344
- C:\Windows\System32\GYncMJN.exe
  C:\Windows\System32\GYncMJN.exe
  2⤵
  PID:7460
- C:\Windows\System32\uNnYGvm.exe
  C:\Windows\System32\uNnYGvm.exe
  2⤵
  PID:7272
- C:\Windows\System32\TrnKeJy.exe
  C:\Windows\System32\TrnKeJy.exe
  2⤵
  PID:7556
- C:\Windows\System32\sDuSHBY.exe
  C:\Windows\System32\sDuSHBY.exe
  2⤵
  PID:8216
- C:\Windows\System32\cSMWhZb.exe
  C:\Windows\System32\cSMWhZb.exe
  2⤵
  PID:8236
- C:\Windows\System32\MrQxRMw.exe
  C:\Windows\System32\MrQxRMw.exe
  2⤵
  PID:8276
- C:\Windows\System32\ZUnmMjt.exe
  C:\Windows\System32\ZUnmMjt.exe
  2⤵
  PID:8308
- C:\Windows\System32\YIBJAfM.exe
  C:\Windows\System32\YIBJAfM.exe
  2⤵
  PID:8356
- C:\Windows\System32\XQkLrpq.exe
  C:\Windows\System32\XQkLrpq.exe
  2⤵
  PID:8384
- C:\Windows\System32\rNWDUoE.exe
  C:\Windows\System32\rNWDUoE.exe
  2⤵
  PID:8404
- C:\Windows\System32\fHIFTtY.exe
  C:\Windows\System32\fHIFTtY.exe
  2⤵
  PID:8420
- C:\Windows\System32\JNEdxGl.exe
  C:\Windows\System32\JNEdxGl.exe
  2⤵
  PID:8448
- C:\Windows\System32\eqTmsGm.exe
  C:\Windows\System32\eqTmsGm.exe
  2⤵
  PID:8472
- C:\Windows\System32\XNJLyIF.exe
  C:\Windows\System32\XNJLyIF.exe
  2⤵
  PID:8520
- C:\Windows\System32\dbBQjtU.exe
  C:\Windows\System32\dbBQjtU.exe
  2⤵
  PID:8540
- C:\Windows\System32\ZSDOqcE.exe
  C:\Windows\System32\ZSDOqcE.exe
  2⤵
  PID:8556
- C:\Windows\System32\EfbOvyq.exe
  C:\Windows\System32\EfbOvyq.exe
  2⤵
  PID:8580
- C:\Windows\System32\KSvLxnh.exe
  C:\Windows\System32\KSvLxnh.exe
  2⤵
  PID:8600
- C:\Windows\System32\qVMGjEI.exe
  C:\Windows\System32\qVMGjEI.exe
  2⤵
  PID:8624
- C:\Windows\System32\WTfzlqQ.exe
  C:\Windows\System32\WTfzlqQ.exe
  2⤵
  PID:8640
- C:\Windows\System32\HGTNTpp.exe
  C:\Windows\System32\HGTNTpp.exe
  2⤵
  PID:8676
- C:\Windows\System32\JcZnehC.exe
  C:\Windows\System32\JcZnehC.exe
  2⤵
  PID:8700
- C:\Windows\System32\wZVdqAl.exe
  C:\Windows\System32\wZVdqAl.exe
  2⤵
  PID:8720
- C:\Windows\System32\pswzksp.exe
  C:\Windows\System32\pswzksp.exe
  2⤵
  PID:8768
- C:\Windows\System32\PaSrTOG.exe
  C:\Windows\System32\PaSrTOG.exe
  2⤵
  PID:8784
- C:\Windows\System32\ADkkupS.exe
  C:\Windows\System32\ADkkupS.exe
  2⤵
  PID:8816
- C:\Windows\System32\nUAYKTk.exe
  C:\Windows\System32\nUAYKTk.exe
  2⤵
  PID:8856
- C:\Windows\System32\DYrXTxz.exe
  C:\Windows\System32\DYrXTxz.exe
  2⤵
  PID:8896
- C:\Windows\System32\eAnVEEZ.exe
  C:\Windows\System32\eAnVEEZ.exe
  2⤵
  PID:8940
- C:\Windows\System32\hgJSUFu.exe
  C:\Windows\System32\hgJSUFu.exe
  2⤵
  PID:8960
- C:\Windows\System32\mJAHWYW.exe
  C:\Windows\System32\mJAHWYW.exe
  2⤵
  PID:8976
- C:\Windows\System32\AtVuoOu.exe
  C:\Windows\System32\AtVuoOu.exe
  2⤵
  PID:9000
- C:\Windows\System32\GujWSeU.exe
  C:\Windows\System32\GujWSeU.exe
  2⤵
  PID:9024
- C:\Windows\System32\sGtewSW.exe
  C:\Windows\System32\sGtewSW.exe
  2⤵
  PID:9072
- C:\Windows\System32\NHoGgqj.exe
  C:\Windows\System32\NHoGgqj.exe
  2⤵
  PID:9116
- C:\Windows\System32\lRGLZcS.exe
  C:\Windows\System32\lRGLZcS.exe
  2⤵
  PID:9140
- C:\Windows\System32\NcTTaxO.exe
  C:\Windows\System32\NcTTaxO.exe
  2⤵
  PID:9176
- C:\Windows\System32\lkUUkuO.exe
  C:\Windows\System32\lkUUkuO.exe
  2⤵
  PID:9204
- C:\Windows\System32\gQlekby.exe
  C:\Windows\System32\gQlekby.exe
  2⤵
  PID:7424
- C:\Windows\System32\ngOtWjD.exe
  C:\Windows\System32\ngOtWjD.exe
  2⤵
  PID:8224
- C:\Windows\System32\lcnvvOl.exe
  C:\Windows\System32\lcnvvOl.exe
  2⤵
  PID:8288
- C:\Windows\System32\TYWHcmb.exe
  C:\Windows\System32\TYWHcmb.exe
  2⤵
  PID:8344
- C:\Windows\System32\qCxeoVn.exe
  C:\Windows\System32\qCxeoVn.exe
  2⤵
  PID:8260
- C:\Windows\System32\wCPDlqN.exe
  C:\Windows\System32\wCPDlqN.exe
  2⤵
  PID:8428
- C:\Windows\System32\iVwzOCu.exe
  C:\Windows\System32\iVwzOCu.exe
  2⤵
  PID:8516
- C:\Windows\System32\aTElynS.exe
  C:\Windows\System32\aTElynS.exe
  2⤵
  PID:8548
- C:\Windows\System32\hWwwdvc.exe
  C:\Windows\System32\hWwwdvc.exe
  2⤵
  PID:8656
- C:\Windows\System32\qtrWQPC.exe
  C:\Windows\System32\qtrWQPC.exe
  2⤵
  PID:8660
- C:\Windows\System32\UpmeLbQ.exe
  C:\Windows\System32\UpmeLbQ.exe
  2⤵
  PID:8732
- C:\Windows\System32\hVgVADq.exe
  C:\Windows\System32\hVgVADq.exe
  2⤵
  PID:8868
- C:\Windows\System32\SknNApd.exe
  C:\Windows\System32\SknNApd.exe
  2⤵
  PID:8916
- C:\Windows\System32\FkGBagh.exe
  C:\Windows\System32\FkGBagh.exe
  2⤵
  PID:9008
- C:\Windows\System32\XLBEAnG.exe
  C:\Windows\System32\XLBEAnG.exe
  2⤵
  PID:9080
- C:\Windows\System32\MnfDxAF.exe
  C:\Windows\System32\MnfDxAF.exe
  2⤵
  PID:9084
- C:\Windows\System32\DStxMBw.exe
  C:\Windows\System32\DStxMBw.exe
  2⤵
  PID:9168
- C:\Windows\System32\PUnLStm.exe
  C:\Windows\System32\PUnLStm.exe
  2⤵
  PID:8200
- C:\Windows\System32\btgcaOg.exe
  C:\Windows\System32\btgcaOg.exe
  2⤵
  PID:8208
- C:\Windows\System32\gFjxEPP.exe
  C:\Windows\System32\gFjxEPP.exe
  2⤵
  PID:8268
- C:\Windows\System32\GHmaNwE.exe
  C:\Windows\System32\GHmaNwE.exe
  2⤵
  PID:8416
- C:\Windows\System32\LMwqsNA.exe
  C:\Windows\System32\LMwqsNA.exe
  2⤵
  PID:8412
- C:\Windows\System32\TixtlEN.exe
  C:\Windows\System32\TixtlEN.exe
  2⤵
  PID:8752
- C:\Windows\System32\HQrBUey.exe
  C:\Windows\System32\HQrBUey.exe
  2⤵
  PID:9108
- C:\Windows\System32\wJnWgPN.exe
  C:\Windows\System32\wJnWgPN.exe
  2⤵
  PID:9128
- C:\Windows\System32\UKQFOYT.exe
  C:\Windows\System32\UKQFOYT.exe
  2⤵
  PID:8444
- C:\Windows\System32\ptDBBxq.exe
  C:\Windows\System32\ptDBBxq.exe
  2⤵
  PID:8664
- C:\Windows\System32\yCwOEjB.exe
  C:\Windows\System32\yCwOEjB.exe
  2⤵
  PID:8804
- C:\Windows\System32\SwgTTpZ.exe
  C:\Windows\System32\SwgTTpZ.exe
  2⤵
  PID:9192
- C:\Windows\System32\TtqmCjz.exe
  C:\Windows\System32\TtqmCjz.exe
  2⤵
  PID:9232
- C:\Windows\System32\JNmLPoW.exe
  C:\Windows\System32\JNmLPoW.exe
  2⤵
  PID:9252
- C:\Windows\System32\ZvSpRKq.exe
  C:\Windows\System32\ZvSpRKq.exe
  2⤵
  PID:9272
- C:\Windows\System32\rmrlPhe.exe
  C:\Windows\System32\rmrlPhe.exe
  2⤵
  PID:9288
- C:\Windows\System32\khxmkiw.exe
  C:\Windows\System32\khxmkiw.exe
  2⤵
  PID:9316
- C:\Windows\System32\zCWVCaL.exe
  C:\Windows\System32\zCWVCaL.exe
  2⤵
  PID:9336
- C:\Windows\System32\mVjMHSZ.exe
  C:\Windows\System32\mVjMHSZ.exe
  2⤵
  PID:9396
- C:\Windows\System32\mxzwZav.exe
  C:\Windows\System32\mxzwZav.exe
  2⤵
  PID:9424
- C:\Windows\System32\gmgwhmU.exe
  C:\Windows\System32\gmgwhmU.exe
  2⤵
  PID:9440
- C:\Windows\System32\JANLSgQ.exe
  C:\Windows\System32\JANLSgQ.exe
  2⤵
  PID:9480
- C:\Windows\System32\XQlHTBX.exe
  C:\Windows\System32\XQlHTBX.exe
  2⤵
  PID:9504
- C:\Windows\System32\EfuVFem.exe
  C:\Windows\System32\EfuVFem.exe
  2⤵
  PID:9524
- C:\Windows\System32\WKaQXWS.exe
  C:\Windows\System32\WKaQXWS.exe
  2⤵
  PID:9544
- C:\Windows\System32\jKMsLMm.exe
  C:\Windows\System32\jKMsLMm.exe
  2⤵
  PID:9576
- C:\Windows\System32\uBIyhkt.exe
  C:\Windows\System32\uBIyhkt.exe
  2⤵
  PID:9596
- C:\Windows\System32\SaiDnKW.exe
  C:\Windows\System32\SaiDnKW.exe
  2⤵
  PID:9624
- C:\Windows\System32\HoAqQfX.exe
  C:\Windows\System32\HoAqQfX.exe
  2⤵
  PID:9640
- C:\Windows\System32\clZQcYn.exe
  C:\Windows\System32\clZQcYn.exe
  2⤵
  PID:9656
- C:\Windows\System32\ojqsjlI.exe
  C:\Windows\System32\ojqsjlI.exe
  2⤵
  PID:9676
- C:\Windows\System32\ZgEYvIY.exe
  C:\Windows\System32\ZgEYvIY.exe
  2⤵
  PID:9696
- C:\Windows\System32\poLnWSv.exe
  C:\Windows\System32\poLnWSv.exe
  2⤵
  PID:9752
- C:\Windows\System32\pUhfaXo.exe
  C:\Windows\System32\pUhfaXo.exe
  2⤵
  PID:9772
- C:\Windows\System32\KrvwuMc.exe
  C:\Windows\System32\KrvwuMc.exe
  2⤵
  PID:9796
- C:\Windows\System32\FFTDSFW.exe
  C:\Windows\System32\FFTDSFW.exe
  2⤵
  PID:9852
- C:\Windows\System32\NxtaIan.exe
  C:\Windows\System32\NxtaIan.exe
  2⤵
  PID:9888
- C:\Windows\System32\RPOepbv.exe
  C:\Windows\System32\RPOepbv.exe
  2⤵
  PID:9908
- C:\Windows\System32\qodWsfc.exe
  C:\Windows\System32\qodWsfc.exe
  2⤵
  PID:9924
- C:\Windows\System32\sZETVpR.exe
  C:\Windows\System32\sZETVpR.exe
  2⤵
  PID:9956
- C:\Windows\System32\xxgQMcv.exe
  C:\Windows\System32\xxgQMcv.exe
  2⤵
  PID:9996
- C:\Windows\System32\kZzIqqB.exe
  C:\Windows\System32\kZzIqqB.exe
  2⤵
  PID:10044
- C:\Windows\System32\pkcsgnn.exe
  C:\Windows\System32\pkcsgnn.exe
  2⤵
  PID:10072
- C:\Windows\System32\EHKFWrL.exe
  C:\Windows\System32\EHKFWrL.exe
  2⤵
  PID:10092
- C:\Windows\System32\BkbPakL.exe
  C:\Windows\System32\BkbPakL.exe
  2⤵
  PID:10144
- C:\Windows\System32\wtIkLax.exe
  C:\Windows\System32\wtIkLax.exe
  2⤵
  PID:10160
- C:\Windows\System32\kKQJjXD.exe
  C:\Windows\System32\kKQJjXD.exe
  2⤵
  PID:10200
- C:\Windows\System32\GiexUzq.exe
  C:\Windows\System32\GiexUzq.exe
  2⤵
  PID:10224
- C:\Windows\System32\vBTBPfx.exe
  C:\Windows\System32\vBTBPfx.exe
  2⤵
  PID:8828
- C:\Windows\System32\eeCQQFd.exe
  C:\Windows\System32\eeCQQFd.exe
  2⤵
  PID:9244
- C:\Windows\System32\trPZXhR.exe
  C:\Windows\System32\trPZXhR.exe
  2⤵
  PID:9308
- C:\Windows\System32\TpnKJFm.exe
  C:\Windows\System32\TpnKJFm.exe
  2⤵
  PID:9420
- C:\Windows\System32\WhmTKDs.exe
  C:\Windows\System32\WhmTKDs.exe
  2⤵
  PID:9464
- C:\Windows\System32\gmyacBK.exe
  C:\Windows\System32\gmyacBK.exe
  2⤵
  PID:9540
- C:\Windows\System32\aCYvkxl.exe
  C:\Windows\System32\aCYvkxl.exe
  2⤵
  PID:9612
- C:\Windows\System32\fQNaTTv.exe
  C:\Windows\System32\fQNaTTv.exe
  2⤵
  PID:9672
- C:\Windows\System32\QroFkgI.exe
  C:\Windows\System32\QroFkgI.exe
  2⤵
  PID:9724
- C:\Windows\System32\PnXqqFt.exe
  C:\Windows\System32\PnXqqFt.exe
  2⤵
  PID:9748
- C:\Windows\System32\mIvjXyO.exe
  C:\Windows\System32\mIvjXyO.exe
  2⤵
  PID:9860
- C:\Windows\System32\OdeJMAR.exe
  C:\Windows\System32\OdeJMAR.exe
  2⤵
  PID:9832
- C:\Windows\System32\TOZnLUj.exe
  C:\Windows\System32\TOZnLUj.exe
  2⤵
  PID:9968
- C:\Windows\System32\moicQtc.exe
  C:\Windows\System32\moicQtc.exe
  2⤵
  PID:9932
- C:\Windows\System32\tXaNZAr.exe
  C:\Windows\System32\tXaNZAr.exe
  2⤵
  PID:10068
- C:\Windows\System32\FmqoPHO.exe
  C:\Windows\System32\FmqoPHO.exe
  2⤵
  PID:10192
- C:\Windows\System32\HArNRMq.exe
  C:\Windows\System32\HArNRMq.exe
  2⤵
  PID:10236
- C:\Windows\System32\lvhjHQZ.exe
  C:\Windows\System32\lvhjHQZ.exe
  2⤵
  PID:9248
- C:\Windows\System32\RoyWMCx.exe
  C:\Windows\System32\RoyWMCx.exe
  2⤵
  PID:9460
- C:\Windows\System32\PqYlsVG.exe
  C:\Windows\System32\PqYlsVG.exe
  2⤵
  PID:9652
- C:\Windows\System32\IfGKWuk.exe
  C:\Windows\System32\IfGKWuk.exe
  2⤵
  PID:9744
- C:\Windows\System32\CBdcSQR.exe
  C:\Windows\System32\CBdcSQR.exe
  2⤵
  PID:9848
- C:\Windows\System32\QgoTSQS.exe
  C:\Windows\System32\QgoTSQS.exe
  2⤵
  PID:10056
- C:\Windows\System32\dwLvaIl.exe
  C:\Windows\System32\dwLvaIl.exe
  2⤵
  PID:10232
- C:\Windows\System32\jxSLBxn.exe
  C:\Windows\System32\jxSLBxn.exe
  2⤵
  PID:9604
- C:\Windows\System32\yICBSAU.exe
  C:\Windows\System32\yICBSAU.exe
  2⤵
  PID:9784
- C:\Windows\System32\pJhTTys.exe
  C:\Windows\System32\pJhTTys.exe
  2⤵
  PID:9228
- C:\Windows\System32\NEDNFXW.exe
  C:\Windows\System32\NEDNFXW.exe
  2⤵
  PID:10248
- C:\Windows\System32\shAhFon.exe
  C:\Windows\System32\shAhFon.exe
  2⤵
  PID:10296
- C:\Windows\System32\ukFQkkh.exe
  C:\Windows\System32\ukFQkkh.exe
  2⤵
  PID:10328
- C:\Windows\System32\aEGqnmz.exe
  C:\Windows\System32\aEGqnmz.exe
  2⤵
  PID:10360
- C:\Windows\System32\OBtupnM.exe
  C:\Windows\System32\OBtupnM.exe
  2⤵
  PID:10376
- C:\Windows\System32\JiHpKWU.exe
  C:\Windows\System32\JiHpKWU.exe
  2⤵
  PID:10408
- C:\Windows\System32\FZKddOq.exe
  C:\Windows\System32\FZKddOq.exe
  2⤵
  PID:10428
- C:\Windows\System32\YrqHZlb.exe
  C:\Windows\System32\YrqHZlb.exe
  2⤵
  PID:10468
- C:\Windows\System32\BaAwkxS.exe
  C:\Windows\System32\BaAwkxS.exe
  2⤵
  PID:10500
- C:\Windows\System32\WrvpWvM.exe
  C:\Windows\System32\WrvpWvM.exe
  2⤵
  PID:10516
- C:\Windows\System32\QlXgpHi.exe
  C:\Windows\System32\QlXgpHi.exe
  2⤵
  PID:10600
- C:\Windows\System32\PyecRnh.exe
  C:\Windows\System32\PyecRnh.exe
  2⤵
  PID:10616
- C:\Windows\System32\GEXUzep.exe
  C:\Windows\System32\GEXUzep.exe
  2⤵
  PID:10644
- C:\Windows\System32\KLevLxf.exe
  C:\Windows\System32\KLevLxf.exe
  2⤵
  PID:10660
- C:\Windows\System32\kTguSGo.exe
  C:\Windows\System32\kTguSGo.exe
  2⤵
  PID:10688
- C:\Windows\System32\IlIvaFb.exe
  C:\Windows\System32\IlIvaFb.exe
  2⤵
  PID:10716
- C:\Windows\System32\iEGBVWr.exe
  C:\Windows\System32\iEGBVWr.exe
  2⤵
  PID:10744
- C:\Windows\System32\xnBoPlr.exe
  C:\Windows\System32\xnBoPlr.exe
  2⤵
  PID:10772
- C:\Windows\System32\BUUEXtE.exe
  C:\Windows\System32\BUUEXtE.exe
  2⤵
  PID:10788
- C:\Windows\System32\exDOiwu.exe
  C:\Windows\System32\exDOiwu.exe
  2⤵
  PID:10816
- C:\Windows\System32\AUzTnjJ.exe
  C:\Windows\System32\AUzTnjJ.exe
  2⤵
  PID:10844
- C:\Windows\System32\sgIraeY.exe
  C:\Windows\System32\sgIraeY.exe
  2⤵
  PID:10864
- C:\Windows\System32\QzgyRDP.exe
  C:\Windows\System32\QzgyRDP.exe
  2⤵
  PID:10896
- C:\Windows\System32\GhKjqUP.exe
  C:\Windows\System32\GhKjqUP.exe
  2⤵
  PID:10916
- C:\Windows\System32\oOIGkkP.exe
  C:\Windows\System32\oOIGkkP.exe
  2⤵
  PID:10960
- C:\Windows\System32\hPrviHg.exe
  C:\Windows\System32\hPrviHg.exe
  2⤵
  PID:11008
- C:\Windows\System32\dhKnogM.exe
  C:\Windows\System32\dhKnogM.exe
  2⤵
  PID:11028
- C:\Windows\System32\jQDHSjm.exe
  C:\Windows\System32\jQDHSjm.exe
  2⤵
  PID:11052
- C:\Windows\System32\giwOcWO.exe
  C:\Windows\System32\giwOcWO.exe
  2⤵
  PID:11080
- C:\Windows\System32\aNESqAv.exe
  C:\Windows\System32\aNESqAv.exe
  2⤵
  PID:11120
- C:\Windows\System32\AreBTpY.exe
  C:\Windows\System32\AreBTpY.exe
  2⤵
  PID:11136
- C:\Windows\System32\NcGUpQV.exe
  C:\Windows\System32\NcGUpQV.exe
  2⤵
  PID:11188
- C:\Windows\System32\njWFtmS.exe
  C:\Windows\System32\njWFtmS.exe
  2⤵
  PID:11204
- C:\Windows\System32\DgThfHO.exe
  C:\Windows\System32\DgThfHO.exe
  2⤵
  PID:11228
- C:\Windows\System32\rKtpGdC.exe
  C:\Windows\System32\rKtpGdC.exe
  2⤵
  PID:11252
- C:\Windows\System32\iYWWAZM.exe
  C:\Windows\System32\iYWWAZM.exe
  2⤵
  PID:9988
- C:\Windows\System32\XumGxqq.exe
  C:\Windows\System32\XumGxqq.exe
  2⤵
  PID:10276
- C:\Windows\System32\kmZlGwf.exe
  C:\Windows\System32\kmZlGwf.exe
  2⤵
  PID:10312
- C:\Windows\System32\hnUcxbC.exe
  C:\Windows\System32\hnUcxbC.exe
  2⤵
  PID:10460
- C:\Windows\System32\afSWaPD.exe
  C:\Windows\System32\afSWaPD.exe
  2⤵
  PID:10464
- C:\Windows\System32\bsSSTHZ.exe
  C:\Windows\System32\bsSSTHZ.exe
  2⤵
  PID:10488
- C:\Windows\System32\zVFdrDA.exe
  C:\Windows\System32\zVFdrDA.exe
  2⤵
  PID:10632
- C:\Windows\System32\LYBFERs.exe
  C:\Windows\System32\LYBFERs.exe
  2⤵
  PID:10652
- C:\Windows\System32\qBhevsk.exe
  C:\Windows\System32\qBhevsk.exe
  2⤵
  PID:10700
- C:\Windows\System32\sUxHhfD.exe
  C:\Windows\System32\sUxHhfD.exe
  2⤵
  PID:10728
- C:\Windows\System32\HZboLiB.exe
  C:\Windows\System32\HZboLiB.exe
  2⤵
  PID:10784
- C:\Windows\System32\XbDImXX.exe
  C:\Windows\System32\XbDImXX.exe
  2⤵
  PID:10876
- C:\Windows\System32\VFdDdxa.exe
  C:\Windows\System32\VFdDdxa.exe
  2⤵
  PID:10988
- C:\Windows\System32\mKjJUss.exe
  C:\Windows\System32\mKjJUss.exe
  2⤵
  PID:11040
- C:\Windows\System32\mRXUEvy.exe
  C:\Windows\System32\mRXUEvy.exe
  2⤵
  PID:11100
- C:\Windows\System32\hVsBCVQ.exe
  C:\Windows\System32\hVsBCVQ.exe
  2⤵
  PID:11152
- C:\Windows\System32\toSXeNg.exe
  C:\Windows\System32\toSXeNg.exe
  2⤵
  PID:11200
- C:\Windows\System32\tnuZhFt.exe
  C:\Windows\System32\tnuZhFt.exe
  2⤵
  PID:11240
- C:\Windows\System32\GslkdNZ.exe
  C:\Windows\System32\GslkdNZ.exe
  2⤵
  PID:10416
- C:\Windows\System32\uHVhMSu.exe
  C:\Windows\System32\uHVhMSu.exe
  2⤵
  PID:10560
- C:\Windows\System32\dNQuIJJ.exe
  C:\Windows\System32\dNQuIJJ.exe
  2⤵
  PID:10596
- C:\Windows\System32\ghfFZzn.exe
  C:\Windows\System32\ghfFZzn.exe
  2⤵
  PID:10860
- C:\Windows\System32\PAksUHW.exe
  C:\Windows\System32\PAksUHW.exe
  2⤵
  PID:11024
- C:\Windows\System32\mrJAKqk.exe
  C:\Windows\System32\mrJAKqk.exe
  2⤵
  PID:11260
- C:\Windows\System32\RXfuplA.exe
  C:\Windows\System32\RXfuplA.exe
  2⤵
  PID:10656
- C:\Windows\System32\MciXFRn.exe
  C:\Windows\System32\MciXFRn.exe
  2⤵
  PID:11116
- C:\Windows\System32\KjwFqMz.exe
  C:\Windows\System32\KjwFqMz.exe
  2⤵
  PID:11276
- C:\Windows\System32\NEZDPHX.exe
  C:\Windows\System32\NEZDPHX.exe
  2⤵
  PID:11292
- C:\Windows\System32\aJRWVUl.exe
  C:\Windows\System32\aJRWVUl.exe
  2⤵
  PID:11316
- C:\Windows\System32\MszjSbr.exe
  C:\Windows\System32\MszjSbr.exe
  2⤵
  PID:11348
- C:\Windows\System32\bJKHcik.exe
  C:\Windows\System32\bJKHcik.exe
  2⤵
  PID:11368
- C:\Windows\System32\TGZVaWe.exe
  C:\Windows\System32\TGZVaWe.exe
  2⤵
  PID:11384
- C:\Windows\System32\OwiMbIP.exe
  C:\Windows\System32\OwiMbIP.exe
  2⤵
  PID:11412
- C:\Windows\System32\gBvnYwE.exe
  C:\Windows\System32\gBvnYwE.exe
  2⤵
  PID:11440
- C:\Windows\System32\FDVjGYe.exe
  C:\Windows\System32\FDVjGYe.exe
  2⤵
  PID:11468
- C:\Windows\System32\xjOgBGd.exe
  C:\Windows\System32\xjOgBGd.exe
  2⤵
  PID:11508
- C:\Windows\System32\YelNEWW.exe
  C:\Windows\System32\YelNEWW.exe
  2⤵
  PID:11524
- C:\Windows\System32\PqSFuCX.exe
  C:\Windows\System32\PqSFuCX.exe
  2⤵
  PID:11548
- C:\Windows\System32\SPBtTDR.exe
  C:\Windows\System32\SPBtTDR.exe
  2⤵
  PID:11596
- C:\Windows\System32\WSzyaUe.exe
  C:\Windows\System32\WSzyaUe.exe
  2⤵
  PID:11636
- C:\Windows\System32\rNTBiTt.exe
  C:\Windows\System32\rNTBiTt.exe
  2⤵
  PID:11656
- C:\Windows\System32\ZWfmZtO.exe
  C:\Windows\System32\ZWfmZtO.exe
  2⤵
  PID:11672
- C:\Windows\System32\fnHnhPw.exe
  C:\Windows\System32\fnHnhPw.exe
  2⤵
  PID:11716
- C:\Windows\System32\MmPVuIW.exe
  C:\Windows\System32\MmPVuIW.exe
  2⤵
  PID:11740
- C:\Windows\System32\RuYLyBa.exe
  C:\Windows\System32\RuYLyBa.exe
  2⤵
  PID:11780
- C:\Windows\System32\akXPRfj.exe
  C:\Windows\System32\akXPRfj.exe
  2⤵
  PID:11808
- C:\Windows\System32\izMIayB.exe
  C:\Windows\System32\izMIayB.exe
  2⤵
  PID:11836
- C:\Windows\System32\WOIJovU.exe
  C:\Windows\System32\WOIJovU.exe
  2⤵
  PID:11856
- C:\Windows\System32\lXacvcm.exe
  C:\Windows\System32\lXacvcm.exe
  2⤵
  PID:11888
- C:\Windows\System32\pywsone.exe
  C:\Windows\System32\pywsone.exe
  2⤵
  PID:11916
- C:\Windows\System32\UUyUbPl.exe
  C:\Windows\System32\UUyUbPl.exe
  2⤵
  PID:11936
- C:\Windows\System32\ejtkMLb.exe
  C:\Windows\System32\ejtkMLb.exe
  2⤵
  PID:11956
- C:\Windows\System32\kJjcqOH.exe
  C:\Windows\System32\kJjcqOH.exe
  2⤵
  PID:11972
- C:\Windows\System32\PfuOYhg.exe
  C:\Windows\System32\PfuOYhg.exe
  2⤵
  PID:12000
- C:\Windows\System32\EDoaEci.exe
  C:\Windows\System32\EDoaEci.exe
  2⤵
  PID:12024
- C:\Windows\System32\lfXyZWo.exe
  C:\Windows\System32\lfXyZWo.exe
  2⤵
  PID:12040
- C:\Windows\System32\sDaFasO.exe
  C:\Windows\System32\sDaFasO.exe
  2⤵
  PID:12108
- C:\Windows\System32\aBLbjvg.exe
  C:\Windows\System32\aBLbjvg.exe
  2⤵
  PID:12124
- C:\Windows\System32\zdRRqam.exe
  C:\Windows\System32\zdRRqam.exe
  2⤵
  PID:12148
- C:\Windows\System32\yGspwfU.exe
  C:\Windows\System32\yGspwfU.exe
  2⤵
  PID:12176
- C:\Windows\System32\vNgqZws.exe
  C:\Windows\System32\vNgqZws.exe
  2⤵
  PID:12192
- C:\Windows\System32\TTWmTuY.exe
  C:\Windows\System32\TTWmTuY.exe
  2⤵
  PID:12264
- C:\Windows\System32\wKGPYql.exe
  C:\Windows\System32\wKGPYql.exe
  2⤵
  PID:11268
- C:\Windows\System32\uuPnMSn.exe
  C:\Windows\System32\uuPnMSn.exe
  2⤵
  PID:11332
- C:\Windows\System32\dOFvgOX.exe
  C:\Windows\System32\dOFvgOX.exe
  2⤵
  PID:11376
- C:\Windows\System32\FXhxKlw.exe
  C:\Windows\System32\FXhxKlw.exe
  2⤵
  PID:11460
- C:\Windows\System32\NqoaHDj.exe
  C:\Windows\System32\NqoaHDj.exe
  2⤵
  PID:11532
- C:\Windows\System32\uZhOTUo.exe
  C:\Windows\System32\uZhOTUo.exe
  2⤵
  PID:11492
- C:\Windows\System32\ZtwpRkL.exe
  C:\Windows\System32\ZtwpRkL.exe
  2⤵
  PID:11692
- C:\Windows\System32\JSGPYWi.exe
  C:\Windows\System32\JSGPYWi.exe
  2⤵
  PID:11768
- C:\Windows\System32\qArLMqe.exe
  C:\Windows\System32\qArLMqe.exe
  2⤵
  PID:11872
- C:\Windows\System32\uRimPrb.exe
  C:\Windows\System32\uRimPrb.exe
  2⤵
  PID:11948
- C:\Windows\System32\WbgOpNX.exe
  C:\Windows\System32\WbgOpNX.exe
  2⤵
  PID:12036
- C:\Windows\System32\qOpuDmQ.exe
  C:\Windows\System32\qOpuDmQ.exe
  2⤵
  PID:12048
- C:\Windows\System32\CbesAHY.exe
  C:\Windows\System32\CbesAHY.exe
  2⤵
  PID:12164
- C:\Windows\System32\elRxClG.exe
  C:\Windows\System32\elRxClG.exe
  2⤵
  PID:12244
- C:\Windows\System32\HgajYno.exe
  C:\Windows\System32\HgajYno.exe
  2⤵
  PID:11364
- C:\Windows\System32\nfgtVKG.exe
  C:\Windows\System32\nfgtVKG.exe
  2⤵
  PID:11588
- C:\Windows\System32\cWkQdil.exe
  C:\Windows\System32\cWkQdil.exe
  2⤵
  PID:11708
- C:\Windows\System32\UlWOCqQ.exe
  C:\Windows\System32\UlWOCqQ.exe
  2⤵
  PID:11924
- C:\Windows\System32\mLbSioV.exe
  C:\Windows\System32\mLbSioV.exe
  2⤵
  PID:12116
- C:\Windows\System32\cWdOIKZ.exe
  C:\Windows\System32\cWdOIKZ.exe
  2⤵
  PID:12188
- C:\Windows\System32\OzvrMrT.exe
  C:\Windows\System32\OzvrMrT.exe
  2⤵
  PID:11424
- C:\Windows\System32\EIwqWoJ.exe
  C:\Windows\System32\EIwqWoJ.exe
  2⤵
  PID:12068
- C:\Windows\System32\icZJkjO.exe
  C:\Windows\System32\icZJkjO.exe
  2⤵
  PID:12296
- C:\Windows\System32\ZogFQrn.exe
  C:\Windows\System32\ZogFQrn.exe
  2⤵
  PID:12324
- C:\Windows\System32\QXAxiLB.exe
  C:\Windows\System32\QXAxiLB.exe
  2⤵
  PID:12372
- C:\Windows\System32\aRfAgxm.exe
  C:\Windows\System32\aRfAgxm.exe
  2⤵
  PID:12416
- C:\Windows\System32\GKSqmLm.exe
  C:\Windows\System32\GKSqmLm.exe
  2⤵
  PID:12448
- C:\Windows\System32\SppWwlZ.exe
  C:\Windows\System32\SppWwlZ.exe
  2⤵
  PID:12476
- C:\Windows\System32\dYAYtxR.exe
  C:\Windows\System32\dYAYtxR.exe
  2⤵
  PID:12500
- C:\Windows\System32\SCeoQpX.exe
  C:\Windows\System32\SCeoQpX.exe
  2⤵
  PID:12516
- C:\Windows\System32\hnTEMOD.exe
  C:\Windows\System32\hnTEMOD.exe
  2⤵
  PID:12560
- C:\Windows\System32\PMkSQAe.exe
  C:\Windows\System32\PMkSQAe.exe
  2⤵
  PID:12580
- C:\Windows\System32\IIuYMiC.exe
  C:\Windows\System32\IIuYMiC.exe
  2⤵
  PID:12616
- C:\Windows\System32\wFmYLea.exe
  C:\Windows\System32\wFmYLea.exe
  2⤵
  PID:12652
- C:\Windows\System32\zcAqeLW.exe
  C:\Windows\System32\zcAqeLW.exe
  2⤵
  PID:12688
- C:\Windows\System32\nvQivZA.exe
  C:\Windows\System32\nvQivZA.exe
  2⤵
  PID:12712
- C:\Windows\System32\eXFXUAQ.exe
  C:\Windows\System32\eXFXUAQ.exe
  2⤵
  PID:12760
- C:\Windows\System32\vykdUeW.exe
  C:\Windows\System32\vykdUeW.exe
  2⤵
  PID:12776
- C:\Windows\System32\Rvrpjgu.exe
  C:\Windows\System32\Rvrpjgu.exe
  2⤵
  PID:12800
- C:\Windows\System32\fbgqSYM.exe
  C:\Windows\System32\fbgqSYM.exe
  2⤵
  PID:12832
- C:\Windows\System32\nIWHYmf.exe
  C:\Windows\System32\nIWHYmf.exe
  2⤵
  PID:12860
- C:\Windows\System32\lvMwybK.exe
  C:\Windows\System32\lvMwybK.exe
  2⤵
  PID:12884
- C:\Windows\System32\bnqvFxp.exe
  C:\Windows\System32\bnqvFxp.exe
  2⤵
  PID:12916
- C:\Windows\System32\HKWqLRE.exe
  C:\Windows\System32\HKWqLRE.exe
  2⤵
  PID:12956
- C:\Windows\System32\UadvpKX.exe
  C:\Windows\System32\UadvpKX.exe
  2⤵
  PID:12976
- C:\Windows\System32\efBAmdu.exe
  C:\Windows\System32\efBAmdu.exe
  2⤵
  PID:13000
- C:\Windows\System32\DSamfOC.exe
  C:\Windows\System32\DSamfOC.exe
  2⤵
  PID:13048
- C:\Windows\System32\PRdHjBD.exe
  C:\Windows\System32\PRdHjBD.exe
  2⤵
  PID:13064
- C:\Windows\System32\FtyPlDb.exe
  C:\Windows\System32\FtyPlDb.exe
  2⤵
  PID:13104
- C:\Windows\System32\DoGTbnT.exe
  C:\Windows\System32\DoGTbnT.exe
  2⤵
  PID:13132
- C:\Windows\System32\cJyEyhK.exe
  C:\Windows\System32\cJyEyhK.exe
  2⤵
  PID:13156
- C:\Windows\System32\smhPVOJ.exe
  C:\Windows\System32\smhPVOJ.exe
  2⤵
  PID:13172
- C:\Windows\System32\Yrxarug.exe
  C:\Windows\System32\Yrxarug.exe
  2⤵
  PID:13220
- C:\Windows\System32\RSNYQWo.exe
  C:\Windows\System32\RSNYQWo.exe
  2⤵
  PID:13240
- C:\Windows\System32\xGYxudp.exe
  C:\Windows\System32\xGYxudp.exe
  2⤵
  PID:13268
- C:\Windows\System32\uDVCWAY.exe
  C:\Windows\System32\uDVCWAY.exe
  2⤵
  PID:13300
- C:\Windows\System32\kBwEupx.exe
  C:\Windows\System32\kBwEupx.exe
  2⤵
  PID:12308
- C:\Windows\System32\JhFkcOc.exe
  C:\Windows\System32\JhFkcOc.exe
  2⤵
  PID:12484
- C:\Windows\System32\VFPPVDB.exe
  C:\Windows\System32\VFPPVDB.exe
  2⤵
  PID:12488
- C:\Windows\System32\uxIUCPX.exe
  C:\Windows\System32\uxIUCPX.exe
  2⤵
  PID:12532
- C:\Windows\System32\kEcQMVI.exe
  C:\Windows\System32\kEcQMVI.exe
  2⤵
  PID:12736
- C:\Windows\System32\CzBfhph.exe
  C:\Windows\System32\CzBfhph.exe
  2⤵
  PID:12772
- C:\Windows\System32\znIDSYs.exe
  C:\Windows\System32\znIDSYs.exe
  2⤵
  PID:12788
- C:\Windows\System32\imTXXIt.exe
  C:\Windows\System32\imTXXIt.exe
  2⤵
  PID:12848
- C:\Windows\System32\OtUqmJa.exe
  C:\Windows\System32\OtUqmJa.exe
  2⤵
  PID:12880
- C:\Windows\System32\RanyPJH.exe
  C:\Windows\System32\RanyPJH.exe
  2⤵
  PID:13020
- C:\Windows\System32\wQVmlMq.exe
  C:\Windows\System32\wQVmlMq.exe
  2⤵
  PID:13092
- C:\Windows\System32\CCEgTYT.exe
  C:\Windows\System32\CCEgTYT.exe
  2⤵
  PID:13148
- C:\Windows\System32\lyAYizK.exe
  C:\Windows\System32\lyAYizK.exe
  2⤵
  PID:13208
- C:\Windows\System32\NVdaIOU.exe
  C:\Windows\System32\NVdaIOU.exe
  2⤵
  PID:13296
- C:\Windows\System32\uBSKoVs.exe
  C:\Windows\System32\uBSKoVs.exe
  2⤵
  PID:12392
- C:\Windows\System32\OEkFbvC.exe
  C:\Windows\System32\OEkFbvC.exe
  2⤵
  PID:12600
- C:\Windows\System32\vwsmFuU.exe
  C:\Windows\System32\vwsmFuU.exe
  2⤵
  PID:12852
- C:\Windows\System32\duDPAGA.exe
  C:\Windows\System32\duDPAGA.exe
  2⤵
  PID:13036
- C:\Windows\System32\GkDKBbQ.exe
  C:\Windows\System32\GkDKBbQ.exe
  2⤵
  PID:13140
- C:\Windows\System32\fUjrptq.exe
  C:\Windows\System32\fUjrptq.exe
  2⤵
  PID:13260
- C:\Windows\System32\poXoTsA.exe
  C:\Windows\System32\poXoTsA.exe
  2⤵
  PID:12576
- C:\Windows\System32\vYDNSaa.exe
  C:\Windows\System32\vYDNSaa.exe
  2⤵
  PID:13080
- C:\Windows\System32\yUyQXRW.exe
  C:\Windows\System32\yUyQXRW.exe
  2⤵
  PID:11668
- C:\Windows\System32\HDjPIpH.exe
  C:\Windows\System32\HDjPIpH.exe
  2⤵
  PID:13320
- C:\Windows\System32\sZgKuEa.exe
  C:\Windows\System32\sZgKuEa.exe
  2⤵
  PID:13340
- C:\Windows\System32\LdSoohb.exe
  C:\Windows\System32\LdSoohb.exe
  2⤵
  PID:13380
- C:\Windows\System32\nPyBUkY.exe
  C:\Windows\System32\nPyBUkY.exe
  2⤵
  PID:13404
- C:\Windows\System32\AqPcvWe.exe
  C:\Windows\System32\AqPcvWe.exe
  2⤵
  PID:13424
- C:\Windows\System32\ueDrhjI.exe
  C:\Windows\System32\ueDrhjI.exe
  2⤵
  PID:13452
- C:\Windows\System32\FXGJDpo.exe
  C:\Windows\System32\FXGJDpo.exe
  2⤵
  PID:13488
- C:\Windows\System32\dsVbMOg.exe
  C:\Windows\System32\dsVbMOg.exe
  2⤵
  PID:13520
- C:\Windows\System32\GtJhKwa.exe
  C:\Windows\System32\GtJhKwa.exe
  2⤵
  PID:13540
- C:\Windows\System32\znIUEwI.exe
  C:\Windows\System32\znIUEwI.exe
  2⤵
  PID:13580
- C:\Windows\System32\mDeShSv.exe
  C:\Windows\System32\mDeShSv.exe
  2⤵
  PID:13604
- C:\Windows\System32\wRPiKDz.exe
  C:\Windows\System32\wRPiKDz.exe
  2⤵
  PID:13632
- C:\Windows\System32\dBqcYNF.exe
  C:\Windows\System32\dBqcYNF.exe
  2⤵
  PID:13672
- C:\Windows\System32\gtNUHrD.exe
  C:\Windows\System32\gtNUHrD.exe
  2⤵
  PID:13688
- C:\Windows\System32\CZvjVHp.exe
  C:\Windows\System32\CZvjVHp.exe
  2⤵
  PID:13716
- C:\Windows\System32\yOBJvwW.exe
  C:\Windows\System32\yOBJvwW.exe
  2⤵
  PID:13732
- C:\Windows\System32\PbOJVfF.exe
  C:\Windows\System32\PbOJVfF.exe
  2⤵
  PID:13772
- C:\Windows\System32\ksiHbDl.exe
  C:\Windows\System32\ksiHbDl.exe
  2⤵
  PID:13788
- C:\Windows\System32\Jugiuzi.exe
  C:\Windows\System32\Jugiuzi.exe
  2⤵
  PID:13816
- C:\Windows\System32\MvGgGos.exe
  C:\Windows\System32\MvGgGos.exe
  2⤵
  PID:13836
- C:\Windows\System32\BvoHiyW.exe
  C:\Windows\System32\BvoHiyW.exe
  2⤵
  PID:13852
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 13852 -s 244
    3⤵
    PID:14184

C:\Windows\system32\WerFaultSecure.exe
C:\Windows\system32\WerFaultSecure.exe -u -p 4536 -s 2216
1⤵
PID:14220

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 14220 -i 14220 -h 452 -j 456 -s 468 -d 14272
1⤵
PID:14312

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13432

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AWPWMAS.exe

Filesize
1.2MB

MD5
fa68b4289676cbc34997fc0dad6908a9

SHA1
31a401f3f8e5fcd8c26ad277c744073f5e23b26e

SHA256
5beebb1297bec73f3a9f3f06091ab3f0aedfc7ad4e115630e9f0180533bde853

SHA512
8c6661dcce0049410021f25101a4cb9fc0270468e0ba2b070d21465d6ad0353e0e7b3a633ed6c3a9afb24064890a39471fa91274d4b471cdc60d574842fd8f4f

Download Submit
C:\Windows\System32\BOHawop.exe

Filesize
1.2MB

MD5
2e06227ac81ab366cdc665dc5998d813

SHA1
4c8022d55d827ef069fab2444a1b2b316e06061b

SHA256
e148dda167853790f8b46a00647449cb08a81a5ec0a6408bf47f54ddac7fe02c

SHA512
f15b2af7dab4a5be8f5285616747e9cf0890a1053b0ed5470c055ddd6f5b01811a722663dc500317f9ee319a1ce4dd5c6b9638d269581dc4fd62083c7071a324

Download Submit
C:\Windows\System32\FUCoXde.exe

Filesize
1.2MB

MD5
009d8a74ad4742a9460a8ef071b46281

SHA1
7a312aed4d1e6a4b78e1854fd3a6078e3d892fa9

SHA256
3c2678034ad0b58801874966cf38ddb536abed6540ada50f47899e68eb59b02d

SHA512
5c664d206a79559f2e64bb7d8a9009b7c432b1fe3ace138ad6fe8287267d30883116027bb283128776ece5788e862be92a82ccfb448b55b24b990613f84034ae

Download Submit
C:\Windows\System32\GbYpVJN.exe

Filesize
1.2MB

MD5
1323d8869534a1f370bc88e58ef026e5

SHA1
4a546a9488968a122142404becef217e59dd313a

SHA256
5e92c4a4b83020b4bad4560f116efaf52a5d5ae7b7f4dcf7f8d93d06d4758c5b

SHA512
6331d392069cbd340cab4621c56ea6a778137491157eb726100faa9c6ded3aa0ee3197c5665b135934720237cf0ca6fdd848055ca6f7e8aa7cd18981db59ae2e

Download Submit
C:\Windows\System32\GlCeaWg.exe

Filesize
1.2MB

MD5
8fd880e1c0881d829f8d3d5577d30a74

SHA1
ed9a70b43f4d561cf84c65a47ebaac5197fff898

SHA256
445f57415b234e18d215ad0120d2ebe42db797264640012f8dd132dbfb071767

SHA512
f6f3334266bdd8a779a2ee1a25a0c1f1b106b8c9925f87d90eb327fa8d580319bc832dbe31e1983641338c652bb6bb2ec3352de40b698aebf19a1a9e2041aeff

Download Submit
C:\Windows\System32\IMBeyYm.exe

Filesize
1.2MB

MD5
59d7a3d11d2d6ef45fac06c6aae754e3

SHA1
329c4036fb38a1f20471d4b6ba58cb94b78374df

SHA256
b70e7fd4c959c8a4815a3babe5296ced2eb4a72533c6c726b305a73128911b5e

SHA512
4861d8163eeb0b608386b2b9565675d2cf8444feca8631c07601291b8f1f7af0c72a46eb813690a18bb9f247b052aa26c91649396add99e47587e6b857ba1c2d

Download Submit
C:\Windows\System32\LMXbRKg.exe

Filesize
1.2MB

MD5
372a7c0bdaa5a0bd39c238589f2c780d

SHA1
f1f012c0a3394d725438d570f604fd3248e83274

SHA256
20a3a28f77b3afc2b39eda4ad17e8e48d9592e76b110a2ccbbe2626e043b6daf

SHA512
fb452b960611784ba41f23a8bed54dbbdf07e54d29ee3a9efa370459b29a78d60c249af73bef94fb7308497d4d5b06ef69783e539c6fe2d49a1c643f56be5ff9

Download Submit
C:\Windows\System32\NKAnUog.exe

Filesize
1.2MB

MD5
3dc3b902b0f30b64d43772f930ecfdb1

SHA1
3b8e8b1787be6051ca791b84e9b4e7b5f888ace8

SHA256
c3cb74d1b25067486ec06cff84850699c47dbe12eddaec500d60f5b6ed0d5d92

SHA512
85674b5eca0d90528abe5b0d8b3b335bdb4ee8f27e529f7ae590a2e4084c5ce70efec77d983d00ef18980e14c9b55cb9cdd5b9d3797c4893999ebca35a810bda

Download Submit
C:\Windows\System32\OoWqUQl.exe

Filesize
1.2MB

MD5
c51497e36827d5cbe5912bbe642301a9

SHA1
1a38a254314d3f8cd6b1d2c0adf9f4c77e85dd35

SHA256
769186b9a7234f1d609d6cb3d8f753a32e03dee5a9f3d582473bd66aef6566a7

SHA512
deef4f877123c2e7049ad3fc50f82dde96dc7965552387fb90eafa7da12cb8595f40d6f967732f1f823fa5509aea781a70cb1d73f8b31efe5873ea1644b35ef2

Download Submit
C:\Windows\System32\QXXxPwi.exe

Filesize
1.2MB

MD5
c035da69a31854edd075f2052c0dc3a4

SHA1
29373006a199b3bb13edd5b2e06e1398c1146905

SHA256
3cc8ce4d5651aee3f2648d2478826c481a50436f86c5a3343940f82e54a0dffb

SHA512
c443fc545ef202528d38a86bdc2ecd71b85f7aca42397a946b7457cdd9db9108d63ae550499e18be6a30a6a4604815e542a9e294658e79c2c189cca5e07bd115

Download Submit
C:\Windows\System32\STSaNnt.exe

Filesize
1.2MB

MD5
5fbce82309f6787b335fe481120090bb

SHA1
37da9ef3ae47cc1d39c324218723e8407c5cf096

SHA256
48c6055ce09044fe90d85f45317c95f65a5d81ad2d678d5e16545c0b17d9a158

SHA512
9be5be05b16cef50730d136853bf1b1223569d9ab51d7e12594d56e6827d4256aeec475cffc251d99713d2dbe49a24daf9c8cdc5f63abf39004a82af01f04989

Download Submit
C:\Windows\System32\TaGpead.exe

Filesize
1.2MB

MD5
e63d650e1cb74a2b4823e331a0cfc843

SHA1
1a8f1147fa3859edd0b61052c2379958fe3fc8c6

SHA256
6ff344719fad7bddfcdf12c931f94b86b8caf12bbc385768c8010a8ee41a5924

SHA512
e7e1de919454dc089b11bdcb36896125f77179d060428f524995ecb45594c18ae6594798eea69a9eb3e25b36e730412af6984336aa0ff88463f51dc58cd120ba

Download Submit
C:\Windows\System32\UgAFSsb.exe

Filesize
1.2MB

MD5
4fddc9fa4a23af61eb60a0ee17ca4089

SHA1
f3ea12d541fe702ff010f68768a8e1deb86f53e7

SHA256
bd34fa25f32e36ba04b268b94eb3f73e49c50c05c1fb509a6211b0b325d5cf8d

SHA512
708c06260bdddf264b25bd976a0c3214dc055ea0d14ff904a0af1d3455760993bb04acf68547ec01a476c36860ff21484e87a1d7f7dbfee5b32db1f6c42161c7

Download Submit
C:\Windows\System32\YmBPbim.exe

Filesize
1.2MB

MD5
bc32c25157b625be85ce3120f468b11b

SHA1
04d13f85948d1e48c761ca652d8142470e3d3cf2

SHA256
adaee77ebf1028842c36c859c843e6db78b2d63db9c68a6ab3c1ecda06587467

SHA512
c829e731622d0a33d0a4618a1c2d6f0284af90b3ae6900beaad9962c0b6c57576575f5f33dd338a0505205fcbef046e99fa511d5ba5c6a6f0dd6adc302f944d4

Download Submit
C:\Windows\System32\YqzeiyF.exe

Filesize
1.2MB

MD5
ae7d085da8db099cd9a10a904c53f962

SHA1
90992301519fc180132314f8f2a364ce426fd3ec

SHA256
73319755046160acdadf4d879c1d8f06c59d876b52edcd0272d1dc85faef2880

SHA512
e01a4d32ea111f519411bfcd966e1881ad4efa052f65bd71783b115213aee6eecb381ec9ef15462b6c45d9038ab32800db2fba79f676cc4ffbe59d1bd7533e84

Download Submit
C:\Windows\System32\YyRGoPF.exe

Filesize
1.2MB

MD5
6f9c40263e0a4a93739af013611fd1e0

SHA1
95d0d87f7f86e8850880bb9aa36675e7e13e4fb9

SHA256
d720675e07e3dbf84b905c83e2f889c5f0f80660d3ff57d6e8844c765bafe19d

SHA512
9e2ebf8c6abf7535569cdae3ccef0fc25da1e230c952a051a2e25a06cf2fd2a3ba65bd5e28001d23315879cb942f2874ebf1f22d94c79fa729f193e956ed96d9

Download Submit
C:\Windows\System32\dJXJjxn.exe

Filesize
1.2MB

MD5
7be74aaf03ab8f37a10508a620536eb6

SHA1
d48a227879070422f68dfcc2173b56c0d92eba05

SHA256
d09ea0450cd307f206b7a62c3f642af0c8b2dda6f4ec387812fb9182a91b3a28

SHA512
d35ef5d09741e2320435b452e70b642dac06d712e769c61c55270e767f2c73f9cedbdaa80705110a5a7c05ae1835e4ccbaf6d9732a795ca117ad1f838e001f66

Download Submit
C:\Windows\System32\ejSbXOD.exe

Filesize
1.2MB

MD5
e3d229630fd029c056ed310c44e76b71

SHA1
45ba3fbe4459afbdda566e570250c43d280be07d

SHA256
489fb35d089b86e1d246ea352382e002c9f783dc9103f9bc225a34018f84c2a8

SHA512
5074a51d2be869c02dada5c814bf3f7526f93671c6141fa41ca1b557746af7c7399a8ee4b37ac174f93e06e17cac2fe614a2ca468d719d9a7c7db4a70930930c

Download Submit
C:\Windows\System32\fKJyuSH.exe

Filesize
1.2MB

MD5
a4d725fb7cc41e1f0be0d57b16fa1646

SHA1
6e09f34f7cb2c249dd0d90609ee90ec72f87e710

SHA256
378bb236717bb13386e9b60ee6d0d99716f8e330294e755c6d726a1350d46904

SHA512
95208c469d820303456f8c95d3af40b4de190eefb8f884918571e49191965c560b86cde6fe9826b90d2e991e03650f7d61a7f3772b7b49a9dab121420a89021c

Download Submit
C:\Windows\System32\gPyyOJD.exe

Filesize
1.2MB

MD5
68a8d0674eed5d2a4f792c84feebc26b

SHA1
823c76a98e756df1bdeeb1574a90ba485756e3fb

SHA256
87e24a8cdb2df766833cb57402c5c2b24e036f10c8569fcd3fc0f63efff2d850

SHA512
71d6404fd9d6ce6ed71d47248a506d82ae417b945d53375dfe15327ab1380831cf346115c2ee5b07bd2e149f54d12ca2522efc33dce9fe4a9f4787a3d38c7b7e

Download Submit
C:\Windows\System32\iBMqTio.exe

Filesize
1.2MB

MD5
aeb4d34ede0f2e6178bf6137c0b73ae3

SHA1
bcd8a9f3381637994d31c3cd910ef087fef006fe

SHA256
2fd6ea6274a70b606abceda75aff969b0fea78061b4f3303acf200ebbdaad764

SHA512
e4591ea68206d86a9231cf638fc89fc2880399e62aaf6491e9d4d83d89ca600df296f7d398ce8ffbf0beb130bac8f596fa018fadc87c413e4297e8ae6793320f

Download Submit
C:\Windows\System32\iRmCBqk.exe

Filesize
1.2MB

MD5
678d18942caa959d463aaa58bd2733f0

SHA1
46e6dcc2a957005c4f4c40ae15b1cd972a143b56

SHA256
e47fd454af1754cf8e73fb9c0f69efa768b6458fc47ae4bba363ade41388a2ee

SHA512
f9d4f919293fae759e050077c828c572b4cbfe9b573a22b2cc3f98b899b12cbf9c85fb7a5142a97c15a5253aa9c694b266e16771c22f1e45d36bed2a64e29c16

Download Submit
C:\Windows\System32\joMOuqu.exe

Filesize
1.2MB

MD5
d30926df4b8f73c0e1bd4887c185ee5f

SHA1
19fa68734817ee4211c5cbe6f3ff1612421e8fd4

SHA256
53d92b64e40fd2a316487a4f8cdc20e6ac1a956f7e95b07648913403a319f74a

SHA512
9f817801ba009d715f438c289d72fa08fde801367d0e73899823f07f44f3ce2d4a3f28532cffb842ad6b57a4db5481ebc930e213db68e6508072d7e72eb64075

Download Submit
C:\Windows\System32\jpfkrlt.exe

Filesize
1.2MB

MD5
77848a27161c52327c607eea5a326ace

SHA1
fa99ff7296a92b0b496f7808b5f00196cb1e6733

SHA256
e9dd1b379dcd52e8a941732e67259eeb42e91be2e5e1e568f199dcf976eece26

SHA512
c8d9762ea81f353b7460e4ac017239fdead87eb9c692201022fc9222b9a8172772ae01ba6fcf42921fedec599a605f1464a25a3871848b70eaaf956051bb414b

Download Submit
C:\Windows\System32\kKjCBsK.exe

Filesize
1.2MB

MD5
a603c45366fc0755518a8d3618f882ab

SHA1
2252607bb3a76a0c04e2cc35a78128d6015ff925

SHA256
3ae8cd4688a73ed28a47eee7d88e5bc13dc980356908016317759e6f8847e464

SHA512
cd5bc910cdce2b391e1bb8c16f439e3ce10384ba3bb32b16148f72b6596daa5b512e767098891e261efc6ca392b717ccad760e978b249ab11033e17130c6563a

Download Submit
C:\Windows\System32\lIZHqEh.exe

Filesize
1.2MB

MD5
79f027059aa801e2f1d975584fc292e4

SHA1
0ac00ad9892503898d15cdfcf11ac562883b0f84

SHA256
9c1dd9f8d198b93e0533a54fdcba1cacc626fdbc6c1e9558b97efa2eba2270c7

SHA512
351fe9ba4c982d0a58c280fc763870c038376ba20a2dc5020b11560a17bb2db888ae54b7ece6620f466434f16de7dab729a9cbb3d7ce3469702befa95278ab4f

Download Submit
C:\Windows\System32\lZMnKMo.exe

Filesize
1.2MB

MD5
02c979fa7c899af84297652a1aea0969

SHA1
eea1426f9fbc75f27562c5e4a76daaeb0520f8a6

SHA256
ecb5cd3e9a5de413e928e910bbb072ab95c008f28217002efc9b7882be7b65a3

SHA512
290e443115b4b02f5c9747950da38ef0cfa2bdfca96a9d093a92d4ff728f276adc37db85019e0d6d3aaa8d5c9ab375f6f9d4bb2414b70235ecefd703092b3058

Download Submit
C:\Windows\System32\ncKlarD.exe

Filesize
1.2MB

MD5
17c77de5ef69111fe13d44f326f5dc13

SHA1
e04d76e4162b44fdf541b44a208720d9ceb5e92a

SHA256
c0c631079068a968148083026231ab6e6427a86443b40f459ba5264214d5c4cd

SHA512
03adf767cb7e8789b46afdb441c6130e064f9c38476e0e885198ed48cfab78b1bc03ad7a90bead019680ea7902b9d263f11113ca3d065b7ca97fd0c5ad5f3ac8

Download Submit
C:\Windows\System32\oHBdPok.exe

Filesize
1.2MB

MD5
19367965760c869b01adeb4437a609ec

SHA1
acb755007712a2fa039eb616443cd0afdca8ab8b

SHA256
d034fa1592d3a1f5977a8f11225ec5c4d16d11e5f5650e249e7d608cd0fd669c

SHA512
c85482477d32234a1cbe595d9151287ba774aa36abe02a4f3cd5663bf332503751c6ef47b2b46a2f797b4394948ab7768372ca9d9acb1c0ebe32bcfac52691c4

Download Submit
C:\Windows\System32\rhSiLFx.exe

Filesize
1.2MB

MD5
b7a189c3a62f3ad882e43b67c8763814

SHA1
c7c52cb2d9704ab2d5d56923e7385191ea696563

SHA256
cd7de21de66e113806a55b90ae2cd615f5564b9626d8c951c84e8b98b906b131

SHA512
00a068c29ceb8090ecec1cec18006d5db73797f461ecf9a5e0ca0362839d039be36dd08a888e9abd11dbdc49f25646eff606c168f0783e8254939636725a5540

Download Submit
C:\Windows\System32\uxlbAZX.exe

Filesize
1.2MB

MD5
d19995bd38980e9cfdd5553ed7247cdb

SHA1
6773db91d77719f6134827b2b2af7b1addd60494

SHA256
14c89d2a0305710380c1f16e9a3f2c33e2062ea83c2ee8cf1e71f39c9426b227

SHA512
08e66f60225c3083e8735e767e39f2d7904b8235ac53a2e892eda6f217d529c8ee82a993975672cc699a54d25c0b32a9a1813fc8ca0c2e2141fa4884094c0db1

Download Submit
C:\Windows\System32\zvAHzHh.exe

Filesize
1.2MB

MD5
0a9ace76a6e50fcea27040e0582a0d08

SHA1
297ece71c73bbac6585f5d4d48de97415df69967

SHA256
63df81e076c049c3dd8f58b222415701aa9f0d0817c1d0156c1f2a1b8e54d97e

SHA512
8fcbaab78683e5efa4704890593edc2570c0b90ac0ec75ad5a45060ff69696d102da1a657c724a13db8597cbd9c0e0fe2f26996a7dd5741bdc95be18b6ca1c35

Download Submit
memory/116-401-0x00007FF6A3860000-0x00007FF6A3C51000-memory.dmp

Filesize
3.9MB

Download
memory/392-399-0x00007FF6D94A0000-0x00007FF6D9891000-memory.dmp

Filesize
3.9MB

Download
memory/400-1040-0x00007FF6774E0000-0x00007FF6778D1000-memory.dmp

Filesize
3.9MB

Download
memory/400-38-0x00007FF6774E0000-0x00007FF6778D1000-memory.dmp

Filesize
3.9MB

Download
memory/400-2139-0x00007FF6774E0000-0x00007FF6778D1000-memory.dmp

Filesize
3.9MB

Download
memory/424-2161-0x00007FF64C5D0000-0x00007FF64C9C1000-memory.dmp

Filesize
3.9MB

Download
memory/424-405-0x00007FF64C5D0000-0x00007FF64C9C1000-memory.dmp

Filesize
3.9MB

Download
memory/756-2194-0x00007FF612E60000-0x00007FF613251000-memory.dmp

Filesize
3.9MB

Download
memory/756-408-0x00007FF612E60000-0x00007FF613251000-memory.dmp

Filesize
3.9MB

Download
memory/932-412-0x00007FF68DE90000-0x00007FF68E281000-memory.dmp

Filesize
3.9MB

Download
memory/932-2155-0x00007FF68DE90000-0x00007FF68E281000-memory.dmp

Filesize
3.9MB

Download
memory/1036-2148-0x00007FF730350000-0x00007FF730741000-memory.dmp

Filesize
3.9MB

Download
memory/1036-390-0x00007FF730350000-0x00007FF730741000-memory.dmp

Filesize
3.9MB

Download
memory/1044-0-0x00007FF733220000-0x00007FF733611000-memory.dmp

Filesize
3.9MB

Download
memory/1044-843-0x00007FF733220000-0x00007FF733611000-memory.dmp

Filesize
3.9MB

Download
memory/1044-1-0x0000022646660000-0x0000022646670000-memory.dmp

Filesize
64KB

Download
memory/1676-2163-0x00007FF7814A0000-0x00007FF781891000-memory.dmp

Filesize
3.9MB

Download
memory/1676-406-0x00007FF7814A0000-0x00007FF781891000-memory.dmp

Filesize
3.9MB

Download
memory/2024-384-0x00007FF7817C0000-0x00007FF781BB1000-memory.dmp

Filesize
3.9MB

Download
memory/2416-394-0x00007FF6DF7C0000-0x00007FF6DFBB1000-memory.dmp

Filesize
3.9MB

Download
memory/2416-2150-0x00007FF6DF7C0000-0x00007FF6DFBB1000-memory.dmp

Filesize
3.9MB

Download
memory/2768-2137-0x00007FF6F4AE0000-0x00007FF6F4ED1000-memory.dmp

Filesize
3.9MB

Download
memory/2768-1137-0x00007FF6F4AE0000-0x00007FF6F4ED1000-memory.dmp

Filesize
3.9MB

Download
memory/2768-30-0x00007FF6F4AE0000-0x00007FF6F4ED1000-memory.dmp

Filesize
3.9MB

Download
memory/2984-393-0x00007FF6656F0000-0x00007FF665AE1000-memory.dmp

Filesize
3.9MB

Download
memory/2984-2145-0x00007FF6656F0000-0x00007FF665AE1000-memory.dmp

Filesize
3.9MB

Download
memory/3088-880-0x00007FF67CF10000-0x00007FF67D301000-memory.dmp

Filesize
3.9MB

Download
memory/3088-23-0x00007FF67CF10000-0x00007FF67D301000-memory.dmp

Filesize
3.9MB

Download
memory/3452-386-0x00007FF626E20000-0x00007FF627211000-memory.dmp

Filesize
3.9MB

Download
memory/3496-2112-0x00007FF78E140000-0x00007FF78E531000-memory.dmp

Filesize
3.9MB

Download
memory/3496-12-0x00007FF78E140000-0x00007FF78E531000-memory.dmp

Filesize
3.9MB

Download
memory/3496-1037-0x00007FF78E140000-0x00007FF78E531000-memory.dmp

Filesize
3.9MB

Download
memory/3952-47-0x00007FF6808D0000-0x00007FF680CC1000-memory.dmp

Filesize
3.9MB

Download
memory/3996-48-0x00007FF70D560000-0x00007FF70D951000-memory.dmp

Filesize
3.9MB

Download
memory/3996-2135-0x00007FF70D560000-0x00007FF70D951000-memory.dmp

Filesize
3.9MB

Download
memory/4132-2198-0x00007FF6DF6A0000-0x00007FF6DFA91000-memory.dmp

Filesize
3.9MB

Download
memory/4132-409-0x00007FF6DF6A0000-0x00007FF6DFA91000-memory.dmp

Filesize
3.9MB

Download
memory/4256-1406-0x00007FF62B3E0000-0x00007FF62B7D1000-memory.dmp

Filesize
3.9MB

Download
memory/4256-2141-0x00007FF62B3E0000-0x00007FF62B7D1000-memory.dmp

Filesize
3.9MB

Download
memory/4256-381-0x00007FF62B3E0000-0x00007FF62B7D1000-memory.dmp

Filesize
3.9MB

Download
memory/4308-1279-0x00007FF6A9990000-0x00007FF6A9D81000-memory.dmp

Filesize
3.9MB

Download
memory/4308-52-0x00007FF6A9990000-0x00007FF6A9D81000-memory.dmp

Filesize
3.9MB

Download
memory/4352-2159-0x00007FF63F930000-0x00007FF63FD21000-memory.dmp

Filesize
3.9MB

Download
memory/4352-403-0x00007FF63F930000-0x00007FF63FD21000-memory.dmp

Filesize
3.9MB

Download
memory/4520-2158-0x00007FF6040C0000-0x00007FF6044B1000-memory.dmp

Filesize
3.9MB

Download
memory/4520-404-0x00007FF6040C0000-0x00007FF6044B1000-memory.dmp

Filesize
3.9MB

Download
memory/4916-1038-0x00007FF7DF370000-0x00007FF7DF761000-memory.dmp

Filesize
3.9MB

Download
memory/4916-29-0x00007FF7DF370000-0x00007FF7DF761000-memory.dmp

Filesize
3.9MB

Download
memory/5028-398-0x00007FF770610000-0x00007FF770A01000-memory.dmp

Filesize
3.9MB

Download
memory/5028-2143-0x00007FF770610000-0x00007FF770A01000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads