kpot | 05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9e

Analysis

max time kernel
114s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
Size

1.8MB
MD5

7dd45d54c4602c4d1bed6bf157fc5cc0
SHA1

09a940eb06074a1de8dbe6e18d9fa642abd3c47d
SHA256

05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9e
SHA512

a422f57ec60730897dd03ed660c3f410596bcb4a136981a7969459b5ac8bd0ec4b64b15f1c384f7549c9515494f8e62d369339c48bb4db7255969a450a469af1
SSDEEP

49152:GezaTF8FcNkNdfE0pZ9oztFwIi5aIwC+Agr6S/Fato:GemTLkNdfE0pZaQw

Score

10^/10

kpot xmrig miner stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 32 IoCs

Processes:

resource	yara_rule
C:\Windows\System\UMNbaNl.exe	family_kpot
C:\Windows\System\bJxLqbw.exe	family_kpot
C:\Windows\System\cmOkIuq.exe	family_kpot
C:\Windows\System\KcMyZIj.exe	family_kpot
C:\Windows\System\OOKEklY.exe	family_kpot
C:\Windows\System\uOjbDBY.exe	family_kpot
C:\Windows\System\liVyart.exe	family_kpot
C:\Windows\System\NAuHUFO.exe	family_kpot
C:\Windows\System\IHzlTIb.exe	family_kpot
C:\Windows\System\OBqkRpJ.exe	family_kpot
C:\Windows\System\VBYdXXV.exe	family_kpot
C:\Windows\System\ssAuBtp.exe	family_kpot
C:\Windows\System\zoBVHOv.exe	family_kpot
C:\Windows\System\RUrkZQQ.exe	family_kpot
C:\Windows\System\WEmGsgb.exe	family_kpot
C:\Windows\System\WMIYLrA.exe	family_kpot
C:\Windows\System\hMEJdLq.exe	family_kpot
C:\Windows\System\VUbezag.exe	family_kpot
C:\Windows\System\AqsBojA.exe	family_kpot
C:\Windows\System\novsqAt.exe	family_kpot
C:\Windows\System\KcJxZQx.exe	family_kpot
C:\Windows\System\rmCdgdd.exe	family_kpot
C:\Windows\System\OdBWfhG.exe	family_kpot
C:\Windows\System\qFxmnBF.exe	family_kpot
C:\Windows\System\hnTcbLy.exe	family_kpot
C:\Windows\System\eACnNkD.exe	family_kpot
C:\Windows\System\vnUXhYL.exe	family_kpot
C:\Windows\System\CrKZXkC.exe	family_kpot
C:\Windows\System\MRDTLDp.exe	family_kpot
C:\Windows\System\uRHqodI.exe	family_kpot
C:\Windows\System\BkdOpKR.exe	family_kpot
C:\Windows\System\wYXFkUU.exe	family_kpot

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 32 IoCs

miner

Processes:

resource	yara_rule
C:\Windows\System\UMNbaNl.exe	xmrig
C:\Windows\System\bJxLqbw.exe	xmrig
C:\Windows\System\cmOkIuq.exe	xmrig
C:\Windows\System\KcMyZIj.exe	xmrig
C:\Windows\System\OOKEklY.exe	xmrig
C:\Windows\System\uOjbDBY.exe	xmrig
C:\Windows\System\liVyart.exe	xmrig
C:\Windows\System\NAuHUFO.exe	xmrig
C:\Windows\System\IHzlTIb.exe	xmrig
C:\Windows\System\OBqkRpJ.exe	xmrig
C:\Windows\System\VBYdXXV.exe	xmrig
C:\Windows\System\ssAuBtp.exe	xmrig
C:\Windows\System\zoBVHOv.exe	xmrig
C:\Windows\System\RUrkZQQ.exe	xmrig
C:\Windows\System\WEmGsgb.exe	xmrig
C:\Windows\System\WMIYLrA.exe	xmrig
C:\Windows\System\hMEJdLq.exe	xmrig
C:\Windows\System\VUbezag.exe	xmrig
C:\Windows\System\AqsBojA.exe	xmrig
C:\Windows\System\novsqAt.exe	xmrig
C:\Windows\System\KcJxZQx.exe	xmrig
C:\Windows\System\rmCdgdd.exe	xmrig
C:\Windows\System\OdBWfhG.exe	xmrig
C:\Windows\System\qFxmnBF.exe	xmrig
C:\Windows\System\hnTcbLy.exe	xmrig
C:\Windows\System\eACnNkD.exe	xmrig
C:\Windows\System\vnUXhYL.exe	xmrig
C:\Windows\System\CrKZXkC.exe	xmrig
C:\Windows\System\MRDTLDp.exe	xmrig
C:\Windows\System\uRHqodI.exe	xmrig
C:\Windows\System\BkdOpKR.exe	xmrig
C:\Windows\System\wYXFkUU.exe	xmrig

Executes dropped EXE 64 IoCs

Processes:

UMNbaNl.exebJxLqbw.execmOkIuq.exeKcMyZIj.exeOOKEklY.exeliVyart.exeBkdOpKR.exeuOjbDBY.exeuRHqodI.exeqFxmnBF.exeNAuHUFO.exeIHzlTIb.exermCdgdd.exeOdBWfhG.exeKcJxZQx.exenovsqAt.exeOBqkRpJ.exeAqsBojA.exeVUbezag.exehMEJdLq.exeWMIYLrA.exeWEmGsgb.exeRUrkZQQ.exezoBVHOv.exessAuBtp.exeVBYdXXV.exevnUXhYL.exehnTcbLy.exeeACnNkD.exeCrKZXkC.exeMRDTLDp.exewYXFkUU.exeGbbNQTa.execmjRaGG.exexSfZKGG.exeVeQUQCt.exeKBCODHk.exeJEGUYpt.exeKNxNorn.exeWLOQfiW.exeuvVRUXj.exeFfMVkbs.exegosuJOB.exeqTURNEY.exeNEaybpz.exeezGbCuh.exepnnmJcW.exeNlkZXqZ.exekkbSwmR.exeMBbeWkK.exejWmeHIy.exeYGhqLTB.exeUavRAPO.exewPdUaDJ.exeNYSpBJs.exeXlhdCxX.exetvgmSbn.exevNHsQnc.exeFtazAFx.exezUJSivO.exeRVLiekD.exewteAPHd.exeWIklbvA.exeUylntXC.exe

pid	process
4016	UMNbaNl.exe
2272	bJxLqbw.exe
116	cmOkIuq.exe
1664	KcMyZIj.exe
4124	OOKEklY.exe
4200	liVyart.exe
3584	BkdOpKR.exe
5100	uOjbDBY.exe
4692	uRHqodI.exe
688	qFxmnBF.exe
1888	NAuHUFO.exe
4868	IHzlTIb.exe
3336	rmCdgdd.exe
4488	OdBWfhG.exe
3520	KcJxZQx.exe
4416	novsqAt.exe
3676	OBqkRpJ.exe
2540	AqsBojA.exe
4904	VUbezag.exe
4668	hMEJdLq.exe
384	WMIYLrA.exe
4848	WEmGsgb.exe
3036	RUrkZQQ.exe
1444	zoBVHOv.exe
1816	ssAuBtp.exe
4880	VBYdXXV.exe
4844	vnUXhYL.exe
2628	hnTcbLy.exe
2192	eACnNkD.exe
2520	CrKZXkC.exe
2972	MRDTLDp.exe
3540	wYXFkUU.exe
816	GbbNQTa.exe
4948	cmjRaGG.exe
3256	xSfZKGG.exe
5028	VeQUQCt.exe
4548	KBCODHk.exe
4372	JEGUYpt.exe
4392	KNxNorn.exe
1004	WLOQfiW.exe
1088	uvVRUXj.exe
5084	FfMVkbs.exe
5036	gosuJOB.exe
1520	qTURNEY.exe
400	NEaybpz.exe
4860	ezGbCuh.exe
4056	pnnmJcW.exe
2560	NlkZXqZ.exe
740	kkbSwmR.exe
4328	MBbeWkK.exe
4320	jWmeHIy.exe
1340	YGhqLTB.exe
2160	UavRAPO.exe
3856	wPdUaDJ.exe
4624	NYSpBJs.exe
2932	XlhdCxX.exe
1948	tvgmSbn.exe
4616	vNHsQnc.exe
3988	FtazAFx.exe
4840	zUJSivO.exe
432	RVLiekD.exe
2040	wteAPHd.exe
3204	WIklbvA.exe
4740	UylntXC.exe

Drops file in Windows directory 64 IoCs

Processes:

05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe

description	ioc	process
File created	C:\Windows\System\HpyMiIH.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\dsFYUxH.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\XlhdCxX.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\BABChnx.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\fwBlCrp.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\NUSTszU.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\NYSpBJs.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\ehBByey.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\cnjiisl.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\jLrELIv.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\fLeZCvQ.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\uRHqodI.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\CrKZXkC.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\JNNhAzl.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\EyWjxWG.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\grTJKzP.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\kbppKGr.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\KShtDiP.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\KToIJVv.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\cmjRaGG.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\JycORpj.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\FSehsJT.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\LWZqlTZ.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\nRBPUYK.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\DzyYSXF.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\BkdOpKR.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\szmuCnA.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\HonWTvT.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\zoBVHOv.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\vvNsLab.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\RohIVoy.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\VFlatPT.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\zPPHbzT.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\uOjbDBY.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\VeQUQCt.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\vENqNTo.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\nCnQoqC.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\mJpfxzA.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\PKkFceU.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\kNtxTKQ.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\OFUqhYR.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\puvEDZB.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\YSzlkVR.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\NIsfLMM.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\eACnNkD.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\QMinWwf.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\ryJhACq.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\KBCODHk.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\tAIBvCi.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\gpsCXJq.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\tkstndU.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\RVLiekD.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\ZYHLMnu.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\NeRXbFY.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\ndXkbZH.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\QcEBWpz.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\nzVEdTx.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\LhePPxa.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\AqsBojA.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\fVCGquN.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\rYIfQVQ.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\PzXjnOJ.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\XLyqYpV.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
File created	C:\Windows\System\DclxWix.exe	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe

description	pid	process
Token: SeLockMemoryPrivilege	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
Token: SeLockMemoryPrivilege	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe

description	pid	process	target process
PID 4384 wrote to memory of 4016	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	UMNbaNl.exe
PID 4384 wrote to memory of 4016	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	UMNbaNl.exe
PID 4384 wrote to memory of 2272	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	bJxLqbw.exe
PID 4384 wrote to memory of 2272	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	bJxLqbw.exe
PID 4384 wrote to memory of 116	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	cmOkIuq.exe
PID 4384 wrote to memory of 116	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	cmOkIuq.exe
PID 4384 wrote to memory of 1664	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	KcMyZIj.exe
PID 4384 wrote to memory of 1664	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	KcMyZIj.exe
PID 4384 wrote to memory of 4124	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	OOKEklY.exe
PID 4384 wrote to memory of 4124	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	OOKEklY.exe
PID 4384 wrote to memory of 4200	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	liVyart.exe
PID 4384 wrote to memory of 4200	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	liVyart.exe
PID 4384 wrote to memory of 3584	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	BkdOpKR.exe
PID 4384 wrote to memory of 3584	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	BkdOpKR.exe
PID 4384 wrote to memory of 5100	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	uOjbDBY.exe
PID 4384 wrote to memory of 5100	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	uOjbDBY.exe
PID 4384 wrote to memory of 4692	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	uRHqodI.exe
PID 4384 wrote to memory of 4692	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	uRHqodI.exe
PID 4384 wrote to memory of 688	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	qFxmnBF.exe
PID 4384 wrote to memory of 688	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	qFxmnBF.exe
PID 4384 wrote to memory of 1888	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	NAuHUFO.exe
PID 4384 wrote to memory of 1888	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	NAuHUFO.exe
PID 4384 wrote to memory of 4868	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	IHzlTIb.exe
PID 4384 wrote to memory of 4868	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	IHzlTIb.exe
PID 4384 wrote to memory of 3336	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	rmCdgdd.exe
PID 4384 wrote to memory of 3336	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	rmCdgdd.exe
PID 4384 wrote to memory of 4488	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	OdBWfhG.exe
PID 4384 wrote to memory of 4488	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	OdBWfhG.exe
PID 4384 wrote to memory of 3520	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	KcJxZQx.exe
PID 4384 wrote to memory of 3520	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	KcJxZQx.exe
PID 4384 wrote to memory of 4416	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	novsqAt.exe
PID 4384 wrote to memory of 4416	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	novsqAt.exe
PID 4384 wrote to memory of 3676	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	OBqkRpJ.exe
PID 4384 wrote to memory of 3676	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	OBqkRpJ.exe
PID 4384 wrote to memory of 2540	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	AqsBojA.exe
PID 4384 wrote to memory of 2540	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	AqsBojA.exe
PID 4384 wrote to memory of 4904	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	VUbezag.exe
PID 4384 wrote to memory of 4904	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	VUbezag.exe
PID 4384 wrote to memory of 4668	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	hMEJdLq.exe
PID 4384 wrote to memory of 4668	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	hMEJdLq.exe
PID 4384 wrote to memory of 384	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	WMIYLrA.exe
PID 4384 wrote to memory of 384	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	WMIYLrA.exe
PID 4384 wrote to memory of 4848	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	WEmGsgb.exe
PID 4384 wrote to memory of 4848	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	WEmGsgb.exe
PID 4384 wrote to memory of 3036	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	RUrkZQQ.exe
PID 4384 wrote to memory of 3036	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	RUrkZQQ.exe
PID 4384 wrote to memory of 1444	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	zoBVHOv.exe
PID 4384 wrote to memory of 1444	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	zoBVHOv.exe
PID 4384 wrote to memory of 1816	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	ssAuBtp.exe
PID 4384 wrote to memory of 1816	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	ssAuBtp.exe
PID 4384 wrote to memory of 4880	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	VBYdXXV.exe
PID 4384 wrote to memory of 4880	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	VBYdXXV.exe
PID 4384 wrote to memory of 2628	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	hnTcbLy.exe
PID 4384 wrote to memory of 2628	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	hnTcbLy.exe
PID 4384 wrote to memory of 4844	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	vnUXhYL.exe
PID 4384 wrote to memory of 4844	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	vnUXhYL.exe
PID 4384 wrote to memory of 2192	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	eACnNkD.exe
PID 4384 wrote to memory of 2192	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	eACnNkD.exe
PID 4384 wrote to memory of 2520	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	CrKZXkC.exe
PID 4384 wrote to memory of 2520	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	CrKZXkC.exe
PID 4384 wrote to memory of 2972	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	MRDTLDp.exe
PID 4384 wrote to memory of 2972	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	MRDTLDp.exe
PID 4384 wrote to memory of 816	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	GbbNQTa.exe
PID 4384 wrote to memory of 816	4384	05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe	GbbNQTa.exe

C:\Users\Admin\AppData\Local\Temp\05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe
"C:\Users\Admin\AppData\Local\Temp\05aa6df331068f19b44779d2af2d1c21e3deb164c5cea53642d6feed7214ff9eN.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Windows\System\UMNbaNl.exe
  C:\Windows\System\UMNbaNl.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System\bJxLqbw.exe
  C:\Windows\System\bJxLqbw.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\cmOkIuq.exe
  C:\Windows\System\cmOkIuq.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\KcMyZIj.exe
  C:\Windows\System\KcMyZIj.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\OOKEklY.exe
  C:\Windows\System\OOKEklY.exe
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Windows\System\liVyart.exe
  C:\Windows\System\liVyart.exe
  2⤵
  - Executes dropped EXE
  PID:4200
- C:\Windows\System\BkdOpKR.exe
  C:\Windows\System\BkdOpKR.exe
  2⤵
  - Executes dropped EXE
  PID:3584
- C:\Windows\System\uOjbDBY.exe
  C:\Windows\System\uOjbDBY.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System\uRHqodI.exe
  C:\Windows\System\uRHqodI.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System\qFxmnBF.exe
  C:\Windows\System\qFxmnBF.exe
  2⤵
  - Executes dropped EXE
  PID:688
- C:\Windows\System\NAuHUFO.exe
  C:\Windows\System\NAuHUFO.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\System\IHzlTIb.exe
  C:\Windows\System\IHzlTIb.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System\rmCdgdd.exe
  C:\Windows\System\rmCdgdd.exe
  2⤵
  - Executes dropped EXE
  PID:3336
- C:\Windows\System\OdBWfhG.exe
  C:\Windows\System\OdBWfhG.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System\KcJxZQx.exe
  C:\Windows\System\KcJxZQx.exe
  2⤵
  - Executes dropped EXE
  PID:3520
- C:\Windows\System\novsqAt.exe
  C:\Windows\System\novsqAt.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System\OBqkRpJ.exe
  C:\Windows\System\OBqkRpJ.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System\AqsBojA.exe
  C:\Windows\System\AqsBojA.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\VUbezag.exe
  C:\Windows\System\VUbezag.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System\hMEJdLq.exe
  C:\Windows\System\hMEJdLq.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Windows\System\WMIYLrA.exe
  C:\Windows\System\WMIYLrA.exe
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\System\WEmGsgb.exe
  C:\Windows\System\WEmGsgb.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System\RUrkZQQ.exe
  C:\Windows\System\RUrkZQQ.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System\zoBVHOv.exe
  C:\Windows\System\zoBVHOv.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System\ssAuBtp.exe
  C:\Windows\System\ssAuBtp.exe
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\System\VBYdXXV.exe
  C:\Windows\System\VBYdXXV.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System\hnTcbLy.exe
  C:\Windows\System\hnTcbLy.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System\vnUXhYL.exe
  C:\Windows\System\vnUXhYL.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System\eACnNkD.exe
  C:\Windows\System\eACnNkD.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System\CrKZXkC.exe
  C:\Windows\System\CrKZXkC.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System\MRDTLDp.exe
  C:\Windows\System\MRDTLDp.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\GbbNQTa.exe
  C:\Windows\System\GbbNQTa.exe
  2⤵
  - Executes dropped EXE
  PID:816
- C:\Windows\System\cmjRaGG.exe
  C:\Windows\System\cmjRaGG.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System\wYXFkUU.exe
  C:\Windows\System\wYXFkUU.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System\xSfZKGG.exe
  C:\Windows\System\xSfZKGG.exe
  2⤵
  - Executes dropped EXE
  PID:3256
- C:\Windows\System\KBCODHk.exe
  C:\Windows\System\KBCODHk.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System\VeQUQCt.exe
  C:\Windows\System\VeQUQCt.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System\JEGUYpt.exe
  C:\Windows\System\JEGUYpt.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System\KNxNorn.exe
  C:\Windows\System\KNxNorn.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System\uvVRUXj.exe
  C:\Windows\System\uvVRUXj.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System\WLOQfiW.exe
  C:\Windows\System\WLOQfiW.exe
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\System\FfMVkbs.exe
  C:\Windows\System\FfMVkbs.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\gosuJOB.exe
  C:\Windows\System\gosuJOB.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\ezGbCuh.exe
  C:\Windows\System\ezGbCuh.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System\qTURNEY.exe
  C:\Windows\System\qTURNEY.exe
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\System\NEaybpz.exe
  C:\Windows\System\NEaybpz.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\pnnmJcW.exe
  C:\Windows\System\pnnmJcW.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System\NlkZXqZ.exe
  C:\Windows\System\NlkZXqZ.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System\kkbSwmR.exe
  C:\Windows\System\kkbSwmR.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System\MBbeWkK.exe
  C:\Windows\System\MBbeWkK.exe
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\System\jWmeHIy.exe
  C:\Windows\System\jWmeHIy.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System\YGhqLTB.exe
  C:\Windows\System\YGhqLTB.exe
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Windows\System\UavRAPO.exe
  C:\Windows\System\UavRAPO.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\wPdUaDJ.exe
  C:\Windows\System\wPdUaDJ.exe
  2⤵
  - Executes dropped EXE
  PID:3856
- C:\Windows\System\NYSpBJs.exe
  C:\Windows\System\NYSpBJs.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System\XlhdCxX.exe
  C:\Windows\System\XlhdCxX.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\tvgmSbn.exe
  C:\Windows\System\tvgmSbn.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System\vNHsQnc.exe
  C:\Windows\System\vNHsQnc.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\FtazAFx.exe
  C:\Windows\System\FtazAFx.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System\zUJSivO.exe
  C:\Windows\System\zUJSivO.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System\RVLiekD.exe
  C:\Windows\System\RVLiekD.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System\wteAPHd.exe
  C:\Windows\System\wteAPHd.exe
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\System\WIklbvA.exe
  C:\Windows\System\WIklbvA.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System\UylntXC.exe
  C:\Windows\System\UylntXC.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System\puvEDZB.exe
  C:\Windows\System\puvEDZB.exe
  2⤵
  PID:4920
- C:\Windows\System\JNNhAzl.exe
  C:\Windows\System\JNNhAzl.exe
  2⤵
  PID:1456
- C:\Windows\System\qmADcQs.exe
  C:\Windows\System\qmADcQs.exe
  2⤵
  PID:3148
- C:\Windows\System\LcpjZzV.exe
  C:\Windows\System\LcpjZzV.exe
  2⤵
  PID:2080
- C:\Windows\System\TEeqaxl.exe
  C:\Windows\System\TEeqaxl.exe
  2⤵
  PID:2984
- C:\Windows\System\TEQvbmG.exe
  C:\Windows\System\TEQvbmG.exe
  2⤵
  PID:1464
- C:\Windows\System\gzpAjWd.exe
  C:\Windows\System\gzpAjWd.exe
  2⤵
  PID:3140
- C:\Windows\System\szmuCnA.exe
  C:\Windows\System\szmuCnA.exe
  2⤵
  PID:3752
- C:\Windows\System\tAIBvCi.exe
  C:\Windows\System\tAIBvCi.exe
  2⤵
  PID:2016
- C:\Windows\System\mlMnNJY.exe
  C:\Windows\System\mlMnNJY.exe
  2⤵
  PID:3472
- C:\Windows\System\qCRXvpS.exe
  C:\Windows\System\qCRXvpS.exe
  2⤵
  PID:3292
- C:\Windows\System\NcTalpT.exe
  C:\Windows\System\NcTalpT.exe
  2⤵
  PID:2452
- C:\Windows\System\ZmHrQWK.exe
  C:\Windows\System\ZmHrQWK.exe
  2⤵
  PID:2656
- C:\Windows\System\YqmUBHt.exe
  C:\Windows\System\YqmUBHt.exe
  2⤵
  PID:4440
- C:\Windows\System\wNuDbDV.exe
  C:\Windows\System\wNuDbDV.exe
  2⤵
  PID:2020
- C:\Windows\System\UJnWXHx.exe
  C:\Windows\System\UJnWXHx.exe
  2⤵
  PID:3296
- C:\Windows\System\jLrELIv.exe
  C:\Windows\System\jLrELIv.exe
  2⤵
  PID:2884
- C:\Windows\System\fVCGquN.exe
  C:\Windows\System\fVCGquN.exe
  2⤵
  PID:4388
- C:\Windows\System\XFYdJup.exe
  C:\Windows\System\XFYdJup.exe
  2⤵
  PID:3308
- C:\Windows\System\Pcmyoor.exe
  C:\Windows\System\Pcmyoor.exe
  2⤵
  PID:4628
- C:\Windows\System\glxIEyQ.exe
  C:\Windows\System\glxIEyQ.exe
  2⤵
  PID:4136
- C:\Windows\System\ehBByey.exe
  C:\Windows\System\ehBByey.exe
  2⤵
  PID:2276
- C:\Windows\System\UbUJqVG.exe
  C:\Windows\System\UbUJqVG.exe
  2⤵
  PID:4544
- C:\Windows\System\ahyXLkz.exe
  C:\Windows\System\ahyXLkz.exe
  2⤵
  PID:2024
- C:\Windows\System\yXFdiaq.exe
  C:\Windows\System\yXFdiaq.exe
  2⤵
  PID:4368
- C:\Windows\System\kuWvaMF.exe
  C:\Windows\System\kuWvaMF.exe
  2⤵
  PID:3536
- C:\Windows\System\AJOsAwH.exe
  C:\Windows\System\AJOsAwH.exe
  2⤵
  PID:1136
- C:\Windows\System\tMtjFdy.exe
  C:\Windows\System\tMtjFdy.exe
  2⤵
  PID:3332
- C:\Windows\System\SPNFtZl.exe
  C:\Windows\System\SPNFtZl.exe
  2⤵
  PID:2900
- C:\Windows\System\DIsucPj.exe
  C:\Windows\System\DIsucPj.exe
  2⤵
  PID:1284
- C:\Windows\System\RBkvfdn.exe
  C:\Windows\System\RBkvfdn.exe
  2⤵
  PID:2428
- C:\Windows\System\YSzlkVR.exe
  C:\Windows\System\YSzlkVR.exe
  2⤵
  PID:3268
- C:\Windows\System\pIVkkHA.exe
  C:\Windows\System\pIVkkHA.exe
  2⤵
  PID:2672
- C:\Windows\System\rYIfQVQ.exe
  C:\Windows\System\rYIfQVQ.exe
  2⤵
  PID:4244
- C:\Windows\System\sbmvlWK.exe
  C:\Windows\System\sbmvlWK.exe
  2⤵
  PID:1628
- C:\Windows\System\HonWTvT.exe
  C:\Windows\System\HonWTvT.exe
  2⤵
  PID:4804
- C:\Windows\System\pYTcmKH.exe
  C:\Windows\System\pYTcmKH.exe
  2⤵
  PID:1264
- C:\Windows\System\WeNfKAr.exe
  C:\Windows\System\WeNfKAr.exe
  2⤵
  PID:4380
- C:\Windows\System\iivUFKO.exe
  C:\Windows\System\iivUFKO.exe
  2⤵
  PID:4012
- C:\Windows\System\YpiHOUO.exe
  C:\Windows\System\YpiHOUO.exe
  2⤵
  PID:848
- C:\Windows\System\iHOIVVs.exe
  C:\Windows\System\iHOIVVs.exe
  2⤵
  PID:3548
- C:\Windows\System\BmGEJHM.exe
  C:\Windows\System\BmGEJHM.exe
  2⤵
  PID:844
- C:\Windows\System\vNHYUWp.exe
  C:\Windows\System\vNHYUWp.exe
  2⤵
  PID:4332
- C:\Windows\System\NSFkXut.exe
  C:\Windows\System\NSFkXut.exe
  2⤵
  PID:2140
- C:\Windows\System\BwHLHvP.exe
  C:\Windows\System\BwHLHvP.exe
  2⤵
  PID:1776
- C:\Windows\System\lXasNNU.exe
  C:\Windows\System\lXasNNU.exe
  2⤵
  PID:4608
- C:\Windows\System\vENqNTo.exe
  C:\Windows\System\vENqNTo.exe
  2⤵
  PID:4464
- C:\Windows\System\VlvpQAd.exe
  C:\Windows\System\VlvpQAd.exe
  2⤵
  PID:4672
- C:\Windows\System\RNgEYTM.exe
  C:\Windows\System\RNgEYTM.exe
  2⤵
  PID:4076
- C:\Windows\System\tVzqSJS.exe
  C:\Windows\System\tVzqSJS.exe
  2⤵
  PID:4768
- C:\Windows\System\WYohnJB.exe
  C:\Windows\System\WYohnJB.exe
  2⤵
  PID:5116
- C:\Windows\System\yqcaPZI.exe
  C:\Windows\System\yqcaPZI.exe
  2⤵
  PID:536
- C:\Windows\System\JycORpj.exe
  C:\Windows\System\JycORpj.exe
  2⤵
  PID:3616
- C:\Windows\System\NzAhqhB.exe
  C:\Windows\System\NzAhqhB.exe
  2⤵
  PID:5148
- C:\Windows\System\NwhnpNC.exe
  C:\Windows\System\NwhnpNC.exe
  2⤵
  PID:5164
- C:\Windows\System\XvMOsCO.exe
  C:\Windows\System\XvMOsCO.exe
  2⤵
  PID:5184
- C:\Windows\System\RXYgznA.exe
  C:\Windows\System\RXYgznA.exe
  2⤵
  PID:5216
- C:\Windows\System\NIsfLMM.exe
  C:\Windows\System\NIsfLMM.exe
  2⤵
  PID:5248
- C:\Windows\System\nCnQoqC.exe
  C:\Windows\System\nCnQoqC.exe
  2⤵
  PID:5276
- C:\Windows\System\eXIWVfz.exe
  C:\Windows\System\eXIWVfz.exe
  2⤵
  PID:5296
- C:\Windows\System\WxTPlLL.exe
  C:\Windows\System\WxTPlLL.exe
  2⤵
  PID:5324
- C:\Windows\System\IvfpTwq.exe
  C:\Windows\System\IvfpTwq.exe
  2⤵
  PID:5356
- C:\Windows\System\mgJTUxk.exe
  C:\Windows\System\mgJTUxk.exe
  2⤵
  PID:5388
- C:\Windows\System\RohIVoy.exe
  C:\Windows\System\RohIVoy.exe
  2⤵
  PID:5416
- C:\Windows\System\fwuqOLj.exe
  C:\Windows\System\fwuqOLj.exe
  2⤵
  PID:5448
- C:\Windows\System\lusyOuL.exe
  C:\Windows\System\lusyOuL.exe
  2⤵
  PID:5484
- C:\Windows\System\jPYEACs.exe
  C:\Windows\System\jPYEACs.exe
  2⤵
  PID:5500
- C:\Windows\System\EjEliAN.exe
  C:\Windows\System\EjEliAN.exe
  2⤵
  PID:5540
- C:\Windows\System\mJdKIBv.exe
  C:\Windows\System\mJdKIBv.exe
  2⤵
  PID:5560
- C:\Windows\System\gVYYmuK.exe
  C:\Windows\System\gVYYmuK.exe
  2⤵
  PID:5580
- C:\Windows\System\itnvfQL.exe
  C:\Windows\System\itnvfQL.exe
  2⤵
  PID:5600
- C:\Windows\System\bytLmFG.exe
  C:\Windows\System\bytLmFG.exe
  2⤵
  PID:5628
- C:\Windows\System\TCHtogH.exe
  C:\Windows\System\TCHtogH.exe
  2⤵
  PID:5652
- C:\Windows\System\NTdEmNw.exe
  C:\Windows\System\NTdEmNw.exe
  2⤵
  PID:5684
- C:\Windows\System\gpsCXJq.exe
  C:\Windows\System\gpsCXJq.exe
  2⤵
  PID:5716
- C:\Windows\System\nRBPUYK.exe
  C:\Windows\System\nRBPUYK.exe
  2⤵
  PID:5756
- C:\Windows\System\eQQJdHY.exe
  C:\Windows\System\eQQJdHY.exe
  2⤵
  PID:5788
- C:\Windows\System\hGleKfK.exe
  C:\Windows\System\hGleKfK.exe
  2⤵
  PID:5808
- C:\Windows\System\Oatdwvp.exe
  C:\Windows\System\Oatdwvp.exe
  2⤵
  PID:5824
- C:\Windows\System\sESjAZO.exe
  C:\Windows\System\sESjAZO.exe
  2⤵
  PID:5856
- C:\Windows\System\vvNsLab.exe
  C:\Windows\System\vvNsLab.exe
  2⤵
  PID:5892
- C:\Windows\System\FSehsJT.exe
  C:\Windows\System\FSehsJT.exe
  2⤵
  PID:5920
- C:\Windows\System\XAAQrCa.exe
  C:\Windows\System\XAAQrCa.exe
  2⤵
  PID:5948
- C:\Windows\System\lIehZCH.exe
  C:\Windows\System\lIehZCH.exe
  2⤵
  PID:5968
- C:\Windows\System\cYNWmJN.exe
  C:\Windows\System\cYNWmJN.exe
  2⤵
  PID:5992
- C:\Windows\System\LNsJvhv.exe
  C:\Windows\System\LNsJvhv.exe
  2⤵
  PID:6020
- C:\Windows\System\mJpfxzA.exe
  C:\Windows\System\mJpfxzA.exe
  2⤵
  PID:6052
- C:\Windows\System\PzXjnOJ.exe
  C:\Windows\System\PzXjnOJ.exe
  2⤵
  PID:6080
- C:\Windows\System\ddLguli.exe
  C:\Windows\System\ddLguli.exe
  2⤵
  PID:6116
- C:\Windows\System\lUmHFtq.exe
  C:\Windows\System\lUmHFtq.exe
  2⤵
  PID:3252
- C:\Windows\System\VRzfEVx.exe
  C:\Windows\System\VRzfEVx.exe
  2⤵
  PID:5196
- C:\Windows\System\ndXkbZH.exe
  C:\Windows\System\ndXkbZH.exe
  2⤵
  PID:5264
- C:\Windows\System\QcEBWpz.exe
  C:\Windows\System\QcEBWpz.exe
  2⤵
  PID:5376
- C:\Windows\System\lkzUjeA.exe
  C:\Windows\System\lkzUjeA.exe
  2⤵
  PID:5400
- C:\Windows\System\KpBgalZ.exe
  C:\Windows\System\KpBgalZ.exe
  2⤵
  PID:5444
- C:\Windows\System\EbfYkKN.exe
  C:\Windows\System\EbfYkKN.exe
  2⤵
  PID:5492
- C:\Windows\System\PKkFceU.exe
  C:\Windows\System\PKkFceU.exe
  2⤵
  PID:5596
- C:\Windows\System\wPFWsOB.exe
  C:\Windows\System\wPFWsOB.exe
  2⤵
  PID:5620
- C:\Windows\System\SRroXhk.exe
  C:\Windows\System\SRroXhk.exe
  2⤵
  PID:5704
- C:\Windows\System\zTzqaEd.exe
  C:\Windows\System\zTzqaEd.exe
  2⤵
  PID:5768
- C:\Windows\System\XLyqYpV.exe
  C:\Windows\System\XLyqYpV.exe
  2⤵
  PID:5868
- C:\Windows\System\AaaHHhN.exe
  C:\Windows\System\AaaHHhN.exe
  2⤵
  PID:5904
- C:\Windows\System\XunDMbZ.exe
  C:\Windows\System\XunDMbZ.exe
  2⤵
  PID:5980
- C:\Windows\System\ZYHLMnu.exe
  C:\Windows\System\ZYHLMnu.exe
  2⤵
  PID:5956
- C:\Windows\System\vbnYNuR.exe
  C:\Windows\System\vbnYNuR.exe
  2⤵
  PID:6096
- C:\Windows\System\qDXqXnM.exe
  C:\Windows\System\qDXqXnM.exe
  2⤵
  PID:5156
- C:\Windows\System\kfVMUSy.exe
  C:\Windows\System\kfVMUSy.exe
  2⤵
  PID:5344
- C:\Windows\System\VFlatPT.exe
  C:\Windows\System\VFlatPT.exe
  2⤵
  PID:5428
- C:\Windows\System\jyVQCOE.exe
  C:\Windows\System\jyVQCOE.exe
  2⤵
  PID:5572
- C:\Windows\System\FRDuNnN.exe
  C:\Windows\System\FRDuNnN.exe
  2⤵
  PID:5744
- C:\Windows\System\tARzaMp.exe
  C:\Windows\System\tARzaMp.exe
  2⤵
  PID:5848
- C:\Windows\System\EyWjxWG.exe
  C:\Windows\System\EyWjxWG.exe
  2⤵
  PID:6100
- C:\Windows\System\WGvbhFi.exe
  C:\Windows\System\WGvbhFi.exe
  2⤵
  PID:6068
- C:\Windows\System\TjVALmr.exe
  C:\Windows\System\TjVALmr.exe
  2⤵
  PID:5548
- C:\Windows\System\rcqmUrN.exe
  C:\Windows\System\rcqmUrN.exe
  2⤵
  PID:5960
- C:\Windows\System\oGQylQq.exe
  C:\Windows\System\oGQylQq.exe
  2⤵
  PID:5472
- C:\Windows\System\wgceeAE.exe
  C:\Windows\System\wgceeAE.exe
  2⤵
  PID:6160
- C:\Windows\System\dnEbnWU.exe
  C:\Windows\System\dnEbnWU.exe
  2⤵
  PID:6196
- C:\Windows\System\iYFRKiH.exe
  C:\Windows\System\iYFRKiH.exe
  2⤵
  PID:6216
- C:\Windows\System\dOKpVxP.exe
  C:\Windows\System\dOKpVxP.exe
  2⤵
  PID:6244
- C:\Windows\System\WrRDaMk.exe
  C:\Windows\System\WrRDaMk.exe
  2⤵
  PID:6276
- C:\Windows\System\NmEEmsy.exe
  C:\Windows\System\NmEEmsy.exe
  2⤵
  PID:6312
- C:\Windows\System\fMcEFfN.exe
  C:\Windows\System\fMcEFfN.exe
  2⤵
  PID:6328
- C:\Windows\System\eGULOWt.exe
  C:\Windows\System\eGULOWt.exe
  2⤵
  PID:6356
- C:\Windows\System\dTzqsxo.exe
  C:\Windows\System\dTzqsxo.exe
  2⤵
  PID:6388
- C:\Windows\System\PyAmqeJ.exe
  C:\Windows\System\PyAmqeJ.exe
  2⤵
  PID:6408
- C:\Windows\System\LDMCYaG.exe
  C:\Windows\System\LDMCYaG.exe
  2⤵
  PID:6440
- C:\Windows\System\IAIkVBD.exe
  C:\Windows\System\IAIkVBD.exe
  2⤵
  PID:6468
- C:\Windows\System\BNWIDHZ.exe
  C:\Windows\System\BNWIDHZ.exe
  2⤵
  PID:6504
- C:\Windows\System\zZydxJy.exe
  C:\Windows\System\zZydxJy.exe
  2⤵
  PID:6520
- C:\Windows\System\RKAERfw.exe
  C:\Windows\System\RKAERfw.exe
  2⤵
  PID:6544
- C:\Windows\System\RRTsujZ.exe
  C:\Windows\System\RRTsujZ.exe
  2⤵
  PID:6584
- C:\Windows\System\cnjiisl.exe
  C:\Windows\System\cnjiisl.exe
  2⤵
  PID:6612
- C:\Windows\System\aqhjYLE.exe
  C:\Windows\System\aqhjYLE.exe
  2⤵
  PID:6636
- C:\Windows\System\BABChnx.exe
  C:\Windows\System\BABChnx.exe
  2⤵
  PID:6668
- C:\Windows\System\xnjrKDk.exe
  C:\Windows\System\xnjrKDk.exe
  2⤵
  PID:6692
- C:\Windows\System\GfmZsEw.exe
  C:\Windows\System\GfmZsEw.exe
  2⤵
  PID:6724
- C:\Windows\System\aPCzkQV.exe
  C:\Windows\System\aPCzkQV.exe
  2⤵
  PID:6760
- C:\Windows\System\NeRXbFY.exe
  C:\Windows\System\NeRXbFY.exe
  2⤵
  PID:6788
- C:\Windows\System\gNTlSck.exe
  C:\Windows\System\gNTlSck.exe
  2⤵
  PID:6804
- C:\Windows\System\grTJKzP.exe
  C:\Windows\System\grTJKzP.exe
  2⤵
  PID:6836
- C:\Windows\System\fyopBEC.exe
  C:\Windows\System\fyopBEC.exe
  2⤵
  PID:6860
- C:\Windows\System\UGBknxP.exe
  C:\Windows\System\UGBknxP.exe
  2⤵
  PID:6888
- C:\Windows\System\WwEWabQ.exe
  C:\Windows\System\WwEWabQ.exe
  2⤵
  PID:6904
- C:\Windows\System\swZwyJz.exe
  C:\Windows\System\swZwyJz.exe
  2⤵
  PID:6932
- C:\Windows\System\QMinWwf.exe
  C:\Windows\System\QMinWwf.exe
  2⤵
  PID:6968
- C:\Windows\System\xojolJh.exe
  C:\Windows\System\xojolJh.exe
  2⤵
  PID:7000
- C:\Windows\System\HLPXgiX.exe
  C:\Windows\System\HLPXgiX.exe
  2⤵
  PID:7028
- C:\Windows\System\mksznPf.exe
  C:\Windows\System\mksznPf.exe
  2⤵
  PID:7056
- C:\Windows\System\wokZGaw.exe
  C:\Windows\System\wokZGaw.exe
  2⤵
  PID:7096
- C:\Windows\System\pjcOCbc.exe
  C:\Windows\System\pjcOCbc.exe
  2⤵
  PID:7112
- C:\Windows\System\efiFffk.exe
  C:\Windows\System\efiFffk.exe
  2⤵
  PID:7140
- C:\Windows\System\wmvvkJJ.exe
  C:\Windows\System\wmvvkJJ.exe
  2⤵
  PID:6152
- C:\Windows\System\wIOOMig.exe
  C:\Windows\System\wIOOMig.exe
  2⤵
  PID:6208
- C:\Windows\System\sDTkdtA.exe
  C:\Windows\System\sDTkdtA.exe
  2⤵
  PID:6256
- C:\Windows\System\kNtxTKQ.exe
  C:\Windows\System\kNtxTKQ.exe
  2⤵
  PID:6296
- C:\Windows\System\oShrDmP.exe
  C:\Windows\System\oShrDmP.exe
  2⤵
  PID:6404
- C:\Windows\System\roeOkMn.exe
  C:\Windows\System\roeOkMn.exe
  2⤵
  PID:6460
- C:\Windows\System\DclxWix.exe
  C:\Windows\System\DclxWix.exe
  2⤵
  PID:6536
- C:\Windows\System\LmqFEPb.exe
  C:\Windows\System\LmqFEPb.exe
  2⤵
  PID:6568
- C:\Windows\System\kbppKGr.exe
  C:\Windows\System\kbppKGr.exe
  2⤵
  PID:6652
- C:\Windows\System\ryJhACq.exe
  C:\Windows\System\ryJhACq.exe
  2⤵
  PID:6704
- C:\Windows\System\hVEfVFr.exe
  C:\Windows\System\hVEfVFr.exe
  2⤵
  PID:6780
- C:\Windows\System\EZrLisG.exe
  C:\Windows\System\EZrLisG.exe
  2⤵
  PID:6844
- C:\Windows\System\kcAzrkI.exe
  C:\Windows\System\kcAzrkI.exe
  2⤵
  PID:6928
- C:\Windows\System\hLfTlTZ.exe
  C:\Windows\System\hLfTlTZ.exe
  2⤵
  PID:6980
- C:\Windows\System\UKsiCJO.exe
  C:\Windows\System\UKsiCJO.exe
  2⤵
  PID:7040
- C:\Windows\System\HumriLP.exe
  C:\Windows\System\HumriLP.exe
  2⤵
  PID:7104
- C:\Windows\System\cLxIoZJ.exe
  C:\Windows\System\cLxIoZJ.exe
  2⤵
  PID:7152
- C:\Windows\System\uhvvFGa.exe
  C:\Windows\System\uhvvFGa.exe
  2⤵
  PID:6236
- C:\Windows\System\cXufbFk.exe
  C:\Windows\System\cXufbFk.exe
  2⤵
  PID:6340
- C:\Windows\System\VLiYuXs.exe
  C:\Windows\System\VLiYuXs.exe
  2⤵
  PID:6564
- C:\Windows\System\KOKHpoq.exe
  C:\Windows\System\KOKHpoq.exe
  2⤵
  PID:6608
- C:\Windows\System\BrxlDLh.exe
  C:\Windows\System\BrxlDLh.exe
  2⤵
  PID:6676
- C:\Windows\System\fwBlCrp.exe
  C:\Windows\System\fwBlCrp.exe
  2⤵
  PID:6924
- C:\Windows\System\FqrAyoh.exe
  C:\Windows\System\FqrAyoh.exe
  2⤵
  PID:7076
- C:\Windows\System\WinmxBP.exe
  C:\Windows\System\WinmxBP.exe
  2⤵
  PID:6452
- C:\Windows\System\gqixnbp.exe
  C:\Windows\System\gqixnbp.exe
  2⤵
  PID:6744
- C:\Windows\System\elTGIUy.exe
  C:\Windows\System\elTGIUy.exe
  2⤵
  PID:7052
- C:\Windows\System\epGzhJf.exe
  C:\Windows\System\epGzhJf.exe
  2⤵
  PID:6516
- C:\Windows\System\RzSwQqX.exe
  C:\Windows\System\RzSwQqX.exe
  2⤵
  PID:7172
- C:\Windows\System\WWdqjHe.exe
  C:\Windows\System\WWdqjHe.exe
  2⤵
  PID:7204
- C:\Windows\System\bYWYukY.exe
  C:\Windows\System\bYWYukY.exe
  2⤵
  PID:7236
- C:\Windows\System\xrTLYxU.exe
  C:\Windows\System\xrTLYxU.exe
  2⤵
  PID:7264
- C:\Windows\System\zPPHbzT.exe
  C:\Windows\System\zPPHbzT.exe
  2⤵
  PID:7300
- C:\Windows\System\nQfYtRp.exe
  C:\Windows\System\nQfYtRp.exe
  2⤵
  PID:7328
- C:\Windows\System\lEYDtnI.exe
  C:\Windows\System\lEYDtnI.exe
  2⤵
  PID:7360
- C:\Windows\System\qEOUSNN.exe
  C:\Windows\System\qEOUSNN.exe
  2⤵
  PID:7384
- C:\Windows\System\GSOoOrS.exe
  C:\Windows\System\GSOoOrS.exe
  2⤵
  PID:7404
- C:\Windows\System\fLeZCvQ.exe
  C:\Windows\System\fLeZCvQ.exe
  2⤵
  PID:7440
- C:\Windows\System\tefOFYM.exe
  C:\Windows\System\tefOFYM.exe
  2⤵
  PID:7468
- C:\Windows\System\NKHiNql.exe
  C:\Windows\System\NKHiNql.exe
  2⤵
  PID:7496
- C:\Windows\System\mDnvygu.exe
  C:\Windows\System\mDnvygu.exe
  2⤵
  PID:7516
- C:\Windows\System\fSAKnTC.exe
  C:\Windows\System\fSAKnTC.exe
  2⤵
  PID:7540
- C:\Windows\System\CveLdwW.exe
  C:\Windows\System\CveLdwW.exe
  2⤵
  PID:7572
- C:\Windows\System\mzIPwbk.exe
  C:\Windows\System\mzIPwbk.exe
  2⤵
  PID:7596
- C:\Windows\System\nzVEdTx.exe
  C:\Windows\System\nzVEdTx.exe
  2⤵
  PID:7632
- C:\Windows\System\DewFbuO.exe
  C:\Windows\System\DewFbuO.exe
  2⤵
  PID:7656
- C:\Windows\System\whEOGsy.exe
  C:\Windows\System\whEOGsy.exe
  2⤵
  PID:7696
- C:\Windows\System\FpUGSco.exe
  C:\Windows\System\FpUGSco.exe
  2⤵
  PID:7724
- C:\Windows\System\BxPCZOH.exe
  C:\Windows\System\BxPCZOH.exe
  2⤵
  PID:7752
- C:\Windows\System\MAGFncD.exe
  C:\Windows\System\MAGFncD.exe
  2⤵
  PID:7772
- C:\Windows\System\HpyMiIH.exe
  C:\Windows\System\HpyMiIH.exe
  2⤵
  PID:7808
- C:\Windows\System\atvLGrV.exe
  C:\Windows\System\atvLGrV.exe
  2⤵
  PID:7828
- C:\Windows\System\tHyHLvU.exe
  C:\Windows\System\tHyHLvU.exe
  2⤵
  PID:7864
- C:\Windows\System\ZCNoOay.exe
  C:\Windows\System\ZCNoOay.exe
  2⤵
  PID:7892
- C:\Windows\System\iamIQpJ.exe
  C:\Windows\System\iamIQpJ.exe
  2⤵
  PID:7912
- C:\Windows\System\ZKNMfQP.exe
  C:\Windows\System\ZKNMfQP.exe
  2⤵
  PID:7944
- C:\Windows\System\FUJmmZW.exe
  C:\Windows\System\FUJmmZW.exe
  2⤵
  PID:7980
- C:\Windows\System\WgRfVer.exe
  C:\Windows\System\WgRfVer.exe
  2⤵
  PID:8004
- C:\Windows\System\pWCoMEZ.exe
  C:\Windows\System\pWCoMEZ.exe
  2⤵
  PID:8036
- C:\Windows\System\lylDZom.exe
  C:\Windows\System\lylDZom.exe
  2⤵
  PID:8064
- C:\Windows\System\uyODxYf.exe
  C:\Windows\System\uyODxYf.exe
  2⤵
  PID:8096
- C:\Windows\System\sMKqDtM.exe
  C:\Windows\System\sMKqDtM.exe
  2⤵
  PID:8116
- C:\Windows\System\soMJJZE.exe
  C:\Windows\System\soMJJZE.exe
  2⤵
  PID:8144
- C:\Windows\System\QtpOHVU.exe
  C:\Windows\System\QtpOHVU.exe
  2⤵
  PID:8172
- C:\Windows\System\zgYDBbM.exe
  C:\Windows\System\zgYDBbM.exe
  2⤵
  PID:6756
- C:\Windows\System\OmcHTaI.exe
  C:\Windows\System\OmcHTaI.exe
  2⤵
  PID:7224
- C:\Windows\System\RWTEytp.exe
  C:\Windows\System\RWTEytp.exe
  2⤵
  PID:7260
- C:\Windows\System\atRSKcU.exe
  C:\Windows\System\atRSKcU.exe
  2⤵
  PID:7356
- C:\Windows\System\KShtDiP.exe
  C:\Windows\System\KShtDiP.exe
  2⤵
  PID:7448
- C:\Windows\System\pLzIsTt.exe
  C:\Windows\System\pLzIsTt.exe
  2⤵
  PID:7512
- C:\Windows\System\MThjJxF.exe
  C:\Windows\System\MThjJxF.exe
  2⤵
  PID:7532
- C:\Windows\System\LXzZhrF.exe
  C:\Windows\System\LXzZhrF.exe
  2⤵
  PID:7616
- C:\Windows\System\SMXLCMC.exe
  C:\Windows\System\SMXLCMC.exe
  2⤵
  PID:7680
- C:\Windows\System\AUQShDd.exe
  C:\Windows\System\AUQShDd.exe
  2⤵
  PID:7748
- C:\Windows\System\PGBZorL.exe
  C:\Windows\System\PGBZorL.exe
  2⤵
  PID:7816
- C:\Windows\System\KToIJVv.exe
  C:\Windows\System\KToIJVv.exe
  2⤵
  PID:7872
- C:\Windows\System\LWZqlTZ.exe
  C:\Windows\System\LWZqlTZ.exe
  2⤵
  PID:7928
- C:\Windows\System\DzyYSXF.exe
  C:\Windows\System\DzyYSXF.exe
  2⤵
  PID:7976
- C:\Windows\System\FFCrVpD.exe
  C:\Windows\System\FFCrVpD.exe
  2⤵
  PID:8072
- C:\Windows\System\wNZwQie.exe
  C:\Windows\System\wNZwQie.exe
  2⤵
  PID:8128
- C:\Windows\System\JOgqpqc.exe
  C:\Windows\System\JOgqpqc.exe
  2⤵
  PID:8188
- C:\Windows\System\MFvqoZl.exe
  C:\Windows\System\MFvqoZl.exe
  2⤵
  PID:7312
- C:\Windows\System\agipHAA.exe
  C:\Windows\System\agipHAA.exe
  2⤵
  PID:7392
- C:\Windows\System\VdJPRsJ.exe
  C:\Windows\System\VdJPRsJ.exe
  2⤵
  PID:7504
- C:\Windows\System\oXmZvCl.exe
  C:\Windows\System\oXmZvCl.exe
  2⤵
  PID:7668
- C:\Windows\System\tkstndU.exe
  C:\Windows\System\tkstndU.exe
  2⤵
  PID:7856
- C:\Windows\System\NUSTszU.exe
  C:\Windows\System\NUSTszU.exe
  2⤵
  PID:7968
- C:\Windows\System\HzsjIBN.exe
  C:\Windows\System\HzsjIBN.exe
  2⤵
  PID:8180
- C:\Windows\System\XqslfGb.exe
  C:\Windows\System\XqslfGb.exe
  2⤵
  PID:7340
- C:\Windows\System\DvblDHg.exe
  C:\Windows\System\DvblDHg.exe
  2⤵
  PID:7844
- C:\Windows\System\zULJVhV.exe
  C:\Windows\System\zULJVhV.exe
  2⤵
  PID:8160
- C:\Windows\System\AAZJonX.exe
  C:\Windows\System\AAZJonX.exe
  2⤵
  PID:7640
- C:\Windows\System\ggoNJnX.exe
  C:\Windows\System\ggoNJnX.exe
  2⤵
  PID:8216
- C:\Windows\System\XlDllHM.exe
  C:\Windows\System\XlDllHM.exe
  2⤵
  PID:8240
- C:\Windows\System\AQhQkBv.exe
  C:\Windows\System\AQhQkBv.exe
  2⤵
  PID:8268
- C:\Windows\System\PBUTikr.exe
  C:\Windows\System\PBUTikr.exe
  2⤵
  PID:8296
- C:\Windows\System\YqGbekd.exe
  C:\Windows\System\YqGbekd.exe
  2⤵
  PID:8328
- C:\Windows\System\YpVXMEt.exe
  C:\Windows\System\YpVXMEt.exe
  2⤵
  PID:8352
- C:\Windows\System\iivIyrh.exe
  C:\Windows\System\iivIyrh.exe
  2⤵
  PID:8372
- C:\Windows\System\exAzPXE.exe
  C:\Windows\System\exAzPXE.exe
  2⤵
  PID:8412
- C:\Windows\System\hDopJVS.exe
  C:\Windows\System\hDopJVS.exe
  2⤵
  PID:8452
- C:\Windows\System\PRSExsW.exe
  C:\Windows\System\PRSExsW.exe
  2⤵
  PID:8468
- C:\Windows\System\OFUqhYR.exe
  C:\Windows\System\OFUqhYR.exe
  2⤵
  PID:8496
- C:\Windows\System\sNQXyak.exe
  C:\Windows\System\sNQXyak.exe
  2⤵
  PID:8512
- C:\Windows\System\kPpPPrK.exe
  C:\Windows\System\kPpPPrK.exe
  2⤵
  PID:8540
- C:\Windows\System\qAEHxFo.exe
  C:\Windows\System\qAEHxFo.exe
  2⤵
  PID:8560
- C:\Windows\System\RBgwWVU.exe
  C:\Windows\System\RBgwWVU.exe
  2⤵
  PID:8592
- C:\Windows\System\LhePPxa.exe
  C:\Windows\System\LhePPxa.exe
  2⤵
  PID:8628
- C:\Windows\System\dsFYUxH.exe
  C:\Windows\System\dsFYUxH.exe
  2⤵
  PID:8664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AqsBojA.exe

Filesize
1.8MB

MD5
68ff1f2f4965f6237979344b998ad8ee

SHA1
7bfd83ea99ca4c7979a0344c5a751e088577dd4c

SHA256
f4fd619e09abc22141a1588d02d4f168cb2fed06ee87006fd41ea0dc48d2b1d5

SHA512
a8f1b6d2c40657844070581ebb1df093f191b7aefd93b78e1e69705dc5b7fc87c689d31e8fdb7877ce377cbe926302fa7928aab2bbd996412088acc79eb80a48

Download Submit
C:\Windows\System\BkdOpKR.exe

Filesize
1.8MB

MD5
3127b6ddcf58cd8bdf0a46f7ff372b90

SHA1
2f4628edbb38b8bb7bea781f3a15f14c81787626

SHA256
b00e31ccf8cd65bc03d012a58bf8d13d70cff0923163c74431f991208e97ef67

SHA512
05cd1212c247f458867c7644a34168d44a4c62e0d27b597a8c76f18646944c187f47eaae1400eb87bfb34d5134508823ac5d00b93953f409347f343e6cf1fcd9

Download Submit
C:\Windows\System\CrKZXkC.exe

Filesize
1.8MB

MD5
86247d7845c8610cd77f356ace371ca5

SHA1
16a7a14a877bb1394c9c7b56fd6f36bbd8f78ce0

SHA256
cd159aa3c1312c501158e2b699491c44c524455833094c35220c1a08734d77a3

SHA512
4bb89e38b0552a7e5d46cd4949a51c9bd289a4b50ba41faedfed53016c8ae8dc6bc6d4c34f5885a4cc1eb79d6d5dd1c4d40e02045372599c404f07a22ad04e8d

Download Submit
C:\Windows\System\IHzlTIb.exe

Filesize
1.8MB

MD5
78c04164db190ac3e7538f784efd1855

SHA1
51164acab69d01d3b5c79d8d0ed3ca648bb96b12

SHA256
3a8f84ba2c00ae4137160b6a1984dfb265861a5550f9c2eee0a8cb8c28b7ed43

SHA512
095e9267733f18fdfd98d23a4990befff4641562fc311baad737eaf75ff833c58e6afc5ae8c2e89fd56c1f2e251ce3176d4a5fd827969de7e897042bea845d4b

Download Submit
C:\Windows\System\KcJxZQx.exe

Filesize
1.8MB

MD5
bfdea7ab73494e9f78218e453b92df83

SHA1
096c0e0f7c89a9f6f86080cc22e672cf399e7c45

SHA256
04d295c7a72d1df315ead8f9d032d782bb5226f52de9dd083a18c0630c12f008

SHA512
bf2b13b9ab3584ff197061b05ec4bbaf0c3fc0b990c7094ae2e505c98cbaecf6d6917bfb8bbc6bad099020e8db070f7c87f64d6c1272cd50148137b290d6008a

Download Submit
C:\Windows\System\KcMyZIj.exe

Filesize
1.8MB

MD5
866b39e1b542b71f16ba47733fe44e01

SHA1
4d3bddb736294b7c515d8247fe3acd77c901ac96

SHA256
bb40e93d3c0ed9f9b36a72d5d3fa63148b45ae9cd4b36e830c123174c38818e1

SHA512
346f0eff35a01422cc6893c42a289acdaac383d41303fe611ca827ffccab457201df39d1b43d33ace151257436c4d7a3d7e0ec8938073f8913fd154ad6c3d332

Download Submit
C:\Windows\System\MRDTLDp.exe

Filesize
1.8MB

MD5
35f07db5fa8f5e94249ec2121f0e51ee

SHA1
85e57c586bf3a6a58ac9e60a6043305134fe9d03

SHA256
efbcb2e063a4b296cf56b0c384595443091cec1ed7b0757fb1a5b70af0f0a464

SHA512
01b2ca8db3474316a2bab1aa8dffa9f05653fad8fecd22ec7397aa882adaa6380bcd9bc3ebaf4b54ddc7e0d7f9bd7d6b64c9091ae98b54038bc0eada0044211f

Download Submit
C:\Windows\System\NAuHUFO.exe

Filesize
1.8MB

MD5
03045b796dd0020e9e5d8659994e7f4d

SHA1
1154510dd1376fd357d83f4e043ae4a8f8fabde2

SHA256
bb03e118173823f008ce023ee7a835e3d14b394f2502868b11684097e6a89a37

SHA512
e16e88f1f2500ce65f264489f5dffc7185c130aad8a3077959b77806b90e6fe77511ec4c67926cb2b099eae5ea8698e7b7427b58fa2f126449b059ad00304a32

Download Submit
C:\Windows\System\OBqkRpJ.exe

Filesize
1.8MB

MD5
4638ec5fcd6db588a9b66badc8f233e7

SHA1
af0106d528045e269cefd702bac891c9ab8890d8

SHA256
fcea38ce4e2465d527d071a8177718cbfc314ea225c8476cdfe404da8adae9ba

SHA512
f86cc6bc1cce8b1dc9dcb33266afee5957bb0eb89570c7b3804fabec8d82c3b885e71d843500ec8075ecf656bfa21c78363d324f4179db168d6e5bd3f9018bf6

Download Submit
C:\Windows\System\OOKEklY.exe

Filesize
1.8MB

MD5
c51a78b4107b809e5ab8f11f1bcd0aa7

SHA1
c2da29a0f36b328267903828be638f77fb424602

SHA256
eedd31c2f2d497d4e3f92671eb9635528fb04d2f9caf3050a29f320d33e9caac

SHA512
3cf8a2c40063818d5cd4bbd2a6768f9e545363a9c7b02b467a5620b97a80538637f1964e96061f0543beaa81d70895a4f69cb540e143b04668fec4a396a6e468

Download Submit
C:\Windows\System\OdBWfhG.exe

Filesize
1.8MB

MD5
598301fda66cc6d28fbbcf6f7cd13724

SHA1
12fda2c2e7f9529596d4925078769bc7dfe6ace5

SHA256
b7e2aa85a852bef22d0bddb1df72b47bd8b639c7e845537227af11ef23a06ecb

SHA512
df787e5ea928dfb9cd3919929f544dbbb5d59342403478550623ed363af44b5e75495a8c5afc722091be7c93aec4163fe8fc1db1274b7911a7996ead158f5992

Download Submit
C:\Windows\System\RUrkZQQ.exe

Filesize
1.8MB

MD5
38ce4f5f1198d7dee74bd67363c3cec5

SHA1
2a1d9b38a14d613ea5c172e73312f0f25b51f53f

SHA256
88153e7ca6018da4d65f84714c56efb62581325c744291af2c694810418e9e00

SHA512
fda631e35e320ea1a27eead4a6fc999eae0dcff53e4d5b656b414e74e4df833963550e54e94a248089901b54379822dc4ae6f828fb16e8aae4518a0a3f7029ee

Download Submit
C:\Windows\System\UMNbaNl.exe

Filesize
1.8MB

MD5
d846a4fe55cece02a88ceb52dbb35222

SHA1
94271a2b281649f62572d9b492025a81ec029060

SHA256
8048e4f7bd84f1eae43a01bb8132da50d280e993f19b4b8c01e91dc010c7b271

SHA512
7b44f48e33e0e2b631333b1588830754c5b8e23ef4bf5b4231fdf5509e6810a6c2c559d89a13d52a9843986047ae0aba300542bb3c35f5678a062dee81ab99dc

Download Submit
C:\Windows\System\VBYdXXV.exe

Filesize
1.8MB

MD5
a578252619fad2a9da0f414b1c5e1463

SHA1
376413fca2257e208f8ad17310a2f8a799fb442a

SHA256
6d1746c68c0b70fde77ff62017c11bb2d309d69ffd77599424761392fc0738de

SHA512
5d77967d9002b10fddad012d469cb1839e761d1e1679fe437863176bb1b3eb08370f15a6a0eed9bb1e0a6deaa3b6fa13d9a3597f3c79eaf0bd5f0f8ec8fa1415

Download Submit
C:\Windows\System\VUbezag.exe

Filesize
1.8MB

MD5
eac349eba4087b87ce1d3886d90733d9

SHA1
e697c58936530fc7d79744e9bbfdc7fc6ba7216e

SHA256
783cb33ee9695c4618dbfda0f02b5b6b814a809887d41ce8c42eb73fe42d111e

SHA512
32ae5218a0715665ec3e2e0175cb10884714e0193d29acbda01d1eede2c03c7f536bf8480cb00d95e808e757f9d59a22248e91c0e5301cc354056142f2015917

Download Submit
C:\Windows\System\WEmGsgb.exe

Filesize
1.8MB

MD5
aec39eaed987f65ae2e82f873e5fbf72

SHA1
0ff65b665eaafdd81e4eca74d88b289454ad0c72

SHA256
592d8f8e6b085556f8a374390927f2cd42840ecd0ea02628fae5796966824344

SHA512
424d4af4c7f65d38835815a8afb8e1a7b599c09ff4d05211cf627b714a617427ea93eb5a2cd4300135a28d92e4380039d35c9467ac4bb04e66db9cd9c3fb17c7

Download Submit
C:\Windows\System\WMIYLrA.exe

Filesize
1.8MB

MD5
6fb480b9dbd49c4d6542e3a1ac34a621

SHA1
8ddf5adf227a3344bd7c87af0e1e62d260f39472

SHA256
58b7f3bad6b30e0c3ec7183e612b51f855a799bb79efc761a65cad20bd41f1fa

SHA512
7e755ecdf070f1f67013ffc1170808497d9deb9a8a781abd0ee2328995bb7a43d1f6c25371ba5cc26d5b7757f2b6c3a3c65f3fe1b82162fa309f86603f6b4db6

Download Submit
C:\Windows\System\bJxLqbw.exe

Filesize
1.8MB

MD5
e648a493f3f88577df9aa3daa5b4d4ad

SHA1
5fff466267b0ce6c59dc79d0197f11056cb434a6

SHA256
9938484ddbb8be9fd4ea98a66b25f3c8bf9959aa6dcac7678e87ca363d51a567

SHA512
b4ab05d7ee0b79e2217c4cc4a94aa0c1ed743154d74b1e16b3c937d4e96bf6e52503b0ab4abff1f5e3533a335fbf6606a833e727a88131aa3664a06f1eeb9d63

Download Submit
C:\Windows\System\cmOkIuq.exe

Filesize
1.8MB

MD5
a43b56d4b46f06bd8442d0d29b1145fe

SHA1
81074990149c21744f9c01c369f6e516c4974094

SHA256
49e4ee5abce1966d8488747598d8765f8cde27667fd611fce07f3c0dd9cff14a

SHA512
98c34bf2222dd4553275ad56d49c5864bbb8a7847b2e40e69248362035a810834248bde3d591888a4e49e338ac9f980b2afa452518adca3055dfaff96d2bcc66

Download Submit
C:\Windows\System\eACnNkD.exe

Filesize
1.8MB

MD5
a1b1f47ba19c5e74acec68f40f59020b

SHA1
1b214db1e33a7a0b53b0ae6a80a28783a142ea88

SHA256
80bccc916f5a241a796f946930646281f7201a7eefd423f13502801d4a2cf4f4

SHA512
f414b163e153db0b1f1721fbc134194204b5b3c0b0c24ce3b0e7dd801d850064d7020d5c7c82dc5d7beda4d78dbb75bd93c4df1f3bf29d0eeb4eb79e1b8ca158

Download Submit
C:\Windows\System\hMEJdLq.exe

Filesize
1.8MB

MD5
06e6723815f1e6dfa90263ab564337d3

SHA1
081ea6485e04c962e88731864c8de551b99d0992

SHA256
2a8b81593254f3ad58137fc0d90bb006b1ab3881e4c84675abe0d80695e42779

SHA512
70ca8f5d143f33f16e5e8d357da447471b393383bcae52d77534390860af35df4dba035986518343187e89897103b062ca35782e7d06da03031ac94cd1b27ef2

Download Submit
C:\Windows\System\hnTcbLy.exe

Filesize
1.8MB

MD5
c6215a62d3b04a996f22b2bfeca5884d

SHA1
5206b6b43b8e39c87345981314b3f39d803f31ea

SHA256
09feb584b45a0f4c076dfc508dce96d659ae636e874bb4ca143468e6b3b0ddb0

SHA512
c62bc8d59139a1b7eace37c0cffe07b08dc099e6d39773653cfd31c88c6c02ae936922c333d084a2ddfa84d64cd63e4b87a94355a1479283159f59000b30b375

Download Submit
C:\Windows\System\liVyart.exe

Filesize
1.8MB

MD5
16d4caf24d55905fa52d90e50800a8e8

SHA1
1e657f3d3c8edc662dab0879590f2941b3d1a1e8

SHA256
0499f8f058e32739c77fc86c19b277c107626101d171abf4607b331330645487

SHA512
250d17773bae1824d05f9164de1801f23d382055e29a3c160ea950bd6684589a22e8436a317ffb790bc6b5be783e9ea397e54cc07660f00e05c32b0dba2b4a61

Download Submit
C:\Windows\System\novsqAt.exe

Filesize
1.8MB

MD5
7008e857e80a7761f6c169236d950c80

SHA1
e5b65bb5d26ed82b1774c4940a9a9e9f4c72ebb1

SHA256
fb30f73cc5774c3e01557396204c83a4602cdf63cf876649e55d8c49e2960195

SHA512
ecf610ac95b003b77f424eadbed3a8a4b4e6ca87dded7b8244e21f623d76b0387b0ea8158a730148154866265d5e359ef1e5fe54ec24d1b84028cb01f8180791

Download Submit
C:\Windows\System\qFxmnBF.exe

Filesize
1.8MB

MD5
9129e1cc1432d99eb93a7d489315ecbe

SHA1
d8639e64f6a6bba80b0507ca0d1ec0e01c5e3dcd

SHA256
cf48d82900eb76651ec2bd793a79e976306b17827dccc80072ed8e36b720712c

SHA512
3b7e36c90f15b7f9e3332a4a191b1288947fea37e5d69c3beb277a292aa97fdedef0f510b63882130ef7bbcd0284ec20d4b008719c98a64527b3cba703a70315

Download Submit
C:\Windows\System\rmCdgdd.exe

Filesize
1.8MB

MD5
ba28d1ce258fd929bd3aa593d0323b9c

SHA1
d5e20b55dcb122617dfb722694749302e0eba9dc

SHA256
3d626be876cfa5388a375fb2e6503f6483d22f0356b69d622dbf4164ae93ef8a

SHA512
e63a402a95892dea56457f0d45b8d77d13be4a79a110639e8f3e5181051cb9f94a79ba3ce55dca252c0d13126f1f61cdfa31f2b5b2a1628440a52a45fb403393

Download Submit
C:\Windows\System\ssAuBtp.exe

Filesize
1.8MB

MD5
38960874c5c71a9bb89154b716095d89

SHA1
eddf8537a1774bf4641453c4f9624a7ca346dded

SHA256
5cf14820f036723c590c134cf866893f16422a8e5d89f0fb7f060fbcf94747fe

SHA512
78b6dab172f1ebaa41f355d4d03f9d3ecfc23556a5fbeb70f10eb9cb0856b95ccf72943b237c97e6e2d58dd8fd208d36f053e128a485983a070f907b84c33c3b

Download Submit
C:\Windows\System\uOjbDBY.exe

Filesize
1.8MB

MD5
69f4856be76681fa86c3592d69877d5c

SHA1
14e22a5ea3125dc06e157a5334ba6f97489a6999

SHA256
3d1f56f764a4166be34bed3681e494cba4cfa2a37f4f394fab9601334f8cb127

SHA512
5783af7c6806e55d31a42e67f9f8d874c56a5e6929aefbf11e5b52487e5607e8bd9f18ee5497d98aa9b3249b0609fde6504d468b64636c11fab0f64fafc556d5

Download Submit
C:\Windows\System\uRHqodI.exe

Filesize
1.8MB

MD5
4a757854c63041ffcf32306f8ae27a75

SHA1
1d03516ded508f34322467e55c4aae18afe22e32

SHA256
9c93e67bc8c5c6e13f873bb7dea048cf22c98a3d47783cd16cb9f37a95303906

SHA512
f29561f316fa44c50cd196a3f29f035a1ba6db7f670baa57e4aa319643eb19423a75d67dbde20248bf1bd7a9ffc1be609e36079c28eacbe2eb6eb70f4586108a

Download Submit
C:\Windows\System\vnUXhYL.exe

Filesize
1.8MB

MD5
5179a9630ecdc21ba43941ca2d06f8a1

SHA1
86cac9e1e6c4f45747abeccfc24d7a42b3c448b5

SHA256
c0d1b19af57533311e014a21e3ef87398ae2b89783d42466bf435b5e0e6487b3

SHA512
13d29a52e20c39e0e115e716227f730a45880797f19deab53ec196967106bf5b524bede28fe732fbb86ea8deede3e8057871b192ecb8b3a62088438e1e9a0517

Download Submit
C:\Windows\System\wYXFkUU.exe

Filesize
1.8MB

MD5
cb91d629ce3266157c84119fcd6b7f4d

SHA1
49ae2b09cea72c25049e2ea782f115adc6ca18d4

SHA256
cfe305d0c029480423e2217d9115aaebcae313b5a0460b2bd9f02a04e658e7fc

SHA512
06082371ae5acff009aa4def58283afa124c9ee1504e3848d049d9cdb527561ae9564b6de780fbb12b5fb5c29ae5dcdc213d6c72b0388a63a9766f76453c46a7

Download Submit
C:\Windows\System\zoBVHOv.exe

Filesize
1.8MB

MD5
1846d07dc3b144e9c546251f6e234202

SHA1
cb91200a17d59be6b65320d8c2a8c7e4f5de03cc

SHA256
45a002fb3a9284a33fa903926a65fa73bdafac25df1c93001aa9cc7d2a542d5f

SHA512
a83ff4285812ece6b5468eda14464a7f89eed3ff0ef0daa9c38aee263bf29fddd997fbf03dc594c21d0e023ddd3179cfa69f0f4115fd9c9d2aa8e93f4e67b42b

Download Submit
memory/4384-0-0x0000000001EB0000-0x0000000001EC0000-memory.dmp

Filesize
64KB

Download