xmrig | 723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38

Analysis

max time kernel
101s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
Size

1.5MB
MD5

2dcd095dcc942b2b996be80d4456bba0
SHA1

6424a255acf16a89906cbd96d922bfc4d57aa6f3
SHA256

723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38
SHA512

c1d2b725756e8149f4280266049c58f1e325690818c57843a66e31ffae821c41406439f08801a5cc392d75e4ab9ab7a60129af1cd67c5cc7bff00aa7b74c5472
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIO6zRIhRmuSOzuZKzfEro:knw9oUUEEDlGUh+hNzbX

Score

10^/10

xmrig miner upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/320-401-0x00007FF66A8A0000-0x00007FF66AC91000-memory.dmp	xmrig
behavioral2/memory/3476-402-0x00007FF6FFB20000-0x00007FF6FFF11000-memory.dmp	xmrig
behavioral2/memory/1688-403-0x00007FF7B4B50000-0x00007FF7B4F41000-memory.dmp	xmrig
behavioral2/memory/2016-404-0x00007FF65B390000-0x00007FF65B781000-memory.dmp	xmrig
behavioral2/memory/4324-406-0x00007FF6CF150000-0x00007FF6CF541000-memory.dmp	xmrig
behavioral2/memory/3736-405-0x00007FF64A390000-0x00007FF64A781000-memory.dmp	xmrig
behavioral2/memory/4196-418-0x00007FF7B9E30000-0x00007FF7BA221000-memory.dmp	xmrig
behavioral2/memory/4132-423-0x00007FF6F4330000-0x00007FF6F4721000-memory.dmp	xmrig
behavioral2/memory/1064-409-0x00007FF733AD0000-0x00007FF733EC1000-memory.dmp	xmrig
behavioral2/memory/3324-433-0x00007FF61F660000-0x00007FF61FA51000-memory.dmp	xmrig
behavioral2/memory/1832-452-0x00007FF6FF630000-0x00007FF6FFA21000-memory.dmp	xmrig
behavioral2/memory/4044-466-0x00007FF62B450000-0x00007FF62B841000-memory.dmp	xmrig
behavioral2/memory/3224-479-0x00007FF728220000-0x00007FF728611000-memory.dmp	xmrig
behavioral2/memory/4656-486-0x00007FF67C8F0000-0x00007FF67CCE1000-memory.dmp	xmrig
behavioral2/memory/3452-490-0x00007FF712F80000-0x00007FF713371000-memory.dmp	xmrig
behavioral2/memory/4060-502-0x00007FF6AC000000-0x00007FF6AC3F1000-memory.dmp	xmrig
behavioral2/memory/2424-497-0x00007FF70EDB0000-0x00007FF70F1A1000-memory.dmp	xmrig
behavioral2/memory/1376-473-0x00007FF7AE790000-0x00007FF7AEB81000-memory.dmp	xmrig
behavioral2/memory/2256-468-0x00007FF633DA0000-0x00007FF634191000-memory.dmp	xmrig
behavioral2/memory/4152-457-0x00007FF613760000-0x00007FF613B51000-memory.dmp	xmrig
behavioral2/memory/432-439-0x00007FF6DC460000-0x00007FF6DC851000-memory.dmp	xmrig
behavioral2/memory/5040-1204-0x00007FF7BCA50000-0x00007FF7BCE41000-memory.dmp	xmrig
behavioral2/memory/3744-1311-0x00007FF7862D0000-0x00007FF7866C1000-memory.dmp	xmrig
behavioral2/memory/1460-1404-0x00007FF7E7B00000-0x00007FF7E7EF1000-memory.dmp	xmrig
behavioral2/memory/3668-1413-0x00007FF7963A0000-0x00007FF796791000-memory.dmp	xmrig
behavioral2/memory/3744-2124-0x00007FF7862D0000-0x00007FF7866C1000-memory.dmp	xmrig
behavioral2/memory/1460-2126-0x00007FF7E7B00000-0x00007FF7E7EF1000-memory.dmp	xmrig
behavioral2/memory/320-2130-0x00007FF66A8A0000-0x00007FF66AC91000-memory.dmp	xmrig
behavioral2/memory/4060-2132-0x00007FF6AC000000-0x00007FF6AC3F1000-memory.dmp	xmrig
behavioral2/memory/3476-2134-0x00007FF6FFB20000-0x00007FF6FFF11000-memory.dmp	xmrig
behavioral2/memory/2016-2137-0x00007FF65B390000-0x00007FF65B781000-memory.dmp	xmrig
behavioral2/memory/1064-2153-0x00007FF733AD0000-0x00007FF733EC1000-memory.dmp	xmrig
behavioral2/memory/1832-2178-0x00007FF6FF630000-0x00007FF6FFA21000-memory.dmp	xmrig
behavioral2/memory/4132-2179-0x00007FF6F4330000-0x00007FF6F4721000-memory.dmp	xmrig
behavioral2/memory/432-2176-0x00007FF6DC460000-0x00007FF6DC851000-memory.dmp	xmrig
behavioral2/memory/3324-2174-0x00007FF61F660000-0x00007FF61FA51000-memory.dmp	xmrig
behavioral2/memory/4196-2151-0x00007FF7B9E30000-0x00007FF7BA221000-memory.dmp	xmrig
behavioral2/memory/3736-2149-0x00007FF64A390000-0x00007FF64A781000-memory.dmp	xmrig
behavioral2/memory/3668-2128-0x00007FF7963A0000-0x00007FF796791000-memory.dmp	xmrig
behavioral2/memory/3452-2228-0x00007FF712F80000-0x00007FF713371000-memory.dmp	xmrig
behavioral2/memory/4656-2230-0x00007FF67C8F0000-0x00007FF67CCE1000-memory.dmp	xmrig
behavioral2/memory/3224-2214-0x00007FF728220000-0x00007FF728611000-memory.dmp	xmrig
behavioral2/memory/1376-2185-0x00007FF7AE790000-0x00007FF7AEB81000-memory.dmp	xmrig
behavioral2/memory/4152-2183-0x00007FF613760000-0x00007FF613B51000-memory.dmp	xmrig
behavioral2/memory/4044-2182-0x00007FF62B450000-0x00007FF62B841000-memory.dmp	xmrig
behavioral2/memory/2256-2187-0x00007FF633DA0000-0x00007FF634191000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

Processes:

FamLKYF.exeqxgNUGt.exeoGMQYdk.exeSPDGKUk.exezxTsLRW.exeuJACtis.exeyVOyioj.exerTbQwcw.exeDPagqZz.exeVZjNocA.exelJehvqt.exeQytYrSM.exeNFYPQjH.exeMINoSEO.exetucarJg.exeZOJZmFF.exeLayGdnT.exexyZxAdr.exeekSPBdX.exeeYnrnIN.exeFjLkcsB.exeFCmATgy.exesAVmWBb.exegFCFmgu.exeZXRGObo.exeINDHFmX.exeYCVvIsM.exekEXxCNq.exeaKQLYpi.exeullhebH.exeDFbGDyF.exeHEamoXd.exeFiEuObP.exetwgBaNT.exeplQpHYi.exeanQJSUG.exeEBDnYht.exeIlcaenw.exeBCTHfiG.exenBWVOCH.exesRIgoFm.exexaDLpNK.exeLmYSZsp.exepobTsPM.exeLqHYXlA.exelJCkCFH.exemyzWCje.exeuLjQfrj.exeiyDlhdS.exeDAmrCqM.exeDWcmYKZ.exeagAcAnd.exehIxolxl.exeCcgEfoG.exeAZbskyG.exeCxixfMU.exeaWmFfEF.exeIDtWyMp.exeqcJkqyr.exeAIIvWwo.exeLhMGrYm.exeoVjqsjE.exePBZalxo.exeICSaXqH.exe

pid	process
3744	FamLKYF.exe
1460	qxgNUGt.exe
3668	oGMQYdk.exe
4060	SPDGKUk.exe
320	zxTsLRW.exe
3476	uJACtis.exe
1688	yVOyioj.exe
2016	rTbQwcw.exe
3736	DPagqZz.exe
4324	VZjNocA.exe
1064	lJehvqt.exe
4196	QytYrSM.exe
4132	NFYPQjH.exe
3324	MINoSEO.exe
432	tucarJg.exe
1832	ZOJZmFF.exe
4152	LayGdnT.exe
4044	xyZxAdr.exe
2256	ekSPBdX.exe
1376	eYnrnIN.exe
3224	FjLkcsB.exe
4656	FCmATgy.exe
3452	sAVmWBb.exe
2424	gFCFmgu.exe
1464	ZXRGObo.exe
2700	INDHFmX.exe
2496	YCVvIsM.exe
2968	kEXxCNq.exe
4128	aKQLYpi.exe
3448	ullhebH.exe
2944	DFbGDyF.exe
4272	HEamoXd.exe
4868	FiEuObP.exe
1836	twgBaNT.exe
2308	plQpHYi.exe
3524	anQJSUG.exe
2452	EBDnYht.exe
2064	Ilcaenw.exe
2852	BCTHfiG.exe
5012	nBWVOCH.exe
4896	sRIgoFm.exe
1136	xaDLpNK.exe
2028	LmYSZsp.exe
3408	pobTsPM.exe
1896	LqHYXlA.exe
4032	lJCkCFH.exe
1632	myzWCje.exe
4852	uLjQfrj.exe
1100	iyDlhdS.exe
3696	DAmrCqM.exe
3100	DWcmYKZ.exe
1356	agAcAnd.exe
4040	hIxolxl.exe
1576	CcgEfoG.exe
4400	AZbskyG.exe
1280	CxixfMU.exe
1748	aWmFfEF.exe
3264	IDtWyMp.exe
4640	qcJkqyr.exe
4652	AIIvWwo.exe
3472	LhMGrYm.exe
2740	oVjqsjE.exe
4228	PBZalxo.exe
4784	ICSaXqH.exe

Drops file in System32 directory 64 IoCs

Processes:

723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe

description	ioc	process
File created	C:\Windows\System32\lMQsgLH.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\VxHMhQp.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\mxyZiGg.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\SyHoTJb.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\RuHOvCv.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\iUbxTCX.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\fpECgxQ.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\AGDayMr.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\WfAJABc.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\KQaONfD.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\EstTXBl.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\vYYXFTT.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\AhROCOA.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\EpGHLGr.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\yFifTNi.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\wKHVYPh.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\KsIXChY.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\GvoLiit.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\PaoXhPl.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\GxFSrqO.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\eDMOHsg.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\UlgQFBj.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\dIZdgwL.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\yQwNUXi.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\lJCkCFH.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\zFVQVJI.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\PUarLlK.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\oQvuASu.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\GZHQMkv.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\PMkwtoa.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\oGMQYdk.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\ekSPBdX.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\sqVRuVk.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\PojbsPG.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\pOHrYES.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\QIUommu.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\kNZnfur.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\TEqUBYR.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\PiyqAiq.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\tWpBLGX.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\BESskGd.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\QgajlhQ.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\HwJpZQo.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\Thfarfo.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\BgqmSVg.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\oBKqNlA.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\auEraSV.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\MRiRInd.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\tTHdrFT.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\ApbdVHS.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\cWefJhe.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\gaKAsBJ.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\RCIoWYW.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\TGfpmuV.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\gFCFmgu.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\RDqdzzY.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\pjihXWd.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\QgOzyuT.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\PkPScvF.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\zxTsLRW.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\iVDrPox.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\wQjwnjh.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\PqWKheR.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
File created	C:\Windows\System32\PVFVPes.exe	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5040-0-0x00007FF7BCA50000-0x00007FF7BCE41000-memory.dmp	upx
C:\Windows\System32\FamLKYF.exe	upx
C:\Windows\System32\oGMQYdk.exe	upx
C:\Windows\System32\qxgNUGt.exe	upx
C:\Windows\System32\SPDGKUk.exe	upx
C:\Windows\System32\rTbQwcw.exe	upx
C:\Windows\System32\DPagqZz.exe	upx
C:\Windows\System32\VZjNocA.exe	upx
C:\Windows\System32\QytYrSM.exe	upx
C:\Windows\System32\MINoSEO.exe	upx
C:\Windows\System32\ZOJZmFF.exe	upx
C:\Windows\System32\FjLkcsB.exe	upx
C:\Windows\System32\ZXRGObo.exe	upx
C:\Windows\System32\YCVvIsM.exe	upx
C:\Windows\System32\ullhebH.exe	upx
C:\Windows\System32\HEamoXd.exe	upx
C:\Windows\System32\DFbGDyF.exe	upx
C:\Windows\System32\aKQLYpi.exe	upx
C:\Windows\System32\kEXxCNq.exe	upx
C:\Windows\System32\INDHFmX.exe	upx
C:\Windows\System32\gFCFmgu.exe	upx
C:\Windows\System32\sAVmWBb.exe	upx
C:\Windows\System32\FCmATgy.exe	upx
C:\Windows\System32\eYnrnIN.exe	upx
C:\Windows\System32\ekSPBdX.exe	upx
C:\Windows\System32\xyZxAdr.exe	upx
C:\Windows\System32\LayGdnT.exe	upx
C:\Windows\System32\tucarJg.exe	upx
C:\Windows\System32\NFYPQjH.exe	upx
C:\Windows\System32\lJehvqt.exe	upx
C:\Windows\System32\yVOyioj.exe	upx
C:\Windows\System32\uJACtis.exe	upx
C:\Windows\System32\zxTsLRW.exe	upx
behavioral2/memory/1460-15-0x00007FF7E7B00000-0x00007FF7E7EF1000-memory.dmp	upx
behavioral2/memory/3744-9-0x00007FF7862D0000-0x00007FF7866C1000-memory.dmp	upx
behavioral2/memory/3668-400-0x00007FF7963A0000-0x00007FF796791000-memory.dmp	upx
behavioral2/memory/320-401-0x00007FF66A8A0000-0x00007FF66AC91000-memory.dmp	upx
behavioral2/memory/3476-402-0x00007FF6FFB20000-0x00007FF6FFF11000-memory.dmp	upx
behavioral2/memory/1688-403-0x00007FF7B4B50000-0x00007FF7B4F41000-memory.dmp	upx
behavioral2/memory/2016-404-0x00007FF65B390000-0x00007FF65B781000-memory.dmp	upx
behavioral2/memory/4324-406-0x00007FF6CF150000-0x00007FF6CF541000-memory.dmp	upx
behavioral2/memory/3736-405-0x00007FF64A390000-0x00007FF64A781000-memory.dmp	upx
behavioral2/memory/4196-418-0x00007FF7B9E30000-0x00007FF7BA221000-memory.dmp	upx
behavioral2/memory/4132-423-0x00007FF6F4330000-0x00007FF6F4721000-memory.dmp	upx
behavioral2/memory/1064-409-0x00007FF733AD0000-0x00007FF733EC1000-memory.dmp	upx
behavioral2/memory/3324-433-0x00007FF61F660000-0x00007FF61FA51000-memory.dmp	upx
behavioral2/memory/1832-452-0x00007FF6FF630000-0x00007FF6FFA21000-memory.dmp	upx
behavioral2/memory/4044-466-0x00007FF62B450000-0x00007FF62B841000-memory.dmp	upx
behavioral2/memory/3224-479-0x00007FF728220000-0x00007FF728611000-memory.dmp	upx
behavioral2/memory/4656-486-0x00007FF67C8F0000-0x00007FF67CCE1000-memory.dmp	upx
behavioral2/memory/3452-490-0x00007FF712F80000-0x00007FF713371000-memory.dmp	upx
behavioral2/memory/4060-502-0x00007FF6AC000000-0x00007FF6AC3F1000-memory.dmp	upx
behavioral2/memory/2424-497-0x00007FF70EDB0000-0x00007FF70F1A1000-memory.dmp	upx
behavioral2/memory/1376-473-0x00007FF7AE790000-0x00007FF7AEB81000-memory.dmp	upx
behavioral2/memory/2256-468-0x00007FF633DA0000-0x00007FF634191000-memory.dmp	upx
behavioral2/memory/4152-457-0x00007FF613760000-0x00007FF613B51000-memory.dmp	upx
behavioral2/memory/432-439-0x00007FF6DC460000-0x00007FF6DC851000-memory.dmp	upx
behavioral2/memory/5040-1204-0x00007FF7BCA50000-0x00007FF7BCE41000-memory.dmp	upx
behavioral2/memory/3744-1311-0x00007FF7862D0000-0x00007FF7866C1000-memory.dmp	upx
behavioral2/memory/1460-1404-0x00007FF7E7B00000-0x00007FF7E7EF1000-memory.dmp	upx
behavioral2/memory/3668-1413-0x00007FF7963A0000-0x00007FF796791000-memory.dmp	upx
behavioral2/memory/3744-2124-0x00007FF7862D0000-0x00007FF7866C1000-memory.dmp	upx
behavioral2/memory/1460-2126-0x00007FF7E7B00000-0x00007FF7E7EF1000-memory.dmp	upx
behavioral2/memory/320-2130-0x00007FF66A8A0000-0x00007FF66AC91000-memory.dmp	upx

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

dwm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

dwm.exe

description	pid	process
Token: SeCreateGlobalPrivilege	13728	dwm.exe
Token: SeChangeNotifyPrivilege	13728	dwm.exe
Token: 33	13728	dwm.exe
Token: SeIncBasePriorityPrivilege	13728	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe

description	pid	process	target process
PID 5040 wrote to memory of 3744	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	FamLKYF.exe
PID 5040 wrote to memory of 3744	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	FamLKYF.exe
PID 5040 wrote to memory of 1460	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	qxgNUGt.exe
PID 5040 wrote to memory of 1460	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	qxgNUGt.exe
PID 5040 wrote to memory of 3668	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	oGMQYdk.exe
PID 5040 wrote to memory of 3668	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	oGMQYdk.exe
PID 5040 wrote to memory of 4060	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	SPDGKUk.exe
PID 5040 wrote to memory of 4060	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	SPDGKUk.exe
PID 5040 wrote to memory of 320	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	zxTsLRW.exe
PID 5040 wrote to memory of 320	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	zxTsLRW.exe
PID 5040 wrote to memory of 3476	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	uJACtis.exe
PID 5040 wrote to memory of 3476	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	uJACtis.exe
PID 5040 wrote to memory of 1688	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	yVOyioj.exe
PID 5040 wrote to memory of 1688	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	yVOyioj.exe
PID 5040 wrote to memory of 2016	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	rTbQwcw.exe
PID 5040 wrote to memory of 2016	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	rTbQwcw.exe
PID 5040 wrote to memory of 3736	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	DPagqZz.exe
PID 5040 wrote to memory of 3736	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	DPagqZz.exe
PID 5040 wrote to memory of 4324	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	VZjNocA.exe
PID 5040 wrote to memory of 4324	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	VZjNocA.exe
PID 5040 wrote to memory of 1064	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	lJehvqt.exe
PID 5040 wrote to memory of 1064	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	lJehvqt.exe
PID 5040 wrote to memory of 4196	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	QytYrSM.exe
PID 5040 wrote to memory of 4196	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	QytYrSM.exe
PID 5040 wrote to memory of 4132	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	NFYPQjH.exe
PID 5040 wrote to memory of 4132	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	NFYPQjH.exe
PID 5040 wrote to memory of 3324	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	MINoSEO.exe
PID 5040 wrote to memory of 3324	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	MINoSEO.exe
PID 5040 wrote to memory of 432	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	tucarJg.exe
PID 5040 wrote to memory of 432	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	tucarJg.exe
PID 5040 wrote to memory of 1832	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	ZOJZmFF.exe
PID 5040 wrote to memory of 1832	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	ZOJZmFF.exe
PID 5040 wrote to memory of 4152	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	LayGdnT.exe
PID 5040 wrote to memory of 4152	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	LayGdnT.exe
PID 5040 wrote to memory of 4044	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	xyZxAdr.exe
PID 5040 wrote to memory of 4044	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	xyZxAdr.exe
PID 5040 wrote to memory of 2256	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	ekSPBdX.exe
PID 5040 wrote to memory of 2256	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	ekSPBdX.exe
PID 5040 wrote to memory of 1376	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	eYnrnIN.exe
PID 5040 wrote to memory of 1376	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	eYnrnIN.exe
PID 5040 wrote to memory of 3224	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	FjLkcsB.exe
PID 5040 wrote to memory of 3224	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	FjLkcsB.exe
PID 5040 wrote to memory of 4656	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	FCmATgy.exe
PID 5040 wrote to memory of 4656	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	FCmATgy.exe
PID 5040 wrote to memory of 3452	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	sAVmWBb.exe
PID 5040 wrote to memory of 3452	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	sAVmWBb.exe
PID 5040 wrote to memory of 2424	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	gFCFmgu.exe
PID 5040 wrote to memory of 2424	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	gFCFmgu.exe
PID 5040 wrote to memory of 1464	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	ZXRGObo.exe
PID 5040 wrote to memory of 1464	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	ZXRGObo.exe
PID 5040 wrote to memory of 2700	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	INDHFmX.exe
PID 5040 wrote to memory of 2700	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	INDHFmX.exe
PID 5040 wrote to memory of 2496	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	YCVvIsM.exe
PID 5040 wrote to memory of 2496	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	YCVvIsM.exe
PID 5040 wrote to memory of 2968	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	kEXxCNq.exe
PID 5040 wrote to memory of 2968	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	kEXxCNq.exe
PID 5040 wrote to memory of 4128	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	aKQLYpi.exe
PID 5040 wrote to memory of 4128	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	aKQLYpi.exe
PID 5040 wrote to memory of 3448	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	ullhebH.exe
PID 5040 wrote to memory of 3448	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	ullhebH.exe
PID 5040 wrote to memory of 2944	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	DFbGDyF.exe
PID 5040 wrote to memory of 2944	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	DFbGDyF.exe
PID 5040 wrote to memory of 4272	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	HEamoXd.exe
PID 5040 wrote to memory of 4272	5040	723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe	HEamoXd.exe

C:\Users\Admin\AppData\Local\Temp\723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe
"C:\Users\Admin\AppData\Local\Temp\723c63cde2b5bc58d526e7f3fae2f2d6aaba63d3299fb2d0fbcef3cd91cc1b38N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\System32\FamLKYF.exe
  C:\Windows\System32\FamLKYF.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System32\qxgNUGt.exe
  C:\Windows\System32\qxgNUGt.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System32\oGMQYdk.exe
  C:\Windows\System32\oGMQYdk.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System32\SPDGKUk.exe
  C:\Windows\System32\SPDGKUk.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System32\zxTsLRW.exe
  C:\Windows\System32\zxTsLRW.exe
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\System32\uJACtis.exe
  C:\Windows\System32\uJACtis.exe
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Windows\System32\yVOyioj.exe
  C:\Windows\System32\yVOyioj.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System32\rTbQwcw.exe
  C:\Windows\System32\rTbQwcw.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System32\DPagqZz.exe
  C:\Windows\System32\DPagqZz.exe
  2⤵
  - Executes dropped EXE
  PID:3736
- C:\Windows\System32\VZjNocA.exe
  C:\Windows\System32\VZjNocA.exe
  2⤵
  - Executes dropped EXE
  PID:4324
- C:\Windows\System32\lJehvqt.exe
  C:\Windows\System32\lJehvqt.exe
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Windows\System32\QytYrSM.exe
  C:\Windows\System32\QytYrSM.exe
  2⤵
  - Executes dropped EXE
  PID:4196
- C:\Windows\System32\NFYPQjH.exe
  C:\Windows\System32\NFYPQjH.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System32\MINoSEO.exe
  C:\Windows\System32\MINoSEO.exe
  2⤵
  - Executes dropped EXE
  PID:3324
- C:\Windows\System32\tucarJg.exe
  C:\Windows\System32\tucarJg.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System32\ZOJZmFF.exe
  C:\Windows\System32\ZOJZmFF.exe
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\System32\LayGdnT.exe
  C:\Windows\System32\LayGdnT.exe
  2⤵
  - Executes dropped EXE
  PID:4152
- C:\Windows\System32\xyZxAdr.exe
  C:\Windows\System32\xyZxAdr.exe
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Windows\System32\ekSPBdX.exe
  C:\Windows\System32\ekSPBdX.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System32\eYnrnIN.exe
  C:\Windows\System32\eYnrnIN.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System32\FjLkcsB.exe
  C:\Windows\System32\FjLkcsB.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System32\FCmATgy.exe
  C:\Windows\System32\FCmATgy.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System32\sAVmWBb.exe
  C:\Windows\System32\sAVmWBb.exe
  2⤵
  - Executes dropped EXE
  PID:3452
- C:\Windows\System32\gFCFmgu.exe
  C:\Windows\System32\gFCFmgu.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System32\ZXRGObo.exe
  C:\Windows\System32\ZXRGObo.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System32\INDHFmX.exe
  C:\Windows\System32\INDHFmX.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System32\YCVvIsM.exe
  C:\Windows\System32\YCVvIsM.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\System32\kEXxCNq.exe
  C:\Windows\System32\kEXxCNq.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System32\aKQLYpi.exe
  C:\Windows\System32\aKQLYpi.exe
  2⤵
  - Executes dropped EXE
  PID:4128
- C:\Windows\System32\ullhebH.exe
  C:\Windows\System32\ullhebH.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System32\DFbGDyF.exe
  C:\Windows\System32\DFbGDyF.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System32\HEamoXd.exe
  C:\Windows\System32\HEamoXd.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System32\FiEuObP.exe
  C:\Windows\System32\FiEuObP.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System32\twgBaNT.exe
  C:\Windows\System32\twgBaNT.exe
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\System32\plQpHYi.exe
  C:\Windows\System32\plQpHYi.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System32\anQJSUG.exe
  C:\Windows\System32\anQJSUG.exe
  2⤵
  - Executes dropped EXE
  PID:3524
- C:\Windows\System32\EBDnYht.exe
  C:\Windows\System32\EBDnYht.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System32\Ilcaenw.exe
  C:\Windows\System32\Ilcaenw.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\System32\BCTHfiG.exe
  C:\Windows\System32\BCTHfiG.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System32\nBWVOCH.exe
  C:\Windows\System32\nBWVOCH.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System32\sRIgoFm.exe
  C:\Windows\System32\sRIgoFm.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System32\xaDLpNK.exe
  C:\Windows\System32\xaDLpNK.exe
  2⤵
  - Executes dropped EXE
  PID:1136
- C:\Windows\System32\LmYSZsp.exe
  C:\Windows\System32\LmYSZsp.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System32\pobTsPM.exe
  C:\Windows\System32\pobTsPM.exe
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Windows\System32\LqHYXlA.exe
  C:\Windows\System32\LqHYXlA.exe
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Windows\System32\lJCkCFH.exe
  C:\Windows\System32\lJCkCFH.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System32\myzWCje.exe
  C:\Windows\System32\myzWCje.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\System32\uLjQfrj.exe
  C:\Windows\System32\uLjQfrj.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System32\iyDlhdS.exe
  C:\Windows\System32\iyDlhdS.exe
  2⤵
  - Executes dropped EXE
  PID:1100
- C:\Windows\System32\DAmrCqM.exe
  C:\Windows\System32\DAmrCqM.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System32\DWcmYKZ.exe
  C:\Windows\System32\DWcmYKZ.exe
  2⤵
  - Executes dropped EXE
  PID:3100
- C:\Windows\System32\agAcAnd.exe
  C:\Windows\System32\agAcAnd.exe
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\System32\hIxolxl.exe
  C:\Windows\System32\hIxolxl.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System32\CcgEfoG.exe
  C:\Windows\System32\CcgEfoG.exe
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\System32\AZbskyG.exe
  C:\Windows\System32\AZbskyG.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System32\CxixfMU.exe
  C:\Windows\System32\CxixfMU.exe
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\System32\aWmFfEF.exe
  C:\Windows\System32\aWmFfEF.exe
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\System32\IDtWyMp.exe
  C:\Windows\System32\IDtWyMp.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System32\qcJkqyr.exe
  C:\Windows\System32\qcJkqyr.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System32\AIIvWwo.exe
  C:\Windows\System32\AIIvWwo.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System32\LhMGrYm.exe
  C:\Windows\System32\LhMGrYm.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System32\oVjqsjE.exe
  C:\Windows\System32\oVjqsjE.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System32\PBZalxo.exe
  C:\Windows\System32\PBZalxo.exe
  2⤵
  - Executes dropped EXE
  PID:4228
- C:\Windows\System32\ICSaXqH.exe
  C:\Windows\System32\ICSaXqH.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System32\IWdyyIL.exe
  C:\Windows\System32\IWdyyIL.exe
  2⤵
  PID:1760
- C:\Windows\System32\IWCucUB.exe
  C:\Windows\System32\IWCucUB.exe
  2⤵
  PID:5028
- C:\Windows\System32\uuzhhWg.exe
  C:\Windows\System32\uuzhhWg.exe
  2⤵
  PID:3028
- C:\Windows\System32\tSjqRlm.exe
  C:\Windows\System32\tSjqRlm.exe
  2⤵
  PID:4508
- C:\Windows\System32\uCUtPwu.exe
  C:\Windows\System32\uCUtPwu.exe
  2⤵
  PID:3032
- C:\Windows\System32\tkDHvSC.exe
  C:\Windows\System32\tkDHvSC.exe
  2⤵
  PID:976
- C:\Windows\System32\NiFINRm.exe
  C:\Windows\System32\NiFINRm.exe
  2⤵
  PID:3232
- C:\Windows\System32\nHNhpDT.exe
  C:\Windows\System32\nHNhpDT.exe
  2⤵
  PID:736
- C:\Windows\System32\VvlClUw.exe
  C:\Windows\System32\VvlClUw.exe
  2⤵
  PID:1868
- C:\Windows\System32\iVDrPox.exe
  C:\Windows\System32\iVDrPox.exe
  2⤵
  PID:1772
- C:\Windows\System32\DcwlxNe.exe
  C:\Windows\System32\DcwlxNe.exe
  2⤵
  PID:1680
- C:\Windows\System32\ncWnziW.exe
  C:\Windows\System32\ncWnziW.exe
  2⤵
  PID:1796
- C:\Windows\System32\zrECujl.exe
  C:\Windows\System32\zrECujl.exe
  2⤵
  PID:1468
- C:\Windows\System32\FJOTGOl.exe
  C:\Windows\System32\FJOTGOl.exe
  2⤵
  PID:2292
- C:\Windows\System32\ZoquCPk.exe
  C:\Windows\System32\ZoquCPk.exe
  2⤵
  PID:2340
- C:\Windows\System32\LvpwCPg.exe
  C:\Windows\System32\LvpwCPg.exe
  2⤵
  PID:1640
- C:\Windows\System32\GvoLiit.exe
  C:\Windows\System32\GvoLiit.exe
  2⤵
  PID:2580
- C:\Windows\System32\PyrrJVD.exe
  C:\Windows\System32\PyrrJVD.exe
  2⤵
  PID:4908
- C:\Windows\System32\CEWexlU.exe
  C:\Windows\System32\CEWexlU.exe
  2⤵
  PID:5004
- C:\Windows\System32\rFkElyd.exe
  C:\Windows\System32\rFkElyd.exe
  2⤵
  PID:2032
- C:\Windows\System32\HZzxzYp.exe
  C:\Windows\System32\HZzxzYp.exe
  2⤵
  PID:220
- C:\Windows\System32\AYvrybg.exe
  C:\Windows\System32\AYvrybg.exe
  2⤵
  PID:4944
- C:\Windows\System32\YbdVKSE.exe
  C:\Windows\System32\YbdVKSE.exe
  2⤵
  PID:4980
- C:\Windows\System32\sLgIcAh.exe
  C:\Windows\System32\sLgIcAh.exe
  2⤵
  PID:4900
- C:\Windows\System32\QIUommu.exe
  C:\Windows\System32\QIUommu.exe
  2⤵
  PID:4620
- C:\Windows\System32\apRnzdF.exe
  C:\Windows\System32\apRnzdF.exe
  2⤵
  PID:2072
- C:\Windows\System32\cAsyYdz.exe
  C:\Windows\System32\cAsyYdz.exe
  2⤵
  PID:2880
- C:\Windows\System32\EstTXBl.exe
  C:\Windows\System32\EstTXBl.exe
  2⤵
  PID:4504
- C:\Windows\System32\dXUkfOU.exe
  C:\Windows\System32\dXUkfOU.exe
  2⤵
  PID:5080
- C:\Windows\System32\EsLbcMn.exe
  C:\Windows\System32\EsLbcMn.exe
  2⤵
  PID:4568
- C:\Windows\System32\foksmDV.exe
  C:\Windows\System32\foksmDV.exe
  2⤵
  PID:2056
- C:\Windows\System32\cKYdglv.exe
  C:\Windows\System32\cKYdglv.exe
  2⤵
  PID:4424
- C:\Windows\System32\ehjcRjX.exe
  C:\Windows\System32\ehjcRjX.exe
  2⤵
  PID:2168
- C:\Windows\System32\idHzrIR.exe
  C:\Windows\System32\idHzrIR.exe
  2⤵
  PID:3536
- C:\Windows\System32\ChQhwhI.exe
  C:\Windows\System32\ChQhwhI.exe
  2⤵
  PID:5136
- C:\Windows\System32\HZwJAJB.exe
  C:\Windows\System32\HZwJAJB.exe
  2⤵
  PID:5176
- C:\Windows\System32\fXDqwLO.exe
  C:\Windows\System32\fXDqwLO.exe
  2⤵
  PID:5200
- C:\Windows\System32\RuHOvCv.exe
  C:\Windows\System32\RuHOvCv.exe
  2⤵
  PID:5220
- C:\Windows\System32\MstHWpl.exe
  C:\Windows\System32\MstHWpl.exe
  2⤵
  PID:5244
- C:\Windows\System32\FEBDLlI.exe
  C:\Windows\System32\FEBDLlI.exe
  2⤵
  PID:5288
- C:\Windows\System32\KpVfDKy.exe
  C:\Windows\System32\KpVfDKy.exe
  2⤵
  PID:5304
- C:\Windows\System32\nYLXfsv.exe
  C:\Windows\System32\nYLXfsv.exe
  2⤵
  PID:5336
- C:\Windows\System32\puCMwey.exe
  C:\Windows\System32\puCMwey.exe
  2⤵
  PID:5364
- C:\Windows\System32\criXhxC.exe
  C:\Windows\System32\criXhxC.exe
  2⤵
  PID:5400
- C:\Windows\System32\oXMwOhB.exe
  C:\Windows\System32\oXMwOhB.exe
  2⤵
  PID:5428
- C:\Windows\System32\haBUXFC.exe
  C:\Windows\System32\haBUXFC.exe
  2⤵
  PID:5456
- C:\Windows\System32\dIZdgwL.exe
  C:\Windows\System32\dIZdgwL.exe
  2⤵
  PID:5472
- C:\Windows\System32\tRzpeoq.exe
  C:\Windows\System32\tRzpeoq.exe
  2⤵
  PID:5564
- C:\Windows\System32\KtJaIzt.exe
  C:\Windows\System32\KtJaIzt.exe
  2⤵
  PID:5600
- C:\Windows\System32\UgJmHaq.exe
  C:\Windows\System32\UgJmHaq.exe
  2⤵
  PID:5620
- C:\Windows\System32\KqxBgrY.exe
  C:\Windows\System32\KqxBgrY.exe
  2⤵
  PID:5636
- C:\Windows\System32\RcZEstd.exe
  C:\Windows\System32\RcZEstd.exe
  2⤵
  PID:5660
- C:\Windows\System32\EQFzyQh.exe
  C:\Windows\System32\EQFzyQh.exe
  2⤵
  PID:5676
- C:\Windows\System32\PqWKheR.exe
  C:\Windows\System32\PqWKheR.exe
  2⤵
  PID:5696
- C:\Windows\System32\tQFgwcB.exe
  C:\Windows\System32\tQFgwcB.exe
  2⤵
  PID:5712
- C:\Windows\System32\yTtDCcd.exe
  C:\Windows\System32\yTtDCcd.exe
  2⤵
  PID:5732
- C:\Windows\System32\EMEYgQe.exe
  C:\Windows\System32\EMEYgQe.exe
  2⤵
  PID:5756
- C:\Windows\System32\XdOUOFP.exe
  C:\Windows\System32\XdOUOFP.exe
  2⤵
  PID:5800
- C:\Windows\System32\CkfUjGa.exe
  C:\Windows\System32\CkfUjGa.exe
  2⤵
  PID:5816
- C:\Windows\System32\ApwHERW.exe
  C:\Windows\System32\ApwHERW.exe
  2⤵
  PID:5852
- C:\Windows\System32\oZlfyCz.exe
  C:\Windows\System32\oZlfyCz.exe
  2⤵
  PID:5868
- C:\Windows\System32\iUbxTCX.exe
  C:\Windows\System32\iUbxTCX.exe
  2⤵
  PID:5888
- C:\Windows\System32\CSibYqN.exe
  C:\Windows\System32\CSibYqN.exe
  2⤵
  PID:5904
- C:\Windows\System32\PaoXhPl.exe
  C:\Windows\System32\PaoXhPl.exe
  2⤵
  PID:5984
- C:\Windows\System32\GXYYEjg.exe
  C:\Windows\System32\GXYYEjg.exe
  2⤵
  PID:6016
- C:\Windows\System32\gmDcZXR.exe
  C:\Windows\System32\gmDcZXR.exe
  2⤵
  PID:6036
- C:\Windows\System32\xhIVWdj.exe
  C:\Windows\System32\xhIVWdj.exe
  2⤵
  PID:844
- C:\Windows\System32\bGfVjab.exe
  C:\Windows\System32\bGfVjab.exe
  2⤵
  PID:1440
- C:\Windows\System32\OCoTdZE.exe
  C:\Windows\System32\OCoTdZE.exe
  2⤵
  PID:1020
- C:\Windows\System32\fztzDpz.exe
  C:\Windows\System32\fztzDpz.exe
  2⤵
  PID:3844
- C:\Windows\System32\lsJJFBh.exe
  C:\Windows\System32\lsJJFBh.exe
  2⤵
  PID:5124
- C:\Windows\System32\VOiWPam.exe
  C:\Windows\System32\VOiWPam.exe
  2⤵
  PID:5228
- C:\Windows\System32\KMBrqaQ.exe
  C:\Windows\System32\KMBrqaQ.exe
  2⤵
  PID:668
- C:\Windows\System32\RlGZvxy.exe
  C:\Windows\System32\RlGZvxy.exe
  2⤵
  PID:5272
- C:\Windows\System32\qBuuStQ.exe
  C:\Windows\System32\qBuuStQ.exe
  2⤵
  PID:3176
- C:\Windows\System32\WAUUFtH.exe
  C:\Windows\System32\WAUUFtH.exe
  2⤵
  PID:2164
- C:\Windows\System32\TxXGFYE.exe
  C:\Windows\System32\TxXGFYE.exe
  2⤵
  PID:4184
- C:\Windows\System32\lMQsgLH.exe
  C:\Windows\System32\lMQsgLH.exe
  2⤵
  PID:5440
- C:\Windows\System32\dRocsZb.exe
  C:\Windows\System32\dRocsZb.exe
  2⤵
  PID:1588
- C:\Windows\System32\XmEzeGc.exe
  C:\Windows\System32\XmEzeGc.exe
  2⤵
  PID:3428
- C:\Windows\System32\EwPYIce.exe
  C:\Windows\System32\EwPYIce.exe
  2⤵
  PID:5536
- C:\Windows\System32\ftbamNz.exe
  C:\Windows\System32\ftbamNz.exe
  2⤵
  PID:3680
- C:\Windows\System32\kUJaJfm.exe
  C:\Windows\System32\kUJaJfm.exe
  2⤵
  PID:3800
- C:\Windows\System32\PslAVXj.exe
  C:\Windows\System32\PslAVXj.exe
  2⤵
  PID:5556
- C:\Windows\System32\OGCOKZq.exe
  C:\Windows\System32\OGCOKZq.exe
  2⤵
  PID:5628
- C:\Windows\System32\rEFxmBY.exe
  C:\Windows\System32\rEFxmBY.exe
  2⤵
  PID:5644
- C:\Windows\System32\tWpBLGX.exe
  C:\Windows\System32\tWpBLGX.exe
  2⤵
  PID:5672
- C:\Windows\System32\ipwGXlp.exe
  C:\Windows\System32\ipwGXlp.exe
  2⤵
  PID:5704
- C:\Windows\System32\qyQYsgv.exe
  C:\Windows\System32\qyQYsgv.exe
  2⤵
  PID:5828
- C:\Windows\System32\vpEHwtX.exe
  C:\Windows\System32\vpEHwtX.exe
  2⤵
  PID:5900
- C:\Windows\System32\FaKgrIy.exe
  C:\Windows\System32\FaKgrIy.exe
  2⤵
  PID:5916
- C:\Windows\System32\QNzAGcS.exe
  C:\Windows\System32\QNzAGcS.exe
  2⤵
  PID:6072
- C:\Windows\System32\tTHdrFT.exe
  C:\Windows\System32\tTHdrFT.exe
  2⤵
  PID:4100
- C:\Windows\System32\BnNgExu.exe
  C:\Windows\System32\BnNgExu.exe
  2⤵
  PID:3196
- C:\Windows\System32\rQyoknA.exe
  C:\Windows\System32\rQyoknA.exe
  2⤵
  PID:5324
- C:\Windows\System32\wPeUYxW.exe
  C:\Windows\System32\wPeUYxW.exe
  2⤵
  PID:5776
- C:\Windows\System32\iIDFKlJ.exe
  C:\Windows\System32\iIDFKlJ.exe
  2⤵
  PID:5376
- C:\Windows\System32\VxJFPHQ.exe
  C:\Windows\System32\VxJFPHQ.exe
  2⤵
  PID:1196
- C:\Windows\System32\orHmAMG.exe
  C:\Windows\System32\orHmAMG.exe
  2⤵
  PID:6132
- C:\Windows\System32\vUBfIwn.exe
  C:\Windows\System32\vUBfIwn.exe
  2⤵
  PID:5544
- C:\Windows\System32\EUiupKo.exe
  C:\Windows\System32\EUiupKo.exe
  2⤵
  PID:5652
- C:\Windows\System32\tYmkyBp.exe
  C:\Windows\System32\tYmkyBp.exe
  2⤵
  PID:5728
- C:\Windows\System32\LjnEHyX.exe
  C:\Windows\System32\LjnEHyX.exe
  2⤵
  PID:5772
- C:\Windows\System32\OvbwwRt.exe
  C:\Windows\System32\OvbwwRt.exe
  2⤵
  PID:5896
- C:\Windows\System32\rvMphJZ.exe
  C:\Windows\System32\rvMphJZ.exe
  2⤵
  PID:5960
- C:\Windows\System32\PpGgcEk.exe
  C:\Windows\System32\PpGgcEk.exe
  2⤵
  PID:3416
- C:\Windows\System32\ihPCQoJ.exe
  C:\Windows\System32\ihPCQoJ.exe
  2⤵
  PID:5436
- C:\Windows\System32\CUTKvpa.exe
  C:\Windows\System32\CUTKvpa.exe
  2⤵
  PID:5300
- C:\Windows\System32\yQwNUXi.exe
  C:\Windows\System32\yQwNUXi.exe
  2⤵
  PID:5148
- C:\Windows\System32\lVCfyoU.exe
  C:\Windows\System32\lVCfyoU.exe
  2⤵
  PID:5684
- C:\Windows\System32\HPHqcRQ.exe
  C:\Windows\System32\HPHqcRQ.exe
  2⤵
  PID:5160
- C:\Windows\System32\VidiAaS.exe
  C:\Windows\System32\VidiAaS.exe
  2⤵
  PID:5824
- C:\Windows\System32\HwJpZQo.exe
  C:\Windows\System32\HwJpZQo.exe
  2⤵
  PID:6152
- C:\Windows\System32\jqShgPR.exe
  C:\Windows\System32\jqShgPR.exe
  2⤵
  PID:6172
- C:\Windows\System32\vOiRjtt.exe
  C:\Windows\System32\vOiRjtt.exe
  2⤵
  PID:6240
- C:\Windows\System32\zxmXDVt.exe
  C:\Windows\System32\zxmXDVt.exe
  2⤵
  PID:6256
- C:\Windows\System32\FjuTbDK.exe
  C:\Windows\System32\FjuTbDK.exe
  2⤵
  PID:6272
- C:\Windows\System32\vYYXFTT.exe
  C:\Windows\System32\vYYXFTT.exe
  2⤵
  PID:6288
- C:\Windows\System32\NIDxrCc.exe
  C:\Windows\System32\NIDxrCc.exe
  2⤵
  PID:6304
- C:\Windows\System32\ulDZoRX.exe
  C:\Windows\System32\ulDZoRX.exe
  2⤵
  PID:6320
- C:\Windows\System32\GCWlbka.exe
  C:\Windows\System32\GCWlbka.exe
  2⤵
  PID:6340
- C:\Windows\System32\EFBqBQJ.exe
  C:\Windows\System32\EFBqBQJ.exe
  2⤵
  PID:6360
- C:\Windows\System32\gXpNgnG.exe
  C:\Windows\System32\gXpNgnG.exe
  2⤵
  PID:6396
- C:\Windows\System32\zyVBsVq.exe
  C:\Windows\System32\zyVBsVq.exe
  2⤵
  PID:6412
- C:\Windows\System32\zFVQVJI.exe
  C:\Windows\System32\zFVQVJI.exe
  2⤵
  PID:6432
- C:\Windows\System32\LlwTfBG.exe
  C:\Windows\System32\LlwTfBG.exe
  2⤵
  PID:6612
- C:\Windows\System32\QRorUpJ.exe
  C:\Windows\System32\QRorUpJ.exe
  2⤵
  PID:6676
- C:\Windows\System32\PVFVPes.exe
  C:\Windows\System32\PVFVPes.exe
  2⤵
  PID:6704
- C:\Windows\System32\pZBccdA.exe
  C:\Windows\System32\pZBccdA.exe
  2⤵
  PID:6728
- C:\Windows\System32\lSmaYMy.exe
  C:\Windows\System32\lSmaYMy.exe
  2⤵
  PID:6764
- C:\Windows\System32\eDMOHsg.exe
  C:\Windows\System32\eDMOHsg.exe
  2⤵
  PID:6780
- C:\Windows\System32\BksStBO.exe
  C:\Windows\System32\BksStBO.exe
  2⤵
  PID:6832
- C:\Windows\System32\YEiAkKq.exe
  C:\Windows\System32\YEiAkKq.exe
  2⤵
  PID:6856
- C:\Windows\System32\qQFIpjC.exe
  C:\Windows\System32\qQFIpjC.exe
  2⤵
  PID:6880
- C:\Windows\System32\EcSgbgm.exe
  C:\Windows\System32\EcSgbgm.exe
  2⤵
  PID:6904
- C:\Windows\System32\oYZYEjy.exe
  C:\Windows\System32\oYZYEjy.exe
  2⤵
  PID:6924
- C:\Windows\System32\TSuJUQu.exe
  C:\Windows\System32\TSuJUQu.exe
  2⤵
  PID:6940
- C:\Windows\System32\RvILOMX.exe
  C:\Windows\System32\RvILOMX.exe
  2⤵
  PID:6964
- C:\Windows\System32\MCausrr.exe
  C:\Windows\System32\MCausrr.exe
  2⤵
  PID:6980
- C:\Windows\System32\wRjYgfi.exe
  C:\Windows\System32\wRjYgfi.exe
  2⤵
  PID:7008
- C:\Windows\System32\kNZnfur.exe
  C:\Windows\System32\kNZnfur.exe
  2⤵
  PID:7036
- C:\Windows\System32\JHrkYns.exe
  C:\Windows\System32\JHrkYns.exe
  2⤵
  PID:7116
- C:\Windows\System32\hCzIKRh.exe
  C:\Windows\System32\hCzIKRh.exe
  2⤵
  PID:7140
- C:\Windows\System32\AhROCOA.exe
  C:\Windows\System32\AhROCOA.exe
  2⤵
  PID:7160
- C:\Windows\System32\SCmKcte.exe
  C:\Windows\System32\SCmKcte.exe
  2⤵
  PID:4780
- C:\Windows\System32\RDqdzzY.exe
  C:\Windows\System32\RDqdzzY.exe
  2⤵
  PID:4664
- C:\Windows\System32\LnPuMxY.exe
  C:\Windows\System32\LnPuMxY.exe
  2⤵
  PID:6148
- C:\Windows\System32\bMzhSnA.exe
  C:\Windows\System32\bMzhSnA.exe
  2⤵
  PID:6408
- C:\Windows\System32\wnDcEGz.exe
  C:\Windows\System32\wnDcEGz.exe
  2⤵
  PID:6216
- C:\Windows\System32\dlMBYim.exe
  C:\Windows\System32\dlMBYim.exe
  2⤵
  PID:6284
- C:\Windows\System32\JDBvfcY.exe
  C:\Windows\System32\JDBvfcY.exe
  2⤵
  PID:6376
- C:\Windows\System32\CKHhYmV.exe
  C:\Windows\System32\CKHhYmV.exe
  2⤵
  PID:6464
- C:\Windows\System32\URJKgxm.exe
  C:\Windows\System32\URJKgxm.exe
  2⤵
  PID:6296
- C:\Windows\System32\sfHMxCR.exe
  C:\Windows\System32\sfHMxCR.exe
  2⤵
  PID:6532
- C:\Windows\System32\HnrWGPi.exe
  C:\Windows\System32\HnrWGPi.exe
  2⤵
  PID:6440
- C:\Windows\System32\PUarLlK.exe
  C:\Windows\System32\PUarLlK.exe
  2⤵
  PID:6580
- C:\Windows\System32\XbMWqQj.exe
  C:\Windows\System32\XbMWqQj.exe
  2⤵
  PID:6696
- C:\Windows\System32\GEMbdFr.exe
  C:\Windows\System32\GEMbdFr.exe
  2⤵
  PID:6724
- C:\Windows\System32\PmsHnqV.exe
  C:\Windows\System32\PmsHnqV.exe
  2⤵
  PID:6792
- C:\Windows\System32\BESskGd.exe
  C:\Windows\System32\BESskGd.exe
  2⤵
  PID:6844
- C:\Windows\System32\OBowsHO.exe
  C:\Windows\System32\OBowsHO.exe
  2⤵
  PID:6948
- C:\Windows\System32\ZodTqMH.exe
  C:\Windows\System32\ZodTqMH.exe
  2⤵
  PID:7112
- C:\Windows\System32\zJIftEw.exe
  C:\Windows\System32\zJIftEw.exe
  2⤵
  PID:7096
- C:\Windows\System32\fcOXafQ.exe
  C:\Windows\System32\fcOXafQ.exe
  2⤵
  PID:7156
- C:\Windows\System32\fVcltWy.exe
  C:\Windows\System32\fVcltWy.exe
  2⤵
  PID:6196
- C:\Windows\System32\pjihXWd.exe
  C:\Windows\System32\pjihXWd.exe
  2⤵
  PID:5724
- C:\Windows\System32\yHSMJPT.exe
  C:\Windows\System32\yHSMJPT.exe
  2⤵
  PID:6252
- C:\Windows\System32\gRoqVaX.exe
  C:\Windows\System32\gRoqVaX.exe
  2⤵
  PID:6428
- C:\Windows\System32\jhrtccv.exe
  C:\Windows\System32\jhrtccv.exe
  2⤵
  PID:6660
- C:\Windows\System32\oZnItZK.exe
  C:\Windows\System32\oZnItZK.exe
  2⤵
  PID:6652
- C:\Windows\System32\wQGlyQM.exe
  C:\Windows\System32\wQGlyQM.exe
  2⤵
  PID:7124
- C:\Windows\System32\QxoODZo.exe
  C:\Windows\System32\QxoODZo.exe
  2⤵
  PID:6268
- C:\Windows\System32\mcnpOST.exe
  C:\Windows\System32\mcnpOST.exe
  2⤵
  PID:6264
- C:\Windows\System32\ZGPTuyc.exe
  C:\Windows\System32\ZGPTuyc.exe
  2⤵
  PID:6812
- C:\Windows\System32\cumJetz.exe
  C:\Windows\System32\cumJetz.exe
  2⤵
  PID:6548
- C:\Windows\System32\cWefJhe.exe
  C:\Windows\System32\cWefJhe.exe
  2⤵
  PID:6168
- C:\Windows\System32\fpECgxQ.exe
  C:\Windows\System32\fpECgxQ.exe
  2⤵
  PID:7184
- C:\Windows\System32\QAOEwNA.exe
  C:\Windows\System32\QAOEwNA.exe
  2⤵
  PID:7216
- C:\Windows\System32\loFtSkZ.exe
  C:\Windows\System32\loFtSkZ.exe
  2⤵
  PID:7268
- C:\Windows\System32\poFDyhv.exe
  C:\Windows\System32\poFDyhv.exe
  2⤵
  PID:7288
- C:\Windows\System32\Thfarfo.exe
  C:\Windows\System32\Thfarfo.exe
  2⤵
  PID:7332
- C:\Windows\System32\vsvSiwn.exe
  C:\Windows\System32\vsvSiwn.exe
  2⤵
  PID:7352
- C:\Windows\System32\xtigXGR.exe
  C:\Windows\System32\xtigXGR.exe
  2⤵
  PID:7376
- C:\Windows\System32\VxHMhQp.exe
  C:\Windows\System32\VxHMhQp.exe
  2⤵
  PID:7396
- C:\Windows\System32\kGlIUzM.exe
  C:\Windows\System32\kGlIUzM.exe
  2⤵
  PID:7428
- C:\Windows\System32\DVeoMDE.exe
  C:\Windows\System32\DVeoMDE.exe
  2⤵
  PID:7456
- C:\Windows\System32\HhNFRFC.exe
  C:\Windows\System32\HhNFRFC.exe
  2⤵
  PID:7488
- C:\Windows\System32\OlqtyVW.exe
  C:\Windows\System32\OlqtyVW.exe
  2⤵
  PID:7512
- C:\Windows\System32\oQvuASu.exe
  C:\Windows\System32\oQvuASu.exe
  2⤵
  PID:7528
- C:\Windows\System32\DKlHhTK.exe
  C:\Windows\System32\DKlHhTK.exe
  2⤵
  PID:7548
- C:\Windows\System32\xVmgewc.exe
  C:\Windows\System32\xVmgewc.exe
  2⤵
  PID:7568
- C:\Windows\System32\xPkSsFE.exe
  C:\Windows\System32\xPkSsFE.exe
  2⤵
  PID:7584
- C:\Windows\System32\SAmNBDz.exe
  C:\Windows\System32\SAmNBDz.exe
  2⤵
  PID:7656
- C:\Windows\System32\cgIsoZT.exe
  C:\Windows\System32\cgIsoZT.exe
  2⤵
  PID:7672
- C:\Windows\System32\YdTPHhZ.exe
  C:\Windows\System32\YdTPHhZ.exe
  2⤵
  PID:7724
- C:\Windows\System32\XjWZSYc.exe
  C:\Windows\System32\XjWZSYc.exe
  2⤵
  PID:7764
- C:\Windows\System32\sqXRKVZ.exe
  C:\Windows\System32\sqXRKVZ.exe
  2⤵
  PID:7796
- C:\Windows\System32\sKFLIks.exe
  C:\Windows\System32\sKFLIks.exe
  2⤵
  PID:7812
- C:\Windows\System32\HkDRybi.exe
  C:\Windows\System32\HkDRybi.exe
  2⤵
  PID:7836
- C:\Windows\System32\JJbRAsK.exe
  C:\Windows\System32\JJbRAsK.exe
  2⤵
  PID:7852
- C:\Windows\System32\DZnyYEP.exe
  C:\Windows\System32\DZnyYEP.exe
  2⤵
  PID:7876
- C:\Windows\System32\LRdSYAV.exe
  C:\Windows\System32\LRdSYAV.exe
  2⤵
  PID:7892
- C:\Windows\System32\makjYNe.exe
  C:\Windows\System32\makjYNe.exe
  2⤵
  PID:7916
- C:\Windows\System32\GHixcgI.exe
  C:\Windows\System32\GHixcgI.exe
  2⤵
  PID:7936
- C:\Windows\System32\HVZPBWH.exe
  C:\Windows\System32\HVZPBWH.exe
  2⤵
  PID:7956
- C:\Windows\System32\xESlxDv.exe
  C:\Windows\System32\xESlxDv.exe
  2⤵
  PID:7984
- C:\Windows\System32\oweejEp.exe
  C:\Windows\System32\oweejEp.exe
  2⤵
  PID:8008
- C:\Windows\System32\cDOtxsx.exe
  C:\Windows\System32\cDOtxsx.exe
  2⤵
  PID:8024
- C:\Windows\System32\UOKGhpE.exe
  C:\Windows\System32\UOKGhpE.exe
  2⤵
  PID:8048
- C:\Windows\System32\MhnMbVu.exe
  C:\Windows\System32\MhnMbVu.exe
  2⤵
  PID:8120
- C:\Windows\System32\ctrezpA.exe
  C:\Windows\System32\ctrezpA.exe
  2⤵
  PID:8140
- C:\Windows\System32\XJWltvD.exe
  C:\Windows\System32\XJWltvD.exe
  2⤵
  PID:8160
- C:\Windows\System32\fWqxCFZ.exe
  C:\Windows\System32\fWqxCFZ.exe
  2⤵
  PID:6900
- C:\Windows\System32\DTrHwGg.exe
  C:\Windows\System32\DTrHwGg.exe
  2⤵
  PID:7296
- C:\Windows\System32\wQjwnjh.exe
  C:\Windows\System32\wQjwnjh.exe
  2⤵
  PID:7320
- C:\Windows\System32\XmJjKZF.exe
  C:\Windows\System32\XmJjKZF.exe
  2⤵
  PID:7392
- C:\Windows\System32\ZGGXBZU.exe
  C:\Windows\System32\ZGGXBZU.exe
  2⤵
  PID:7388
- C:\Windows\System32\IlYgxAJ.exe
  C:\Windows\System32\IlYgxAJ.exe
  2⤵
  PID:7524
- C:\Windows\System32\niWpVUy.exe
  C:\Windows\System32\niWpVUy.exe
  2⤵
  PID:7504
- C:\Windows\System32\JXBoVyh.exe
  C:\Windows\System32\JXBoVyh.exe
  2⤵
  PID:7520
- C:\Windows\System32\utoDUpX.exe
  C:\Windows\System32\utoDUpX.exe
  2⤵
  PID:7616
- C:\Windows\System32\LSPgogP.exe
  C:\Windows\System32\LSPgogP.exe
  2⤵
  PID:7736
- C:\Windows\System32\GYijYYN.exe
  C:\Windows\System32\GYijYYN.exe
  2⤵
  PID:7808
- C:\Windows\System32\ovtjPrZ.exe
  C:\Windows\System32\ovtjPrZ.exe
  2⤵
  PID:7908
- C:\Windows\System32\KrpBkoe.exe
  C:\Windows\System32\KrpBkoe.exe
  2⤵
  PID:7912
- C:\Windows\System32\LWYxxaH.exe
  C:\Windows\System32\LWYxxaH.exe
  2⤵
  PID:8004
- C:\Windows\System32\oOoLgps.exe
  C:\Windows\System32\oOoLgps.exe
  2⤵
  PID:8040
- C:\Windows\System32\uFIhxVf.exe
  C:\Windows\System32\uFIhxVf.exe
  2⤵
  PID:8104
- C:\Windows\System32\Tgwppbt.exe
  C:\Windows\System32\Tgwppbt.exe
  2⤵
  PID:6524
- C:\Windows\System32\JTSvBTs.exe
  C:\Windows\System32\JTSvBTs.exe
  2⤵
  PID:7172
- C:\Windows\System32\BABKmzS.exe
  C:\Windows\System32\BABKmzS.exe
  2⤵
  PID:7592
- C:\Windows\System32\rVrXiYC.exe
  C:\Windows\System32\rVrXiYC.exe
  2⤵
  PID:7580
- C:\Windows\System32\gJafVWf.exe
  C:\Windows\System32\gJafVWf.exe
  2⤵
  PID:7884
- C:\Windows\System32\TEqUBYR.exe
  C:\Windows\System32\TEqUBYR.exe
  2⤵
  PID:7924
- C:\Windows\System32\UlgQFBj.exe
  C:\Windows\System32\UlgQFBj.exe
  2⤵
  PID:8016
- C:\Windows\System32\CgRJMYh.exe
  C:\Windows\System32\CgRJMYh.exe
  2⤵
  PID:5588
- C:\Windows\System32\wDhhTKm.exe
  C:\Windows\System32\wDhhTKm.exe
  2⤵
  PID:7508
- C:\Windows\System32\hjZBBXG.exe
  C:\Windows\System32\hjZBBXG.exe
  2⤵
  PID:7664
- C:\Windows\System32\aPqeBcQ.exe
  C:\Windows\System32\aPqeBcQ.exe
  2⤵
  PID:8020
- C:\Windows\System32\sqVRuVk.exe
  C:\Windows\System32\sqVRuVk.exe
  2⤵
  PID:8132
- C:\Windows\System32\aPRqUEI.exe
  C:\Windows\System32\aPRqUEI.exe
  2⤵
  PID:7888
- C:\Windows\System32\mpxbQUU.exe
  C:\Windows\System32\mpxbQUU.exe
  2⤵
  PID:8212
- C:\Windows\System32\oeOkFEn.exe
  C:\Windows\System32\oeOkFEn.exe
  2⤵
  PID:8232
- C:\Windows\System32\OLguYgY.exe
  C:\Windows\System32\OLguYgY.exe
  2⤵
  PID:8252
- C:\Windows\System32\nqiuKcW.exe
  C:\Windows\System32\nqiuKcW.exe
  2⤵
  PID:8284
- C:\Windows\System32\PojbsPG.exe
  C:\Windows\System32\PojbsPG.exe
  2⤵
  PID:8364
- C:\Windows\System32\sgWWNqM.exe
  C:\Windows\System32\sgWWNqM.exe
  2⤵
  PID:8396
- C:\Windows\System32\ZlqnDDo.exe
  C:\Windows\System32\ZlqnDDo.exe
  2⤵
  PID:8412
- C:\Windows\System32\pbdCqoR.exe
  C:\Windows\System32\pbdCqoR.exe
  2⤵
  PID:8440
- C:\Windows\System32\PAHTCcg.exe
  C:\Windows\System32\PAHTCcg.exe
  2⤵
  PID:8456
- C:\Windows\System32\AGDayMr.exe
  C:\Windows\System32\AGDayMr.exe
  2⤵
  PID:8476
- C:\Windows\System32\BJsvdDg.exe
  C:\Windows\System32\BJsvdDg.exe
  2⤵
  PID:8516
- C:\Windows\System32\OCwvCnB.exe
  C:\Windows\System32\OCwvCnB.exe
  2⤵
  PID:8540
- C:\Windows\System32\ApbdVHS.exe
  C:\Windows\System32\ApbdVHS.exe
  2⤵
  PID:8560
- C:\Windows\System32\iSdUZqN.exe
  C:\Windows\System32\iSdUZqN.exe
  2⤵
  PID:8600
- C:\Windows\System32\QgajlhQ.exe
  C:\Windows\System32\QgajlhQ.exe
  2⤵
  PID:8616
- C:\Windows\System32\UwnBXLI.exe
  C:\Windows\System32\UwnBXLI.exe
  2⤵
  PID:8676
- C:\Windows\System32\hiMyDUN.exe
  C:\Windows\System32\hiMyDUN.exe
  2⤵
  PID:8696
- C:\Windows\System32\wdAcOOS.exe
  C:\Windows\System32\wdAcOOS.exe
  2⤵
  PID:8716
- C:\Windows\System32\cKwGkhZ.exe
  C:\Windows\System32\cKwGkhZ.exe
  2⤵
  PID:8744
- C:\Windows\System32\ZLLDfAQ.exe
  C:\Windows\System32\ZLLDfAQ.exe
  2⤵
  PID:8760
- C:\Windows\System32\NZCVZIQ.exe
  C:\Windows\System32\NZCVZIQ.exe
  2⤵
  PID:8784
- C:\Windows\System32\hCJkPMo.exe
  C:\Windows\System32\hCJkPMo.exe
  2⤵
  PID:8804
- C:\Windows\System32\rpQbdbH.exe
  C:\Windows\System32\rpQbdbH.exe
  2⤵
  PID:8824
- C:\Windows\System32\QdlVOsT.exe
  C:\Windows\System32\QdlVOsT.exe
  2⤵
  PID:8868
- C:\Windows\System32\fWYoDBU.exe
  C:\Windows\System32\fWYoDBU.exe
  2⤵
  PID:8888
- C:\Windows\System32\fBWnhFK.exe
  C:\Windows\System32\fBWnhFK.exe
  2⤵
  PID:8928
- C:\Windows\System32\TOuxrwl.exe
  C:\Windows\System32\TOuxrwl.exe
  2⤵
  PID:8964
- C:\Windows\System32\wfzbOeM.exe
  C:\Windows\System32\wfzbOeM.exe
  2⤵
  PID:8992
- C:\Windows\System32\gaKAsBJ.exe
  C:\Windows\System32\gaKAsBJ.exe
  2⤵
  PID:9036
- C:\Windows\System32\MQiWpHk.exe
  C:\Windows\System32\MQiWpHk.exe
  2⤵
  PID:9060
- C:\Windows\System32\pAwVQbO.exe
  C:\Windows\System32\pAwVQbO.exe
  2⤵
  PID:9080
- C:\Windows\System32\RubZAgN.exe
  C:\Windows\System32\RubZAgN.exe
  2⤵
  PID:9108
- C:\Windows\System32\JBrnDBw.exe
  C:\Windows\System32\JBrnDBw.exe
  2⤵
  PID:9148
- C:\Windows\System32\aiKJJaP.exe
  C:\Windows\System32\aiKJJaP.exe
  2⤵
  PID:9176
- C:\Windows\System32\afFqFJC.exe
  C:\Windows\System32\afFqFJC.exe
  2⤵
  PID:9196
- C:\Windows\System32\XJRLwRz.exe
  C:\Windows\System32\XJRLwRz.exe
  2⤵
  PID:7300
- C:\Windows\System32\QjbnmBI.exe
  C:\Windows\System32\QjbnmBI.exe
  2⤵
  PID:8204
- C:\Windows\System32\jPlHiQo.exe
  C:\Windows\System32\jPlHiQo.exe
  2⤵
  PID:8300
- C:\Windows\System32\GRFGnpv.exe
  C:\Windows\System32\GRFGnpv.exe
  2⤵
  PID:8380
- C:\Windows\System32\WfAJABc.exe
  C:\Windows\System32\WfAJABc.exe
  2⤵
  PID:8424
- C:\Windows\System32\BxbANvp.exe
  C:\Windows\System32\BxbANvp.exe
  2⤵
  PID:8448
- C:\Windows\System32\xVMAbmv.exe
  C:\Windows\System32\xVMAbmv.exe
  2⤵
  PID:8584
- C:\Windows\System32\sjRMxnm.exe
  C:\Windows\System32\sjRMxnm.exe
  2⤵
  PID:8596
- C:\Windows\System32\HySxKXk.exe
  C:\Windows\System32\HySxKXk.exe
  2⤵
  PID:8668
- C:\Windows\System32\jFTzgnO.exe
  C:\Windows\System32\jFTzgnO.exe
  2⤵
  PID:8728
- C:\Windows\System32\BgqmSVg.exe
  C:\Windows\System32\BgqmSVg.exe
  2⤵
  PID:8860
- C:\Windows\System32\cSejOae.exe
  C:\Windows\System32\cSejOae.exe
  2⤵
  PID:8880
- C:\Windows\System32\pJPwKwh.exe
  C:\Windows\System32\pJPwKwh.exe
  2⤵
  PID:8960
- C:\Windows\System32\armPAtH.exe
  C:\Windows\System32\armPAtH.exe
  2⤵
  PID:9020
- C:\Windows\System32\HWCNYro.exe
  C:\Windows\System32\HWCNYro.exe
  2⤵
  PID:9076
- C:\Windows\System32\ljOJyPt.exe
  C:\Windows\System32\ljOJyPt.exe
  2⤵
  PID:9124
- C:\Windows\System32\pXPcYtJ.exe
  C:\Windows\System32\pXPcYtJ.exe
  2⤵
  PID:9160
- C:\Windows\System32\cdzAFLa.exe
  C:\Windows\System32\cdzAFLa.exe
  2⤵
  PID:8268
- C:\Windows\System32\nqZjomQ.exe
  C:\Windows\System32\nqZjomQ.exe
  2⤵
  PID:8472
- C:\Windows\System32\otBJWcm.exe
  C:\Windows\System32\otBJWcm.exe
  2⤵
  PID:8768
- C:\Windows\System32\zSGvDAy.exe
  C:\Windows\System32\zSGvDAy.exe
  2⤵
  PID:8936
- C:\Windows\System32\PDJVFPM.exe
  C:\Windows\System32\PDJVFPM.exe
  2⤵
  PID:9004
- C:\Windows\System32\VidinTo.exe
  C:\Windows\System32\VidinTo.exe
  2⤵
  PID:9100
- C:\Windows\System32\HXIWYCt.exe
  C:\Windows\System32\HXIWYCt.exe
  2⤵
  PID:8492
- C:\Windows\System32\kttuoLx.exe
  C:\Windows\System32\kttuoLx.exe
  2⤵
  PID:8792
- C:\Windows\System32\UFTmYrk.exe
  C:\Windows\System32\UFTmYrk.exe
  2⤵
  PID:9204
- C:\Windows\System32\mxyZiGg.exe
  C:\Windows\System32\mxyZiGg.exe
  2⤵
  PID:8276
- C:\Windows\System32\WAzSjyt.exe
  C:\Windows\System32\WAzSjyt.exe
  2⤵
  PID:8900
- C:\Windows\System32\xmuTmjS.exe
  C:\Windows\System32\xmuTmjS.exe
  2⤵
  PID:9224
- C:\Windows\System32\KRDWwMJ.exe
  C:\Windows\System32\KRDWwMJ.exe
  2⤵
  PID:9280
- C:\Windows\System32\RHiVzSZ.exe
  C:\Windows\System32\RHiVzSZ.exe
  2⤵
  PID:9300
- C:\Windows\System32\TEbSbOg.exe
  C:\Windows\System32\TEbSbOg.exe
  2⤵
  PID:9320
- C:\Windows\System32\UfnGmrZ.exe
  C:\Windows\System32\UfnGmrZ.exe
  2⤵
  PID:9336
- C:\Windows\System32\eSvWUKr.exe
  C:\Windows\System32\eSvWUKr.exe
  2⤵
  PID:9356
- C:\Windows\System32\HbOusUL.exe
  C:\Windows\System32\HbOusUL.exe
  2⤵
  PID:9380
- C:\Windows\System32\ybXegAE.exe
  C:\Windows\System32\ybXegAE.exe
  2⤵
  PID:9464
- C:\Windows\System32\WBRZStN.exe
  C:\Windows\System32\WBRZStN.exe
  2⤵
  PID:9484
- C:\Windows\System32\ZLyFItU.exe
  C:\Windows\System32\ZLyFItU.exe
  2⤵
  PID:9504
- C:\Windows\System32\rbpvCBs.exe
  C:\Windows\System32\rbpvCBs.exe
  2⤵
  PID:9528
- C:\Windows\System32\XiaPRZw.exe
  C:\Windows\System32\XiaPRZw.exe
  2⤵
  PID:9544
- C:\Windows\System32\ajcsAlM.exe
  C:\Windows\System32\ajcsAlM.exe
  2⤵
  PID:9560
- C:\Windows\System32\AwlRynD.exe
  C:\Windows\System32\AwlRynD.exe
  2⤵
  PID:9580
- C:\Windows\System32\HNkpXCB.exe
  C:\Windows\System32\HNkpXCB.exe
  2⤵
  PID:9604
- C:\Windows\System32\OgbFqTd.exe
  C:\Windows\System32\OgbFqTd.exe
  2⤵
  PID:9676
- C:\Windows\System32\RmdfQzg.exe
  C:\Windows\System32\RmdfQzg.exe
  2⤵
  PID:9700
- C:\Windows\System32\XDncVzY.exe
  C:\Windows\System32\XDncVzY.exe
  2⤵
  PID:9728
- C:\Windows\System32\aNHtxtQ.exe
  C:\Windows\System32\aNHtxtQ.exe
  2⤵
  PID:9744
- C:\Windows\System32\tDOavmE.exe
  C:\Windows\System32\tDOavmE.exe
  2⤵
  PID:9768
- C:\Windows\System32\cfFFwtA.exe
  C:\Windows\System32\cfFFwtA.exe
  2⤵
  PID:9788
- C:\Windows\System32\GZHQMkv.exe
  C:\Windows\System32\GZHQMkv.exe
  2⤵
  PID:9828
- C:\Windows\System32\DYzKqZN.exe
  C:\Windows\System32\DYzKqZN.exe
  2⤵
  PID:9848
- C:\Windows\System32\jZThZbd.exe
  C:\Windows\System32\jZThZbd.exe
  2⤵
  PID:9880
- C:\Windows\System32\raPCVCZ.exe
  C:\Windows\System32\raPCVCZ.exe
  2⤵
  PID:9896
- C:\Windows\System32\QWVWoXo.exe
  C:\Windows\System32\QWVWoXo.exe
  2⤵
  PID:9920
- C:\Windows\System32\xPNAxxz.exe
  C:\Windows\System32\xPNAxxz.exe
  2⤵
  PID:9944
- C:\Windows\System32\QnbHLIU.exe
  C:\Windows\System32\QnbHLIU.exe
  2⤵
  PID:9960
- C:\Windows\System32\yRFkXAt.exe
  C:\Windows\System32\yRFkXAt.exe
  2⤵
  PID:10064
- C:\Windows\System32\LhPCRXm.exe
  C:\Windows\System32\LhPCRXm.exe
  2⤵
  PID:10080
- C:\Windows\System32\SovsoZq.exe
  C:\Windows\System32\SovsoZq.exe
  2⤵
  PID:10104
- C:\Windows\System32\joFRfLs.exe
  C:\Windows\System32\joFRfLs.exe
  2⤵
  PID:10124
- C:\Windows\System32\OocpFCw.exe
  C:\Windows\System32\OocpFCw.exe
  2⤵
  PID:10140
- C:\Windows\System32\EpGHLGr.exe
  C:\Windows\System32\EpGHLGr.exe
  2⤵
  PID:10168
- C:\Windows\System32\WPPKjIg.exe
  C:\Windows\System32\WPPKjIg.exe
  2⤵
  PID:10220
- C:\Windows\System32\NOVafHK.exe
  C:\Windows\System32\NOVafHK.exe
  2⤵
  PID:8532
- C:\Windows\System32\pnNdlan.exe
  C:\Windows\System32\pnNdlan.exe
  2⤵
  PID:9264
- C:\Windows\System32\BTjtBzv.exe
  C:\Windows\System32\BTjtBzv.exe
  2⤵
  PID:9292
- C:\Windows\System32\yjbzWMB.exe
  C:\Windows\System32\yjbzWMB.exe
  2⤵
  PID:9316
- C:\Windows\System32\OHgFYnI.exe
  C:\Windows\System32\OHgFYnI.exe
  2⤵
  PID:9416
- C:\Windows\System32\PKXuJzb.exe
  C:\Windows\System32\PKXuJzb.exe
  2⤵
  PID:9444
- C:\Windows\System32\ftapZze.exe
  C:\Windows\System32\ftapZze.exe
  2⤵
  PID:9524
- C:\Windows\System32\RrRbNJN.exe
  C:\Windows\System32\RrRbNJN.exe
  2⤵
  PID:9576
- C:\Windows\System32\CBaxGyi.exe
  C:\Windows\System32\CBaxGyi.exe
  2⤵
  PID:9632
- C:\Windows\System32\ejbSsqR.exe
  C:\Windows\System32\ejbSsqR.exe
  2⤵
  PID:9656
- C:\Windows\System32\eSQEKIr.exe
  C:\Windows\System32\eSQEKIr.exe
  2⤵
  PID:9784
- C:\Windows\System32\UVNriah.exe
  C:\Windows\System32\UVNriah.exe
  2⤵
  PID:9104
- C:\Windows\System32\KQaONfD.exe
  C:\Windows\System32\KQaONfD.exe
  2⤵
  PID:9908
- C:\Windows\System32\YluJZPC.exe
  C:\Windows\System32\YluJZPC.exe
  2⤵
  PID:9988
- C:\Windows\System32\TAnSTRs.exe
  C:\Windows\System32\TAnSTRs.exe
  2⤵
  PID:10004
- C:\Windows\System32\kZLeDnw.exe
  C:\Windows\System32\kZLeDnw.exe
  2⤵
  PID:10088
- C:\Windows\System32\AXlkEHR.exe
  C:\Windows\System32\AXlkEHR.exe
  2⤵
  PID:10156
- C:\Windows\System32\JkpQrxh.exe
  C:\Windows\System32\JkpQrxh.exe
  2⤵
  PID:8832
- C:\Windows\System32\zktSDqy.exe
  C:\Windows\System32\zktSDqy.exe
  2⤵
  PID:9368
- C:\Windows\System32\BNiRXsw.exe
  C:\Windows\System32\BNiRXsw.exe
  2⤵
  PID:9008
- C:\Windows\System32\LgiXhwW.exe
  C:\Windows\System32\LgiXhwW.exe
  2⤵
  PID:9612
- C:\Windows\System32\fAPNwUI.exe
  C:\Windows\System32\fAPNwUI.exe
  2⤵
  PID:9892
- C:\Windows\System32\VAKVNAk.exe
  C:\Windows\System32\VAKVNAk.exe
  2⤵
  PID:10040
- C:\Windows\System32\omUhhyI.exe
  C:\Windows\System32\omUhhyI.exe
  2⤵
  PID:10160
- C:\Windows\System32\MMHBEbI.exe
  C:\Windows\System32\MMHBEbI.exe
  2⤵
  PID:10228
- C:\Windows\System32\JmHWtFQ.exe
  C:\Windows\System32\JmHWtFQ.exe
  2⤵
  PID:9552
- C:\Windows\System32\OVSdmST.exe
  C:\Windows\System32\OVSdmST.exe
  2⤵
  PID:9712
- C:\Windows\System32\joYDgrb.exe
  C:\Windows\System32\joYDgrb.exe
  2⤵
  PID:8724
- C:\Windows\System32\ZuQUDkE.exe
  C:\Windows\System32\ZuQUDkE.exe
  2⤵
  PID:2504
- C:\Windows\System32\grDrxZH.exe
  C:\Windows\System32\grDrxZH.exe
  2⤵
  PID:9692
- C:\Windows\System32\HAXtruO.exe
  C:\Windows\System32\HAXtruO.exe
  2⤵
  PID:10260
- C:\Windows\System32\MfFxZlE.exe
  C:\Windows\System32\MfFxZlE.exe
  2⤵
  PID:10280
- C:\Windows\System32\rFTFMTK.exe
  C:\Windows\System32\rFTFMTK.exe
  2⤵
  PID:10300
- C:\Windows\System32\vGXBhng.exe
  C:\Windows\System32\vGXBhng.exe
  2⤵
  PID:10336
- C:\Windows\System32\pRMPaQL.exe
  C:\Windows\System32\pRMPaQL.exe
  2⤵
  PID:10400
- C:\Windows\System32\WkvctiU.exe
  C:\Windows\System32\WkvctiU.exe
  2⤵
  PID:10420
- C:\Windows\System32\ZlAlYeg.exe
  C:\Windows\System32\ZlAlYeg.exe
  2⤵
  PID:10464
- C:\Windows\System32\acuXLlX.exe
  C:\Windows\System32\acuXLlX.exe
  2⤵
  PID:10492
- C:\Windows\System32\UIDslAl.exe
  C:\Windows\System32\UIDslAl.exe
  2⤵
  PID:10520
- C:\Windows\System32\bOYoVOi.exe
  C:\Windows\System32\bOYoVOi.exe
  2⤵
  PID:10540
- C:\Windows\System32\Qkxxbyj.exe
  C:\Windows\System32\Qkxxbyj.exe
  2⤵
  PID:10580
- C:\Windows\System32\vraKyRI.exe
  C:\Windows\System32\vraKyRI.exe
  2⤵
  PID:10600
- C:\Windows\System32\bBYbpKI.exe
  C:\Windows\System32\bBYbpKI.exe
  2⤵
  PID:10620
- C:\Windows\System32\vYBVlmY.exe
  C:\Windows\System32\vYBVlmY.exe
  2⤵
  PID:10636
- C:\Windows\System32\QgOzyuT.exe
  C:\Windows\System32\QgOzyuT.exe
  2⤵
  PID:10676
- C:\Windows\System32\lkEMNNm.exe
  C:\Windows\System32\lkEMNNm.exe
  2⤵
  PID:10732
- C:\Windows\System32\bbJfkUz.exe
  C:\Windows\System32\bbJfkUz.exe
  2⤵
  PID:10748
- C:\Windows\System32\RjiOklX.exe
  C:\Windows\System32\RjiOklX.exe
  2⤵
  PID:10772
- C:\Windows\System32\pNevcWF.exe
  C:\Windows\System32\pNevcWF.exe
  2⤵
  PID:10792
- C:\Windows\System32\AaiHhDd.exe
  C:\Windows\System32\AaiHhDd.exe
  2⤵
  PID:10812
- C:\Windows\System32\jqViASV.exe
  C:\Windows\System32\jqViASV.exe
  2⤵
  PID:10840
- C:\Windows\System32\cgupKsQ.exe
  C:\Windows\System32\cgupKsQ.exe
  2⤵
  PID:10888
- C:\Windows\System32\VntjAQL.exe
  C:\Windows\System32\VntjAQL.exe
  2⤵
  PID:10908
- C:\Windows\System32\HFSiCMq.exe
  C:\Windows\System32\HFSiCMq.exe
  2⤵
  PID:10936
- C:\Windows\System32\TFqtKqE.exe
  C:\Windows\System32\TFqtKqE.exe
  2⤵
  PID:10960
- C:\Windows\System32\VVAlYjU.exe
  C:\Windows\System32\VVAlYjU.exe
  2⤵
  PID:10980
- C:\Windows\System32\FUIHcGu.exe
  C:\Windows\System32\FUIHcGu.exe
  2⤵
  PID:11020
- C:\Windows\System32\yyNULvL.exe
  C:\Windows\System32\yyNULvL.exe
  2⤵
  PID:11036
- C:\Windows\System32\RdoGjsN.exe
  C:\Windows\System32\RdoGjsN.exe
  2⤵
  PID:11064
- C:\Windows\System32\EWUdCFS.exe
  C:\Windows\System32\EWUdCFS.exe
  2⤵
  PID:11084
- C:\Windows\System32\DnRolzL.exe
  C:\Windows\System32\DnRolzL.exe
  2⤵
  PID:11104
- C:\Windows\System32\HvCsLwu.exe
  C:\Windows\System32\HvCsLwu.exe
  2⤵
  PID:11120
- C:\Windows\System32\YQMSacq.exe
  C:\Windows\System32\YQMSacq.exe
  2⤵
  PID:11156
- C:\Windows\System32\seLyxnR.exe
  C:\Windows\System32\seLyxnR.exe
  2⤵
  PID:11172
- C:\Windows\System32\vGKMqfa.exe
  C:\Windows\System32\vGKMqfa.exe
  2⤵
  PID:11204
- C:\Windows\System32\VsdLuMC.exe
  C:\Windows\System32\VsdLuMC.exe
  2⤵
  PID:11260
- C:\Windows\System32\usYlVMw.exe
  C:\Windows\System32\usYlVMw.exe
  2⤵
  PID:10272
- C:\Windows\System32\JYGasLy.exe
  C:\Windows\System32\JYGasLy.exe
  2⤵
  PID:10276
- C:\Windows\System32\oxOAEBb.exe
  C:\Windows\System32\oxOAEBb.exe
  2⤵
  PID:10296
- C:\Windows\System32\HBKhLBN.exe
  C:\Windows\System32\HBKhLBN.exe
  2⤵
  PID:10448
- C:\Windows\System32\zwvOQZn.exe
  C:\Windows\System32\zwvOQZn.exe
  2⤵
  PID:10512
- C:\Windows\System32\ecwqzFz.exe
  C:\Windows\System32\ecwqzFz.exe
  2⤵
  PID:10556
- C:\Windows\System32\TMLQpEU.exe
  C:\Windows\System32\TMLQpEU.exe
  2⤵
  PID:10572
- C:\Windows\System32\umyomSr.exe
  C:\Windows\System32\umyomSr.exe
  2⤵
  PID:10688
- C:\Windows\System32\abCnqtz.exe
  C:\Windows\System32\abCnqtz.exe
  2⤵
  PID:10764
- C:\Windows\System32\eTGmotd.exe
  C:\Windows\System32\eTGmotd.exe
  2⤵
  PID:10788
- C:\Windows\System32\lRkiHQp.exe
  C:\Windows\System32\lRkiHQp.exe
  2⤵
  PID:10076
- C:\Windows\System32\qXxAytF.exe
  C:\Windows\System32\qXxAytF.exe
  2⤵
  PID:10944
- C:\Windows\System32\uPaQRPF.exe
  C:\Windows\System32\uPaQRPF.exe
  2⤵
  PID:11016
- C:\Windows\System32\OTDPevp.exe
  C:\Windows\System32\OTDPevp.exe
  2⤵
  PID:11092
- C:\Windows\System32\erBIknA.exe
  C:\Windows\System32\erBIknA.exe
  2⤵
  PID:11116
- C:\Windows\System32\aJRwmxW.exe
  C:\Windows\System32\aJRwmxW.exe
  2⤵
  PID:11180
- C:\Windows\System32\ejjTOYh.exe
  C:\Windows\System32\ejjTOYh.exe
  2⤵
  PID:11184
- C:\Windows\System32\mSbpQhb.exe
  C:\Windows\System32\mSbpQhb.exe
  2⤵
  PID:11164
- C:\Windows\System32\guZNdSy.exe
  C:\Windows\System32\guZNdSy.exe
  2⤵
  PID:10408
- C:\Windows\System32\WjMllPI.exe
  C:\Windows\System32\WjMllPI.exe
  2⤵
  PID:10504
- C:\Windows\System32\hBVGMhk.exe
  C:\Windows\System32\hBVGMhk.exe
  2⤵
  PID:9288
- C:\Windows\System32\spusqDi.exe
  C:\Windows\System32\spusqDi.exe
  2⤵
  PID:10992
- C:\Windows\System32\kCGKnvJ.exe
  C:\Windows\System32\kCGKnvJ.exe
  2⤵
  PID:11192
- C:\Windows\System32\XLlnZhl.exe
  C:\Windows\System32\XLlnZhl.exe
  2⤵
  PID:9996
- C:\Windows\System32\VJJNpsW.exe
  C:\Windows\System32\VJJNpsW.exe
  2⤵
  PID:10308
- C:\Windows\System32\vtdSMnB.exe
  C:\Windows\System32\vtdSMnB.exe
  2⤵
  PID:10956
- C:\Windows\System32\uTvSDIz.exe
  C:\Windows\System32\uTvSDIz.exe
  2⤵
  PID:10856
- C:\Windows\System32\ucRZveK.exe
  C:\Windows\System32\ucRZveK.exe
  2⤵
  PID:11268
- C:\Windows\System32\TnZNuYE.exe
  C:\Windows\System32\TnZNuYE.exe
  2⤵
  PID:11300
- C:\Windows\System32\dKeZLMf.exe
  C:\Windows\System32\dKeZLMf.exe
  2⤵
  PID:11328
- C:\Windows\System32\MEYWubC.exe
  C:\Windows\System32\MEYWubC.exe
  2⤵
  PID:11368
- C:\Windows\System32\MhKFnME.exe
  C:\Windows\System32\MhKFnME.exe
  2⤵
  PID:11384
- C:\Windows\System32\PNZTWFa.exe
  C:\Windows\System32\PNZTWFa.exe
  2⤵
  PID:11404
- C:\Windows\System32\AJZcPbT.exe
  C:\Windows\System32\AJZcPbT.exe
  2⤵
  PID:11452
- C:\Windows\System32\yiOsstB.exe
  C:\Windows\System32\yiOsstB.exe
  2⤵
  PID:11472
- C:\Windows\System32\ilEXChk.exe
  C:\Windows\System32\ilEXChk.exe
  2⤵
  PID:11492
- C:\Windows\System32\lMQvrkn.exe
  C:\Windows\System32\lMQvrkn.exe
  2⤵
  PID:11516
- C:\Windows\System32\VxvJRpJ.exe
  C:\Windows\System32\VxvJRpJ.exe
  2⤵
  PID:11548
- C:\Windows\System32\qQxmfNt.exe
  C:\Windows\System32\qQxmfNt.exe
  2⤵
  PID:11572
- C:\Windows\System32\WmjwPWw.exe
  C:\Windows\System32\WmjwPWw.exe
  2⤵
  PID:11596
- C:\Windows\System32\mnAghYr.exe
  C:\Windows\System32\mnAghYr.exe
  2⤵
  PID:11620
- C:\Windows\System32\TBpbiWF.exe
  C:\Windows\System32\TBpbiWF.exe
  2⤵
  PID:11640
- C:\Windows\System32\FSslatp.exe
  C:\Windows\System32\FSslatp.exe
  2⤵
  PID:11672
- C:\Windows\System32\OIbSNjb.exe
  C:\Windows\System32\OIbSNjb.exe
  2⤵
  PID:11704
- C:\Windows\System32\AOFlSWD.exe
  C:\Windows\System32\AOFlSWD.exe
  2⤵
  PID:11732
- C:\Windows\System32\SpjEfqL.exe
  C:\Windows\System32\SpjEfqL.exe
  2⤵
  PID:11760
- C:\Windows\System32\yFifTNi.exe
  C:\Windows\System32\yFifTNi.exe
  2⤵
  PID:11796
- C:\Windows\System32\SVppaGe.exe
  C:\Windows\System32\SVppaGe.exe
  2⤵
  PID:11824
- C:\Windows\System32\rUvyqMp.exe
  C:\Windows\System32\rUvyqMp.exe
  2⤵
  PID:11852
- C:\Windows\System32\etCLYjr.exe
  C:\Windows\System32\etCLYjr.exe
  2⤵
  PID:11888
- C:\Windows\System32\IJFFbWS.exe
  C:\Windows\System32\IJFFbWS.exe
  2⤵
  PID:11904
- C:\Windows\System32\ChmnNdG.exe
  C:\Windows\System32\ChmnNdG.exe
  2⤵
  PID:11948
- C:\Windows\System32\PvAEXKN.exe
  C:\Windows\System32\PvAEXKN.exe
  2⤵
  PID:11996
- C:\Windows\System32\GxFSrqO.exe
  C:\Windows\System32\GxFSrqO.exe
  2⤵
  PID:12020
- C:\Windows\System32\xDOpMAC.exe
  C:\Windows\System32\xDOpMAC.exe
  2⤵
  PID:12044
- C:\Windows\System32\wKHVYPh.exe
  C:\Windows\System32\wKHVYPh.exe
  2⤵
  PID:12060
- C:\Windows\System32\sGWInDL.exe
  C:\Windows\System32\sGWInDL.exe
  2⤵
  PID:12096
- C:\Windows\System32\CpqXghg.exe
  C:\Windows\System32\CpqXghg.exe
  2⤵
  PID:12116
- C:\Windows\System32\pNAcviy.exe
  C:\Windows\System32\pNAcviy.exe
  2⤵
  PID:12156
- C:\Windows\System32\DrpBXwD.exe
  C:\Windows\System32\DrpBXwD.exe
  2⤵
  PID:12184
- C:\Windows\System32\qBYuVDq.exe
  C:\Windows\System32\qBYuVDq.exe
  2⤵
  PID:12204
- C:\Windows\System32\DhuubAq.exe
  C:\Windows\System32\DhuubAq.exe
  2⤵
  PID:12224
- C:\Windows\System32\xovMEPs.exe
  C:\Windows\System32\xovMEPs.exe
  2⤵
  PID:12256
- C:\Windows\System32\TwbxagX.exe
  C:\Windows\System32\TwbxagX.exe
  2⤵
  PID:11292
- C:\Windows\System32\ybGowBg.exe
  C:\Windows\System32\ybGowBg.exe
  2⤵
  PID:11356
- C:\Windows\System32\THWvnik.exe
  C:\Windows\System32\THWvnik.exe
  2⤵
  PID:11440
- C:\Windows\System32\QVqrkMy.exe
  C:\Windows\System32\QVqrkMy.exe
  2⤵
  PID:11500
- C:\Windows\System32\jSqCjFh.exe
  C:\Windows\System32\jSqCjFh.exe
  2⤵
  PID:11536
- C:\Windows\System32\RWCvTbV.exe
  C:\Windows\System32\RWCvTbV.exe
  2⤵
  PID:11612
- C:\Windows\System32\ZJyVQGG.exe
  C:\Windows\System32\ZJyVQGG.exe
  2⤵
  PID:11664
- C:\Windows\System32\cwJaCud.exe
  C:\Windows\System32\cwJaCud.exe
  2⤵
  PID:11720
- C:\Windows\System32\MRtKDXu.exe
  C:\Windows\System32\MRtKDXu.exe
  2⤵
  PID:11776
- C:\Windows\System32\RdwwLQZ.exe
  C:\Windows\System32\RdwwLQZ.exe
  2⤵
  PID:11900
- C:\Windows\System32\QiTvnYT.exe
  C:\Windows\System32\QiTvnYT.exe
  2⤵
  PID:11864
- C:\Windows\System32\elqGAif.exe
  C:\Windows\System32\elqGAif.exe
  2⤵
  PID:11928
- C:\Windows\System32\kpcxUDE.exe
  C:\Windows\System32\kpcxUDE.exe
  2⤵
  PID:11992
- C:\Windows\System32\WiDvqhQ.exe
  C:\Windows\System32\WiDvqhQ.exe
  2⤵
  PID:12032
- C:\Windows\System32\KVREMRP.exe
  C:\Windows\System32\KVREMRP.exe
  2⤵
  PID:12052
- C:\Windows\System32\klBfyVC.exe
  C:\Windows\System32\klBfyVC.exe
  2⤵
  PID:12144
- C:\Windows\System32\tBAkAvc.exe
  C:\Windows\System32\tBAkAvc.exe
  2⤵
  PID:12284
- C:\Windows\System32\MoeGqiH.exe
  C:\Windows\System32\MoeGqiH.exe
  2⤵
  PID:11316
- C:\Windows\System32\PTdETKo.exe
  C:\Windows\System32\PTdETKo.exe
  2⤵
  PID:11488
- C:\Windows\System32\aYfDABw.exe
  C:\Windows\System32\aYfDABw.exe
  2⤵
  PID:11568
- C:\Windows\System32\BDDPhmD.exe
  C:\Windows\System32\BDDPhmD.exe
  2⤵
  PID:11744
- C:\Windows\System32\iILjvAl.exe
  C:\Windows\System32\iILjvAl.exe
  2⤵
  PID:11880
- C:\Windows\System32\ivKvrsg.exe
  C:\Windows\System32\ivKvrsg.exe
  2⤵
  PID:11968
- C:\Windows\System32\wSyxXCx.exe
  C:\Windows\System32\wSyxXCx.exe
  2⤵
  PID:12140
- C:\Windows\System32\YmsoZZR.exe
  C:\Windows\System32\YmsoZZR.exe
  2⤵
  PID:11380
- C:\Windows\System32\iLGkiCz.exe
  C:\Windows\System32\iLGkiCz.exe
  2⤵
  PID:11636
- C:\Windows\System32\bCbIavd.exe
  C:\Windows\System32\bCbIavd.exe
  2⤵
  PID:12340
- C:\Windows\System32\gzBwzdW.exe
  C:\Windows\System32\gzBwzdW.exe
  2⤵
  PID:12396
- C:\Windows\System32\sXwMZOs.exe
  C:\Windows\System32\sXwMZOs.exe
  2⤵
  PID:12432
- C:\Windows\System32\zcnFtkS.exe
  C:\Windows\System32\zcnFtkS.exe
  2⤵
  PID:12660
- C:\Windows\System32\rsqxYFf.exe
  C:\Windows\System32\rsqxYFf.exe
  2⤵
  PID:12676
- C:\Windows\System32\fgGiSTa.exe
  C:\Windows\System32\fgGiSTa.exe
  2⤵
  PID:12728
- C:\Windows\System32\eyAJpxJ.exe
  C:\Windows\System32\eyAJpxJ.exe
  2⤵
  PID:12768
- C:\Windows\System32\SyHoTJb.exe
  C:\Windows\System32\SyHoTJb.exe
  2⤵
  PID:12784
- C:\Windows\System32\uUjKXbt.exe
  C:\Windows\System32\uUjKXbt.exe
  2⤵
  PID:12808
- C:\Windows\System32\hiAbsBq.exe
  C:\Windows\System32\hiAbsBq.exe
  2⤵
  PID:12832
- C:\Windows\System32\eyadrnT.exe
  C:\Windows\System32\eyadrnT.exe
  2⤵
  PID:12868
- C:\Windows\System32\gETCXph.exe
  C:\Windows\System32\gETCXph.exe
  2⤵
  PID:12900
- C:\Windows\System32\NnQagAY.exe
  C:\Windows\System32\NnQagAY.exe
  2⤵
  PID:12932
- C:\Windows\System32\HAlVVkV.exe
  C:\Windows\System32\HAlVVkV.exe
  2⤵
  PID:12956
- C:\Windows\System32\PkPScvF.exe
  C:\Windows\System32\PkPScvF.exe
  2⤵
  PID:12980
- C:\Windows\System32\hGgezRN.exe
  C:\Windows\System32\hGgezRN.exe
  2⤵
  PID:13000
- C:\Windows\System32\nCPPEwM.exe
  C:\Windows\System32\nCPPEwM.exe
  2⤵
  PID:13024
- C:\Windows\System32\SANTeGA.exe
  C:\Windows\System32\SANTeGA.exe
  2⤵
  PID:13048
- C:\Windows\System32\OFfCmAr.exe
  C:\Windows\System32\OFfCmAr.exe
  2⤵
  PID:13064
- C:\Windows\System32\IgAcnpc.exe
  C:\Windows\System32\IgAcnpc.exe
  2⤵
  PID:13104
- C:\Windows\System32\sWnBtET.exe
  C:\Windows\System32\sWnBtET.exe
  2⤵
  PID:13156
- C:\Windows\System32\RVSMcnN.exe
  C:\Windows\System32\RVSMcnN.exe
  2⤵
  PID:13176
- C:\Windows\System32\qaAXejc.exe
  C:\Windows\System32\qaAXejc.exe
  2⤵
  PID:13208
- C:\Windows\System32\TwKciZs.exe
  C:\Windows\System32\TwKciZs.exe
  2⤵
  PID:13232
- C:\Windows\System32\OvaCARb.exe
  C:\Windows\System32\OvaCARb.exe
  2⤵
  PID:13256
- C:\Windows\System32\NyRvKJa.exe
  C:\Windows\System32\NyRvKJa.exe
  2⤵
  PID:13284
- C:\Windows\System32\oBKqNlA.exe
  C:\Windows\System32\oBKqNlA.exe
  2⤵
  PID:12076
- C:\Windows\System32\NUOTwna.exe
  C:\Windows\System32\NUOTwna.exe
  2⤵
  PID:12328
- C:\Windows\System32\lplAyio.exe
  C:\Windows\System32\lplAyio.exe
  2⤵
  PID:11916
- C:\Windows\System32\pOMFthZ.exe
  C:\Windows\System32\pOMFthZ.exe
  2⤵
  PID:12308
- C:\Windows\System32\HNsSPcN.exe
  C:\Windows\System32\HNsSPcN.exe
  2⤵
  PID:12472
- C:\Windows\System32\tRNwlOP.exe
  C:\Windows\System32\tRNwlOP.exe
  2⤵
  PID:12464
- C:\Windows\System32\AdZshIe.exe
  C:\Windows\System32\AdZshIe.exe
  2⤵
  PID:12492
- C:\Windows\System32\ATlQkVW.exe
  C:\Windows\System32\ATlQkVW.exe
  2⤵
  PID:12512
- C:\Windows\System32\PMkwtoa.exe
  C:\Windows\System32\PMkwtoa.exe
  2⤵
  PID:12536
- C:\Windows\System32\aiGxrzD.exe
  C:\Windows\System32\aiGxrzD.exe
  2⤵
  PID:12628
- C:\Windows\System32\QnnrspJ.exe
  C:\Windows\System32\QnnrspJ.exe
  2⤵
  PID:12560
- C:\Windows\System32\LStqnmo.exe
  C:\Windows\System32\LStqnmo.exe
  2⤵
  PID:12708
- C:\Windows\System32\ajsraEY.exe
  C:\Windows\System32\ajsraEY.exe
  2⤵
  PID:12636
- C:\Windows\System32\yjYAkRW.exe
  C:\Windows\System32\yjYAkRW.exe
  2⤵
  PID:12748
- C:\Windows\System32\pOHrYES.exe
  C:\Windows\System32\pOHrYES.exe
  2⤵
  PID:12828
- C:\Windows\System32\pRczspK.exe
  C:\Windows\System32\pRczspK.exe
  2⤵
  PID:12952
- C:\Windows\System32\vsbBllM.exe
  C:\Windows\System32\vsbBllM.exe
  2⤵
  PID:13012
- C:\Windows\System32\VXYYKrv.exe
  C:\Windows\System32\VXYYKrv.exe
  2⤵
  PID:13060
- C:\Windows\System32\NUCkYMy.exe
  C:\Windows\System32\NUCkYMy.exe
  2⤵
  PID:13084
- C:\Windows\System32\ZlsmYSF.exe
  C:\Windows\System32\ZlsmYSF.exe
  2⤵
  PID:13112
- C:\Windows\System32\onaozeB.exe
  C:\Windows\System32\onaozeB.exe
  2⤵
  PID:13172
- C:\Windows\System32\zVWcuzC.exe
  C:\Windows\System32\zVWcuzC.exe
  2⤵
  PID:13296
- C:\Windows\System32\ZmhuUSc.exe
  C:\Windows\System32\ZmhuUSc.exe
  2⤵
  PID:11320
- C:\Windows\System32\BAhyuuW.exe
  C:\Windows\System32\BAhyuuW.exe
  2⤵
  PID:12420
- C:\Windows\System32\aodhwjR.exe
  C:\Windows\System32\aodhwjR.exe
  2⤵
  PID:12428
- C:\Windows\System32\wUzFkVz.exe
  C:\Windows\System32\wUzFkVz.exe
  2⤵
  PID:12500
- C:\Windows\System32\HVqyKIK.exe
  C:\Windows\System32\HVqyKIK.exe
  2⤵
  PID:12584
- C:\Windows\System32\xMmrBvK.exe
  C:\Windows\System32\xMmrBvK.exe
  2⤵
  PID:12652
- C:\Windows\System32\ScZYGCe.exe
  C:\Windows\System32\ScZYGCe.exe
  2⤵
  PID:12780
- C:\Windows\System32\mSpvpGT.exe
  C:\Windows\System32\mSpvpGT.exe
  2⤵
  PID:12964
- C:\Windows\System32\oeQlHds.exe
  C:\Windows\System32\oeQlHds.exe
  2⤵
  PID:13192
- C:\Windows\System32\FcjWyRC.exe
  C:\Windows\System32\FcjWyRC.exe
  2⤵
  PID:12176
- C:\Windows\System32\HkdouLZ.exe
  C:\Windows\System32\HkdouLZ.exe
  2⤵
  PID:12300
- C:\Windows\System32\xnkUtwX.exe
  C:\Windows\System32\xnkUtwX.exe
  2⤵
  PID:12476
- C:\Windows\System32\esxLQjz.exe
  C:\Windows\System32\esxLQjz.exe
  2⤵
  PID:12848
- C:\Windows\System32\MePKVwL.exe
  C:\Windows\System32\MePKVwL.exe
  2⤵
  PID:13040
- C:\Windows\System32\uBfxpHj.exe
  C:\Windows\System32\uBfxpHj.exe
  2⤵
  PID:12368
- C:\Windows\System32\AuGNQaz.exe
  C:\Windows\System32\AuGNQaz.exe
  2⤵
  PID:12604
- C:\Windows\System32\yRCXNVk.exe
  C:\Windows\System32\yRCXNVk.exe
  2⤵
  PID:13072
- C:\Windows\System32\JhoGQyM.exe
  C:\Windows\System32\JhoGQyM.exe
  2⤵
  PID:13364

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\DFbGDyF.exe

Filesize
1.5MB

MD5
3141a88945f6014eef6a21f5f144cf52

SHA1
9e5786594e546f140f05d7011fd0794a90239ba4

SHA256
c4ceec6b83bfe4e7092f941838da1e583fbd04fbee19a0a9bf4c76d845aa19e4

SHA512
f9f515bc4cdda5b3143ef3d7688873789c0380c570f409beb34107ed3700fd67493c90332d2e50856686a03fad997fafee1e482ad821a84ee51d813ab718d18a

Download Submit
C:\Windows\System32\DPagqZz.exe

Filesize
1.5MB

MD5
30c2e27aefc738410755827fc413d455

SHA1
8935768c9e19baf770ccbf835832ee5e9a85a860

SHA256
093142a183e4581ffaf1110bcd37e2db2c3e297e190438ca24424cdf3795868c

SHA512
6189be6199d6ab9fad44b89cae7af2f1f3355719aaaf3f3a9068a9e0de79d92261225ca05a981b410f64b49ef6f241a18bb7e7ad413d583e415a87a926182b69

Download Submit
C:\Windows\System32\FCmATgy.exe

Filesize
1.5MB

MD5
bf397192af85a27022fe7c230d83449c

SHA1
b243c60d903239f10f1ec9f631c1382fd31ddbe7

SHA256
9305f34ad41b4db6ced6acabcbc36e879ba397aeead6396d2128cced0ec2f436

SHA512
c1aeeecb02b96eca14d37c2388b644643d2785e51faf02f8bd69e62a7dade634ee7a348e19575b14922071c6e76e33a23576d0145adff6113ae265b21fdfce72

Download Submit
C:\Windows\System32\FamLKYF.exe

Filesize
1.5MB

MD5
bda595482c75ef4e287503f9ac1ecfa2

SHA1
7b55b95a707100a24d8c09dd195385ea10547168

SHA256
abd6a288b3200175a9846c035203982e02ccfd32393cb4ee63b56c9c274f4a08

SHA512
f8e23096f0e706c610e4a3d0926b636b83028483d544c31d5335b004c98868829f8095d24835b45fa37b2609ada0b700e8459effcf9daa50faf7fccb87d348c8

Download Submit
C:\Windows\System32\FjLkcsB.exe

Filesize
1.5MB

MD5
5912cb02d340617bc8984bf2041dec21

SHA1
c466b2d25ac0d8721024ca118da7ed0b40ccf5cb

SHA256
2c707b90a1322045b0a1c846bff7a16813f3a75ef3eac25b0ecb26abd2a76f32

SHA512
5885ad5ef0f25792d0254f3a5ea98304c790504d68d0a4f4806243065b7517b797a1082ee828c750a4700242dabcb81127f261ac3e59019abda043132b8cb95c

Download Submit
C:\Windows\System32\HEamoXd.exe

Filesize
1.5MB

MD5
c998eea5b0105b1c18cd1b8c0a8c10cb

SHA1
c8f20895ea1a25b35ab3d6d30256079ac0a186fa

SHA256
aaf5c0c5a34010dca95bfc57f85ca95c9910991f9cb510887a0cd959abe6a5b6

SHA512
d281326ee409159ebefbf9b884be5bdc0f712ee589442c22d8cd5499d89159d8040ccb3b2a2a48963912ff317a85b8090658c3b232150bf2d8f84a0bf53f02a4

Download Submit
C:\Windows\System32\INDHFmX.exe

Filesize
1.5MB

MD5
e6cd35f1ccd8b10d6b85b26d344bf512

SHA1
d7a5450391c942ad2116b8aa7dcfa5a5f352707d

SHA256
c80eab4a5a607f488ee38ce8b21e76d58af2dac06cb37e0e6b22d21006300c24

SHA512
f3451b03e549a34cb16651f9ba8f702d6ea27fa8a295ea768908ed5642a54c54ad5234282ddd4adba76d9a21112bbd2831ede9ce7f30fdab28e2bbbe771d0d3c

Download Submit
C:\Windows\System32\LayGdnT.exe

Filesize
1.5MB

MD5
a6935a1f8c8cb5a8288aaaf9213fd767

SHA1
006319d432bd7ed036d68295516288ae2c33be2d

SHA256
450f0fb33e92306dd775b55d7af574bb318c075b5f5b08fac835f6d0e43ea251

SHA512
5a552918c2555772d89eccc0a1175fea74fdcf5e6548f1f04c5d31f46df825337956e4a97b9dde1c46f2d72dbdd50e421822d6afd291533f5564a99c72731dbd

Download Submit
C:\Windows\System32\MINoSEO.exe

Filesize
1.5MB

MD5
72c83dd80e2956ede3e21cd52e6782cd

SHA1
264e4dc28e720d5ac763fedad2fb72236b4d5ca5

SHA256
30e6f1c7647ca4ba3ea58bf850bb15c478bb25875174424556517f82fe209cf6

SHA512
5f57afcec909aaae2832c3b6ea1fea719833491935b50a8b5f77f137e8d8409ffa053edfe058d9989418c6aed8cfeaab8b26ab56ef0d6355d859fb73891acb7c

Download Submit
C:\Windows\System32\NFYPQjH.exe

Filesize
1.5MB

MD5
4d38f37f74f1c3fe7c7e72cd89f54263

SHA1
a2a1b426f914f19973aac443885f98596c423aa9

SHA256
11acbf8ead9e58a2b6e6065da049dfb0c741175a6ced3df3af87ab9c47ffe71c

SHA512
9b632cfbbed5a7a67d7de7b8d6f26f5aa889f20f5835ba8c941f75b8acfd673d65c1bb35882ee42c7b19957339a9ebcaee3dbc3961b68c72f1eaa255cc73890c

Download Submit
C:\Windows\System32\QytYrSM.exe

Filesize
1.5MB

MD5
2febdefa1294568d39853d5942cc652a

SHA1
ee983baca8e5fbd2d4d6a63cd4a5e4c3ab54362e

SHA256
ec078b63ee2bfd8b9de0e0ad1b56db212e8f94aad60dd5124a9a68aa45e46875

SHA512
c45cc1a9a11e1134d3392a2b03c479644fbc02ca7a3bc94f26a80292a1016b93670723b96d485d47c278c23606eef64cd56de6165aafb21766da179d6ed2d3cb

Download Submit
C:\Windows\System32\SPDGKUk.exe

Filesize
1.5MB

MD5
09f04c7ebdc8b6ff68716964ea7d3269

SHA1
44062f87285ec9234f27bf477fc1101b9fb06142

SHA256
982e2453a4e50735c943f5ff964e32bccd2e221a525bfc1a3fe047344c96dd87

SHA512
b2a7b1b57bd2e085e6217ae3fcccba43dc2100dab107ee5e40d7dc5739f45ca659e4fe82f232237f8ae03ba294695c11e72d809238be62cd561bc159f33bb267

Download Submit
C:\Windows\System32\VZjNocA.exe

Filesize
1.5MB

MD5
a45b12007336a4b2023ced365f2b2d5f

SHA1
5e7cf636501a4c2a9ec46da2b6fd82c383bf06b8

SHA256
613e925cb5e44c6820e4e35d5011b449228b6c3bd79c6074555e2d75f374ad9d

SHA512
5680ab32c282c499a0f9ebe6d1a235878ebff3344efbeb8d52f66e37d8269788bcf74442951c0e1843af34a8ce17da0851695adb35bbb5cd065a268f427b30fc

Download Submit
C:\Windows\System32\YCVvIsM.exe

Filesize
1.5MB

MD5
1b296f2ed902fac58cbe860a7b3beed4

SHA1
e748c98de61562131480f10d86115b8545b9a707

SHA256
18108924b9eee5f7134b6a8f722cadb24bbfe500583215f635bca5f4349879df

SHA512
95817def1ffbcb9def75277042ff86b67adf965e7a7a7496ba31f1de1c731bb909487de6c5fb8fa3b01512423f5b8fe077430ac728d2cc02f851a8f066848982

Download Submit
C:\Windows\System32\ZOJZmFF.exe

Filesize
1.5MB

MD5
5e00811d615fc7a923a26f07ec50e9b7

SHA1
f46ec50542fe0ffae51c07be9a4a7255694e270e

SHA256
fbbcd64a2d70bda67ef42475b3cce5321d7486905adbffe8e0cd25065cd80b8b

SHA512
445a55479c8cd889ee15dccbb2f11bffd6d694d9d216bf34ab0b57f81f9e8ba40b2fff318fdbcae706db122e8040233fa205247d21dee3a0b2e135091b756f95

Download Submit
C:\Windows\System32\ZXRGObo.exe

Filesize
1.5MB

MD5
17c412c720e2ff2f779d16d7bbb6a8b1

SHA1
5debaf156fac067b3f9700309e91120e9a0cb831

SHA256
eaf2b51eee639cfa7054f622a7fc7a7b7aa99ea052391d5bddeb15d3735066af

SHA512
d06ef90b8670e7211722a524340b4c9f7f8749c4dfe9ffca79ea5eec355b56451d7caf0baf3463a90a4d1f52e7c2dfd6ccd9a3bee7f30c9844ba7a07bacefbab

Download Submit
C:\Windows\System32\aKQLYpi.exe

Filesize
1.5MB

MD5
e1bbf676d81d75410b9fa5b2c5152e43

SHA1
88763cde79145e76662c4258d687b73af9ac1d4c

SHA256
87155b669fb62498638e13e6fa0baedbcc38d0b69ed30e1b02dd6d5fd73cfd0c

SHA512
34d0bae00e1c92a9ac21f1d67ebdf35766302703efc6fdfa6c0522c98014a975070626e860847d60be9eb9c44797700e70cf988f289f48269588436287464d56

Download Submit
C:\Windows\System32\eYnrnIN.exe

Filesize
1.5MB

MD5
791c946dacb7d75a31c70cc24145d38f

SHA1
1c51acddd1f9ae27c8d988e21afba3814ff2fc53

SHA256
89b4160591fdad2e446ecb289581ec3fcea9042730cddbb9fc1a84799fbe9c5e

SHA512
890d7db89758de8f9a3c078cb9be822ea49f49db05a5f3f68fb69710469ed00300c82de32ba6d6be33c2b2fcad80f22619617834bc493aa05bb96421360b7b6a

Download Submit
C:\Windows\System32\ekSPBdX.exe

Filesize
1.5MB

MD5
ee2e27332154a3098ef378f42b39dd23

SHA1
18ed0530a76045629cc8092724250802dc473288

SHA256
2d1a3f1ddcf4b543e5c12f2272b2d37e43aa8d9890d9bd5646f1a5463b7d5e72

SHA512
d81942d8995eef5faf5c3c5b872f2d2e90674efcd005a1d81d8b4aaa94770cd8d8f52a2b0df2ceff02fe007e2a47850e65c8a39893538633f7791d4e791ee0d5

Download Submit
C:\Windows\System32\gFCFmgu.exe

Filesize
1.5MB

MD5
6a236c578c2890329740812e09e04f9e

SHA1
b7e20aae53b98e4f99968e9586a2d79e5015542d

SHA256
e5b1c646aa9c7b8cf1cf6774c8874a01974f136ddf99df03858d445220158b34

SHA512
29147858150668c41b570c6202329fdab4a632c69335b24079fa2243d956a5e621225ff8100d57b1b2cdfc563e9eebd6092cb2fe28e55f46bb48bde126d13552

Download Submit
C:\Windows\System32\kEXxCNq.exe

Filesize
1.5MB

MD5
b1e34d2c7b341477d7ad9bdd64c8f6d7

SHA1
7857ebff55fbdfbdc62b9c79952af1c6c304d7d0

SHA256
80a28c4603b585c563a3aaf91fe5dd565c296e80274248fcc41c3f253b679eb3

SHA512
0ef73912cca2314c8aad38182437f7f7b7ed86f4588c62572eab0cbf8f36016411f2f90bc9ac4a5aaa2470366a62abf4e2940363e1f40953193831571bee3ded

Download Submit
C:\Windows\System32\lJehvqt.exe

Filesize
1.5MB

MD5
ed776f77f787628a6f2cfaf0ecb0173b

SHA1
513b852424441f93ff98b36c85f70c593236e940

SHA256
1e62210d25344e0cd8b4a9898ccec197c67e00c208f2251a7cdb30698f8867fd

SHA512
1dbf7e8b852c368a95851e57d0b4b407b8e4dc47f0552e9dc9e5feca17411a35094a2d3836af5a8dd6df16e46d8879d45a5b32ace1367ce4c70cad4e471e2340

Download Submit
C:\Windows\System32\oGMQYdk.exe

Filesize
1.5MB

MD5
cd7016b3c451d473d8547314e27da0f3

SHA1
cede6ba7bf65b4e5d298eae04faa54a00a500473

SHA256
554bd80277691f02eabba550c96905a084327bcebc9470db31d23706eeee6486

SHA512
e2f795d0e6f477d5b244c7f8040a7d22118eabeb8241e7578744fc761128c11eb9b6f39535d93e5e6c517c4da2f0673993974559daf037d59beb1641d0b28878

Download Submit
C:\Windows\System32\qxgNUGt.exe

Filesize
1.5MB

MD5
d39e9346ae110ea38221f2071b6380eb

SHA1
0eda2d691130a9c10d0a0db916103c667f32116b

SHA256
6f18b036c611d2b4bb55ff44469887b41c4b7b61b1158f0a8645ba0a0d2e26a1

SHA512
854227764f234a2e6c469ba84f9081b16639895c99dac5d4b4415e0794759b759d4158535450252b2c433d088a28e8e3dda6156b82853868baf05f1d42750429

Download Submit
C:\Windows\System32\rTbQwcw.exe

Filesize
1.5MB

MD5
98677b5fd9b1de247019ce1e24a5f83d

SHA1
49d01e487f2ec0837eed41e1310650c6f3a2a5b7

SHA256
210c4ba8e71aaee7c45a7c095e522886db755f166769b55fe8e54b66c341317e

SHA512
82bca378f5a4ceaa026f551a0ad834ead548b9b3235175fee41096652f998fd1b76ec330a4a05c87b3f31aa3c9ac7e60071538336a72a7727036cbec976c807d

Download Submit
C:\Windows\System32\sAVmWBb.exe

Filesize
1.5MB

MD5
aadb057fd1ac28ed68a78afc6bb80e98

SHA1
238b2720fbd38b18ee7d909258cb752516823294

SHA256
90af8e9a326044a139211c9f487bd71ead14c2869f1a80da44640b970e25bcc0

SHA512
78375faa36103cf9682375df6b60e00aa4ff7056fa4d813588306198d954d844602657b224516c8acdb22c71ea7cf7fb752d6f969a04441478353d9676403353

Download Submit
C:\Windows\System32\tucarJg.exe

Filesize
1.5MB

MD5
e58f7b07a71b461ad36f075679289c86

SHA1
669443dbf1541a69854297ed42327e914d9858a9

SHA256
110e2ec89d500e7c3407f2ced8fe4030338d7ea01d896d2b8fdbf8ee2d6b2eb1

SHA512
3c94b05e801a576ba067c5a8d0269cea7cd99fc3ffb51c91f9f5a6975bdd62c8796a9af93773eeb60e077952380b67128b7d0469141ca8c7f47316fc296ed58e

Download Submit
C:\Windows\System32\uJACtis.exe

Filesize
1.5MB

MD5
eddb68eda6b624600bc8af00fc6646e3

SHA1
84f3a573ba28d972c3f8689040b99d9060786de1

SHA256
20710f5362bc7b478101ca2694d7c4d6e5fec4bb9dcadd5180a1bdbf90e84764

SHA512
ba98076dc8ffb49cd77fe6bf4fb8da6da9049c0715cc2f8267b50219c1e3669581dbdabaa4740937e57f54afaf9b45cb5785a8b4edb368eaeed60718dad1c780

Download Submit
C:\Windows\System32\ullhebH.exe

Filesize
1.5MB

MD5
65da54d443db928daf2c04c4e585ff5c

SHA1
286ee0617ff7a17a36300bc6a2e9baf21eb88214

SHA256
98087eb63a3da72e0cb46a764015db202e55cd28646008a83614c64c23e8c856

SHA512
653d3a5f7b44f8e1540f3b501fcbbae5f844bfb61714b9d89a10137c39ad4af0b14e1eb3a6fba0147cd0f1ac5fbeac8d9d5456daeaf7ec9a80a2dd2c434ce579

Download Submit
C:\Windows\System32\xyZxAdr.exe

Filesize
1.5MB

MD5
a87078c491248f1891321d9bdef58a78

SHA1
140a331adbe70a849bc83230b5e954cb1487bcf4

SHA256
ea0c8685910249f04b3ac549016cdab4629b8e65cdbde7a4c942b4b22064888b

SHA512
1d6fc6cc0dafcd6125e7e3f5fc7ada8ffc5a778ce0b30fd7e918bb21e0b82ed7fb20551013ee4ac6198148c5849a3f4794c081da6d67b1dbf8b613bb8d7586af

Download Submit
C:\Windows\System32\yVOyioj.exe

Filesize
1.5MB

MD5
b5008fa31637f8e2e9e05a711fe9caa6

SHA1
d0c2234444c357c7bc434ae58257a46849bcdc22

SHA256
97c2e0306a891de24f694b5ce82da113de921e0b8cc0a514ad4ab4bcf520c43b

SHA512
c8494b4ea5deb965be6883574cf223b77be5986141428a830d58a652fbe94e09fa76bba6691b52aeca4660d41cbe84763a5e89459dfb3972b3e1573f9c49af23

Download Submit
C:\Windows\System32\zxTsLRW.exe

Filesize
1.5MB

MD5
d3ef2ec85dc9318ac088d982698cb3bd

SHA1
65cbc31c3289a16683bc7a9523a098437705e008

SHA256
65753a850d38e6c6393c4b688755733cd714fb2e4590c2f5b71bb68c1789cc9e

SHA512
84122e6414f5707de614819acb40b70bb1a5c6681803b27885c3c456a0589e78f1c947ea5abbac43b4ff6ecf5d5cee379cb822b0974c5533417f081300071464

Download Submit
memory/320-2130-0x00007FF66A8A0000-0x00007FF66AC91000-memory.dmp

Filesize
3.9MB

Download
memory/320-401-0x00007FF66A8A0000-0x00007FF66AC91000-memory.dmp

Filesize
3.9MB

Download
memory/432-2176-0x00007FF6DC460000-0x00007FF6DC851000-memory.dmp

Filesize
3.9MB

Download
memory/432-439-0x00007FF6DC460000-0x00007FF6DC851000-memory.dmp

Filesize
3.9MB

Download
memory/1064-409-0x00007FF733AD0000-0x00007FF733EC1000-memory.dmp

Filesize
3.9MB

Download
memory/1064-2153-0x00007FF733AD0000-0x00007FF733EC1000-memory.dmp

Filesize
3.9MB

Download
memory/1376-2185-0x00007FF7AE790000-0x00007FF7AEB81000-memory.dmp

Filesize
3.9MB

Download
memory/1376-473-0x00007FF7AE790000-0x00007FF7AEB81000-memory.dmp

Filesize
3.9MB

Download
memory/1460-2126-0x00007FF7E7B00000-0x00007FF7E7EF1000-memory.dmp

Filesize
3.9MB

Download
memory/1460-1404-0x00007FF7E7B00000-0x00007FF7E7EF1000-memory.dmp

Filesize
3.9MB

Download
memory/1460-15-0x00007FF7E7B00000-0x00007FF7E7EF1000-memory.dmp

Filesize
3.9MB

Download
memory/1688-403-0x00007FF7B4B50000-0x00007FF7B4F41000-memory.dmp

Filesize
3.9MB

Download
memory/1832-2178-0x00007FF6FF630000-0x00007FF6FFA21000-memory.dmp

Filesize
3.9MB

Download
memory/1832-452-0x00007FF6FF630000-0x00007FF6FFA21000-memory.dmp

Filesize
3.9MB

Download
memory/2016-404-0x00007FF65B390000-0x00007FF65B781000-memory.dmp

Filesize
3.9MB

Download
memory/2016-2137-0x00007FF65B390000-0x00007FF65B781000-memory.dmp

Filesize
3.9MB

Download
memory/2256-468-0x00007FF633DA0000-0x00007FF634191000-memory.dmp

Filesize
3.9MB

Download
memory/2256-2187-0x00007FF633DA0000-0x00007FF634191000-memory.dmp

Filesize
3.9MB

Download
memory/2424-497-0x00007FF70EDB0000-0x00007FF70F1A1000-memory.dmp

Filesize
3.9MB

Download
memory/3224-479-0x00007FF728220000-0x00007FF728611000-memory.dmp

Filesize
3.9MB

Download
memory/3224-2214-0x00007FF728220000-0x00007FF728611000-memory.dmp

Filesize
3.9MB

Download
memory/3324-2174-0x00007FF61F660000-0x00007FF61FA51000-memory.dmp

Filesize
3.9MB

Download
memory/3324-433-0x00007FF61F660000-0x00007FF61FA51000-memory.dmp

Filesize
3.9MB

Download
memory/3452-490-0x00007FF712F80000-0x00007FF713371000-memory.dmp

Filesize
3.9MB

Download
memory/3452-2228-0x00007FF712F80000-0x00007FF713371000-memory.dmp

Filesize
3.9MB

Download
memory/3476-2134-0x00007FF6FFB20000-0x00007FF6FFF11000-memory.dmp

Filesize
3.9MB

Download
memory/3476-402-0x00007FF6FFB20000-0x00007FF6FFF11000-memory.dmp

Filesize
3.9MB

Download
memory/3668-2128-0x00007FF7963A0000-0x00007FF796791000-memory.dmp

Filesize
3.9MB

Download
memory/3668-1413-0x00007FF7963A0000-0x00007FF796791000-memory.dmp

Filesize
3.9MB

Download
memory/3668-400-0x00007FF7963A0000-0x00007FF796791000-memory.dmp

Filesize
3.9MB

Download
memory/3736-2149-0x00007FF64A390000-0x00007FF64A781000-memory.dmp

Filesize
3.9MB

Download
memory/3736-405-0x00007FF64A390000-0x00007FF64A781000-memory.dmp

Filesize
3.9MB

Download
memory/3744-2124-0x00007FF7862D0000-0x00007FF7866C1000-memory.dmp

Filesize
3.9MB

Download
memory/3744-9-0x00007FF7862D0000-0x00007FF7866C1000-memory.dmp

Filesize
3.9MB

Download
memory/3744-1311-0x00007FF7862D0000-0x00007FF7866C1000-memory.dmp

Filesize
3.9MB

Download
memory/4044-2182-0x00007FF62B450000-0x00007FF62B841000-memory.dmp

Filesize
3.9MB

Download
memory/4044-466-0x00007FF62B450000-0x00007FF62B841000-memory.dmp

Filesize
3.9MB

Download
memory/4060-2132-0x00007FF6AC000000-0x00007FF6AC3F1000-memory.dmp

Filesize
3.9MB

Download
memory/4060-502-0x00007FF6AC000000-0x00007FF6AC3F1000-memory.dmp

Filesize
3.9MB

Download
memory/4132-2179-0x00007FF6F4330000-0x00007FF6F4721000-memory.dmp

Filesize
3.9MB

Download
memory/4132-423-0x00007FF6F4330000-0x00007FF6F4721000-memory.dmp

Filesize
3.9MB

Download
memory/4152-457-0x00007FF613760000-0x00007FF613B51000-memory.dmp

Filesize
3.9MB

Download
memory/4152-2183-0x00007FF613760000-0x00007FF613B51000-memory.dmp

Filesize
3.9MB

Download
memory/4196-2151-0x00007FF7B9E30000-0x00007FF7BA221000-memory.dmp

Filesize
3.9MB

Download
memory/4196-418-0x00007FF7B9E30000-0x00007FF7BA221000-memory.dmp

Filesize
3.9MB

Download
memory/4324-406-0x00007FF6CF150000-0x00007FF6CF541000-memory.dmp

Filesize
3.9MB

Download
memory/4656-2230-0x00007FF67C8F0000-0x00007FF67CCE1000-memory.dmp

Filesize
3.9MB

Download
memory/4656-486-0x00007FF67C8F0000-0x00007FF67CCE1000-memory.dmp

Filesize
3.9MB

Download
memory/5040-1204-0x00007FF7BCA50000-0x00007FF7BCE41000-memory.dmp

Filesize
3.9MB

Download
memory/5040-1-0x0000013BF9750000-0x0000013BF9760000-memory.dmp

Filesize
64KB

Download
memory/5040-0-0x00007FF7BCA50000-0x00007FF7BCE41000-memory.dmp

Filesize
3.9MB

Download