xmrig | 6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9a

Analysis

max time kernel
112s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
Size

1.3MB
MD5

71ed27b2743a55a7b993f171831d6000
SHA1

209af792df6bcfd43b00b906df1525d434c2fc9b
SHA256

6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9a
SHA512

e5362899c0aacea112bb7d00a6f62e0b539fc0b830c68f062c9423a5bca5ab9ea859018ec462b1d5758a974becbc084c0cc080cee9806ae2bb5d3fcad7f904be
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XCGiApbVUqK73GUhU/S:knw9oUUEEDlGUrGiAAqK7R1

Score

10^/10

xmrig miner upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/4804-115-0x00007FF7DB2D0000-0x00007FF7DB6C1000-memory.dmp	xmrig
behavioral2/memory/3172-194-0x00007FF713FE0000-0x00007FF7143D1000-memory.dmp	xmrig
behavioral2/memory/4676-200-0x00007FF71BD40000-0x00007FF71C131000-memory.dmp	xmrig
behavioral2/memory/1044-199-0x00007FF682F70000-0x00007FF683361000-memory.dmp	xmrig
behavioral2/memory/3208-198-0x00007FF628B30000-0x00007FF628F21000-memory.dmp	xmrig
behavioral2/memory/3276-197-0x00007FF72A540000-0x00007FF72A931000-memory.dmp	xmrig
behavioral2/memory/3516-196-0x00007FF715300000-0x00007FF7156F1000-memory.dmp	xmrig
behavioral2/memory/2428-193-0x00007FF71ABA0000-0x00007FF71AF91000-memory.dmp	xmrig
behavioral2/memory/244-148-0x00007FF6FE270000-0x00007FF6FE661000-memory.dmp	xmrig
behavioral2/memory/4084-86-0x00007FF6CF200000-0x00007FF6CF5F1000-memory.dmp	xmrig
behavioral2/memory/3440-77-0x00007FF78E990000-0x00007FF78ED81000-memory.dmp	xmrig
behavioral2/memory/4884-73-0x00007FF60DFE0000-0x00007FF60E3D1000-memory.dmp	xmrig
behavioral2/memory/2996-72-0x00007FF68A100000-0x00007FF68A4F1000-memory.dmp	xmrig
behavioral2/memory/1436-61-0x00007FF67AA10000-0x00007FF67AE01000-memory.dmp	xmrig
behavioral2/memory/1436-201-0x00007FF67AA10000-0x00007FF67AE01000-memory.dmp	xmrig
behavioral2/memory/2692-209-0x00007FF6308D0000-0x00007FF630CC1000-memory.dmp	xmrig
behavioral2/memory/1064-212-0x00007FF6253D0000-0x00007FF6257C1000-memory.dmp	xmrig
behavioral2/memory/4468-497-0x00007FF7EA840000-0x00007FF7EAC31000-memory.dmp	xmrig
behavioral2/memory/4964-656-0x00007FF78D3D0000-0x00007FF78D7C1000-memory.dmp	xmrig
behavioral2/memory/4700-645-0x00007FF727100000-0x00007FF7274F1000-memory.dmp	xmrig
behavioral2/memory/1884-880-0x00007FF78C8A0000-0x00007FF78CC91000-memory.dmp	xmrig
behavioral2/memory/2296-885-0x00007FF609EA0000-0x00007FF60A291000-memory.dmp	xmrig
behavioral2/memory/4932-1019-0x00007FF6540A0000-0x00007FF654491000-memory.dmp	xmrig
behavioral2/memory/3588-1023-0x00007FF7BC200000-0x00007FF7BC5F1000-memory.dmp	xmrig
behavioral2/memory/2680-1010-0x00007FF71FC10000-0x00007FF720001000-memory.dmp	xmrig
behavioral2/memory/4256-1012-0x00007FF6551B0000-0x00007FF6555A1000-memory.dmp	xmrig
behavioral2/memory/1436-2133-0x00007FF67AA10000-0x00007FF67AE01000-memory.dmp	xmrig
behavioral2/memory/4884-2135-0x00007FF60DFE0000-0x00007FF60E3D1000-memory.dmp	xmrig
behavioral2/memory/2996-2138-0x00007FF68A100000-0x00007FF68A4F1000-memory.dmp	xmrig
behavioral2/memory/4804-2145-0x00007FF7DB2D0000-0x00007FF7DB6C1000-memory.dmp	xmrig
behavioral2/memory/244-2143-0x00007FF6FE270000-0x00007FF6FE661000-memory.dmp	xmrig
behavioral2/memory/1044-2147-0x00007FF682F70000-0x00007FF683361000-memory.dmp	xmrig
behavioral2/memory/2692-2149-0x00007FF6308D0000-0x00007FF630CC1000-memory.dmp	xmrig
behavioral2/memory/4084-2142-0x00007FF6CF200000-0x00007FF6CF5F1000-memory.dmp	xmrig
behavioral2/memory/3440-2139-0x00007FF78E990000-0x00007FF78ED81000-memory.dmp	xmrig
behavioral2/memory/1064-2172-0x00007FF6253D0000-0x00007FF6257C1000-memory.dmp	xmrig
behavioral2/memory/4468-2170-0x00007FF7EA840000-0x00007FF7EAC31000-memory.dmp	xmrig
behavioral2/memory/4256-2195-0x00007FF6551B0000-0x00007FF6555A1000-memory.dmp	xmrig
behavioral2/memory/1884-2196-0x00007FF78C8A0000-0x00007FF78CC91000-memory.dmp	xmrig
behavioral2/memory/4932-2198-0x00007FF6540A0000-0x00007FF654491000-memory.dmp	xmrig
behavioral2/memory/2680-2192-0x00007FF71FC10000-0x00007FF720001000-memory.dmp	xmrig
behavioral2/memory/2296-2190-0x00007FF609EA0000-0x00007FF60A291000-memory.dmp	xmrig
behavioral2/memory/4964-2188-0x00007FF78D3D0000-0x00007FF78D7C1000-memory.dmp	xmrig
behavioral2/memory/2428-2205-0x00007FF71ABA0000-0x00007FF71AF91000-memory.dmp	xmrig
behavioral2/memory/3172-2231-0x00007FF713FE0000-0x00007FF7143D1000-memory.dmp	xmrig
behavioral2/memory/3516-2201-0x00007FF715300000-0x00007FF7156F1000-memory.dmp	xmrig
behavioral2/memory/3208-2239-0x00007FF628B30000-0x00007FF628F21000-memory.dmp	xmrig
behavioral2/memory/3588-2187-0x00007FF7BC200000-0x00007FF7BC5F1000-memory.dmp	xmrig
behavioral2/memory/4700-2184-0x00007FF727100000-0x00007FF7274F1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2996	WlyorRr.exe
4884	CWmBcWl.exe
3440	mifFXwX.exe
4084	vljLuZL.exe
4804	oetjTEz.exe
244	rRiJnwt.exe
1044	JTfMeZs.exe
2692	LvTIXOf.exe
1064	BMazGZo.exe
4468	RrPcBjE.exe
4700	wedrlNN.exe
4964	ajFGbAs.exe
1884	DYfeCQi.exe
2680	SjzMFBF.exe
2296	GOqBTpW.exe
4256	EMCXyYT.exe
4932	KtYhSHu.exe
3588	oUIcylF.exe
2428	wyPAafX.exe
3172	DGHvCOK.exe
3516	tRugmvv.exe
4676	xbskmqu.exe
3276	hIzhEjV.exe
3208	AuJcHcz.exe
5048	MvwKJEd.exe
4160	GrTbiEY.exe
3212	yYkQALt.exe
4136	RfvLgCO.exe
1520	vgendzU.exe
1920	aCjBeOJ.exe
3496	GTRoOOc.exe
680	jQYRWwW.exe
2744	YAgfVlr.exe
4808	HrDIvys.exe
1664	CpZKGcd.exe
2328	kBtnnWD.exe
1868	UOOKRvN.exe
548	NhcSGgP.exe
4432	eKWJbgu.exe
4376	lZIqGIg.exe
3120	sqIHwRi.exe
392	FODGHme.exe
1368	YPBjENF.exe
2552	xXyoUYZ.exe
3480	ughZKQF.exe
4916	pLqxyYp.exe
4436	bKzcNEQ.exe
2368	XzHUpnS.exe
4536	TFgVEIa.exe
2448	cIxbwiC.exe
468	TgKVwAP.exe
928	ojNOcyO.exe
3176	bVYJSQb.exe
2916	mlNbqXQ.exe
2852	eUDnGrR.exe
1952	OqpGBWz.exe
3692	VssHzXw.exe
2844	uRnhEgw.exe
4792	cEmCmKw.exe
3180	zBHNnyB.exe
4504	byqxHqO.exe
1428	LwEiGrp.exe
2784	qiDaPQY.exe
892	wvRfXkE.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DRWqnkM.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\jrHTPUg.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\JOLlUYf.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\ughZKQF.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\civFlTL.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\KgIrNec.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\kuKCzpf.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\HpVVvEW.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\NlEEGID.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\OyYiiuX.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\QkFtRAz.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\tAiVatb.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\BmKJIgq.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\DOVWVBP.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\mPthhQn.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\OWTWhbp.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\ALkhBab.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\rpDcwWh.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\GatjKaJ.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\mCaJCcK.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\gUiXDFT.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\zyzZmhE.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\vOxMNBT.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\CqxYDcQ.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\skiENgq.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\FPnNJMY.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\WWrtfuy.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\EfJvwPG.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\OptLspo.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\jGKAvmd.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\DWsyjuU.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\nXcEmGh.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\XpIBqoX.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\VyJoGqU.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\iLNIJaC.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\PRiQcYC.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\pZJOrkS.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\apaUQVY.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\ifFZBEf.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\ZTNTfJY.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\HCBPvyK.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\nbIeDoJ.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\SjzMFBF.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\XgxcbMG.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\oetjTEz.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\zAIDrsE.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\mcSeyHD.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\mYhWfuf.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\fThBAXx.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\RXFVwXV.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\Dzmndnd.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\VsDISfv.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\nTUZjRb.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\REuPMnQ.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\oUIcylF.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\CpZKGcd.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\VZpeZPs.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\PjaZLbC.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\NodAVsg.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\BHJjnNz.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\GTRoOOc.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\agRTnwj.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\GqwvgKL.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
File created	C:\Windows\System32\HbcAdVi.exe	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1436-0-0x00007FF67AA10000-0x00007FF67AE01000-memory.dmp	upx
behavioral2/files/0x000b000000023b65-4.dat	upx
behavioral2/memory/2996-8-0x00007FF68A100000-0x00007FF68A4F1000-memory.dmp	upx
behavioral2/files/0x000a000000023b66-9.dat	upx
behavioral2/files/0x000a000000023b67-12.dat	upx
behavioral2/files/0x000a000000023b69-25.dat	upx
behavioral2/files/0x000a000000023b68-29.dat	upx
behavioral2/memory/244-36-0x00007FF6FE270000-0x00007FF6FE661000-memory.dmp	upx
behavioral2/memory/1044-42-0x00007FF682F70000-0x00007FF683361000-memory.dmp	upx
behavioral2/files/0x000a000000023b6d-51.dat	upx
behavioral2/files/0x000a000000023b6e-56.dat	upx
behavioral2/memory/4468-62-0x00007FF7EA840000-0x00007FF7EAC31000-memory.dmp	upx
behavioral2/memory/4964-76-0x00007FF78D3D0000-0x00007FF78D7C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b6f-78.dat	upx
behavioral2/files/0x000a000000023b76-95.dat	upx
behavioral2/files/0x000a000000023b70-99.dat	upx
behavioral2/memory/4804-115-0x00007FF7DB2D0000-0x00007FF7DB6C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b78-134.dat	upx
behavioral2/files/0x000a000000023b79-165.dat	upx
behavioral2/files/0x000a000000023b82-176.dat	upx
behavioral2/memory/3172-194-0x00007FF713FE0000-0x00007FF7143D1000-memory.dmp	upx
behavioral2/memory/4676-200-0x00007FF71BD40000-0x00007FF71C131000-memory.dmp	upx
behavioral2/memory/1044-199-0x00007FF682F70000-0x00007FF683361000-memory.dmp	upx
behavioral2/memory/3208-198-0x00007FF628B30000-0x00007FF628F21000-memory.dmp	upx
behavioral2/memory/3276-197-0x00007FF72A540000-0x00007FF72A931000-memory.dmp	upx
behavioral2/memory/3516-196-0x00007FF715300000-0x00007FF7156F1000-memory.dmp	upx
behavioral2/memory/2428-193-0x00007FF71ABA0000-0x00007FF71AF91000-memory.dmp	upx
behavioral2/files/0x000a000000023b7e-187.dat	upx
behavioral2/files/0x000a000000023b7d-186.dat	upx
behavioral2/files/0x000a000000023b7c-184.dat	upx
behavioral2/files/0x000a000000023b7b-182.dat	upx
behavioral2/files/0x000a000000023b7a-180.dat	upx
behavioral2/files/0x000a000000023b84-174.dat	upx
behavioral2/files/0x000a000000023b85-172.dat	upx
behavioral2/files/0x000a000000023b83-166.dat	upx
behavioral2/files/0x000b000000023b63-163.dat	upx
behavioral2/files/0x000a000000023b77-162.dat	upx
behavioral2/files/0x000a000000023b81-157.dat	upx
behavioral2/files/0x000a000000023b80-156.dat	upx
behavioral2/files/0x000a000000023b7f-155.dat	upx
behavioral2/memory/244-148-0x00007FF6FE270000-0x00007FF6FE661000-memory.dmp	upx
behavioral2/files/0x000a000000023b72-113.dat	upx
behavioral2/files/0x000a000000023b75-109.dat	upx
behavioral2/files/0x000a000000023b73-107.dat	upx
behavioral2/files/0x000a000000023b74-105.dat	upx
behavioral2/memory/3588-104-0x00007FF7BC200000-0x00007FF7BC5F1000-memory.dmp	upx
behavioral2/memory/4932-103-0x00007FF6540A0000-0x00007FF654491000-memory.dmp	upx
behavioral2/memory/4256-102-0x00007FF6551B0000-0x00007FF6555A1000-memory.dmp	upx
behavioral2/files/0x000a000000023b71-101.dat	upx
behavioral2/memory/2296-98-0x00007FF609EA0000-0x00007FF60A291000-memory.dmp	upx
behavioral2/memory/2680-96-0x00007FF71FC10000-0x00007FF720001000-memory.dmp	upx
behavioral2/memory/4084-86-0x00007FF6CF200000-0x00007FF6CF5F1000-memory.dmp	upx
behavioral2/memory/1884-81-0x00007FF78C8A0000-0x00007FF78CC91000-memory.dmp	upx
behavioral2/memory/3440-77-0x00007FF78E990000-0x00007FF78ED81000-memory.dmp	upx
behavioral2/memory/4884-73-0x00007FF60DFE0000-0x00007FF60E3D1000-memory.dmp	upx
behavioral2/memory/2996-72-0x00007FF68A100000-0x00007FF68A4F1000-memory.dmp	upx
behavioral2/memory/4700-67-0x00007FF727100000-0x00007FF7274F1000-memory.dmp	upx
behavioral2/memory/1436-61-0x00007FF67AA10000-0x00007FF67AE01000-memory.dmp	upx
behavioral2/memory/1064-58-0x00007FF6253D0000-0x00007FF6257C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b6c-52.dat	upx
behavioral2/memory/2692-47-0x00007FF6308D0000-0x00007FF630CC1000-memory.dmp	upx
behavioral2/files/0x000a000000023b6b-46.dat	upx
behavioral2/files/0x000a000000023b6a-37.dat	upx
behavioral2/memory/4804-28-0x00007FF7DB2D0000-0x00007FF7DB6C1000-memory.dmp	upx

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13920	dwm.exe
Token: SeChangeNotifyPrivilege	13920	dwm.exe
Token: 33	13920	dwm.exe
Token: SeIncBasePriorityPrivilege	13920	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 2996	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	84
PID 1436 wrote to memory of 2996	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	84
PID 1436 wrote to memory of 4884	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	85
PID 1436 wrote to memory of 4884	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	85
PID 1436 wrote to memory of 3440	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	86
PID 1436 wrote to memory of 3440	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	86
PID 1436 wrote to memory of 4084	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	87
PID 1436 wrote to memory of 4084	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	87
PID 1436 wrote to memory of 4804	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	88
PID 1436 wrote to memory of 4804	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	88
PID 1436 wrote to memory of 244	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	89
PID 1436 wrote to memory of 244	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	89
PID 1436 wrote to memory of 1044	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	90
PID 1436 wrote to memory of 1044	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	90
PID 1436 wrote to memory of 2692	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	91
PID 1436 wrote to memory of 2692	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	91
PID 1436 wrote to memory of 1064	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	92
PID 1436 wrote to memory of 1064	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	92
PID 1436 wrote to memory of 4468	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	93
PID 1436 wrote to memory of 4468	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	93
PID 1436 wrote to memory of 4700	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	94
PID 1436 wrote to memory of 4700	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	94
PID 1436 wrote to memory of 4964	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	95
PID 1436 wrote to memory of 4964	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	95
PID 1436 wrote to memory of 1884	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	96
PID 1436 wrote to memory of 1884	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	96
PID 1436 wrote to memory of 2680	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	97
PID 1436 wrote to memory of 2680	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	97
PID 1436 wrote to memory of 2296	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	98
PID 1436 wrote to memory of 2296	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	98
PID 1436 wrote to memory of 4256	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	99
PID 1436 wrote to memory of 4256	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	99
PID 1436 wrote to memory of 4932	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	100
PID 1436 wrote to memory of 4932	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	100
PID 1436 wrote to memory of 3588	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	101
PID 1436 wrote to memory of 3588	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	101
PID 1436 wrote to memory of 2428	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	102
PID 1436 wrote to memory of 2428	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	102
PID 1436 wrote to memory of 3172	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	103
PID 1436 wrote to memory of 3172	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	103
PID 1436 wrote to memory of 3516	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	104
PID 1436 wrote to memory of 3516	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	104
PID 1436 wrote to memory of 2744	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	105
PID 1436 wrote to memory of 2744	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	105
PID 1436 wrote to memory of 4676	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	106
PID 1436 wrote to memory of 4676	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	106
PID 1436 wrote to memory of 3276	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	107
PID 1436 wrote to memory of 3276	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	107
PID 1436 wrote to memory of 3208	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	108
PID 1436 wrote to memory of 3208	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	108
PID 1436 wrote to memory of 5048	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	109
PID 1436 wrote to memory of 5048	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	109
PID 1436 wrote to memory of 4160	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	110
PID 1436 wrote to memory of 4160	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	110
PID 1436 wrote to memory of 3212	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	111
PID 1436 wrote to memory of 3212	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	111
PID 1436 wrote to memory of 4136	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	112
PID 1436 wrote to memory of 4136	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	112
PID 1436 wrote to memory of 1520	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	113
PID 1436 wrote to memory of 1520	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	113
PID 1436 wrote to memory of 1920	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	114
PID 1436 wrote to memory of 1920	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	114
PID 1436 wrote to memory of 3496	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	115
PID 1436 wrote to memory of 3496	1436	6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe	115

C:\Users\Admin\AppData\Local\Temp\6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe
"C:\Users\Admin\AppData\Local\Temp\6ac42bc91f332e22456e16cf019b1fcda1036a631a3eac3cdcd4288ef63afe9aN.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\System32\WlyorRr.exe
  C:\Windows\System32\WlyorRr.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System32\CWmBcWl.exe
  C:\Windows\System32\CWmBcWl.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System32\mifFXwX.exe
  C:\Windows\System32\mifFXwX.exe
  2⤵
  - Executes dropped EXE
  PID:3440
- C:\Windows\System32\vljLuZL.exe
  C:\Windows\System32\vljLuZL.exe
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Windows\System32\oetjTEz.exe
  C:\Windows\System32\oetjTEz.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System32\rRiJnwt.exe
  C:\Windows\System32\rRiJnwt.exe
  2⤵
  - Executes dropped EXE
  PID:244
- C:\Windows\System32\JTfMeZs.exe
  C:\Windows\System32\JTfMeZs.exe
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\System32\LvTIXOf.exe
  C:\Windows\System32\LvTIXOf.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System32\BMazGZo.exe
  C:\Windows\System32\BMazGZo.exe
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Windows\System32\RrPcBjE.exe
  C:\Windows\System32\RrPcBjE.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System32\wedrlNN.exe
  C:\Windows\System32\wedrlNN.exe
  2⤵
  - Executes dropped EXE
  PID:4700
- C:\Windows\System32\ajFGbAs.exe
  C:\Windows\System32\ajFGbAs.exe
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\Windows\System32\DYfeCQi.exe
  C:\Windows\System32\DYfeCQi.exe
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\System32\SjzMFBF.exe
  C:\Windows\System32\SjzMFBF.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System32\GOqBTpW.exe
  C:\Windows\System32\GOqBTpW.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System32\EMCXyYT.exe
  C:\Windows\System32\EMCXyYT.exe
  2⤵
  - Executes dropped EXE
  PID:4256
- C:\Windows\System32\KtYhSHu.exe
  C:\Windows\System32\KtYhSHu.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System32\oUIcylF.exe
  C:\Windows\System32\oUIcylF.exe
  2⤵
  - Executes dropped EXE
  PID:3588
- C:\Windows\System32\wyPAafX.exe
  C:\Windows\System32\wyPAafX.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System32\DGHvCOK.exe
  C:\Windows\System32\DGHvCOK.exe
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Windows\System32\tRugmvv.exe
  C:\Windows\System32\tRugmvv.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Windows\System32\YAgfVlr.exe
  C:\Windows\System32\YAgfVlr.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System32\xbskmqu.exe
  C:\Windows\System32\xbskmqu.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System32\hIzhEjV.exe
  C:\Windows\System32\hIzhEjV.exe
  2⤵
  - Executes dropped EXE
  PID:3276
- C:\Windows\System32\AuJcHcz.exe
  C:\Windows\System32\AuJcHcz.exe
  2⤵
  - Executes dropped EXE
  PID:3208
- C:\Windows\System32\MvwKJEd.exe
  C:\Windows\System32\MvwKJEd.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System32\GrTbiEY.exe
  C:\Windows\System32\GrTbiEY.exe
  2⤵
  - Executes dropped EXE
  PID:4160
- C:\Windows\System32\yYkQALt.exe
  C:\Windows\System32\yYkQALt.exe
  2⤵
  - Executes dropped EXE
  PID:3212
- C:\Windows\System32\RfvLgCO.exe
  C:\Windows\System32\RfvLgCO.exe
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\Windows\System32\vgendzU.exe
  C:\Windows\System32\vgendzU.exe
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\System32\aCjBeOJ.exe
  C:\Windows\System32\aCjBeOJ.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System32\GTRoOOc.exe
  C:\Windows\System32\GTRoOOc.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System32\jQYRWwW.exe
  C:\Windows\System32\jQYRWwW.exe
  2⤵
  - Executes dropped EXE
  PID:680
- C:\Windows\System32\HrDIvys.exe
  C:\Windows\System32\HrDIvys.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System32\CpZKGcd.exe
  C:\Windows\System32\CpZKGcd.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System32\kBtnnWD.exe
  C:\Windows\System32\kBtnnWD.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System32\UOOKRvN.exe
  C:\Windows\System32\UOOKRvN.exe
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\System32\NhcSGgP.exe
  C:\Windows\System32\NhcSGgP.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System32\eKWJbgu.exe
  C:\Windows\System32\eKWJbgu.exe
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Windows\System32\lZIqGIg.exe
  C:\Windows\System32\lZIqGIg.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System32\sqIHwRi.exe
  C:\Windows\System32\sqIHwRi.exe
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Windows\System32\FODGHme.exe
  C:\Windows\System32\FODGHme.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System32\YPBjENF.exe
  C:\Windows\System32\YPBjENF.exe
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\System32\xXyoUYZ.exe
  C:\Windows\System32\xXyoUYZ.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System32\ughZKQF.exe
  C:\Windows\System32\ughZKQF.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System32\pLqxyYp.exe
  C:\Windows\System32\pLqxyYp.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System32\bKzcNEQ.exe
  C:\Windows\System32\bKzcNEQ.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System32\XzHUpnS.exe
  C:\Windows\System32\XzHUpnS.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System32\TFgVEIa.exe
  C:\Windows\System32\TFgVEIa.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System32\cIxbwiC.exe
  C:\Windows\System32\cIxbwiC.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System32\TgKVwAP.exe
  C:\Windows\System32\TgKVwAP.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System32\ojNOcyO.exe
  C:\Windows\System32\ojNOcyO.exe
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Windows\System32\bVYJSQb.exe
  C:\Windows\System32\bVYJSQb.exe
  2⤵
  - Executes dropped EXE
  PID:3176
- C:\Windows\System32\mlNbqXQ.exe
  C:\Windows\System32\mlNbqXQ.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\System32\eUDnGrR.exe
  C:\Windows\System32\eUDnGrR.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System32\OqpGBWz.exe
  C:\Windows\System32\OqpGBWz.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System32\VssHzXw.exe
  C:\Windows\System32\VssHzXw.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System32\uRnhEgw.exe
  C:\Windows\System32\uRnhEgw.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System32\cEmCmKw.exe
  C:\Windows\System32\cEmCmKw.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System32\zBHNnyB.exe
  C:\Windows\System32\zBHNnyB.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System32\byqxHqO.exe
  C:\Windows\System32\byqxHqO.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System32\LwEiGrp.exe
  C:\Windows\System32\LwEiGrp.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System32\qiDaPQY.exe
  C:\Windows\System32\qiDaPQY.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System32\wvRfXkE.exe
  C:\Windows\System32\wvRfXkE.exe
  2⤵
  - Executes dropped EXE
  PID:892
- C:\Windows\System32\iJhsAYC.exe
  C:\Windows\System32\iJhsAYC.exe
  2⤵
  PID:936
- C:\Windows\System32\HWpHoVj.exe
  C:\Windows\System32\HWpHoVj.exe
  2⤵
  PID:744
- C:\Windows\System32\llBCvCP.exe
  C:\Windows\System32\llBCvCP.exe
  2⤵
  PID:4012
- C:\Windows\System32\RWzRkRA.exe
  C:\Windows\System32\RWzRkRA.exe
  2⤵
  PID:2864
- C:\Windows\System32\GvNIXPW.exe
  C:\Windows\System32\GvNIXPW.exe
  2⤵
  PID:1848
- C:\Windows\System32\AfeuIex.exe
  C:\Windows\System32\AfeuIex.exe
  2⤵
  PID:4484
- C:\Windows\System32\zyzZmhE.exe
  C:\Windows\System32\zyzZmhE.exe
  2⤵
  PID:4588
- C:\Windows\System32\NUBRwqa.exe
  C:\Windows\System32\NUBRwqa.exe
  2⤵
  PID:3784
- C:\Windows\System32\dmGKXkH.exe
  C:\Windows\System32\dmGKXkH.exe
  2⤵
  PID:1912
- C:\Windows\System32\dopxltO.exe
  C:\Windows\System32\dopxltO.exe
  2⤵
  PID:3044
- C:\Windows\System32\SOlRQvw.exe
  C:\Windows\System32\SOlRQvw.exe
  2⤵
  PID:4092
- C:\Windows\System32\MAWQsyL.exe
  C:\Windows\System32\MAWQsyL.exe
  2⤵
  PID:4972
- C:\Windows\System32\gqxbYOI.exe
  C:\Windows\System32\gqxbYOI.exe
  2⤵
  PID:1300
- C:\Windows\System32\GqwvgKL.exe
  C:\Windows\System32\GqwvgKL.exe
  2⤵
  PID:2472
- C:\Windows\System32\qpWfFkX.exe
  C:\Windows\System32\qpWfFkX.exe
  2⤵
  PID:3776
- C:\Windows\System32\rxuufKv.exe
  C:\Windows\System32\rxuufKv.exe
  2⤵
  PID:4564
- C:\Windows\System32\HvmNjpB.exe
  C:\Windows\System32\HvmNjpB.exe
  2⤵
  PID:2700
- C:\Windows\System32\skJrebc.exe
  C:\Windows\System32\skJrebc.exe
  2⤵
  PID:3116
- C:\Windows\System32\NthIjOe.exe
  C:\Windows\System32\NthIjOe.exe
  2⤵
  PID:3604
- C:\Windows\System32\QclavHa.exe
  C:\Windows\System32\QclavHa.exe
  2⤵
  PID:2180
- C:\Windows\System32\GoEZkBn.exe
  C:\Windows\System32\GoEZkBn.exe
  2⤵
  PID:1984
- C:\Windows\System32\HxYcVdN.exe
  C:\Windows\System32\HxYcVdN.exe
  2⤵
  PID:224
- C:\Windows\System32\lBBnbLi.exe
  C:\Windows\System32\lBBnbLi.exe
  2⤵
  PID:4844
- C:\Windows\System32\ClsXHrJ.exe
  C:\Windows\System32\ClsXHrJ.exe
  2⤵
  PID:4168
- C:\Windows\System32\Dzmndnd.exe
  C:\Windows\System32\Dzmndnd.exe
  2⤵
  PID:4276
- C:\Windows\System32\OYNNJCS.exe
  C:\Windows\System32\OYNNJCS.exe
  2⤵
  PID:448
- C:\Windows\System32\yPTmprB.exe
  C:\Windows\System32\yPTmprB.exe
  2⤵
  PID:3532
- C:\Windows\System32\jsSLjtr.exe
  C:\Windows\System32\jsSLjtr.exe
  2⤵
  PID:4312
- C:\Windows\System32\GUQYhHB.exe
  C:\Windows\System32\GUQYhHB.exe
  2⤵
  PID:764
- C:\Windows\System32\eQIvxgG.exe
  C:\Windows\System32\eQIvxgG.exe
  2⤵
  PID:2100
- C:\Windows\System32\wfDrgEh.exe
  C:\Windows\System32\wfDrgEh.exe
  2⤵
  PID:1192
- C:\Windows\System32\MXiPVHo.exe
  C:\Windows\System32\MXiPVHo.exe
  2⤵
  PID:540
- C:\Windows\System32\VPUWCft.exe
  C:\Windows\System32\VPUWCft.exe
  2⤵
  PID:4980
- C:\Windows\System32\GPspcHS.exe
  C:\Windows\System32\GPspcHS.exe
  2⤵
  PID:1940
- C:\Windows\System32\vjSOGjk.exe
  C:\Windows\System32\vjSOGjk.exe
  2⤵
  PID:2480
- C:\Windows\System32\HCTDwuq.exe
  C:\Windows\System32\HCTDwuq.exe
  2⤵
  PID:5108
- C:\Windows\System32\StsYuJn.exe
  C:\Windows\System32\StsYuJn.exe
  2⤵
  PID:4488
- C:\Windows\System32\IDiBYyR.exe
  C:\Windows\System32\IDiBYyR.exe
  2⤵
  PID:2152
- C:\Windows\System32\vejLDHX.exe
  C:\Windows\System32\vejLDHX.exe
  2⤵
  PID:4752
- C:\Windows\System32\VLCquhT.exe
  C:\Windows\System32\VLCquhT.exe
  2⤵
  PID:4628
- C:\Windows\System32\wUMlujW.exe
  C:\Windows\System32\wUMlujW.exe
  2⤵
  PID:624
- C:\Windows\System32\pJVMRvT.exe
  C:\Windows\System32\pJVMRvT.exe
  2⤵
  PID:3916
- C:\Windows\System32\zSeWoGq.exe
  C:\Windows\System32\zSeWoGq.exe
  2⤵
  PID:3828
- C:\Windows\System32\yRPuWgl.exe
  C:\Windows\System32\yRPuWgl.exe
  2⤵
  PID:4500
- C:\Windows\System32\UmqkbzL.exe
  C:\Windows\System32\UmqkbzL.exe
  2⤵
  PID:1812
- C:\Windows\System32\VsDISfv.exe
  C:\Windows\System32\VsDISfv.exe
  2⤵
  PID:3696
- C:\Windows\System32\YwBAFvU.exe
  C:\Windows\System32\YwBAFvU.exe
  2⤵
  PID:2752
- C:\Windows\System32\DTnRYZx.exe
  C:\Windows\System32\DTnRYZx.exe
  2⤵
  PID:4928
- C:\Windows\System32\aKlKwmz.exe
  C:\Windows\System32\aKlKwmz.exe
  2⤵
  PID:2160
- C:\Windows\System32\DMhILOZ.exe
  C:\Windows\System32\DMhILOZ.exe
  2⤵
  PID:1604
- C:\Windows\System32\HbcAdVi.exe
  C:\Windows\System32\HbcAdVi.exe
  2⤵
  PID:3660
- C:\Windows\System32\XgxcbMG.exe
  C:\Windows\System32\XgxcbMG.exe
  2⤵
  PID:4876
- C:\Windows\System32\xbPGplg.exe
  C:\Windows\System32\xbPGplg.exe
  2⤵
  PID:5132
- C:\Windows\System32\yhUqxMp.exe
  C:\Windows\System32\yhUqxMp.exe
  2⤵
  PID:5152
- C:\Windows\System32\WskCIJh.exe
  C:\Windows\System32\WskCIJh.exe
  2⤵
  PID:5172
- C:\Windows\System32\OzBGozP.exe
  C:\Windows\System32\OzBGozP.exe
  2⤵
  PID:5188
- C:\Windows\System32\YPtCaBL.exe
  C:\Windows\System32\YPtCaBL.exe
  2⤵
  PID:5252
- C:\Windows\System32\sUlUyCf.exe
  C:\Windows\System32\sUlUyCf.exe
  2⤵
  PID:5284
- C:\Windows\System32\EyDqCjg.exe
  C:\Windows\System32\EyDqCjg.exe
  2⤵
  PID:5348
- C:\Windows\System32\fTlsWeQ.exe
  C:\Windows\System32\fTlsWeQ.exe
  2⤵
  PID:5368
- C:\Windows\System32\SrVtKtu.exe
  C:\Windows\System32\SrVtKtu.exe
  2⤵
  PID:5388
- C:\Windows\System32\qsWabyv.exe
  C:\Windows\System32\qsWabyv.exe
  2⤵
  PID:5404
- C:\Windows\System32\aveyjqv.exe
  C:\Windows\System32\aveyjqv.exe
  2⤵
  PID:5444
- C:\Windows\System32\HszyHQr.exe
  C:\Windows\System32\HszyHQr.exe
  2⤵
  PID:5468
- C:\Windows\System32\ozvIjUY.exe
  C:\Windows\System32\ozvIjUY.exe
  2⤵
  PID:5488
- C:\Windows\System32\EfJvwPG.exe
  C:\Windows\System32\EfJvwPG.exe
  2⤵
  PID:5520
- C:\Windows\System32\NgRdbGO.exe
  C:\Windows\System32\NgRdbGO.exe
  2⤵
  PID:5552
- C:\Windows\System32\JanrzVu.exe
  C:\Windows\System32\JanrzVu.exe
  2⤵
  PID:5568
- C:\Windows\System32\RBHHiZa.exe
  C:\Windows\System32\RBHHiZa.exe
  2⤵
  PID:5612
- C:\Windows\System32\kAWnBEj.exe
  C:\Windows\System32\kAWnBEj.exe
  2⤵
  PID:5628
- C:\Windows\System32\bjUzSuG.exe
  C:\Windows\System32\bjUzSuG.exe
  2⤵
  PID:5652
- C:\Windows\System32\DWukXht.exe
  C:\Windows\System32\DWukXht.exe
  2⤵
  PID:5668
- C:\Windows\System32\AWWwVUY.exe
  C:\Windows\System32\AWWwVUY.exe
  2⤵
  PID:5692
- C:\Windows\System32\OlIMcVJ.exe
  C:\Windows\System32\OlIMcVJ.exe
  2⤵
  PID:5712
- C:\Windows\System32\VXcVyvc.exe
  C:\Windows\System32\VXcVyvc.exe
  2⤵
  PID:5732
- C:\Windows\System32\RnDiHQo.exe
  C:\Windows\System32\RnDiHQo.exe
  2⤵
  PID:5748
- C:\Windows\System32\VRZiUHC.exe
  C:\Windows\System32\VRZiUHC.exe
  2⤵
  PID:5780
- C:\Windows\System32\KQNJcDP.exe
  C:\Windows\System32\KQNJcDP.exe
  2⤵
  PID:5804
- C:\Windows\System32\lniZDDS.exe
  C:\Windows\System32\lniZDDS.exe
  2⤵
  PID:5820
- C:\Windows\System32\LvXXPXo.exe
  C:\Windows\System32\LvXXPXo.exe
  2⤵
  PID:5840
- C:\Windows\System32\EowMeTR.exe
  C:\Windows\System32\EowMeTR.exe
  2⤵
  PID:5856
- C:\Windows\System32\eQYvkVA.exe
  C:\Windows\System32\eQYvkVA.exe
  2⤵
  PID:5948
- C:\Windows\System32\jJypLMV.exe
  C:\Windows\System32\jJypLMV.exe
  2⤵
  PID:5972
- C:\Windows\System32\VRLOohV.exe
  C:\Windows\System32\VRLOohV.exe
  2⤵
  PID:6000
- C:\Windows\System32\YAUclBm.exe
  C:\Windows\System32\YAUclBm.exe
  2⤵
  PID:6016
- C:\Windows\System32\dJgMWSp.exe
  C:\Windows\System32\dJgMWSp.exe
  2⤵
  PID:6044
- C:\Windows\System32\civFlTL.exe
  C:\Windows\System32\civFlTL.exe
  2⤵
  PID:6064
- C:\Windows\System32\BivmOmB.exe
  C:\Windows\System32\BivmOmB.exe
  2⤵
  PID:6084
- C:\Windows\System32\pTDqpLa.exe
  C:\Windows\System32\pTDqpLa.exe
  2⤵
  PID:6104
- C:\Windows\System32\lywtzjC.exe
  C:\Windows\System32\lywtzjC.exe
  2⤵
  PID:6136
- C:\Windows\System32\agRTnwj.exe
  C:\Windows\System32\agRTnwj.exe
  2⤵
  PID:5144
- C:\Windows\System32\WDMiWDY.exe
  C:\Windows\System32\WDMiWDY.exe
  2⤵
  PID:5360
- C:\Windows\System32\vWenckM.exe
  C:\Windows\System32\vWenckM.exe
  2⤵
  PID:5432
- C:\Windows\System32\VRGefGN.exe
  C:\Windows\System32\VRGefGN.exe
  2⤵
  PID:5512
- C:\Windows\System32\AMjNymi.exe
  C:\Windows\System32\AMjNymi.exe
  2⤵
  PID:5544
- C:\Windows\System32\oDFEDXh.exe
  C:\Windows\System32\oDFEDXh.exe
  2⤵
  PID:5580
- C:\Windows\System32\tsZYjLC.exe
  C:\Windows\System32\tsZYjLC.exe
  2⤵
  PID:5624
- C:\Windows\System32\uFwULWJ.exe
  C:\Windows\System32\uFwULWJ.exe
  2⤵
  PID:5664
- C:\Windows\System32\xClAZkN.exe
  C:\Windows\System32\xClAZkN.exe
  2⤵
  PID:5816
- C:\Windows\System32\VZpeZPs.exe
  C:\Windows\System32\VZpeZPs.exe
  2⤵
  PID:5812
- C:\Windows\System32\yKDMLuc.exe
  C:\Windows\System32\yKDMLuc.exe
  2⤵
  PID:5852
- C:\Windows\System32\uLxzEoy.exe
  C:\Windows\System32\uLxzEoy.exe
  2⤵
  PID:5944
- C:\Windows\System32\DNTskqa.exe
  C:\Windows\System32\DNTskqa.exe
  2⤵
  PID:5980
- C:\Windows\System32\KaOHpdS.exe
  C:\Windows\System32\KaOHpdS.exe
  2⤵
  PID:6036
- C:\Windows\System32\DGAHZFU.exe
  C:\Windows\System32\DGAHZFU.exe
  2⤵
  PID:6060
- C:\Windows\System32\fxuktyE.exe
  C:\Windows\System32\fxuktyE.exe
  2⤵
  PID:5168
- C:\Windows\System32\CtumwGE.exe
  C:\Windows\System32\CtumwGE.exe
  2⤵
  PID:6096
- C:\Windows\System32\vOxMNBT.exe
  C:\Windows\System32\vOxMNBT.exe
  2⤵
  PID:5148
- C:\Windows\System32\YdBCTpu.exe
  C:\Windows\System32\YdBCTpu.exe
  2⤵
  PID:5276
- C:\Windows\System32\ZsYWyio.exe
  C:\Windows\System32\ZsYWyio.exe
  2⤵
  PID:5600
- C:\Windows\System32\BJHkKHD.exe
  C:\Windows\System32\BJHkKHD.exe
  2⤵
  PID:5532
- C:\Windows\System32\PjqDCNY.exe
  C:\Windows\System32\PjqDCNY.exe
  2⤵
  PID:5688
- C:\Windows\System32\EqlzVNP.exe
  C:\Windows\System32\EqlzVNP.exe
  2⤵
  PID:5708
- C:\Windows\System32\TYXfFZx.exe
  C:\Windows\System32\TYXfFZx.exe
  2⤵
  PID:5876
- C:\Windows\System32\wEzYpMt.exe
  C:\Windows\System32\wEzYpMt.exe
  2⤵
  PID:6040
- C:\Windows\System32\RstVKiQ.exe
  C:\Windows\System32\RstVKiQ.exe
  2⤵
  PID:6228
- C:\Windows\System32\opIyrRO.exe
  C:\Windows\System32\opIyrRO.exe
  2⤵
  PID:6252
- C:\Windows\System32\ScqAhFk.exe
  C:\Windows\System32\ScqAhFk.exe
  2⤵
  PID:6276
- C:\Windows\System32\MyGAKNE.exe
  C:\Windows\System32\MyGAKNE.exe
  2⤵
  PID:6448
- C:\Windows\System32\fQQQuXn.exe
  C:\Windows\System32\fQQQuXn.exe
  2⤵
  PID:6464
- C:\Windows\System32\mECByPh.exe
  C:\Windows\System32\mECByPh.exe
  2⤵
  PID:6484
- C:\Windows\System32\PUdJaGV.exe
  C:\Windows\System32\PUdJaGV.exe
  2⤵
  PID:6504
- C:\Windows\System32\BleACUb.exe
  C:\Windows\System32\BleACUb.exe
  2⤵
  PID:6532
- C:\Windows\System32\KHorvXS.exe
  C:\Windows\System32\KHorvXS.exe
  2⤵
  PID:6548
- C:\Windows\System32\GyXfVPV.exe
  C:\Windows\System32\GyXfVPV.exe
  2⤵
  PID:6568
- C:\Windows\System32\ALkhBab.exe
  C:\Windows\System32\ALkhBab.exe
  2⤵
  PID:6584
- C:\Windows\System32\QCYiBos.exe
  C:\Windows\System32\QCYiBos.exe
  2⤵
  PID:6608
- C:\Windows\System32\XbTkzLK.exe
  C:\Windows\System32\XbTkzLK.exe
  2⤵
  PID:6624
- C:\Windows\System32\WDSfKUc.exe
  C:\Windows\System32\WDSfKUc.exe
  2⤵
  PID:6644
- C:\Windows\System32\XMgYDvw.exe
  C:\Windows\System32\XMgYDvw.exe
  2⤵
  PID:6664
- C:\Windows\System32\GfviZtP.exe
  C:\Windows\System32\GfviZtP.exe
  2⤵
  PID:6688
- C:\Windows\System32\ddnonGT.exe
  C:\Windows\System32\ddnonGT.exe
  2⤵
  PID:6704
- C:\Windows\System32\JwwAgdC.exe
  C:\Windows\System32\JwwAgdC.exe
  2⤵
  PID:6724
- C:\Windows\System32\IMuDDaj.exe
  C:\Windows\System32\IMuDDaj.exe
  2⤵
  PID:6744
- C:\Windows\System32\qTgjMnr.exe
  C:\Windows\System32\qTgjMnr.exe
  2⤵
  PID:6868
- C:\Windows\System32\zFFwOCI.exe
  C:\Windows\System32\zFFwOCI.exe
  2⤵
  PID:6908
- C:\Windows\System32\TYWekJP.exe
  C:\Windows\System32\TYWekJP.exe
  2⤵
  PID:6932
- C:\Windows\System32\VrygKME.exe
  C:\Windows\System32\VrygKME.exe
  2⤵
  PID:6952
- C:\Windows\System32\CgkGnmU.exe
  C:\Windows\System32\CgkGnmU.exe
  2⤵
  PID:6972
- C:\Windows\System32\pxYHSbH.exe
  C:\Windows\System32\pxYHSbH.exe
  2⤵
  PID:7000
- C:\Windows\System32\jEjWAWZ.exe
  C:\Windows\System32\jEjWAWZ.exe
  2⤵
  PID:7020
- C:\Windows\System32\NFSzJdM.exe
  C:\Windows\System32\NFSzJdM.exe
  2⤵
  PID:7044
- C:\Windows\System32\HDKXLST.exe
  C:\Windows\System32\HDKXLST.exe
  2⤵
  PID:7064
- C:\Windows\System32\oePafTV.exe
  C:\Windows\System32\oePafTV.exe
  2⤵
  PID:7108
- C:\Windows\System32\QTXPyzc.exe
  C:\Windows\System32\QTXPyzc.exe
  2⤵
  PID:7132
- C:\Windows\System32\tAiVatb.exe
  C:\Windows\System32\tAiVatb.exe
  2⤵
  PID:5836
- C:\Windows\System32\mOYYyEs.exe
  C:\Windows\System32\mOYYyEs.exe
  2⤵
  PID:5412
- C:\Windows\System32\YARVWfL.exe
  C:\Windows\System32\YARVWfL.exe
  2⤵
  PID:6164
- C:\Windows\System32\PRiQcYC.exe
  C:\Windows\System32\PRiQcYC.exe
  2⤵
  PID:6244
- C:\Windows\System32\mPthhQn.exe
  C:\Windows\System32\mPthhQn.exe
  2⤵
  PID:5832
- C:\Windows\System32\qyozQJP.exe
  C:\Windows\System32\qyozQJP.exe
  2⤵
  PID:6284
- C:\Windows\System32\BERKTDi.exe
  C:\Windows\System32\BERKTDi.exe
  2⤵
  PID:6356
- C:\Windows\System32\CWcldYE.exe
  C:\Windows\System32\CWcldYE.exe
  2⤵
  PID:6408
- C:\Windows\System32\ogeLZnv.exe
  C:\Windows\System32\ogeLZnv.exe
  2⤵
  PID:6492
- C:\Windows\System32\sWtNYXB.exe
  C:\Windows\System32\sWtNYXB.exe
  2⤵
  PID:6540
- C:\Windows\System32\pZLMTSG.exe
  C:\Windows\System32\pZLMTSG.exe
  2⤵
  PID:6596
- C:\Windows\System32\ORTsuHY.exe
  C:\Windows\System32\ORTsuHY.exe
  2⤵
  PID:6580
- C:\Windows\System32\neQVtYm.exe
  C:\Windows\System32\neQVtYm.exe
  2⤵
  PID:6640
- C:\Windows\System32\YeDyCRC.exe
  C:\Windows\System32\YeDyCRC.exe
  2⤵
  PID:5680
- C:\Windows\System32\IkiyEVW.exe
  C:\Windows\System32\IkiyEVW.exe
  2⤵
  PID:6780
- C:\Windows\System32\osBEBfh.exe
  C:\Windows\System32\osBEBfh.exe
  2⤵
  PID:6860
- C:\Windows\System32\fLNgWXP.exe
  C:\Windows\System32\fLNgWXP.exe
  2⤵
  PID:6920
- C:\Windows\System32\teGDHsN.exe
  C:\Windows\System32\teGDHsN.exe
  2⤵
  PID:6980
- C:\Windows\System32\auLZoAH.exe
  C:\Windows\System32\auLZoAH.exe
  2⤵
  PID:7164
- C:\Windows\System32\GrhKeam.exe
  C:\Windows\System32\GrhKeam.exe
  2⤵
  PID:7152
- C:\Windows\System32\OWTWhbp.exe
  C:\Windows\System32\OWTWhbp.exe
  2⤵
  PID:5480
- C:\Windows\System32\CeEJWis.exe
  C:\Windows\System32\CeEJWis.exe
  2⤵
  PID:5924
- C:\Windows\System32\gdEmTsl.exe
  C:\Windows\System32\gdEmTsl.exe
  2⤵
  PID:6500
- C:\Windows\System32\FGQYZQU.exe
  C:\Windows\System32\FGQYZQU.exe
  2⤵
  PID:6732
- C:\Windows\System32\ihdJVNR.exe
  C:\Windows\System32\ihdJVNR.exe
  2⤵
  PID:6700
- C:\Windows\System32\PQjALka.exe
  C:\Windows\System32\PQjALka.exe
  2⤵
  PID:6804
- C:\Windows\System32\mFuZhab.exe
  C:\Windows\System32\mFuZhab.exe
  2⤵
  PID:7040
- C:\Windows\System32\BBqJDeg.exe
  C:\Windows\System32\BBqJDeg.exe
  2⤵
  PID:7032
- C:\Windows\System32\HiNgcTD.exe
  C:\Windows\System32\HiNgcTD.exe
  2⤵
  PID:6604
- C:\Windows\System32\ksGTZvb.exe
  C:\Windows\System32\ksGTZvb.exe
  2⤵
  PID:6696
- C:\Windows\System32\tIqWPoH.exe
  C:\Windows\System32\tIqWPoH.exe
  2⤵
  PID:6996
- C:\Windows\System32\apaUQVY.exe
  C:\Windows\System32\apaUQVY.exe
  2⤵
  PID:6264
- C:\Windows\System32\ZRAsXuA.exe
  C:\Windows\System32\ZRAsXuA.exe
  2⤵
  PID:6188
- C:\Windows\System32\eBRekKU.exe
  C:\Windows\System32\eBRekKU.exe
  2⤵
  PID:7180
- C:\Windows\System32\SHCmjEk.exe
  C:\Windows\System32\SHCmjEk.exe
  2⤵
  PID:7196
- C:\Windows\System32\HILjhrc.exe
  C:\Windows\System32\HILjhrc.exe
  2⤵
  PID:7220
- C:\Windows\System32\gKkOKrm.exe
  C:\Windows\System32\gKkOKrm.exe
  2⤵
  PID:7240
- C:\Windows\System32\KLXpiZx.exe
  C:\Windows\System32\KLXpiZx.exe
  2⤵
  PID:7256
- C:\Windows\System32\WqkYfpw.exe
  C:\Windows\System32\WqkYfpw.exe
  2⤵
  PID:7304
- C:\Windows\System32\XEAHvaM.exe
  C:\Windows\System32\XEAHvaM.exe
  2⤵
  PID:7392
- C:\Windows\System32\IRzgCpg.exe
  C:\Windows\System32\IRzgCpg.exe
  2⤵
  PID:7412
- C:\Windows\System32\PtrXMuv.exe
  C:\Windows\System32\PtrXMuv.exe
  2⤵
  PID:7440
- C:\Windows\System32\BmKJIgq.exe
  C:\Windows\System32\BmKJIgq.exe
  2⤵
  PID:7460
- C:\Windows\System32\DRPqvHx.exe
  C:\Windows\System32\DRPqvHx.exe
  2⤵
  PID:7480
- C:\Windows\System32\hVWsMWa.exe
  C:\Windows\System32\hVWsMWa.exe
  2⤵
  PID:7504
- C:\Windows\System32\BwuVHjD.exe
  C:\Windows\System32\BwuVHjD.exe
  2⤵
  PID:7524
- C:\Windows\System32\XyZbBAF.exe
  C:\Windows\System32\XyZbBAF.exe
  2⤵
  PID:7552
- C:\Windows\System32\nTUZjRb.exe
  C:\Windows\System32\nTUZjRb.exe
  2⤵
  PID:7568
- C:\Windows\System32\qDdTCij.exe
  C:\Windows\System32\qDdTCij.exe
  2⤵
  PID:7584
- C:\Windows\System32\YbXknOD.exe
  C:\Windows\System32\YbXknOD.exe
  2⤵
  PID:7632
- C:\Windows\System32\cCzxIAZ.exe
  C:\Windows\System32\cCzxIAZ.exe
  2⤵
  PID:7692
- C:\Windows\System32\KzPHNMS.exe
  C:\Windows\System32\KzPHNMS.exe
  2⤵
  PID:7712
- C:\Windows\System32\GmPrGlV.exe
  C:\Windows\System32\GmPrGlV.exe
  2⤵
  PID:7732
- C:\Windows\System32\ZGpEfVl.exe
  C:\Windows\System32\ZGpEfVl.exe
  2⤵
  PID:7748
- C:\Windows\System32\vRjKcKU.exe
  C:\Windows\System32\vRjKcKU.exe
  2⤵
  PID:7784
- C:\Windows\System32\hCbvtOM.exe
  C:\Windows\System32\hCbvtOM.exe
  2⤵
  PID:7824
- C:\Windows\System32\oOCWDRD.exe
  C:\Windows\System32\oOCWDRD.exe
  2⤵
  PID:7860
- C:\Windows\System32\TKTIPAE.exe
  C:\Windows\System32\TKTIPAE.exe
  2⤵
  PID:7884
- C:\Windows\System32\fmSQLSs.exe
  C:\Windows\System32\fmSQLSs.exe
  2⤵
  PID:7908
- C:\Windows\System32\LUjwDws.exe
  C:\Windows\System32\LUjwDws.exe
  2⤵
  PID:7960
- C:\Windows\System32\PtHtPrM.exe
  C:\Windows\System32\PtHtPrM.exe
  2⤵
  PID:7976
- C:\Windows\System32\tVGUwfm.exe
  C:\Windows\System32\tVGUwfm.exe
  2⤵
  PID:7996
- C:\Windows\System32\WdYTZBG.exe
  C:\Windows\System32\WdYTZBG.exe
  2⤵
  PID:8028
- C:\Windows\System32\WplafvM.exe
  C:\Windows\System32\WplafvM.exe
  2⤵
  PID:8060
- C:\Windows\System32\JyRBTfj.exe
  C:\Windows\System32\JyRBTfj.exe
  2⤵
  PID:8080
- C:\Windows\System32\ifFZBEf.exe
  C:\Windows\System32\ifFZBEf.exe
  2⤵
  PID:8104
- C:\Windows\System32\jVbTSZO.exe
  C:\Windows\System32\jVbTSZO.exe
  2⤵
  PID:8124
- C:\Windows\System32\YzCOnCq.exe
  C:\Windows\System32\YzCOnCq.exe
  2⤵
  PID:8144
- C:\Windows\System32\yEptpWc.exe
  C:\Windows\System32\yEptpWc.exe
  2⤵
  PID:8160
- C:\Windows\System32\cwCYgrN.exe
  C:\Windows\System32\cwCYgrN.exe
  2⤵
  PID:8180
- C:\Windows\System32\WjNBQPu.exe
  C:\Windows\System32\WjNBQPu.exe
  2⤵
  PID:7176
- C:\Windows\System32\vzJLbFd.exe
  C:\Windows\System32\vzJLbFd.exe
  2⤵
  PID:7252
- C:\Windows\System32\ZTNTfJY.exe
  C:\Windows\System32\ZTNTfJY.exe
  2⤵
  PID:7404
- C:\Windows\System32\fATtMZX.exe
  C:\Windows\System32\fATtMZX.exe
  2⤵
  PID:7488
- C:\Windows\System32\WhJaxVz.exe
  C:\Windows\System32\WhJaxVz.exe
  2⤵
  PID:7512
- C:\Windows\System32\ywqyokw.exe
  C:\Windows\System32\ywqyokw.exe
  2⤵
  PID:7576
- C:\Windows\System32\PFHMZye.exe
  C:\Windows\System32\PFHMZye.exe
  2⤵
  PID:7700
- C:\Windows\System32\zAIDrsE.exe
  C:\Windows\System32\zAIDrsE.exe
  2⤵
  PID:7796
- C:\Windows\System32\ZZRWoaP.exe
  C:\Windows\System32\ZZRWoaP.exe
  2⤵
  PID:7848
- C:\Windows\System32\LnqVscO.exe
  C:\Windows\System32\LnqVscO.exe
  2⤵
  PID:7904
- C:\Windows\System32\pZJOrkS.exe
  C:\Windows\System32\pZJOrkS.exe
  2⤵
  PID:8004
- C:\Windows\System32\ObVNlnV.exe
  C:\Windows\System32\ObVNlnV.exe
  2⤵
  PID:7988
- C:\Windows\System32\OHGjguJ.exe
  C:\Windows\System32\OHGjguJ.exe
  2⤵
  PID:8072
- C:\Windows\System32\AwptZUU.exe
  C:\Windows\System32\AwptZUU.exe
  2⤵
  PID:6156
- C:\Windows\System32\GQCHfei.exe
  C:\Windows\System32\GQCHfei.exe
  2⤵
  PID:8136
- C:\Windows\System32\gukVmGn.exe
  C:\Windows\System32\gukVmGn.exe
  2⤵
  PID:6444
- C:\Windows\System32\XlcbMVg.exe
  C:\Windows\System32\XlcbMVg.exe
  2⤵
  PID:7468
- C:\Windows\System32\uIhKanr.exe
  C:\Windows\System32\uIhKanr.exe
  2⤵
  PID:7476
- C:\Windows\System32\rSJogKK.exe
  C:\Windows\System32\rSJogKK.exe
  2⤵
  PID:7936
- C:\Windows\System32\tBbLJRU.exe
  C:\Windows\System32\tBbLJRU.exe
  2⤵
  PID:7992
- C:\Windows\System32\RHEuDwK.exe
  C:\Windows\System32\RHEuDwK.exe
  2⤵
  PID:8140
- C:\Windows\System32\DOVWVBP.exe
  C:\Windows\System32\DOVWVBP.exe
  2⤵
  PID:6808
- C:\Windows\System32\dKKuvrc.exe
  C:\Windows\System32\dKKuvrc.exe
  2⤵
  PID:7448
- C:\Windows\System32\bGQGwXd.exe
  C:\Windows\System32\bGQGwXd.exe
  2⤵
  PID:7764
- C:\Windows\System32\HCBPvyK.exe
  C:\Windows\System32\HCBPvyK.exe
  2⤵
  PID:7072
- C:\Windows\System32\ymGxLJU.exe
  C:\Windows\System32\ymGxLJU.exe
  2⤵
  PID:8116
- C:\Windows\System32\XPKyXyY.exe
  C:\Windows\System32\XPKyXyY.exe
  2⤵
  PID:8256
- C:\Windows\System32\FWURKWk.exe
  C:\Windows\System32\FWURKWk.exe
  2⤵
  PID:8280
- C:\Windows\System32\mcSeyHD.exe
  C:\Windows\System32\mcSeyHD.exe
  2⤵
  PID:8296
- C:\Windows\System32\UYIdxQa.exe
  C:\Windows\System32\UYIdxQa.exe
  2⤵
  PID:8316
- C:\Windows\System32\iGzMkyN.exe
  C:\Windows\System32\iGzMkyN.exe
  2⤵
  PID:8332
- C:\Windows\System32\HXpfuFU.exe
  C:\Windows\System32\HXpfuFU.exe
  2⤵
  PID:8352
- C:\Windows\System32\JZPxTeQ.exe
  C:\Windows\System32\JZPxTeQ.exe
  2⤵
  PID:8372
- C:\Windows\System32\zGdZBmm.exe
  C:\Windows\System32\zGdZBmm.exe
  2⤵
  PID:8392
- C:\Windows\System32\FCPMMan.exe
  C:\Windows\System32\FCPMMan.exe
  2⤵
  PID:8420
- C:\Windows\System32\vaeUuQz.exe
  C:\Windows\System32\vaeUuQz.exe
  2⤵
  PID:8460
- C:\Windows\System32\mYhWfuf.exe
  C:\Windows\System32\mYhWfuf.exe
  2⤵
  PID:8476
- C:\Windows\System32\KgIrNec.exe
  C:\Windows\System32\KgIrNec.exe
  2⤵
  PID:8532
- C:\Windows\System32\OltaErW.exe
  C:\Windows\System32\OltaErW.exe
  2⤵
  PID:8572
- C:\Windows\System32\mRdALDU.exe
  C:\Windows\System32\mRdALDU.exe
  2⤵
  PID:8588
- C:\Windows\System32\JGtvzIE.exe
  C:\Windows\System32\JGtvzIE.exe
  2⤵
  PID:8608
- C:\Windows\System32\olnTQyb.exe
  C:\Windows\System32\olnTQyb.exe
  2⤵
  PID:8624
- C:\Windows\System32\LCfgbMK.exe
  C:\Windows\System32\LCfgbMK.exe
  2⤵
  PID:8648
- C:\Windows\System32\rYpcIKv.exe
  C:\Windows\System32\rYpcIKv.exe
  2⤵
  PID:8672
- C:\Windows\System32\KKvRLKy.exe
  C:\Windows\System32\KKvRLKy.exe
  2⤵
  PID:8700
- C:\Windows\System32\UXPbCCW.exe
  C:\Windows\System32\UXPbCCW.exe
  2⤵
  PID:8716
- C:\Windows\System32\Xnwfrhd.exe
  C:\Windows\System32\Xnwfrhd.exe
  2⤵
  PID:8796
- C:\Windows\System32\HfiQPoe.exe
  C:\Windows\System32\HfiQPoe.exe
  2⤵
  PID:8832
- C:\Windows\System32\BxWqtZj.exe
  C:\Windows\System32\BxWqtZj.exe
  2⤵
  PID:8860
- C:\Windows\System32\huLEPEc.exe
  C:\Windows\System32\huLEPEc.exe
  2⤵
  PID:8900
- C:\Windows\System32\hlcmgJS.exe
  C:\Windows\System32\hlcmgJS.exe
  2⤵
  PID:8916
- C:\Windows\System32\yVsRPsc.exe
  C:\Windows\System32\yVsRPsc.exe
  2⤵
  PID:8936
- C:\Windows\System32\idApNKU.exe
  C:\Windows\System32\idApNKU.exe
  2⤵
  PID:8952
- C:\Windows\System32\TdxLtpy.exe
  C:\Windows\System32\TdxLtpy.exe
  2⤵
  PID:8992
- C:\Windows\System32\wDNWzLH.exe
  C:\Windows\System32\wDNWzLH.exe
  2⤵
  PID:9040
- C:\Windows\System32\FPnNJMY.exe
  C:\Windows\System32\FPnNJMY.exe
  2⤵
  PID:9056
- C:\Windows\System32\dFctTCv.exe
  C:\Windows\System32\dFctTCv.exe
  2⤵
  PID:9072
- C:\Windows\System32\QekQFrz.exe
  C:\Windows\System32\QekQFrz.exe
  2⤵
  PID:9096
- C:\Windows\System32\iYCuTlP.exe
  C:\Windows\System32\iYCuTlP.exe
  2⤵
  PID:9132
- C:\Windows\System32\oVbviha.exe
  C:\Windows\System32\oVbviha.exe
  2⤵
  PID:9184
- C:\Windows\System32\kuKCzpf.exe
  C:\Windows\System32\kuKCzpf.exe
  2⤵
  PID:9208
- C:\Windows\System32\ZdVliKu.exe
  C:\Windows\System32\ZdVliKu.exe
  2⤵
  PID:8016
- C:\Windows\System32\lsOUipL.exe
  C:\Windows\System32\lsOUipL.exe
  2⤵
  PID:7340
- C:\Windows\System32\Ihwxdud.exe
  C:\Windows\System32\Ihwxdud.exe
  2⤵
  PID:8292
- C:\Windows\System32\MqThUdG.exe
  C:\Windows\System32\MqThUdG.exe
  2⤵
  PID:8348
- C:\Windows\System32\nSTFyPw.exe
  C:\Windows\System32\nSTFyPw.exe
  2⤵
  PID:8384
- C:\Windows\System32\jGKAvmd.exe
  C:\Windows\System32\jGKAvmd.exe
  2⤵
  PID:8524
- C:\Windows\System32\nTLfvqZ.exe
  C:\Windows\System32\nTLfvqZ.exe
  2⤵
  PID:8560
- C:\Windows\System32\PAcjoeO.exe
  C:\Windows\System32\PAcjoeO.exe
  2⤵
  PID:8724
- C:\Windows\System32\jYLSlhL.exe
  C:\Windows\System32\jYLSlhL.exe
  2⤵
  PID:8668
- C:\Windows\System32\vXRCmSX.exe
  C:\Windows\System32\vXRCmSX.exe
  2⤵
  PID:8788
- C:\Windows\System32\tkMwxwg.exe
  C:\Windows\System32\tkMwxwg.exe
  2⤵
  PID:8844
- C:\Windows\System32\UrijbtU.exe
  C:\Windows\System32\UrijbtU.exe
  2⤵
  PID:8876
- C:\Windows\System32\VIzVUap.exe
  C:\Windows\System32\VIzVUap.exe
  2⤵
  PID:8912
- C:\Windows\System32\FgnCsXV.exe
  C:\Windows\System32\FgnCsXV.exe
  2⤵
  PID:9016
- C:\Windows\System32\fEnflQl.exe
  C:\Windows\System32\fEnflQl.exe
  2⤵
  PID:9048
- C:\Windows\System32\CSUOJEJ.exe
  C:\Windows\System32\CSUOJEJ.exe
  2⤵
  PID:9156
- C:\Windows\System32\SSvOnxO.exe
  C:\Windows\System32\SSvOnxO.exe
  2⤵
  PID:8212
- C:\Windows\System32\lkAtWWF.exe
  C:\Windows\System32\lkAtWWF.exe
  2⤵
  PID:8328
- C:\Windows\System32\lcdhanR.exe
  C:\Windows\System32\lcdhanR.exe
  2⤵
  PID:4176
- C:\Windows\System32\ohXJZNw.exe
  C:\Windows\System32\ohXJZNw.exe
  2⤵
  PID:8596
- C:\Windows\System32\HmRykLL.exe
  C:\Windows\System32\HmRykLL.exe
  2⤵
  PID:8712
- C:\Windows\System32\Argkupv.exe
  C:\Windows\System32\Argkupv.exe
  2⤵
  PID:8640
- C:\Windows\System32\lyhxyQO.exe
  C:\Windows\System32\lyhxyQO.exe
  2⤵
  PID:8848
- C:\Windows\System32\aIKuNeO.exe
  C:\Windows\System32\aIKuNeO.exe
  2⤵
  PID:7212
- C:\Windows\System32\arDMfvO.exe
  C:\Windows\System32\arDMfvO.exe
  2⤵
  PID:9004
- C:\Windows\System32\SaILDZr.exe
  C:\Windows\System32\SaILDZr.exe
  2⤵
  PID:9088
- C:\Windows\System32\pDHVUhu.exe
  C:\Windows\System32\pDHVUhu.exe
  2⤵
  PID:8468
- C:\Windows\System32\zQaWaGd.exe
  C:\Windows\System32\zQaWaGd.exe
  2⤵
  PID:8428
- C:\Windows\System32\WWrtfuy.exe
  C:\Windows\System32\WWrtfuy.exe
  2⤵
  PID:8744
- C:\Windows\System32\DRWqnkM.exe
  C:\Windows\System32\DRWqnkM.exe
  2⤵
  PID:9232
- C:\Windows\System32\VxeSPJz.exe
  C:\Windows\System32\VxeSPJz.exe
  2⤵
  PID:9256
- C:\Windows\System32\VPiWxfD.exe
  C:\Windows\System32\VPiWxfD.exe
  2⤵
  PID:9276
- C:\Windows\System32\KEAWxDw.exe
  C:\Windows\System32\KEAWxDw.exe
  2⤵
  PID:9292
- C:\Windows\System32\rpOJMpD.exe
  C:\Windows\System32\rpOJMpD.exe
  2⤵
  PID:9356
- C:\Windows\System32\rpDcwWh.exe
  C:\Windows\System32\rpDcwWh.exe
  2⤵
  PID:9408
- C:\Windows\System32\mNkIGmZ.exe
  C:\Windows\System32\mNkIGmZ.exe
  2⤵
  PID:9424
- C:\Windows\System32\erLDlGm.exe
  C:\Windows\System32\erLDlGm.exe
  2⤵
  PID:9448
- C:\Windows\System32\kTOCKKy.exe
  C:\Windows\System32\kTOCKKy.exe
  2⤵
  PID:9468
- C:\Windows\System32\jrHTPUg.exe
  C:\Windows\System32\jrHTPUg.exe
  2⤵
  PID:9508
- C:\Windows\System32\WIrUmwP.exe
  C:\Windows\System32\WIrUmwP.exe
  2⤵
  PID:9528
- C:\Windows\System32\loIONYQ.exe
  C:\Windows\System32\loIONYQ.exe
  2⤵
  PID:9560
- C:\Windows\System32\ZUzMFdh.exe
  C:\Windows\System32\ZUzMFdh.exe
  2⤵
  PID:9616
- C:\Windows\System32\qETzrwD.exe
  C:\Windows\System32\qETzrwD.exe
  2⤵
  PID:9640
- C:\Windows\System32\EGMxwLD.exe
  C:\Windows\System32\EGMxwLD.exe
  2⤵
  PID:9656
- C:\Windows\System32\vheJTMp.exe
  C:\Windows\System32\vheJTMp.exe
  2⤵
  PID:9676
- C:\Windows\System32\JddHXcY.exe
  C:\Windows\System32\JddHXcY.exe
  2⤵
  PID:9692
- C:\Windows\System32\HpVyUBU.exe
  C:\Windows\System32\HpVyUBU.exe
  2⤵
  PID:9732
- C:\Windows\System32\HcMJuBl.exe
  C:\Windows\System32\HcMJuBl.exe
  2⤵
  PID:9748
- C:\Windows\System32\XPaYJeq.exe
  C:\Windows\System32\XPaYJeq.exe
  2⤵
  PID:9776
- C:\Windows\System32\AfAapqD.exe
  C:\Windows\System32\AfAapqD.exe
  2⤵
  PID:9824
- C:\Windows\System32\kfTMQzc.exe
  C:\Windows\System32\kfTMQzc.exe
  2⤵
  PID:9852
- C:\Windows\System32\EhLTNSu.exe
  C:\Windows\System32\EhLTNSu.exe
  2⤵
  PID:9888
- C:\Windows\System32\pwgphep.exe
  C:\Windows\System32\pwgphep.exe
  2⤵
  PID:9912
- C:\Windows\System32\DJMbzwR.exe
  C:\Windows\System32\DJMbzwR.exe
  2⤵
  PID:9948
- C:\Windows\System32\uACHNfA.exe
  C:\Windows\System32\uACHNfA.exe
  2⤵
  PID:9976
- C:\Windows\System32\fThBAXx.exe
  C:\Windows\System32\fThBAXx.exe
  2⤵
  PID:10016
- C:\Windows\System32\JiSYKcx.exe
  C:\Windows\System32\JiSYKcx.exe
  2⤵
  PID:10040
- C:\Windows\System32\xDSfnqz.exe
  C:\Windows\System32\xDSfnqz.exe
  2⤵
  PID:10068
- C:\Windows\System32\MDwSIhc.exe
  C:\Windows\System32\MDwSIhc.exe
  2⤵
  PID:10100
- C:\Windows\System32\ZWewwVw.exe
  C:\Windows\System32\ZWewwVw.exe
  2⤵
  PID:10128
- C:\Windows\System32\xBbmwsg.exe
  C:\Windows\System32\xBbmwsg.exe
  2⤵
  PID:10148
- C:\Windows\System32\drKVikr.exe
  C:\Windows\System32\drKVikr.exe
  2⤵
  PID:10168
- C:\Windows\System32\vIovvOu.exe
  C:\Windows\System32\vIovvOu.exe
  2⤵
  PID:10208
- C:\Windows\System32\llYYoVf.exe
  C:\Windows\System32\llYYoVf.exe
  2⤵
  PID:10236
- C:\Windows\System32\ELNeXFy.exe
  C:\Windows\System32\ELNeXFy.exe
  2⤵
  PID:9252
- C:\Windows\System32\TajbnVL.exe
  C:\Windows\System32\TajbnVL.exe
  2⤵
  PID:9352
- C:\Windows\System32\QoeKDFb.exe
  C:\Windows\System32\QoeKDFb.exe
  2⤵
  PID:9372
- C:\Windows\System32\rebqWmn.exe
  C:\Windows\System32\rebqWmn.exe
  2⤵
  PID:9392
- C:\Windows\System32\ZRNDSWV.exe
  C:\Windows\System32\ZRNDSWV.exe
  2⤵
  PID:9456
- C:\Windows\System32\eqOCGBT.exe
  C:\Windows\System32\eqOCGBT.exe
  2⤵
  PID:416
- C:\Windows\System32\kiOulCr.exe
  C:\Windows\System32\kiOulCr.exe
  2⤵
  PID:9600
- C:\Windows\System32\fmvUZeH.exe
  C:\Windows\System32\fmvUZeH.exe
  2⤵
  PID:9652
- C:\Windows\System32\tVWrRUf.exe
  C:\Windows\System32\tVWrRUf.exe
  2⤵
  PID:9684
- C:\Windows\System32\STnkDBH.exe
  C:\Windows\System32\STnkDBH.exe
  2⤵
  PID:9768
- C:\Windows\System32\niBZJFf.exe
  C:\Windows\System32\niBZJFf.exe
  2⤵
  PID:9920
- C:\Windows\System32\XiKiife.exe
  C:\Windows\System32\XiKiife.exe
  2⤵
  PID:9932
- C:\Windows\System32\yIIxekj.exe
  C:\Windows\System32\yIIxekj.exe
  2⤵
  PID:9996
- C:\Windows\System32\hQnLwsA.exe
  C:\Windows\System32\hQnLwsA.exe
  2⤵
  PID:10064
- C:\Windows\System32\OZmgUka.exe
  C:\Windows\System32\OZmgUka.exe
  2⤵
  PID:10108
- C:\Windows\System32\IYDDHUX.exe
  C:\Windows\System32\IYDDHUX.exe
  2⤵
  PID:10232
- C:\Windows\System32\utLJsIY.exe
  C:\Windows\System32\utLJsIY.exe
  2⤵
  PID:9344
- C:\Windows\System32\YTPWLre.exe
  C:\Windows\System32\YTPWLre.exe
  2⤵
  PID:9320
- C:\Windows\System32\eeaxAto.exe
  C:\Windows\System32\eeaxAto.exe
  2⤵
  PID:9544
- C:\Windows\System32\JOLlUYf.exe
  C:\Windows\System32\JOLlUYf.exe
  2⤵
  PID:9664
- C:\Windows\System32\SamTjgS.exe
  C:\Windows\System32\SamTjgS.exe
  2⤵
  PID:9796
- C:\Windows\System32\qtOWrLg.exe
  C:\Windows\System32\qtOWrLg.exe
  2⤵
  PID:10080
- C:\Windows\System32\dPRruil.exe
  C:\Windows\System32\dPRruil.exe
  2⤵
  PID:9552
- C:\Windows\System32\rTPSldR.exe
  C:\Windows\System32\rTPSldR.exe
  2⤵
  PID:9240
- C:\Windows\System32\noiczTF.exe
  C:\Windows\System32\noiczTF.exe
  2⤵
  PID:9984
- C:\Windows\System32\lghQwPZ.exe
  C:\Windows\System32\lghQwPZ.exe
  2⤵
  PID:9864
- C:\Windows\System32\GatjKaJ.exe
  C:\Windows\System32\GatjKaJ.exe
  2⤵
  PID:9832
- C:\Windows\System32\AzZXgoZ.exe
  C:\Windows\System32\AzZXgoZ.exe
  2⤵
  PID:10256
- C:\Windows\System32\woMgFXu.exe
  C:\Windows\System32\woMgFXu.exe
  2⤵
  PID:10276
- C:\Windows\System32\AgdsKls.exe
  C:\Windows\System32\AgdsKls.exe
  2⤵
  PID:10292
- C:\Windows\System32\GHKtbHj.exe
  C:\Windows\System32\GHKtbHj.exe
  2⤵
  PID:10320
- C:\Windows\System32\sOfWZjK.exe
  C:\Windows\System32\sOfWZjK.exe
  2⤵
  PID:10344
- C:\Windows\System32\CxFYEpW.exe
  C:\Windows\System32\CxFYEpW.exe
  2⤵
  PID:10364
- C:\Windows\System32\nXdOItz.exe
  C:\Windows\System32\nXdOItz.exe
  2⤵
  PID:10388
- C:\Windows\System32\CqxYDcQ.exe
  C:\Windows\System32\CqxYDcQ.exe
  2⤵
  PID:10492
- C:\Windows\System32\UdbUkUh.exe
  C:\Windows\System32\UdbUkUh.exe
  2⤵
  PID:10508
- C:\Windows\System32\IzZkBjQ.exe
  C:\Windows\System32\IzZkBjQ.exe
  2⤵
  PID:10528
- C:\Windows\System32\bCTVbZm.exe
  C:\Windows\System32\bCTVbZm.exe
  2⤵
  PID:10552
- C:\Windows\System32\dpvPPfo.exe
  C:\Windows\System32\dpvPPfo.exe
  2⤵
  PID:10568
- C:\Windows\System32\CvyRzYJ.exe
  C:\Windows\System32\CvyRzYJ.exe
  2⤵
  PID:10600
- C:\Windows\System32\axSKIcs.exe
  C:\Windows\System32\axSKIcs.exe
  2⤵
  PID:10628
- C:\Windows\System32\gmqqsbi.exe
  C:\Windows\System32\gmqqsbi.exe
  2⤵
  PID:10656
- C:\Windows\System32\FaaNxZI.exe
  C:\Windows\System32\FaaNxZI.exe
  2⤵
  PID:10680
- C:\Windows\System32\lTMJMVz.exe
  C:\Windows\System32\lTMJMVz.exe
  2⤵
  PID:10712
- C:\Windows\System32\doFbPjK.exe
  C:\Windows\System32\doFbPjK.exe
  2⤵
  PID:10740
- C:\Windows\System32\ZZwDHrX.exe
  C:\Windows\System32\ZZwDHrX.exe
  2⤵
  PID:10760
- C:\Windows\System32\tXEhDWs.exe
  C:\Windows\System32\tXEhDWs.exe
  2⤵
  PID:10792
- C:\Windows\System32\HpVVvEW.exe
  C:\Windows\System32\HpVVvEW.exe
  2⤵
  PID:10828
- C:\Windows\System32\MMrgUtS.exe
  C:\Windows\System32\MMrgUtS.exe
  2⤵
  PID:10864
- C:\Windows\System32\EJRxMjL.exe
  C:\Windows\System32\EJRxMjL.exe
  2⤵
  PID:10896
- C:\Windows\System32\shAjqrJ.exe
  C:\Windows\System32\shAjqrJ.exe
  2⤵
  PID:10912
- C:\Windows\System32\ovfNQym.exe
  C:\Windows\System32\ovfNQym.exe
  2⤵
  PID:10944
- C:\Windows\System32\pmVhBFF.exe
  C:\Windows\System32\pmVhBFF.exe
  2⤵
  PID:10960
- C:\Windows\System32\uJSuOOQ.exe
  C:\Windows\System32\uJSuOOQ.exe
  2⤵
  PID:10988
- C:\Windows\System32\eMDCjUQ.exe
  C:\Windows\System32\eMDCjUQ.exe
  2⤵
  PID:11040
- C:\Windows\System32\zTfNswB.exe
  C:\Windows\System32\zTfNswB.exe
  2⤵
  PID:11056
- C:\Windows\System32\sQATWqY.exe
  C:\Windows\System32\sQATWqY.exe
  2⤵
  PID:11084
- C:\Windows\System32\kTMQRrF.exe
  C:\Windows\System32\kTMQRrF.exe
  2⤵
  PID:11108
- C:\Windows\System32\PtAOIIB.exe
  C:\Windows\System32\PtAOIIB.exe
  2⤵
  PID:11200
- C:\Windows\System32\PjaZLbC.exe
  C:\Windows\System32\PjaZLbC.exe
  2⤵
  PID:11228
- C:\Windows\System32\KPOjUej.exe
  C:\Windows\System32\KPOjUej.exe
  2⤵
  PID:11252
- C:\Windows\System32\QuolxTn.exe
  C:\Windows\System32\QuolxTn.exe
  2⤵
  PID:10176
- C:\Windows\System32\yPHVjlK.exe
  C:\Windows\System32\yPHVjlK.exe
  2⤵
  PID:10300
- C:\Windows\System32\FGndDto.exe
  C:\Windows\System32\FGndDto.exe
  2⤵
  PID:10288
- C:\Windows\System32\IbQNfOv.exe
  C:\Windows\System32\IbQNfOv.exe
  2⤵
  PID:10396
- C:\Windows\System32\BfYGrlO.exe
  C:\Windows\System32\BfYGrlO.exe
  2⤵
  PID:10428
- C:\Windows\System32\DWsyjuU.exe
  C:\Windows\System32\DWsyjuU.exe
  2⤵
  PID:10500
- C:\Windows\System32\wiFpYVz.exe
  C:\Windows\System32\wiFpYVz.exe
  2⤵
  PID:10564
- C:\Windows\System32\TpWgrlk.exe
  C:\Windows\System32\TpWgrlk.exe
  2⤵
  PID:10644
- C:\Windows\System32\bmoDRTY.exe
  C:\Windows\System32\bmoDRTY.exe
  2⤵
  PID:10664
- C:\Windows\System32\CmqjzgG.exe
  C:\Windows\System32\CmqjzgG.exe
  2⤵
  PID:10776
- C:\Windows\System32\mCaJCcK.exe
  C:\Windows\System32\mCaJCcK.exe
  2⤵
  PID:10748
- C:\Windows\System32\gKfnAZr.exe
  C:\Windows\System32\gKfnAZr.exe
  2⤵
  PID:10844
- C:\Windows\System32\VWymWyx.exe
  C:\Windows\System32\VWymWyx.exe
  2⤵
  PID:10952
- C:\Windows\System32\jHOpVHX.exe
  C:\Windows\System32\jHOpVHX.exe
  2⤵
  PID:11080
- C:\Windows\System32\AxgLDoz.exe
  C:\Windows\System32\AxgLDoz.exe
  2⤵
  PID:11124
- C:\Windows\System32\GGtEQrz.exe
  C:\Windows\System32\GGtEQrz.exe
  2⤵
  PID:11160
- C:\Windows\System32\zwKSLMj.exe
  C:\Windows\System32\zwKSLMj.exe
  2⤵
  PID:11156
- C:\Windows\System32\asHabjS.exe
  C:\Windows\System32\asHabjS.exe
  2⤵
  PID:11196
- C:\Windows\System32\iUJZSbD.exe
  C:\Windows\System32\iUJZSbD.exe
  2⤵
  PID:9284
- C:\Windows\System32\DpZJISH.exe
  C:\Windows\System32\DpZJISH.exe
  2⤵
  PID:10284
- C:\Windows\System32\tlGTAwO.exe
  C:\Windows\System32\tlGTAwO.exe
  2⤵
  PID:9604
- C:\Windows\System32\ttXwfzG.exe
  C:\Windows\System32\ttXwfzG.exe
  2⤵
  PID:10836
- C:\Windows\System32\gUiXDFT.exe
  C:\Windows\System32\gUiXDFT.exe
  2⤵
  PID:11024
- C:\Windows\System32\NknjXhu.exe
  C:\Windows\System32\NknjXhu.exe
  2⤵
  PID:11096
- C:\Windows\System32\qwlaXYJ.exe
  C:\Windows\System32\qwlaXYJ.exe
  2⤵
  PID:11116
- C:\Windows\System32\elvsBbT.exe
  C:\Windows\System32\elvsBbT.exe
  2⤵
  PID:10400
- C:\Windows\System32\rBhaVhF.exe
  C:\Windows\System32\rBhaVhF.exe
  2⤵
  PID:10752
- C:\Windows\System32\keIenzk.exe
  C:\Windows\System32\keIenzk.exe
  2⤵
  PID:10892
- C:\Windows\System32\wEXseKk.exe
  C:\Windows\System32\wEXseKk.exe
  2⤵
  PID:10804
- C:\Windows\System32\nwclEpK.exe
  C:\Windows\System32\nwclEpK.exe
  2⤵
  PID:10244
- C:\Windows\System32\CimlVSc.exe
  C:\Windows\System32\CimlVSc.exe
  2⤵
  PID:10412
- C:\Windows\System32\OptLspo.exe
  C:\Windows\System32\OptLspo.exe
  2⤵
  PID:11292
- C:\Windows\System32\qIunQlQ.exe
  C:\Windows\System32\qIunQlQ.exe
  2⤵
  PID:11312
- C:\Windows\System32\EjsZrrm.exe
  C:\Windows\System32\EjsZrrm.exe
  2⤵
  PID:11336
- C:\Windows\System32\pfshDoi.exe
  C:\Windows\System32\pfshDoi.exe
  2⤵
  PID:11364
- C:\Windows\System32\GLJnKmo.exe
  C:\Windows\System32\GLJnKmo.exe
  2⤵
  PID:11404
- C:\Windows\System32\ubMTiRd.exe
  C:\Windows\System32\ubMTiRd.exe
  2⤵
  PID:11432
- C:\Windows\System32\tZzMvee.exe
  C:\Windows\System32\tZzMvee.exe
  2⤵
  PID:11496
- C:\Windows\System32\rOcquFC.exe
  C:\Windows\System32\rOcquFC.exe
  2⤵
  PID:11512
- C:\Windows\System32\qpqBTsM.exe
  C:\Windows\System32\qpqBTsM.exe
  2⤵
  PID:11528
- C:\Windows\System32\EkVLDbp.exe
  C:\Windows\System32\EkVLDbp.exe
  2⤵
  PID:11560
- C:\Windows\System32\zHMtycE.exe
  C:\Windows\System32\zHMtycE.exe
  2⤵
  PID:11576
- C:\Windows\System32\woZptvq.exe
  C:\Windows\System32\woZptvq.exe
  2⤵
  PID:11592
- C:\Windows\System32\HHisbfE.exe
  C:\Windows\System32\HHisbfE.exe
  2⤵
  PID:11652
- C:\Windows\System32\tSVzXWd.exe
  C:\Windows\System32\tSVzXWd.exe
  2⤵
  PID:11700
- C:\Windows\System32\nHpXwmb.exe
  C:\Windows\System32\nHpXwmb.exe
  2⤵
  PID:11716
- C:\Windows\System32\axzPble.exe
  C:\Windows\System32\axzPble.exe
  2⤵
  PID:11752
- C:\Windows\System32\DWYwIiZ.exe
  C:\Windows\System32\DWYwIiZ.exe
  2⤵
  PID:11772
- C:\Windows\System32\VCVAGQn.exe
  C:\Windows\System32\VCVAGQn.exe
  2⤵
  PID:11788
- C:\Windows\System32\baASZiR.exe
  C:\Windows\System32\baASZiR.exe
  2⤵
  PID:11848
- C:\Windows\System32\yUZIppt.exe
  C:\Windows\System32\yUZIppt.exe
  2⤵
  PID:11876
- C:\Windows\System32\xKTIdmm.exe
  C:\Windows\System32\xKTIdmm.exe
  2⤵
  PID:11908
- C:\Windows\System32\PiSXswC.exe
  C:\Windows\System32\PiSXswC.exe
  2⤵
  PID:11932
- C:\Windows\System32\XCZbusM.exe
  C:\Windows\System32\XCZbusM.exe
  2⤵
  PID:11948
- C:\Windows\System32\tBFeWtC.exe
  C:\Windows\System32\tBFeWtC.exe
  2⤵
  PID:11976
- C:\Windows\System32\zOBFaMO.exe
  C:\Windows\System32\zOBFaMO.exe
  2⤵
  PID:12016
- C:\Windows\System32\iGyTUag.exe
  C:\Windows\System32\iGyTUag.exe
  2⤵
  PID:12032
- C:\Windows\System32\YkeYUEh.exe
  C:\Windows\System32\YkeYUEh.exe
  2⤵
  PID:12056
- C:\Windows\System32\LXpktOK.exe
  C:\Windows\System32\LXpktOK.exe
  2⤵
  PID:12072
- C:\Windows\System32\UrpjaKX.exe
  C:\Windows\System32\UrpjaKX.exe
  2⤵
  PID:12088
- C:\Windows\System32\etissoS.exe
  C:\Windows\System32\etissoS.exe
  2⤵
  PID:12120
- C:\Windows\System32\dGRaeyN.exe
  C:\Windows\System32\dGRaeyN.exe
  2⤵
  PID:12140
- C:\Windows\System32\NlEEGID.exe
  C:\Windows\System32\NlEEGID.exe
  2⤵
  PID:12176
- C:\Windows\System32\BzZEpVB.exe
  C:\Windows\System32\BzZEpVB.exe
  2⤵
  PID:12220
- C:\Windows\System32\FiEfGwX.exe
  C:\Windows\System32\FiEfGwX.exe
  2⤵
  PID:12268
- C:\Windows\System32\nXcEmGh.exe
  C:\Windows\System32\nXcEmGh.exe
  2⤵
  PID:11276
- C:\Windows\System32\cTuujvM.exe
  C:\Windows\System32\cTuujvM.exe
  2⤵
  PID:11304
- C:\Windows\System32\ULEFDSD.exe
  C:\Windows\System32\ULEFDSD.exe
  2⤵
  PID:11376
- C:\Windows\System32\aDxRzmP.exe
  C:\Windows\System32\aDxRzmP.exe
  2⤵
  PID:11420
- C:\Windows\System32\prqCMqm.exe
  C:\Windows\System32\prqCMqm.exe
  2⤵
  PID:11460
- C:\Windows\System32\VvhOBME.exe
  C:\Windows\System32\VvhOBME.exe
  2⤵
  PID:11544
- C:\Windows\System32\IJwMVBl.exe
  C:\Windows\System32\IJwMVBl.exe
  2⤵
  PID:11568
- C:\Windows\System32\IksRGUx.exe
  C:\Windows\System32\IksRGUx.exe
  2⤵
  PID:11628
- C:\Windows\System32\pPZOTQw.exe
  C:\Windows\System32\pPZOTQw.exe
  2⤵
  PID:11760
- C:\Windows\System32\Itplwif.exe
  C:\Windows\System32\Itplwif.exe
  2⤵
  PID:11816
- C:\Windows\System32\UoWbKBb.exe
  C:\Windows\System32\UoWbKBb.exe
  2⤵
  PID:11868
- C:\Windows\System32\yvtrLfl.exe
  C:\Windows\System32\yvtrLfl.exe
  2⤵
  PID:11916
- C:\Windows\System32\DrngTVB.exe
  C:\Windows\System32\DrngTVB.exe
  2⤵
  PID:11960
- C:\Windows\System32\aVzRwLR.exe
  C:\Windows\System32\aVzRwLR.exe
  2⤵
  PID:12000
- C:\Windows\System32\REuPMnQ.exe
  C:\Windows\System32\REuPMnQ.exe
  2⤵
  PID:12152
- C:\Windows\System32\CCeWGHm.exe
  C:\Windows\System32\CCeWGHm.exe
  2⤵
  PID:12228
- C:\Windows\System32\gDbNhMj.exe
  C:\Windows\System32\gDbNhMj.exe
  2⤵
  PID:12284
- C:\Windows\System32\nbIeDoJ.exe
  C:\Windows\System32\nbIeDoJ.exe
  2⤵
  PID:11372
- C:\Windows\System32\WpFjAHJ.exe
  C:\Windows\System32\WpFjAHJ.exe
  2⤵
  PID:11504
- C:\Windows\System32\ZJlDqab.exe
  C:\Windows\System32\ZJlDqab.exe
  2⤵
  PID:11572
- C:\Windows\System32\gQsTXyu.exe
  C:\Windows\System32\gQsTXyu.exe
  2⤵
  PID:11684
- C:\Windows\System32\UqLqZRv.exe
  C:\Windows\System32\UqLqZRv.exe
  2⤵
  PID:11780
- C:\Windows\System32\vZkDBzJ.exe
  C:\Windows\System32\vZkDBzJ.exe
  2⤵
  PID:11860
- C:\Windows\System32\TfWvHLb.exe
  C:\Windows\System32\TfWvHLb.exe
  2⤵
  PID:12024
- C:\Windows\System32\JMzyHme.exe
  C:\Windows\System32\JMzyHme.exe
  2⤵
  PID:12148
- C:\Windows\System32\CFrxrZI.exe
  C:\Windows\System32\CFrxrZI.exe
  2⤵
  PID:11724
- C:\Windows\System32\XpIBqoX.exe
  C:\Windows\System32\XpIBqoX.exe
  2⤵
  PID:12172
- C:\Windows\System32\qblUGBG.exe
  C:\Windows\System32\qblUGBG.exe
  2⤵
  PID:11452
- C:\Windows\System32\CRLTQEp.exe
  C:\Windows\System32\CRLTQEp.exe
  2⤵
  PID:12064
- C:\Windows\System32\VyJoGqU.exe
  C:\Windows\System32\VyJoGqU.exe
  2⤵
  PID:12304
- C:\Windows\System32\LBmCAoA.exe
  C:\Windows\System32\LBmCAoA.exe
  2⤵
  PID:12344
- C:\Windows\System32\NodAVsg.exe
  C:\Windows\System32\NodAVsg.exe
  2⤵
  PID:12372
- C:\Windows\System32\UjQPRSK.exe
  C:\Windows\System32\UjQPRSK.exe
  2⤵
  PID:12392
- C:\Windows\System32\mutsRup.exe
  C:\Windows\System32\mutsRup.exe
  2⤵
  PID:12432
- C:\Windows\System32\XNfYnSX.exe
  C:\Windows\System32\XNfYnSX.exe
  2⤵
  PID:12464
- C:\Windows\System32\IyDPtGd.exe
  C:\Windows\System32\IyDPtGd.exe
  2⤵
  PID:12484
- C:\Windows\System32\OMFMcBx.exe
  C:\Windows\System32\OMFMcBx.exe
  2⤵
  PID:12508
- C:\Windows\System32\DfvSbxf.exe
  C:\Windows\System32\DfvSbxf.exe
  2⤵
  PID:12532
- C:\Windows\System32\OyYiiuX.exe
  C:\Windows\System32\OyYiiuX.exe
  2⤵
  PID:12564
- C:\Windows\System32\mgihCfN.exe
  C:\Windows\System32\mgihCfN.exe
  2⤵
  PID:12580
- C:\Windows\System32\rqAUokR.exe
  C:\Windows\System32\rqAUokR.exe
  2⤵
  PID:12600
- C:\Windows\System32\esUlIgI.exe
  C:\Windows\System32\esUlIgI.exe
  2⤵
  PID:12620
- C:\Windows\System32\aNlMNIZ.exe
  C:\Windows\System32\aNlMNIZ.exe
  2⤵
  PID:12644
- C:\Windows\System32\aNTMUli.exe
  C:\Windows\System32\aNTMUli.exe
  2⤵
  PID:12660
- C:\Windows\System32\UWYhgRl.exe
  C:\Windows\System32\UWYhgRl.exe
  2⤵
  PID:12712
- C:\Windows\System32\crAeSPa.exe
  C:\Windows\System32\crAeSPa.exe
  2⤵
  PID:12736
- C:\Windows\System32\grfhWiS.exe
  C:\Windows\System32\grfhWiS.exe
  2⤵
  PID:12756
- C:\Windows\System32\KfIrXgu.exe
  C:\Windows\System32\KfIrXgu.exe
  2⤵
  PID:12792
- C:\Windows\System32\LlXYSxy.exe
  C:\Windows\System32\LlXYSxy.exe
  2⤵
  PID:12824
- C:\Windows\System32\xrqrEhP.exe
  C:\Windows\System32\xrqrEhP.exe
  2⤵
  PID:12892
- C:\Windows\System32\QpsTeiT.exe
  C:\Windows\System32\QpsTeiT.exe
  2⤵
  PID:12908
- C:\Windows\System32\tiPVJfW.exe
  C:\Windows\System32\tiPVJfW.exe
  2⤵
  PID:12936
- C:\Windows\System32\pCyVWpR.exe
  C:\Windows\System32\pCyVWpR.exe
  2⤵
  PID:12956
- C:\Windows\System32\gbwgEqK.exe
  C:\Windows\System32\gbwgEqK.exe
  2⤵
  PID:13004
- C:\Windows\System32\oUCAAFW.exe
  C:\Windows\System32\oUCAAFW.exe
  2⤵
  PID:13020
- C:\Windows\System32\QkFtRAz.exe
  C:\Windows\System32\QkFtRAz.exe
  2⤵
  PID:13036
- C:\Windows\System32\EJQaMbN.exe
  C:\Windows\System32\EJQaMbN.exe
  2⤵
  PID:13056
- C:\Windows\System32\pULbPxq.exe
  C:\Windows\System32\pULbPxq.exe
  2⤵
  PID:13092
- C:\Windows\System32\lWMJoNz.exe
  C:\Windows\System32\lWMJoNz.exe
  2⤵
  PID:13132
- C:\Windows\System32\oBYAExw.exe
  C:\Windows\System32\oBYAExw.exe
  2⤵
  PID:13160
- C:\Windows\System32\iqmBQOD.exe
  C:\Windows\System32\iqmBQOD.exe
  2⤵
  PID:13200
- C:\Windows\System32\RXFVwXV.exe
  C:\Windows\System32\RXFVwXV.exe
  2⤵
  PID:13216
- C:\Windows\System32\sbFhIAc.exe
  C:\Windows\System32\sbFhIAc.exe
  2⤵
  PID:13248
- C:\Windows\System32\WqlLjQA.exe
  C:\Windows\System32\WqlLjQA.exe
  2⤵
  PID:13268
- C:\Windows\System32\xnotwqZ.exe
  C:\Windows\System32\xnotwqZ.exe
  2⤵
  PID:13288
- C:\Windows\System32\WxpHhZi.exe
  C:\Windows\System32\WxpHhZi.exe
  2⤵
  PID:11476
- C:\Windows\System32\WfjXphA.exe
  C:\Windows\System32\WfjXphA.exe
  2⤵
  PID:12316
- C:\Windows\System32\xVKzknC.exe
  C:\Windows\System32\xVKzknC.exe
  2⤵
  PID:12400
- C:\Windows\System32\avwKBQD.exe
  C:\Windows\System32\avwKBQD.exe
  2⤵
  PID:12452
- C:\Windows\System32\AFjFGVp.exe
  C:\Windows\System32\AFjFGVp.exe
  2⤵
  PID:12496
- C:\Windows\System32\gPSxNRA.exe
  C:\Windows\System32\gPSxNRA.exe
  2⤵
  PID:12540
- C:\Windows\System32\DpmcbvD.exe
  C:\Windows\System32\DpmcbvD.exe
  2⤵
  PID:12572
- C:\Windows\System32\aIaWXIL.exe
  C:\Windows\System32\aIaWXIL.exe
  2⤵
  PID:12720
- C:\Windows\System32\yCkZQxj.exe
  C:\Windows\System32\yCkZQxj.exe
  2⤵
  PID:12732
- C:\Windows\System32\FKfOjgI.exe
  C:\Windows\System32\FKfOjgI.exe
  2⤵
  PID:12812
- C:\Windows\System32\uEYbwlL.exe
  C:\Windows\System32\uEYbwlL.exe
  2⤵
  PID:12848
- C:\Windows\System32\VasgBDW.exe
  C:\Windows\System32\VasgBDW.exe
  2⤵
  PID:12240
- C:\Windows\System32\xqlJsRy.exe
  C:\Windows\System32\xqlJsRy.exe
  2⤵
  PID:13032
- C:\Windows\System32\bzXWofg.exe
  C:\Windows\System32\bzXWofg.exe
  2⤵
  PID:13084
- C:\Windows\System32\qjckDki.exe
  C:\Windows\System32\qjckDki.exe
  2⤵
  PID:13104
- C:\Windows\System32\OeViGsk.exe
  C:\Windows\System32\OeViGsk.exe
  2⤵
  PID:13264
- C:\Windows\System32\zsvKwNm.exe
  C:\Windows\System32\zsvKwNm.exe
  2⤵
  PID:12296
- C:\Windows\System32\FyTKWWw.exe
  C:\Windows\System32\FyTKWWw.exe
  2⤵
  PID:12380
- C:\Windows\System32\xsEviNP.exe
  C:\Windows\System32\xsEviNP.exe
  2⤵
  PID:12416
- C:\Windows\System32\OpWtsBQ.exe
  C:\Windows\System32\OpWtsBQ.exe
  2⤵
  PID:12656
- C:\Windows\System32\FZKLWUX.exe
  C:\Windows\System32\FZKLWUX.exe
  2⤵
  PID:12780
- C:\Windows\System32\jRJucxm.exe
  C:\Windows\System32\jRJucxm.exe
  2⤵
  PID:13000
- C:\Windows\System32\xDSupJU.exe
  C:\Windows\System32\xDSupJU.exe
  2⤵
  PID:13228
- C:\Windows\System32\xLphVQw.exe
  C:\Windows\System32\xLphVQw.exe
  2⤵
  PID:12476
- C:\Windows\System32\cwOkqyp.exe
  C:\Windows\System32\cwOkqyp.exe
  2⤵
  PID:12688
- C:\Windows\System32\WhmCAFO.exe
  C:\Windows\System32\WhmCAFO.exe
  2⤵
  PID:4372
- C:\Windows\System32\khzQSdN.exe
  C:\Windows\System32\khzQSdN.exe
  2⤵
  PID:12952
- C:\Windows\System32\skiENgq.exe
  C:\Windows\System32\skiENgq.exe
  2⤵
  PID:13332
- C:\Windows\System32\pfPiuYv.exe
  C:\Windows\System32\pfPiuYv.exe
  2⤵
  PID:13352
- C:\Windows\System32\LoEdlvD.exe
  C:\Windows\System32\LoEdlvD.exe
  2⤵
  PID:13384
- C:\Windows\System32\ZBqqxpl.exe
  C:\Windows\System32\ZBqqxpl.exe
  2⤵
  PID:13416
- C:\Windows\System32\ggGfnni.exe
  C:\Windows\System32\ggGfnni.exe
  2⤵
  PID:13440

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AuJcHcz.exe

Filesize
1.3MB

MD5
d132a4a7da3edc8c65b154e92a5f0c90

SHA1
4545958a4313dcd8b78d35cc5ee7961d11d1e74a

SHA256
770027caf7b9a6cf4f6c946a919e5a96eddd3256fb995750fa8b480525a6ff59

SHA512
534fc235327f0719d6124706889b63e7a70984dc8e787ea884fa320e9a36e21baf6981a1f6c5857fc195dd1fa1b85da15670e861955a5371a040387365119443

Download Submit
C:\Windows\System32\BMazGZo.exe

Filesize
1.3MB

MD5
227fcd4c332cebaa3e4a58dd4a5e4da9

SHA1
5a5ef865819f6f8f09a4f3591990a49103ceb436

SHA256
aa1be29c92a48a8683a72827a165d5d1f8f3e572b71e99fec46e7fe54cdda8cb

SHA512
04b45b73a2e8ff990070855ca5d2439a0063bc79ac96ad7ee4c3108a6e3e11b352e10321427c133d35fdf4724169d38ff1081012a29fd265e373818c291a3494

Download Submit
C:\Windows\System32\CWmBcWl.exe

Filesize
1.3MB

MD5
921a9fa92b9300d882a825ac00147595

SHA1
a7fc557887d9632af43feff1d77c9ce9fb2baac4

SHA256
d447bc2fec39906c8ba5e0731f3e9535e4c72fc78d3643311bde738c74928751

SHA512
bf110985662354632a6fc7433a8573cfaaa7a0101b973216c2ba061cb5256d9ed24d83d5494bbc253717d9b31a9a9fd93284193cd4e4313e2041d2d359d4319f

Download Submit
C:\Windows\System32\DGHvCOK.exe

Filesize
1.3MB

MD5
6c1babf32b4419c6c1951a2dbdef41aa

SHA1
6dc364b98e415d19e4dda1502d7387477a72a29d

SHA256
b144da6233b036e0eb726a56060860dbaa3ef568d312cb2dc4c1a582f10ad863

SHA512
ebd16c8c6e7192d0e4f012647ec0bd6ab4f121e3aaba92bd0a16c4a48ebdc9c504d7c2809bafaf2d113f9f2872a0be340567ef80ae4afa24bc0daa50da2dbad2

Download Submit
C:\Windows\System32\DYfeCQi.exe

Filesize
1.3MB

MD5
734a02e277e63b9b0a27b46616d2f393

SHA1
affd01775d33f480f10e9af68a92d3d43cefd687

SHA256
1a8df3822c663a246241bc65fcd60623aae863620151d3cc60ef0f0f4acfa48d

SHA512
0f11342074039e86f7a225ab5a64da5e9b6a52f7fd82f0ee5fbccb23d771cc8eb786fdca422ab8370025af4033ea93fd3f9dc950ed825bdcc5fce1bfc37ef5a3

Download Submit
C:\Windows\System32\EMCXyYT.exe

Filesize
1.3MB

MD5
6fd9d244264e73e184431daf0622043b

SHA1
8f595eb35a95ff9a3c9e4c64e1faeca0057034bc

SHA256
54a6bdf8e93e7ab69390c291908f30f795797360cd678a1f1e95a2bb099a5162

SHA512
5464937fc4aa1d4d563f3c7ddf92e1ca7cf68221e29f9963d5698333dabf42f8dda605668ad4663e9c3f8f7c24b529047ad2505d9822045b45e2917dbdd36826

Download Submit
C:\Windows\System32\GOqBTpW.exe

Filesize
1.3MB

MD5
dc10e6f270dea6d8bc313a8bccb2e2fb

SHA1
af525930571b53bd00eb150d2bd589d37dee860f

SHA256
bed42de6560be49b019fe4c3abd395b3be7d97139d41e200f2d73f7e3c883cba

SHA512
94208f4f0bff27df01d04bc4b487302f6886314d4b6c9f878bb9efe25b1a25b695447624732c888520a70175063601d9dd4d893fc9bf24fdf215f8bda81ee085

Download Submit
C:\Windows\System32\GTRoOOc.exe

Filesize
1.3MB

MD5
90ee9e9b966e86a8e0a4aa83decaab76

SHA1
891085fb90e72b701fb4aa26518e2af92a01268e

SHA256
bb58bd258a799922d77c4915447f1fc2244b6848c64a96b84c91d04b0e0d92ff

SHA512
313d79e91a481d1dc6eba5000ec789b94537f7d0a2939704e93299c4b0bf0aa14be1993775619583a29d8caae0acfcb6ebd24f32c10907d71fa2d14f50107a4b

Download Submit
C:\Windows\System32\GrTbiEY.exe

Filesize
1.3MB

MD5
a60f6e1f0069036d634f0f6b82f19b34

SHA1
470042ff8595ec6fac7e76866c6838de007696f7

SHA256
f82f0b1ee856392523fd7176f26cd2da228f6c27dac25cfd0c25fe543f52cc88

SHA512
b7d2fd20ee2fb91a4033b43dd977caba32ce9860ddb5b9f0fce3bee3f0224991d769aaaf94f7955815f53df60810c83e208b6412ce3a88c729ed5f1c20dcbcae

Download Submit
C:\Windows\System32\HrDIvys.exe

Filesize
1.3MB

MD5
b9af49a3a41530e1badb297d1d1e16c8

SHA1
64af1b8458eec8774d4f56179dd24a7757fe463a

SHA256
0dc85cfee80efc975fe10db5dcd214da7bbbec3ff2492b4e4f8f73a8dcc0ec56

SHA512
bc0ac010cf4cf98da9b44b949cc6f015b60925d4587280d3f9cdacd552f8984a5b85a528457fcf2bc46cdf87b024e81cec8fe12ddec192f902e9a04beea7cb66

Download Submit
C:\Windows\System32\JTfMeZs.exe

Filesize
1.3MB

MD5
f6e51d2218900415bf9b88f8eb4d2b73

SHA1
1941dfc6562eac9783067977038fa6467bae78f2

SHA256
3a2293cb1087af8e8edb9f2cd17a1c20245f822e1ae3e359383b8e6f5a2f009c

SHA512
f426f42a571fcdc8cb092f9251e674f9b462b233b01bbda1671278135f4867bc922d16c175dad66c9f48ceb9e18668e6bf619a3b8aba59dcad4a381bfee29486

Download Submit
C:\Windows\System32\KtYhSHu.exe

Filesize
1.3MB

MD5
be56453c01b68cdb81bb0fd083f66187

SHA1
9cbe517933c55854589f43010a4996404bfa98c1

SHA256
6fc4041fc46907fa2380cc09487b76a6627b8f18c41f7dcf59a37c13f296958f

SHA512
b7a9e981dfe1ba25094e8b9bfe1b29c6b3c3c7943431d175ce8d22facdf3ce3bd29447fe523959b992e6c4f7a312c89e2e399de214d645c3e70919a758e8d2ab

Download Submit
C:\Windows\System32\LvTIXOf.exe

Filesize
1.3MB

MD5
716f258167e10cd56cc2ee1721986ec9

SHA1
37e14e7f85a938228f9c1bd4e9843cc629050c9c

SHA256
b871db25ab8e27b21fb2d7a675b909cbc2009efdf44979b1e8978b4f76b473dd

SHA512
2168a4bc25434b108b1c3522ae508c15641b1fc55a472aa7af5cd4b58efed33220d3e06ca7b93f7ef67b145dd8c15df2c4ee99f3b09a2ff6a0d3108a830772c3

Download Submit
C:\Windows\System32\MvwKJEd.exe

Filesize
1.3MB

MD5
08e70705dcc742118a2a9c20e105e898

SHA1
ab15da966de7c4da1711e3d486139aac8fa68858

SHA256
d319e6f88c80baf2353f867d053b9b1721c9571f633a92dab944a892d63d8645

SHA512
95fd12d25ceca0550799176c147e48ffa0bd826dcae73e36995749c716e3ca4a566b555f8f856d76a4aedb1f6ffbc6dd3e813585cde406564148586464fd15e7

Download Submit
C:\Windows\System32\RfvLgCO.exe

Filesize
1.3MB

MD5
5cf137dffdbdf133358bb7c55173b5ad

SHA1
760579d77a6f09fb941976cebf89b758738775b2

SHA256
951e039379d8c8ac35b70f2f16b4ebeddd53151f3c05dcdbe2ee8965f60e47f5

SHA512
c6e920fd3fbc94e173ed99fe5515e3ac3992a4934fcd9df32c189a1dd89b060c9df1dae8ede997dacd604bebed9a02ae8d9d7bebe7d6725499d9228ba8e9180f

Download Submit
C:\Windows\System32\RrPcBjE.exe

Filesize
1.3MB

MD5
8330035dbde15af3c747faab3efb2a50

SHA1
ff623e320804908890fba8fa429e6c2a664465e4

SHA256
dc0fa09c2b91f86b6bc7f7dc34d97b070407bc69d94a0f4531ad5b4516b939a7

SHA512
64efe874b69f7818cd8123d4e791fee3e9829aa560889ee5935c9bbc09f1d45c6104adb80a40d1c14e1e94ca955abadfde6eb36819855a8419bba0724f8f560f

Download Submit
C:\Windows\System32\SjzMFBF.exe

Filesize
1.3MB

MD5
8baa7d809a57c9b55504e33eaa63b291

SHA1
db7fc5c8a45a21c19e010c3a4905f272493054a3

SHA256
8f04f2c3c65e871ac05b692ffa79f9f9cd3e093467b3420953e940d2ed6b1a02

SHA512
7ed84a513e2d0c3a9d1dd0fa2f78891b3bee96df934a2f3b44dd25c7b082e456f3b0ad4b25ea52e683c2c12e7cb85028e4c6e0596b445119b71660bc56ff4cb2

Download Submit
C:\Windows\System32\WlyorRr.exe

Filesize
1.3MB

MD5
b65a4b960520a1e26273ad2219e1c3e0

SHA1
07f955f23a1abfb9e9d54475af79e619f7eee4e7

SHA256
1211ca04033a80b5d7b6787f7a92ed1fa4422ea0461c79d7cc52517d6e10eb06

SHA512
ac12af59379c44b070d89c2c6b44ff11e1435c0c03c269bd11cb87548118f9d102a5075aa6b4472c3f349b385eec09806a705b97daf4daafc03fe0ef31a0749f

Download Submit
C:\Windows\System32\YAgfVlr.exe

Filesize
1.3MB

MD5
a5b843ec692df5f3c6ef18912b36c536

SHA1
a05ffdc7d260cc7cbb1392ccc1da4ff8966dd18e

SHA256
009bcf659bf413ed0d68120e5c93747fcb3d0e176255b54d4db52667ba85b90f

SHA512
b308124ae581d4d35054cbda1740b8ffc5a4741e9c5359da0030d9d5d0df37ae1feb5980cd51dfd6c6a556bf6140ae66266693c09605112579130805f4d86d7e

Download Submit
C:\Windows\System32\aCjBeOJ.exe

Filesize
1.3MB

MD5
239280aac63a11da8587efd465065ce9

SHA1
d4dac3b59545f5390faa1329f6a6bda2347f56db

SHA256
e8a01db6e521100d9ae93f3593bec779198464d139cdf9ae7e1809949e59710c

SHA512
25bb63ee15b49976dca5616a01c1ac7daea60fd503a3af86cb1bdc47999dac5b17a99678a6305e3b6d0b0e571784180d5f125271d13e8b2950781c28fa80deab

Download Submit
C:\Windows\System32\ajFGbAs.exe

Filesize
1.3MB

MD5
eaa13eaeaf8322d11d7c4cec6862bd4d

SHA1
4ccd4f2744ebf19d9b6d1880eff776404c81794d

SHA256
a403a11ee3d90527c05f50008c258c342b74d7016a07ede12d22043f1e2945a4

SHA512
528cae9013a0b04725d2bcb27afd33bc2ddbd76cd47fbe465cff1994e8bdc6750f5069851426af997d42355a244c1ed70a76af4c9db7f389d953b07cfa593ab3

Download Submit
C:\Windows\System32\hIzhEjV.exe

Filesize
1.3MB

MD5
8d62ecb5f43105b008a2cd8d722e8d3f

SHA1
7a6d70a906ad2bb3e197d68c05bda80481796a8e

SHA256
ecaa19041e75c01973307f249b3f4a926444e828cd9ca8c41678a32382dadfbb

SHA512
3b5ad3e1b7e55c403221c857e9d9b3d937abd9565be4265fb5b9586ac2e7bebdfb06ecad0e5c5aed03b5525b0c5ccf792d4ea62408c27612587fdc1fb556d8c7

Download Submit
C:\Windows\System32\jQYRWwW.exe

Filesize
1.3MB

MD5
ce06b0134385ec0c90abb4b5349c60a3

SHA1
4d5bb7867ddabf4d6e668055adbf43e77e06d2f5

SHA256
992c4cc1343ef91844e7e4fae98d5fe579ffa92a16a8cb80230f37efe6615e4e

SHA512
b4c8a96d2eb8eac64e2afa3fef387dd6f64c8aeeac6ddc01bb2f8b7a1899b56525ed8e9efb7ca4192bc034f098095d0162abd60cf13b6949eb1245887fddc292

Download Submit
C:\Windows\System32\mifFXwX.exe

Filesize
1.3MB

MD5
7c7ba686e73caeacc2c29077cd752cf3

SHA1
ba8c147a4ae8847d9730a54ee49b19d0df45a06b

SHA256
567e0d667fd3c4291da23f81ebdef9e018ada87dac08b10a63f4c0389577ab30

SHA512
5e3d28be103dda5ab8f727e3a64e2d7eb95e8f70251bd690182b6af5df0a24e01f0c41413c7aac7bc1f42c6c01a885f8430730bdd76ae6361ea439e7ee29a289

Download Submit
C:\Windows\System32\oUIcylF.exe

Filesize
1.3MB

MD5
ba220c7923e2cb04bee22039d78ac1e4

SHA1
a54b8e54a506c81b3c4ec98d3c6637a8de3bdac6

SHA256
bfb47fc31c5b22ac01aa6898aced6e714fa08bfbe8576a62a5ba3b1ee895fa8d

SHA512
25b25eb4663ddca782a544d2c67b649afef3422692b2cdd6d7361cf181b6f44f66455131b3e3bbc5b7e774097722a14022ba4e85165f9549eda41a546c5fa790

Download Submit
C:\Windows\System32\oetjTEz.exe

Filesize
1.3MB

MD5
2667e47070c1cf71130635a96301dd5c

SHA1
6b9186de45378eaa8ff54fff5c467cbf7e88f302

SHA256
0333422385a6b80d5603d1a21e75686b03d6b9aec38c22768ff7db873f5d6d30

SHA512
81219c9450dd3a9913c184ef3af5548eb298244c1019d25aea8df3701f126cc67fafb279338a99c2420e005315d25b1da626253d7dbe4827e2225f85f5736893

Download Submit
C:\Windows\System32\rRiJnwt.exe

Filesize
1.3MB

MD5
03b8dd6232dbadf39d8aea27cf686e03

SHA1
e8b7723900f1fbe9544d7a8384bbd0cd89472c0e

SHA256
4d6c4d387bd05dfcb612d3e5b98507471cc5a8f78cfb8876f417b9eadc6c144b

SHA512
5bc99f56ad26a472cb93c3e62eacf84072c23981e62e128d95cd9e47386f0216c57bee95cf383c572d3f6c23f1107d50d9c665fc54d127876d3f2b6683355e09

Download Submit
C:\Windows\System32\tRugmvv.exe

Filesize
1.3MB

MD5
76bebdba405e257648f9908bb71e6886

SHA1
4345431db37ed7155075b7f799633421e930165e

SHA256
802ba09cf2a6fbcd28cb49b986dd0467fe882e1547734ed6ece0ddf7f29004ef

SHA512
5b7f66432012d96325faec74bd67b1e46785d1699bbc44802d21fbd8f226a17e860b0a90d23bb7402b8f9c0a94d59dca2c93a040804d5b594615f27c646d5245

Download Submit
C:\Windows\System32\vgendzU.exe

Filesize
1.3MB

MD5
f0be89b9101f3472d1f1e380abc7ffc5

SHA1
2924bfe6de29e81f434fb9bf4bc9ec21f8fcb4ce

SHA256
90fd252aee81e9175e213dc4cca9b4b33dd81f0030b5df3459e0c8c5f99b6cde

SHA512
45349574162552a640bfeefb0f531cfc20e6b68d8a56ce218108be9b3ed50cf1c6ae08c443a74bb17fad7bf4b8e3999c446ef411c0b45482513a3a840571702c

Download Submit
C:\Windows\System32\vljLuZL.exe

Filesize
1.3MB

MD5
9405f0c353289f1bbe988cf135bd2a5c

SHA1
3310c43fdda3f4200809c3a99677314cb75a1384

SHA256
4d3b1c109c9822cfe5fda5806ed91596cb3bee9da7e98e01e85ff41b7463b004

SHA512
8aa90ba9d4949dc94657ade8a89fa14abb6fb1750f3f832e1226fa502d748aaaecc2ae2565d07e5f301e268d07134e3540f595888e6b87c987453458dcbceadf

Download Submit
C:\Windows\System32\wedrlNN.exe

Filesize
1.3MB

MD5
acf9c12a174b2b8c918e71a17e5a719b

SHA1
7b350047059ad342ba262b6e5270aa6b6f7af2ed

SHA256
ac04338ea589e102d4d982848fab7ec4939ea9dcf6df698c3b604c31b6514895

SHA512
ece9fc1e559398a957dc1f72e9d4dcf02e4d6c3efa4ec1accbee12e0a30f89910d39501755f6d48028b0585e3da8beeca063dc26c627480bb70d3ee1baa68fbf

Download Submit
C:\Windows\System32\wyPAafX.exe

Filesize
1.3MB

MD5
f3a4386b85f3506d0eea474c2a455d10

SHA1
140e20bfbdd3a2113eae1a55d2e19ddfa8d21b2b

SHA256
65d9d50da350ed1bc36c6a5e38b19770b6bb3906e8524b01cf988aadfa990756

SHA512
fae1d2ffdc91b7abf3778933e5142be8030c9640aebc878fdb66ab1bf68dc08912aa796b9ebde10d13139f8c8b07ff3dc532f8d7decdde9828987397f2882e16

Download Submit
C:\Windows\System32\xbskmqu.exe

Filesize
1.3MB

MD5
9dc7540119c9c7833d2f343b6ead44ec

SHA1
524c48de8584c8ac63582619c22320034b0f337c

SHA256
c5204107b02ad8b756cf81cdfa2fe5511c317d92822b49ca7c130aa2dc96f157

SHA512
7676cc5a5bf13b4dfa1e0c67f2d400286c546b9905efa2065780354830c157304a4a41687c60431d8cb15ae66337aa5d847e0b117f3860b6b78f7e4e12df0d6a

Download Submit
C:\Windows\System32\yYkQALt.exe

Filesize
1.3MB

MD5
b9959940ca1c76b33d3c592bcc8e5cc8

SHA1
7d9be4b03b8e9b643367613f584fdee81d1106bb

SHA256
b36a1303eb89add7a439586a3316c295ab4b87bafc9ce6a866a515d7b5bf482f

SHA512
cd083656dbf8b2f350c252f25a788a1ecf0832a96cfb043aed37963135bb7e2a69fee8e58dd74385c3094c1bc3cfc7344d22bf2760d89bf9a01720c60cdb3ec8

Download Submit
memory/244-148-0x00007FF6FE270000-0x00007FF6FE661000-memory.dmp

Filesize
3.9MB

Download
memory/244-2143-0x00007FF6FE270000-0x00007FF6FE661000-memory.dmp

Filesize
3.9MB

Download
memory/244-36-0x00007FF6FE270000-0x00007FF6FE661000-memory.dmp

Filesize
3.9MB

Download
memory/1044-2147-0x00007FF682F70000-0x00007FF683361000-memory.dmp

Filesize
3.9MB

Download
memory/1044-199-0x00007FF682F70000-0x00007FF683361000-memory.dmp

Filesize
3.9MB

Download
memory/1044-42-0x00007FF682F70000-0x00007FF683361000-memory.dmp

Filesize
3.9MB

Download
memory/1064-58-0x00007FF6253D0000-0x00007FF6257C1000-memory.dmp

Filesize
3.9MB

Download
memory/1064-212-0x00007FF6253D0000-0x00007FF6257C1000-memory.dmp

Filesize
3.9MB

Download
memory/1064-2172-0x00007FF6253D0000-0x00007FF6257C1000-memory.dmp

Filesize
3.9MB

Download
memory/1436-61-0x00007FF67AA10000-0x00007FF67AE01000-memory.dmp

Filesize
3.9MB

Download
memory/1436-0-0x00007FF67AA10000-0x00007FF67AE01000-memory.dmp

Filesize
3.9MB

Download
memory/1436-2133-0x00007FF67AA10000-0x00007FF67AE01000-memory.dmp

Filesize
3.9MB

Download
memory/1436-201-0x00007FF67AA10000-0x00007FF67AE01000-memory.dmp

Filesize
3.9MB

Download
memory/1436-1-0x0000025753C60000-0x0000025753C70000-memory.dmp

Filesize
64KB

Download
memory/1884-81-0x00007FF78C8A0000-0x00007FF78CC91000-memory.dmp

Filesize
3.9MB

Download
memory/1884-2196-0x00007FF78C8A0000-0x00007FF78CC91000-memory.dmp

Filesize
3.9MB

Download
memory/1884-880-0x00007FF78C8A0000-0x00007FF78CC91000-memory.dmp

Filesize
3.9MB

Download
memory/2296-885-0x00007FF609EA0000-0x00007FF60A291000-memory.dmp

Filesize
3.9MB

Download
memory/2296-98-0x00007FF609EA0000-0x00007FF60A291000-memory.dmp

Filesize
3.9MB

Download
memory/2296-2190-0x00007FF609EA0000-0x00007FF60A291000-memory.dmp

Filesize
3.9MB

Download
memory/2428-2205-0x00007FF71ABA0000-0x00007FF71AF91000-memory.dmp

Filesize
3.9MB

Download
memory/2428-193-0x00007FF71ABA0000-0x00007FF71AF91000-memory.dmp

Filesize
3.9MB

Download
memory/2680-1010-0x00007FF71FC10000-0x00007FF720001000-memory.dmp

Filesize
3.9MB

Download
memory/2680-96-0x00007FF71FC10000-0x00007FF720001000-memory.dmp

Filesize
3.9MB

Download
memory/2680-2192-0x00007FF71FC10000-0x00007FF720001000-memory.dmp

Filesize
3.9MB

Download
memory/2692-2149-0x00007FF6308D0000-0x00007FF630CC1000-memory.dmp

Filesize
3.9MB

Download
memory/2692-47-0x00007FF6308D0000-0x00007FF630CC1000-memory.dmp

Filesize
3.9MB

Download
memory/2692-209-0x00007FF6308D0000-0x00007FF630CC1000-memory.dmp

Filesize
3.9MB

Download
memory/2996-2138-0x00007FF68A100000-0x00007FF68A4F1000-memory.dmp

Filesize
3.9MB

Download
memory/2996-72-0x00007FF68A100000-0x00007FF68A4F1000-memory.dmp

Filesize
3.9MB

Download
memory/2996-8-0x00007FF68A100000-0x00007FF68A4F1000-memory.dmp

Filesize
3.9MB

Download
memory/3172-2231-0x00007FF713FE0000-0x00007FF7143D1000-memory.dmp

Filesize
3.9MB

Download
memory/3172-194-0x00007FF713FE0000-0x00007FF7143D1000-memory.dmp

Filesize
3.9MB

Download
memory/3208-198-0x00007FF628B30000-0x00007FF628F21000-memory.dmp

Filesize
3.9MB

Download
memory/3208-2239-0x00007FF628B30000-0x00007FF628F21000-memory.dmp

Filesize
3.9MB

Download
memory/3276-197-0x00007FF72A540000-0x00007FF72A931000-memory.dmp

Filesize
3.9MB

Download
memory/3440-24-0x00007FF78E990000-0x00007FF78ED81000-memory.dmp

Filesize
3.9MB

Download
memory/3440-2139-0x00007FF78E990000-0x00007FF78ED81000-memory.dmp

Filesize
3.9MB

Download
memory/3440-77-0x00007FF78E990000-0x00007FF78ED81000-memory.dmp

Filesize
3.9MB

Download
memory/3516-196-0x00007FF715300000-0x00007FF7156F1000-memory.dmp

Filesize
3.9MB

Download
memory/3516-2201-0x00007FF715300000-0x00007FF7156F1000-memory.dmp

Filesize
3.9MB

Download
memory/3588-1023-0x00007FF7BC200000-0x00007FF7BC5F1000-memory.dmp

Filesize
3.9MB

Download
memory/3588-104-0x00007FF7BC200000-0x00007FF7BC5F1000-memory.dmp

Filesize
3.9MB

Download
memory/3588-2187-0x00007FF7BC200000-0x00007FF7BC5F1000-memory.dmp

Filesize
3.9MB

Download
memory/4084-2142-0x00007FF6CF200000-0x00007FF6CF5F1000-memory.dmp

Filesize
3.9MB

Download
memory/4084-27-0x00007FF6CF200000-0x00007FF6CF5F1000-memory.dmp

Filesize
3.9MB

Download
memory/4084-86-0x00007FF6CF200000-0x00007FF6CF5F1000-memory.dmp

Filesize
3.9MB

Download
memory/4256-2195-0x00007FF6551B0000-0x00007FF6555A1000-memory.dmp

Filesize
3.9MB

Download
memory/4256-102-0x00007FF6551B0000-0x00007FF6555A1000-memory.dmp

Filesize
3.9MB

Download
memory/4256-1012-0x00007FF6551B0000-0x00007FF6555A1000-memory.dmp

Filesize
3.9MB

Download
memory/4468-497-0x00007FF7EA840000-0x00007FF7EAC31000-memory.dmp

Filesize
3.9MB

Download
memory/4468-62-0x00007FF7EA840000-0x00007FF7EAC31000-memory.dmp

Filesize
3.9MB

Download
memory/4468-2170-0x00007FF7EA840000-0x00007FF7EAC31000-memory.dmp

Filesize
3.9MB

Download
memory/4676-200-0x00007FF71BD40000-0x00007FF71C131000-memory.dmp

Filesize
3.9MB

Download
memory/4700-2184-0x00007FF727100000-0x00007FF7274F1000-memory.dmp

Filesize
3.9MB

Download
memory/4700-67-0x00007FF727100000-0x00007FF7274F1000-memory.dmp

Filesize
3.9MB

Download
memory/4700-645-0x00007FF727100000-0x00007FF7274F1000-memory.dmp

Filesize
3.9MB

Download
memory/4804-28-0x00007FF7DB2D0000-0x00007FF7DB6C1000-memory.dmp

Filesize
3.9MB

Download
memory/4804-115-0x00007FF7DB2D0000-0x00007FF7DB6C1000-memory.dmp

Filesize
3.9MB

Download
memory/4804-2145-0x00007FF7DB2D0000-0x00007FF7DB6C1000-memory.dmp

Filesize
3.9MB

Download
memory/4884-15-0x00007FF60DFE0000-0x00007FF60E3D1000-memory.dmp

Filesize
3.9MB

Download
memory/4884-2135-0x00007FF60DFE0000-0x00007FF60E3D1000-memory.dmp

Filesize
3.9MB

Download
memory/4884-73-0x00007FF60DFE0000-0x00007FF60E3D1000-memory.dmp

Filesize
3.9MB

Download
memory/4932-2198-0x00007FF6540A0000-0x00007FF654491000-memory.dmp

Filesize
3.9MB

Download
memory/4932-103-0x00007FF6540A0000-0x00007FF654491000-memory.dmp

Filesize
3.9MB

Download
memory/4932-1019-0x00007FF6540A0000-0x00007FF654491000-memory.dmp

Filesize
3.9MB

Download
memory/4964-656-0x00007FF78D3D0000-0x00007FF78D7C1000-memory.dmp

Filesize
3.9MB

Download
memory/4964-76-0x00007FF78D3D0000-0x00007FF78D7C1000-memory.dmp

Filesize
3.9MB

Download
memory/4964-2188-0x00007FF78D3D0000-0x00007FF78D7C1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads