xmrig | f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3b

Analysis

max time kernel
109s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
Size

1.2MB
MD5

889602cf036fa538c8cbcf6cd9170250
SHA1

c3833071975691410a9ed951bccd2cf549b7ef95
SHA256

f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3b
SHA512

5663ad66654a4981e563c77e620d9d90a0f2b24c632fc96bf55f0bfd227fe39b3ef86ac3cdf8406751402d68dbfa6ec1e221b8992e4a21919d8eeda059ecfb14
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5PbcmC3f/DFNkTQbVLqX:knw9oUUEEDl37jcmWH/xbI

Score

10^/10

xmrig miner upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 51 IoCs

miner

resource	yara_rule
behavioral2/memory/408-57-0x00007FF7F1C90000-0x00007FF7F2081000-memory.dmp	xmrig
behavioral2/memory/3780-47-0x00007FF7F6790000-0x00007FF7F6B81000-memory.dmp	xmrig
behavioral2/memory/1100-120-0x00007FF7A9170000-0x00007FF7A9561000-memory.dmp	xmrig
behavioral2/memory/1864-124-0x00007FF65F290000-0x00007FF65F681000-memory.dmp	xmrig
behavioral2/memory/1048-141-0x00007FF7E9C60000-0x00007FF7EA051000-memory.dmp	xmrig
behavioral2/memory/3168-152-0x00007FF73C850000-0x00007FF73CC41000-memory.dmp	xmrig
behavioral2/memory/4876-151-0x00007FF673430000-0x00007FF673821000-memory.dmp	xmrig
behavioral2/memory/2684-144-0x00007FF736530000-0x00007FF736921000-memory.dmp	xmrig
behavioral2/memory/3220-143-0x00007FF710E90000-0x00007FF711281000-memory.dmp	xmrig
behavioral2/memory/3036-134-0x00007FF6BE700000-0x00007FF6BEAF1000-memory.dmp	xmrig
behavioral2/memory/4536-133-0x00007FF672870000-0x00007FF672C61000-memory.dmp	xmrig
behavioral2/memory/4952-125-0x00007FF6F6EF0000-0x00007FF6F72E1000-memory.dmp	xmrig
behavioral2/memory/3776-123-0x00007FF6944D0000-0x00007FF6948C1000-memory.dmp	xmrig
behavioral2/memory/4264-118-0x00007FF7F76E0000-0x00007FF7F7AD1000-memory.dmp	xmrig
behavioral2/memory/4200-71-0x00007FF79FC20000-0x00007FF7A0011000-memory.dmp	xmrig
behavioral2/memory/4200-719-0x00007FF79FC20000-0x00007FF7A0011000-memory.dmp	xmrig
behavioral2/memory/4312-953-0x00007FF60E780000-0x00007FF60EB71000-memory.dmp	xmrig
behavioral2/memory/3032-955-0x00007FF6A6A50000-0x00007FF6A6E41000-memory.dmp	xmrig
behavioral2/memory/3568-956-0x00007FF6B8150000-0x00007FF6B8541000-memory.dmp	xmrig
behavioral2/memory/5052-952-0x00007FF7E2860000-0x00007FF7E2C51000-memory.dmp	xmrig
behavioral2/memory/3172-1021-0x00007FF743980000-0x00007FF743D71000-memory.dmp	xmrig
behavioral2/memory/3096-1018-0x00007FF6BFA90000-0x00007FF6BFE81000-memory.dmp	xmrig
behavioral2/memory/3736-1256-0x00007FF67B940000-0x00007FF67BD31000-memory.dmp	xmrig
behavioral2/memory/4464-1363-0x00007FF71D9E0000-0x00007FF71DDD1000-memory.dmp	xmrig
behavioral2/memory/3764-1485-0x00007FF7DEFB0000-0x00007FF7DF3A1000-memory.dmp	xmrig
behavioral2/memory/1080-1614-0x00007FF70EB30000-0x00007FF70EF21000-memory.dmp	xmrig
behavioral2/memory/1100-2087-0x00007FF7A9170000-0x00007FF7A9561000-memory.dmp	xmrig
behavioral2/memory/4952-2134-0x00007FF6F6EF0000-0x00007FF6F72E1000-memory.dmp	xmrig
behavioral2/memory/4536-2136-0x00007FF672870000-0x00007FF672C61000-memory.dmp	xmrig
behavioral2/memory/1048-2138-0x00007FF7E9C60000-0x00007FF7EA051000-memory.dmp	xmrig
behavioral2/memory/3036-2140-0x00007FF6BE700000-0x00007FF6BEAF1000-memory.dmp	xmrig
behavioral2/memory/2684-2146-0x00007FF736530000-0x00007FF736921000-memory.dmp	xmrig
behavioral2/memory/4876-2154-0x00007FF673430000-0x00007FF673821000-memory.dmp	xmrig
behavioral2/memory/3168-2156-0x00007FF73C850000-0x00007FF73CC41000-memory.dmp	xmrig
behavioral2/memory/408-2152-0x00007FF7F1C90000-0x00007FF7F2081000-memory.dmp	xmrig
behavioral2/memory/3220-2150-0x00007FF710E90000-0x00007FF711281000-memory.dmp	xmrig
behavioral2/memory/3780-2148-0x00007FF7F6790000-0x00007FF7F6B81000-memory.dmp	xmrig
behavioral2/memory/4200-2188-0x00007FF79FC20000-0x00007FF7A0011000-memory.dmp	xmrig
behavioral2/memory/5052-2190-0x00007FF7E2860000-0x00007FF7E2C51000-memory.dmp	xmrig
behavioral2/memory/3776-2194-0x00007FF6944D0000-0x00007FF6948C1000-memory.dmp	xmrig
behavioral2/memory/3032-2192-0x00007FF6A6A50000-0x00007FF6A6E41000-memory.dmp	xmrig
behavioral2/memory/3096-2196-0x00007FF6BFA90000-0x00007FF6BFE81000-memory.dmp	xmrig
behavioral2/memory/3568-2232-0x00007FF6B8150000-0x00007FF6B8541000-memory.dmp	xmrig
behavioral2/memory/4464-2236-0x00007FF71D9E0000-0x00007FF71DDD1000-memory.dmp	xmrig
behavioral2/memory/3764-2238-0x00007FF7DEFB0000-0x00007FF7DF3A1000-memory.dmp	xmrig
behavioral2/memory/1080-2242-0x00007FF70EB30000-0x00007FF70EF21000-memory.dmp	xmrig
behavioral2/memory/3736-2234-0x00007FF67B940000-0x00007FF67BD31000-memory.dmp	xmrig
behavioral2/memory/4264-2230-0x00007FF7F76E0000-0x00007FF7F7AD1000-memory.dmp	xmrig
behavioral2/memory/1864-2200-0x00007FF65F290000-0x00007FF65F681000-memory.dmp	xmrig
behavioral2/memory/4312-2198-0x00007FF60E780000-0x00007FF60EB71000-memory.dmp	xmrig
behavioral2/memory/3172-2493-0x00007FF743980000-0x00007FF743D71000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4952	qmMaAbV.exe
4536	bqlMdUB.exe
1048	ADdFCvp.exe
3036	hGrCNWp.exe
3220	IykNpbg.exe
408	otFyJpO.exe
3780	ZcrYpjL.exe
2684	bZHGeBe.exe
3168	BXsXNPO.exe
4876	JFsUdnl.exe
4200	HXypqOA.exe
5052	tYyONgC.exe
3096	tPoOqjN.exe
4312	MFTCgFl.exe
3776	CTPpZic.exe
3032	hRBsGLt.exe
3172	nTkCCOR.exe
1864	dSLKtZv.exe
3568	RJpYqUj.exe
4264	wTGBMkk.exe
3736	okimBoT.exe
4464	SKPbYOc.exe
3764	gOyeVuy.exe
1080	wHNSTqN.exe
4656	ZGZRzYZ.exe
3100	MGyJpPg.exe
2928	RXpJmsK.exe
4292	FdWOeNw.exe
1656	JDjQBSv.exe
2912	IVKgYNd.exe
3300	vcakbUq.exe
1640	JyTwevp.exe
932	zyXyCAD.exe
4508	ZspnHic.exe
1644	nHPcVdE.exe
3236	thaHgDd.exe
3412	kCKmLpS.exe
4388	KLhaWGk.exe
2352	PENHljK.exe
936	EDgfnai.exe
392	rpveBmi.exe
2228	ppykoKi.exe
396	VsiSYXy.exe
5080	ELcPQOo.exe
3688	dKMXcji.exe
808	lMokdvr.exe
2720	mOIdxmP.exe
1428	Durmzqu.exe
1820	HaWnPXU.exe
3232	UzFTeLi.exe
4408	MQXGAnO.exe
2216	tLfaPcU.exe
3668	kWPQzRC.exe
3744	FMEZVFZ.exe
2096	xgNsbpJ.exe
1160	VzAdGqD.exe
1232	YkidbYX.exe
4456	IiTlLAE.exe
3188	fFrjusn.exe
1384	FziwYbx.exe
4132	cVhXIZf.exe
2992	UMwNXSQ.exe
3460	RUsfOKq.exe
4276	MLLdLTx.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DuYgpap.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\UCGBlEO.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\cMiDYXN.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\AYWgayR.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\KRheElP.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\MKKYjJq.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\dgaOvkQ.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\hgSdFjJ.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\WaLStCJ.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\CZanpAg.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\XRjdlxd.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\FMhgfob.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\tvZddVd.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\kXrawpz.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\lmjnAag.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\IzyOVQt.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\hiYvqKf.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\kCtZbrr.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\muflKjm.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\SmfNsGF.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\reOEued.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\WJiOZrd.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\BXRSsAQ.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\hgTTsXZ.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\zMDCyBe.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\hGrCNWp.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\IqjIMef.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\zEhlckE.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\guMrwmE.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\JXeAAZN.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\HBmUvyY.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\SHQfvez.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\tPoOqjN.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\leiCYJa.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\XkEBiIb.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\QPZdQlu.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\JDjQBSv.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\yLoUiTd.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\PxjLMOj.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\Xnpxatf.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\isdkQRx.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\otFyJpO.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\MQXGAnO.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\Wnvrsqh.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\JaJkqWS.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\wbgVUTJ.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\CJTimli.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\qLTpzee.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\LqIsZfn.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\BMqqcam.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\iHJeZlM.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\wBuEIrs.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\enESyKB.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\ELCFQZL.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\UNMkGWT.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\osiyMSS.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\FPVXJSM.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\Durmzqu.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\RUsfOKq.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\FUtMPOH.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\BJwLFYs.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\SPANlyl.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\JSKRMDF.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
File created	C:\Windows\System32\rAUiPoA.exe	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1100-0-0x00007FF7A9170000-0x00007FF7A9561000-memory.dmp	upx
behavioral2/files/0x000c000000023b8c-6.dat	upx
behavioral2/memory/4952-8-0x00007FF6F6EF0000-0x00007FF6F72E1000-memory.dmp	upx
behavioral2/files/0x000a000000023b90-10.dat	upx
behavioral2/files/0x000a000000023b92-20.dat	upx
behavioral2/files/0x000a000000023b91-24.dat	upx
behavioral2/memory/3220-31-0x00007FF710E90000-0x00007FF711281000-memory.dmp	upx
behavioral2/files/0x000a000000023b93-37.dat	upx
behavioral2/files/0x000a000000023b94-42.dat	upx
behavioral2/files/0x000a000000023b95-44.dat	upx
behavioral2/memory/2684-54-0x00007FF736530000-0x00007FF736921000-memory.dmp	upx
behavioral2/memory/4876-56-0x00007FF673430000-0x00007FF673821000-memory.dmp	upx
behavioral2/memory/3168-58-0x00007FF73C850000-0x00007FF73CC41000-memory.dmp	upx
behavioral2/files/0x000a000000023b98-61.dat	upx
behavioral2/files/0x000a000000023b97-59.dat	upx
behavioral2/memory/408-57-0x00007FF7F1C90000-0x00007FF7F2081000-memory.dmp	upx
behavioral2/files/0x000a000000023b96-49.dat	upx
behavioral2/memory/3780-47-0x00007FF7F6790000-0x00007FF7F6B81000-memory.dmp	upx
behavioral2/memory/3036-28-0x00007FF6BE700000-0x00007FF6BEAF1000-memory.dmp	upx
behavioral2/memory/1048-21-0x00007FF7E9C60000-0x00007FF7EA051000-memory.dmp	upx
behavioral2/memory/4536-17-0x00007FF672870000-0x00007FF672C61000-memory.dmp	upx
behavioral2/files/0x000a000000023b99-66.dat	upx
behavioral2/files/0x000c000000023b8d-70.dat	upx
behavioral2/memory/5052-76-0x00007FF7E2860000-0x00007FF7E2C51000-memory.dmp	upx
behavioral2/files/0x000a000000023b9c-93.dat	upx
behavioral2/files/0x000a000000023b9d-108.dat	upx
behavioral2/files/0x000b000000023b9f-111.dat	upx
behavioral2/memory/3568-117-0x00007FF6B8150000-0x00007FF6B8541000-memory.dmp	upx
behavioral2/memory/1100-120-0x00007FF7A9170000-0x00007FF7A9561000-memory.dmp	upx
behavioral2/memory/1864-124-0x00007FF65F290000-0x00007FF65F681000-memory.dmp	upx
behavioral2/files/0x000a000000023ba9-128.dat	upx
behavioral2/files/0x0008000000023bb9-137.dat	upx
behavioral2/memory/1048-141-0x00007FF7E9C60000-0x00007FF7EA051000-memory.dmp	upx
behavioral2/files/0x000e000000023bc4-165.dat	upx
behavioral2/files/0x0008000000023bc9-178.dat	upx
behavioral2/files/0x0008000000023bfb-194.dat	upx
behavioral2/files/0x0008000000023bcc-190.dat	upx
behavioral2/files/0x0008000000023bcb-189.dat	upx
behavioral2/files/0x0008000000023bca-186.dat	upx
behavioral2/files/0x0008000000023bc6-173.dat	upx
behavioral2/files/0x0009000000023bc0-163.dat	upx
behavioral2/files/0x0009000000023bbf-158.dat	upx
behavioral2/files/0x0009000000023bbe-156.dat	upx
behavioral2/memory/1080-153-0x00007FF70EB30000-0x00007FF70EF21000-memory.dmp	upx
behavioral2/memory/3168-152-0x00007FF73C850000-0x00007FF73CC41000-memory.dmp	upx
behavioral2/memory/4876-151-0x00007FF673430000-0x00007FF673821000-memory.dmp	upx
behavioral2/memory/3764-147-0x00007FF7DEFB0000-0x00007FF7DF3A1000-memory.dmp	upx
behavioral2/memory/2684-144-0x00007FF736530000-0x00007FF736921000-memory.dmp	upx
behavioral2/memory/3220-143-0x00007FF710E90000-0x00007FF711281000-memory.dmp	upx
behavioral2/files/0x000e000000023bb0-139.dat	upx
behavioral2/memory/4464-136-0x00007FF71D9E0000-0x00007FF71DDD1000-memory.dmp	upx
behavioral2/memory/3036-134-0x00007FF6BE700000-0x00007FF6BEAF1000-memory.dmp	upx
behavioral2/memory/4536-133-0x00007FF672870000-0x00007FF672C61000-memory.dmp	upx
behavioral2/memory/3736-126-0x00007FF67B940000-0x00007FF67BD31000-memory.dmp	upx
behavioral2/memory/4952-125-0x00007FF6F6EF0000-0x00007FF6F72E1000-memory.dmp	upx
behavioral2/memory/3776-123-0x00007FF6944D0000-0x00007FF6948C1000-memory.dmp	upx
behavioral2/memory/4264-118-0x00007FF7F76E0000-0x00007FF7F7AD1000-memory.dmp	upx
behavioral2/files/0x000b000000023ba0-116.dat	upx
behavioral2/files/0x000b000000023ba1-114.dat	upx
behavioral2/memory/3172-113-0x00007FF743980000-0x00007FF743D71000-memory.dmp	upx
behavioral2/files/0x000a000000023b9e-109.dat	upx
behavioral2/memory/3032-103-0x00007FF6A6A50000-0x00007FF6A6E41000-memory.dmp	upx
behavioral2/memory/4312-97-0x00007FF60E780000-0x00007FF60EB71000-memory.dmp	upx
behavioral2/files/0x000a000000023b9b-91.dat	upx

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13780	dwm.exe
Token: SeChangeNotifyPrivilege	13780	dwm.exe
Token: 33	13780	dwm.exe
Token: SeIncBasePriorityPrivilege	13780	dwm.exe
Token: SeShutdownPrivilege	13780	dwm.exe
Token: SeCreatePagefilePrivilege	13780	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 4952	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	84
PID 1100 wrote to memory of 4952	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	84
PID 1100 wrote to memory of 4536	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	85
PID 1100 wrote to memory of 4536	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	85
PID 1100 wrote to memory of 1048	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	86
PID 1100 wrote to memory of 1048	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	86
PID 1100 wrote to memory of 3036	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	87
PID 1100 wrote to memory of 3036	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	87
PID 1100 wrote to memory of 3220	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	88
PID 1100 wrote to memory of 3220	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	88
PID 1100 wrote to memory of 408	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	89
PID 1100 wrote to memory of 408	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	89
PID 1100 wrote to memory of 3780	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	90
PID 1100 wrote to memory of 3780	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	90
PID 1100 wrote to memory of 2684	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	91
PID 1100 wrote to memory of 2684	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	91
PID 1100 wrote to memory of 3168	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	92
PID 1100 wrote to memory of 3168	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	92
PID 1100 wrote to memory of 4876	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	93
PID 1100 wrote to memory of 4876	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	93
PID 1100 wrote to memory of 4200	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	94
PID 1100 wrote to memory of 4200	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	94
PID 1100 wrote to memory of 5052	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	95
PID 1100 wrote to memory of 5052	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	95
PID 1100 wrote to memory of 3096	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	96
PID 1100 wrote to memory of 3096	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	96
PID 1100 wrote to memory of 4312	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	97
PID 1100 wrote to memory of 4312	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	97
PID 1100 wrote to memory of 3776	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	98
PID 1100 wrote to memory of 3776	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	98
PID 1100 wrote to memory of 1864	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	99
PID 1100 wrote to memory of 1864	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	99
PID 1100 wrote to memory of 3032	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	100
PID 1100 wrote to memory of 3032	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	100
PID 1100 wrote to memory of 3172	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	101
PID 1100 wrote to memory of 3172	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	101
PID 1100 wrote to memory of 3568	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	102
PID 1100 wrote to memory of 3568	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	102
PID 1100 wrote to memory of 4264	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	103
PID 1100 wrote to memory of 4264	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	103
PID 1100 wrote to memory of 3736	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	104
PID 1100 wrote to memory of 3736	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	104
PID 1100 wrote to memory of 4464	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	105
PID 1100 wrote to memory of 4464	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	105
PID 1100 wrote to memory of 3764	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	106
PID 1100 wrote to memory of 3764	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	106
PID 1100 wrote to memory of 1080	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	107
PID 1100 wrote to memory of 1080	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	107
PID 1100 wrote to memory of 4656	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	108
PID 1100 wrote to memory of 4656	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	108
PID 1100 wrote to memory of 3100	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	109
PID 1100 wrote to memory of 3100	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	109
PID 1100 wrote to memory of 2928	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	110
PID 1100 wrote to memory of 2928	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	110
PID 1100 wrote to memory of 4292	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	111
PID 1100 wrote to memory of 4292	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	111
PID 1100 wrote to memory of 1656	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	112
PID 1100 wrote to memory of 1656	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	112
PID 1100 wrote to memory of 2912	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	113
PID 1100 wrote to memory of 2912	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	113
PID 1100 wrote to memory of 3300	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	114
PID 1100 wrote to memory of 3300	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	114
PID 1100 wrote to memory of 1640	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	115
PID 1100 wrote to memory of 1640	1100	f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe	115

C:\Users\Admin\AppData\Local\Temp\f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe
"C:\Users\Admin\AppData\Local\Temp\f96e7817a64a48cbcb960c73d1eabcd85306752f0c814cf993bbdb56d13a8a3bN.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\System32\qmMaAbV.exe
  C:\Windows\System32\qmMaAbV.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System32\bqlMdUB.exe
  C:\Windows\System32\bqlMdUB.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System32\ADdFCvp.exe
  C:\Windows\System32\ADdFCvp.exe
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Windows\System32\hGrCNWp.exe
  C:\Windows\System32\hGrCNWp.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System32\IykNpbg.exe
  C:\Windows\System32\IykNpbg.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System32\otFyJpO.exe
  C:\Windows\System32\otFyJpO.exe
  2⤵
  - Executes dropped EXE
  PID:408
- C:\Windows\System32\ZcrYpjL.exe
  C:\Windows\System32\ZcrYpjL.exe
  2⤵
  - Executes dropped EXE
  PID:3780
- C:\Windows\System32\bZHGeBe.exe
  C:\Windows\System32\bZHGeBe.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System32\BXsXNPO.exe
  C:\Windows\System32\BXsXNPO.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System32\JFsUdnl.exe
  C:\Windows\System32\JFsUdnl.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Windows\System32\HXypqOA.exe
  C:\Windows\System32\HXypqOA.exe
  2⤵
  - Executes dropped EXE
  PID:4200
- C:\Windows\System32\tYyONgC.exe
  C:\Windows\System32\tYyONgC.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System32\tPoOqjN.exe
  C:\Windows\System32\tPoOqjN.exe
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Windows\System32\MFTCgFl.exe
  C:\Windows\System32\MFTCgFl.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\System32\CTPpZic.exe
  C:\Windows\System32\CTPpZic.exe
  2⤵
  - Executes dropped EXE
  PID:3776
- C:\Windows\System32\dSLKtZv.exe
  C:\Windows\System32\dSLKtZv.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System32\hRBsGLt.exe
  C:\Windows\System32\hRBsGLt.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System32\nTkCCOR.exe
  C:\Windows\System32\nTkCCOR.exe
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Windows\System32\RJpYqUj.exe
  C:\Windows\System32\RJpYqUj.exe
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Windows\System32\wTGBMkk.exe
  C:\Windows\System32\wTGBMkk.exe
  2⤵
  - Executes dropped EXE
  PID:4264
- C:\Windows\System32\okimBoT.exe
  C:\Windows\System32\okimBoT.exe
  2⤵
  - Executes dropped EXE
  PID:3736
- C:\Windows\System32\SKPbYOc.exe
  C:\Windows\System32\SKPbYOc.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System32\gOyeVuy.exe
  C:\Windows\System32\gOyeVuy.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System32\wHNSTqN.exe
  C:\Windows\System32\wHNSTqN.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System32\ZGZRzYZ.exe
  C:\Windows\System32\ZGZRzYZ.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System32\MGyJpPg.exe
  C:\Windows\System32\MGyJpPg.exe
  2⤵
  - Executes dropped EXE
  PID:3100
- C:\Windows\System32\RXpJmsK.exe
  C:\Windows\System32\RXpJmsK.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System32\FdWOeNw.exe
  C:\Windows\System32\FdWOeNw.exe
  2⤵
  - Executes dropped EXE
  PID:4292
- C:\Windows\System32\JDjQBSv.exe
  C:\Windows\System32\JDjQBSv.exe
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\System32\IVKgYNd.exe
  C:\Windows\System32\IVKgYNd.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System32\vcakbUq.exe
  C:\Windows\System32\vcakbUq.exe
  2⤵
  - Executes dropped EXE
  PID:3300
- C:\Windows\System32\JyTwevp.exe
  C:\Windows\System32\JyTwevp.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System32\zyXyCAD.exe
  C:\Windows\System32\zyXyCAD.exe
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\System32\ZspnHic.exe
  C:\Windows\System32\ZspnHic.exe
  2⤵
  - Executes dropped EXE
  PID:4508
- C:\Windows\System32\nHPcVdE.exe
  C:\Windows\System32\nHPcVdE.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System32\thaHgDd.exe
  C:\Windows\System32\thaHgDd.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Windows\System32\kCKmLpS.exe
  C:\Windows\System32\kCKmLpS.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System32\KLhaWGk.exe
  C:\Windows\System32\KLhaWGk.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System32\PENHljK.exe
  C:\Windows\System32\PENHljK.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System32\EDgfnai.exe
  C:\Windows\System32\EDgfnai.exe
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\System32\rpveBmi.exe
  C:\Windows\System32\rpveBmi.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System32\ppykoKi.exe
  C:\Windows\System32\ppykoKi.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System32\VsiSYXy.exe
  C:\Windows\System32\VsiSYXy.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System32\ELcPQOo.exe
  C:\Windows\System32\ELcPQOo.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System32\dKMXcji.exe
  C:\Windows\System32\dKMXcji.exe
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\System32\lMokdvr.exe
  C:\Windows\System32\lMokdvr.exe
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Windows\System32\mOIdxmP.exe
  C:\Windows\System32\mOIdxmP.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System32\Durmzqu.exe
  C:\Windows\System32\Durmzqu.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System32\HaWnPXU.exe
  C:\Windows\System32\HaWnPXU.exe
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\System32\UzFTeLi.exe
  C:\Windows\System32\UzFTeLi.exe
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Windows\System32\MQXGAnO.exe
  C:\Windows\System32\MQXGAnO.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System32\tLfaPcU.exe
  C:\Windows\System32\tLfaPcU.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System32\kWPQzRC.exe
  C:\Windows\System32\kWPQzRC.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System32\FMEZVFZ.exe
  C:\Windows\System32\FMEZVFZ.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System32\xgNsbpJ.exe
  C:\Windows\System32\xgNsbpJ.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System32\VzAdGqD.exe
  C:\Windows\System32\VzAdGqD.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System32\YkidbYX.exe
  C:\Windows\System32\YkidbYX.exe
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Windows\System32\IiTlLAE.exe
  C:\Windows\System32\IiTlLAE.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System32\fFrjusn.exe
  C:\Windows\System32\fFrjusn.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System32\FziwYbx.exe
  C:\Windows\System32\FziwYbx.exe
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\System32\cVhXIZf.exe
  C:\Windows\System32\cVhXIZf.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System32\UMwNXSQ.exe
  C:\Windows\System32\UMwNXSQ.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System32\RUsfOKq.exe
  C:\Windows\System32\RUsfOKq.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System32\MLLdLTx.exe
  C:\Windows\System32\MLLdLTx.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System32\vyjMzLd.exe
  C:\Windows\System32\vyjMzLd.exe
  2⤵
  PID:4964
- C:\Windows\System32\vThbdDU.exe
  C:\Windows\System32\vThbdDU.exe
  2⤵
  PID:2192
- C:\Windows\System32\BQKdgjp.exe
  C:\Windows\System32\BQKdgjp.exe
  2⤵
  PID:1808
- C:\Windows\System32\LCAOGFO.exe
  C:\Windows\System32\LCAOGFO.exe
  2⤵
  PID:2136
- C:\Windows\System32\WaLStCJ.exe
  C:\Windows\System32\WaLStCJ.exe
  2⤵
  PID:3392
- C:\Windows\System32\bHtweAn.exe
  C:\Windows\System32\bHtweAn.exe
  2⤵
  PID:3992
- C:\Windows\System32\aaDsAkE.exe
  C:\Windows\System32\aaDsAkE.exe
  2⤵
  PID:1336
- C:\Windows\System32\jgoHPsO.exe
  C:\Windows\System32\jgoHPsO.exe
  2⤵
  PID:4936
- C:\Windows\System32\QrYQOsz.exe
  C:\Windows\System32\QrYQOsz.exe
  2⤵
  PID:4164
- C:\Windows\System32\leiCYJa.exe
  C:\Windows\System32\leiCYJa.exe
  2⤵
  PID:3584
- C:\Windows\System32\CZanpAg.exe
  C:\Windows\System32\CZanpAg.exe
  2⤵
  PID:3288
- C:\Windows\System32\QoiFNPH.exe
  C:\Windows\System32\QoiFNPH.exe
  2⤵
  PID:2440
- C:\Windows\System32\sSdcKbl.exe
  C:\Windows\System32\sSdcKbl.exe
  2⤵
  PID:756
- C:\Windows\System32\tGDyyAL.exe
  C:\Windows\System32\tGDyyAL.exe
  2⤵
  PID:4680
- C:\Windows\System32\fuHeyhw.exe
  C:\Windows\System32\fuHeyhw.exe
  2⤵
  PID:3732
- C:\Windows\System32\SEpIOww.exe
  C:\Windows\System32\SEpIOww.exe
  2⤵
  PID:4448
- C:\Windows\System32\lUlBqlD.exe
  C:\Windows\System32\lUlBqlD.exe
  2⤵
  PID:1268
- C:\Windows\System32\fFObomS.exe
  C:\Windows\System32\fFObomS.exe
  2⤵
  PID:1668
- C:\Windows\System32\JHjAczA.exe
  C:\Windows\System32\JHjAczA.exe
  2⤵
  PID:2060
- C:\Windows\System32\UIjTUXS.exe
  C:\Windows\System32\UIjTUXS.exe
  2⤵
  PID:3268
- C:\Windows\System32\FNGQGjK.exe
  C:\Windows\System32\FNGQGjK.exe
  2⤵
  PID:5104
- C:\Windows\System32\pzgETbo.exe
  C:\Windows\System32\pzgETbo.exe
  2⤵
  PID:1888
- C:\Windows\System32\mxJrKWJ.exe
  C:\Windows\System32\mxJrKWJ.exe
  2⤵
  PID:2120
- C:\Windows\System32\lwYmmZD.exe
  C:\Windows\System32\lwYmmZD.exe
  2⤵
  PID:4072
- C:\Windows\System32\xfnPBjl.exe
  C:\Windows\System32\xfnPBjl.exe
  2⤵
  PID:1604
- C:\Windows\System32\jCjOryU.exe
  C:\Windows\System32\jCjOryU.exe
  2⤵
  PID:1736
- C:\Windows\System32\uwgbnIm.exe
  C:\Windows\System32\uwgbnIm.exe
  2⤵
  PID:3324
- C:\Windows\System32\hpwSzDL.exe
  C:\Windows\System32\hpwSzDL.exe
  2⤵
  PID:4816
- C:\Windows\System32\VFRpOuS.exe
  C:\Windows\System32\VFRpOuS.exe
  2⤵
  PID:2612
- C:\Windows\System32\WOhskvy.exe
  C:\Windows\System32\WOhskvy.exe
  2⤵
  PID:3860
- C:\Windows\System32\xffBJBk.exe
  C:\Windows\System32\xffBJBk.exe
  2⤵
  PID:664
- C:\Windows\System32\NAmbrik.exe
  C:\Windows\System32\NAmbrik.exe
  2⤵
  PID:4564
- C:\Windows\System32\NnXcsel.exe
  C:\Windows\System32\NnXcsel.exe
  2⤵
  PID:1564
- C:\Windows\System32\wDmcfQS.exe
  C:\Windows\System32\wDmcfQS.exe
  2⤵
  PID:216
- C:\Windows\System32\rHyfEJU.exe
  C:\Windows\System32\rHyfEJU.exe
  2⤵
  PID:2232
- C:\Windows\System32\xmwAxHk.exe
  C:\Windows\System32\xmwAxHk.exe
  2⤵
  PID:4732
- C:\Windows\System32\WKMXeVZ.exe
  C:\Windows\System32\WKMXeVZ.exe
  2⤵
  PID:4116
- C:\Windows\System32\kCtZbrr.exe
  C:\Windows\System32\kCtZbrr.exe
  2⤵
  PID:1304
- C:\Windows\System32\UCcCJka.exe
  C:\Windows\System32\UCcCJka.exe
  2⤵
  PID:4664
- C:\Windows\System32\ronvZIR.exe
  C:\Windows\System32\ronvZIR.exe
  2⤵
  PID:5132
- C:\Windows\System32\uIWGPLb.exe
  C:\Windows\System32\uIWGPLb.exe
  2⤵
  PID:5160
- C:\Windows\System32\jGQWdQI.exe
  C:\Windows\System32\jGQWdQI.exe
  2⤵
  PID:5184
- C:\Windows\System32\muflKjm.exe
  C:\Windows\System32\muflKjm.exe
  2⤵
  PID:5216
- C:\Windows\System32\XRjdlxd.exe
  C:\Windows\System32\XRjdlxd.exe
  2⤵
  PID:5240
- C:\Windows\System32\HLLzFGp.exe
  C:\Windows\System32\HLLzFGp.exe
  2⤵
  PID:5272
- C:\Windows\System32\Wnvrsqh.exe
  C:\Windows\System32\Wnvrsqh.exe
  2⤵
  PID:5300
- C:\Windows\System32\yLoUiTd.exe
  C:\Windows\System32\yLoUiTd.exe
  2⤵
  PID:5324
- C:\Windows\System32\BDZQSaZ.exe
  C:\Windows\System32\BDZQSaZ.exe
  2⤵
  PID:5356
- C:\Windows\System32\FPHFaCs.exe
  C:\Windows\System32\FPHFaCs.exe
  2⤵
  PID:5384
- C:\Windows\System32\kPNvbju.exe
  C:\Windows\System32\kPNvbju.exe
  2⤵
  PID:5408
- C:\Windows\System32\DcihWhK.exe
  C:\Windows\System32\DcihWhK.exe
  2⤵
  PID:5444
- C:\Windows\System32\cyZJilT.exe
  C:\Windows\System32\cyZJilT.exe
  2⤵
  PID:5468
- C:\Windows\System32\jLyCGxB.exe
  C:\Windows\System32\jLyCGxB.exe
  2⤵
  PID:5496
- C:\Windows\System32\bzWEaPS.exe
  C:\Windows\System32\bzWEaPS.exe
  2⤵
  PID:5524
- C:\Windows\System32\bSGplxI.exe
  C:\Windows\System32\bSGplxI.exe
  2⤵
  PID:5552
- C:\Windows\System32\lyRDhNd.exe
  C:\Windows\System32\lyRDhNd.exe
  2⤵
  PID:5580
- C:\Windows\System32\lbPyODo.exe
  C:\Windows\System32\lbPyODo.exe
  2⤵
  PID:5608
- C:\Windows\System32\YiLLqgF.exe
  C:\Windows\System32\YiLLqgF.exe
  2⤵
  PID:5632
- C:\Windows\System32\WabBuUD.exe
  C:\Windows\System32\WabBuUD.exe
  2⤵
  PID:5664
- C:\Windows\System32\KCAnXpw.exe
  C:\Windows\System32\KCAnXpw.exe
  2⤵
  PID:5692
- C:\Windows\System32\LEVCmlw.exe
  C:\Windows\System32\LEVCmlw.exe
  2⤵
  PID:5720
- C:\Windows\System32\mxdtTYZ.exe
  C:\Windows\System32\mxdtTYZ.exe
  2⤵
  PID:5748
- C:\Windows\System32\BMqqcam.exe
  C:\Windows\System32\BMqqcam.exe
  2⤵
  PID:5780
- C:\Windows\System32\duplGKA.exe
  C:\Windows\System32\duplGKA.exe
  2⤵
  PID:5804
- C:\Windows\System32\rgzUNSl.exe
  C:\Windows\System32\rgzUNSl.exe
  2⤵
  PID:5832
- C:\Windows\System32\lTVLmdJ.exe
  C:\Windows\System32\lTVLmdJ.exe
  2⤵
  PID:5856
- C:\Windows\System32\RaPqjqn.exe
  C:\Windows\System32\RaPqjqn.exe
  2⤵
  PID:5888
- C:\Windows\System32\KEPlvvT.exe
  C:\Windows\System32\KEPlvvT.exe
  2⤵
  PID:5916
- C:\Windows\System32\qCNQqHI.exe
  C:\Windows\System32\qCNQqHI.exe
  2⤵
  PID:5944
- C:\Windows\System32\vsWgafM.exe
  C:\Windows\System32\vsWgafM.exe
  2⤵
  PID:5972
- C:\Windows\System32\XmhjRRg.exe
  C:\Windows\System32\XmhjRRg.exe
  2⤵
  PID:6000
- C:\Windows\System32\iHJeZlM.exe
  C:\Windows\System32\iHJeZlM.exe
  2⤵
  PID:6024
- C:\Windows\System32\gENwcQR.exe
  C:\Windows\System32\gENwcQR.exe
  2⤵
  PID:6056
- C:\Windows\System32\NUodYER.exe
  C:\Windows\System32\NUodYER.exe
  2⤵
  PID:6092
- C:\Windows\System32\gfDHdcZ.exe
  C:\Windows\System32\gfDHdcZ.exe
  2⤵
  PID:6116
- C:\Windows\System32\PxjLMOj.exe
  C:\Windows\System32\PxjLMOj.exe
  2⤵
  PID:4968
- C:\Windows\System32\CBhXndi.exe
  C:\Windows\System32\CBhXndi.exe
  2⤵
  PID:3616
- C:\Windows\System32\DUglGqV.exe
  C:\Windows\System32\DUglGqV.exe
  2⤵
  PID:2624
- C:\Windows\System32\OkYjSho.exe
  C:\Windows\System32\OkYjSho.exe
  2⤵
  PID:1892
- C:\Windows\System32\hFznvVX.exe
  C:\Windows\System32\hFznvVX.exe
  2⤵
  PID:5140
- C:\Windows\System32\SmfNsGF.exe
  C:\Windows\System32\SmfNsGF.exe
  2⤵
  PID:5024
- C:\Windows\System32\eQUSJkd.exe
  C:\Windows\System32\eQUSJkd.exe
  2⤵
  PID:5208
- C:\Windows\System32\XkEBiIb.exe
  C:\Windows\System32\XkEBiIb.exe
  2⤵
  PID:5248
- C:\Windows\System32\FUtMPOH.exe
  C:\Windows\System32\FUtMPOH.exe
  2⤵
  PID:1680
- C:\Windows\System32\pzBffDT.exe
  C:\Windows\System32\pzBffDT.exe
  2⤵
  PID:5332
- C:\Windows\System32\hLeUYLz.exe
  C:\Windows\System32\hLeUYLz.exe
  2⤵
  PID:5392
- C:\Windows\System32\ciJaduY.exe
  C:\Windows\System32\ciJaduY.exe
  2⤵
  PID:5464
- C:\Windows\System32\hpqCxDj.exe
  C:\Windows\System32\hpqCxDj.exe
  2⤵
  PID:5544
- C:\Windows\System32\apDrJHu.exe
  C:\Windows\System32\apDrJHu.exe
  2⤵
  PID:5592
- C:\Windows\System32\wOnRZbm.exe
  C:\Windows\System32\wOnRZbm.exe
  2⤵
  PID:5672
- C:\Windows\System32\ONvqemn.exe
  C:\Windows\System32\ONvqemn.exe
  2⤵
  PID:5740
- C:\Windows\System32\iOEdoFH.exe
  C:\Windows\System32\iOEdoFH.exe
  2⤵
  PID:5824
- C:\Windows\System32\LysqgsF.exe
  C:\Windows\System32\LysqgsF.exe
  2⤵
  PID:6012
- C:\Windows\System32\thRsuED.exe
  C:\Windows\System32\thRsuED.exe
  2⤵
  PID:6048
- C:\Windows\System32\ogpdKLB.exe
  C:\Windows\System32\ogpdKLB.exe
  2⤵
  PID:6088
- C:\Windows\System32\cvBrImh.exe
  C:\Windows\System32\cvBrImh.exe
  2⤵
  PID:6132
- C:\Windows\System32\QXQWloS.exe
  C:\Windows\System32\QXQWloS.exe
  2⤵
  PID:2968
- C:\Windows\System32\GxYnIVF.exe
  C:\Windows\System32\GxYnIVF.exe
  2⤵
  PID:4376
- C:\Windows\System32\GaZGLDp.exe
  C:\Windows\System32\GaZGLDp.exe
  2⤵
  PID:5044
- C:\Windows\System32\zFvZUUH.exe
  C:\Windows\System32\zFvZUUH.exe
  2⤵
  PID:5152
- C:\Windows\System32\gaixqAc.exe
  C:\Windows\System32\gaixqAc.exe
  2⤵
  PID:4700
- C:\Windows\System32\SgXbyoi.exe
  C:\Windows\System32\SgXbyoi.exe
  2⤵
  PID:5236
- C:\Windows\System32\ZVxZHRp.exe
  C:\Windows\System32\ZVxZHRp.exe
  2⤵
  PID:5312
- C:\Windows\System32\dhxwMsK.exe
  C:\Windows\System32\dhxwMsK.exe
  2⤵
  PID:5364
- C:\Windows\System32\OcutDzo.exe
  C:\Windows\System32\OcutDzo.exe
  2⤵
  PID:5700
- C:\Windows\System32\Hzdmsps.exe
  C:\Windows\System32\Hzdmsps.exe
  2⤵
  PID:3248
- C:\Windows\System32\BgfxMst.exe
  C:\Windows\System32\BgfxMst.exe
  2⤵
  PID:5864
- C:\Windows\System32\qOfHRoB.exe
  C:\Windows\System32\qOfHRoB.exe
  2⤵
  PID:1032
- C:\Windows\System32\gJNNuHZ.exe
  C:\Windows\System32\gJNNuHZ.exe
  2⤵
  PID:5880
- C:\Windows\System32\UhneZwf.exe
  C:\Windows\System32\UhneZwf.exe
  2⤵
  PID:5936
- C:\Windows\System32\CKCjJxu.exe
  C:\Windows\System32\CKCjJxu.exe
  2⤵
  PID:4760
- C:\Windows\System32\iJOHhEx.exe
  C:\Windows\System32\iJOHhEx.exe
  2⤵
  PID:6108
- C:\Windows\System32\kWBDMOQ.exe
  C:\Windows\System32\kWBDMOQ.exe
  2⤵
  PID:5560
- C:\Windows\System32\mgdEdoY.exe
  C:\Windows\System32\mgdEdoY.exe
  2⤵
  PID:4988
- C:\Windows\System32\coxVZJL.exe
  C:\Windows\System32\coxVZJL.exe
  2⤵
  PID:5264
- C:\Windows\System32\cXAcFme.exe
  C:\Windows\System32\cXAcFme.exe
  2⤵
  PID:5376
- C:\Windows\System32\kUJaKqq.exe
  C:\Windows\System32\kUJaKqq.exe
  2⤵
  PID:5900
- C:\Windows\System32\pMxCLWj.exe
  C:\Windows\System32\pMxCLWj.exe
  2⤵
  PID:2756
- C:\Windows\System32\GVVYJBf.exe
  C:\Windows\System32\GVVYJBf.exe
  2⤵
  PID:6160
- C:\Windows\System32\kZdbpBM.exe
  C:\Windows\System32\kZdbpBM.exe
  2⤵
  PID:6188
- C:\Windows\System32\CoWmnOo.exe
  C:\Windows\System32\CoWmnOo.exe
  2⤵
  PID:6204
- C:\Windows\System32\KvnSLew.exe
  C:\Windows\System32\KvnSLew.exe
  2⤵
  PID:6220
- C:\Windows\System32\TnmZHXB.exe
  C:\Windows\System32\TnmZHXB.exe
  2⤵
  PID:6240
- C:\Windows\System32\CiOCxPH.exe
  C:\Windows\System32\CiOCxPH.exe
  2⤵
  PID:6260
- C:\Windows\System32\VXdydCP.exe
  C:\Windows\System32\VXdydCP.exe
  2⤵
  PID:6316
- C:\Windows\System32\hLolrFm.exe
  C:\Windows\System32\hLolrFm.exe
  2⤵
  PID:6344
- C:\Windows\System32\KvJMYlZ.exe
  C:\Windows\System32\KvJMYlZ.exe
  2⤵
  PID:6368
- C:\Windows\System32\qgwpJwO.exe
  C:\Windows\System32\qgwpJwO.exe
  2⤵
  PID:6392
- C:\Windows\System32\VMlHFmM.exe
  C:\Windows\System32\VMlHFmM.exe
  2⤵
  PID:6428
- C:\Windows\System32\SEAsvFP.exe
  C:\Windows\System32\SEAsvFP.exe
  2⤵
  PID:6464
- C:\Windows\System32\vIggLPT.exe
  C:\Windows\System32\vIggLPT.exe
  2⤵
  PID:6488
- C:\Windows\System32\mJYYhek.exe
  C:\Windows\System32\mJYYhek.exe
  2⤵
  PID:6504
- C:\Windows\System32\lnLLoCl.exe
  C:\Windows\System32\lnLLoCl.exe
  2⤵
  PID:6524
- C:\Windows\System32\DuYgpap.exe
  C:\Windows\System32\DuYgpap.exe
  2⤵
  PID:6544
- C:\Windows\System32\aFwNdir.exe
  C:\Windows\System32\aFwNdir.exe
  2⤵
  PID:6560
- C:\Windows\System32\rfEtIJr.exe
  C:\Windows\System32\rfEtIJr.exe
  2⤵
  PID:6596
- C:\Windows\System32\AcBTusC.exe
  C:\Windows\System32\AcBTusC.exe
  2⤵
  PID:6632
- C:\Windows\System32\nRBahSF.exe
  C:\Windows\System32\nRBahSF.exe
  2⤵
  PID:6656
- C:\Windows\System32\RJPoenB.exe
  C:\Windows\System32\RJPoenB.exe
  2⤵
  PID:6672
- C:\Windows\System32\XMHlVKj.exe
  C:\Windows\System32\XMHlVKj.exe
  2⤵
  PID:6732
- C:\Windows\System32\ydRMpku.exe
  C:\Windows\System32\ydRMpku.exe
  2⤵
  PID:6752
- C:\Windows\System32\lVjThBb.exe
  C:\Windows\System32\lVjThBb.exe
  2⤵
  PID:6772
- C:\Windows\System32\MEPLVhD.exe
  C:\Windows\System32\MEPLVhD.exe
  2⤵
  PID:6788
- C:\Windows\System32\nyQSUvE.exe
  C:\Windows\System32\nyQSUvE.exe
  2⤵
  PID:6808
- C:\Windows\System32\UCGBlEO.exe
  C:\Windows\System32\UCGBlEO.exe
  2⤵
  PID:6836
- C:\Windows\System32\QPZdQlu.exe
  C:\Windows\System32\QPZdQlu.exe
  2⤵
  PID:6856
- C:\Windows\System32\AuIMtQz.exe
  C:\Windows\System32\AuIMtQz.exe
  2⤵
  PID:6872
- C:\Windows\System32\DKpoEpk.exe
  C:\Windows\System32\DKpoEpk.exe
  2⤵
  PID:6892
- C:\Windows\System32\TwQfZip.exe
  C:\Windows\System32\TwQfZip.exe
  2⤵
  PID:7004
- C:\Windows\System32\qxyEvIu.exe
  C:\Windows\System32\qxyEvIu.exe
  2⤵
  PID:7048
- C:\Windows\System32\gtPZqyv.exe
  C:\Windows\System32\gtPZqyv.exe
  2⤵
  PID:7068
- C:\Windows\System32\nvEElvR.exe
  C:\Windows\System32\nvEElvR.exe
  2⤵
  PID:7108
- C:\Windows\System32\ctEngCS.exe
  C:\Windows\System32\ctEngCS.exe
  2⤵
  PID:7136
- C:\Windows\System32\LrjognK.exe
  C:\Windows\System32\LrjognK.exe
  2⤵
  PID:7156
- C:\Windows\System32\BbWCtRV.exe
  C:\Windows\System32\BbWCtRV.exe
  2⤵
  PID:6148
- C:\Windows\System32\DyuLbDO.exe
  C:\Windows\System32\DyuLbDO.exe
  2⤵
  PID:6216
- C:\Windows\System32\IcGhfRH.exe
  C:\Windows\System32\IcGhfRH.exe
  2⤵
  PID:6196
- C:\Windows\System32\MCmbGOI.exe
  C:\Windows\System32\MCmbGOI.exe
  2⤵
  PID:6300
- C:\Windows\System32\TkCNxpO.exe
  C:\Windows\System32\TkCNxpO.exe
  2⤵
  PID:6376
- C:\Windows\System32\ipPcKYj.exe
  C:\Windows\System32\ipPcKYj.exe
  2⤵
  PID:6384
- C:\Windows\System32\wwizZFH.exe
  C:\Windows\System32\wwizZFH.exe
  2⤵
  PID:6500
- C:\Windows\System32\qIdrasP.exe
  C:\Windows\System32\qIdrasP.exe
  2⤵
  PID:6532
- C:\Windows\System32\ESgTjbD.exe
  C:\Windows\System32\ESgTjbD.exe
  2⤵
  PID:6552
- C:\Windows\System32\VLMdqhO.exe
  C:\Windows\System32\VLMdqhO.exe
  2⤵
  PID:6700
- C:\Windows\System32\ILUxiQK.exe
  C:\Windows\System32\ILUxiQK.exe
  2⤵
  PID:6740
- C:\Windows\System32\cjycEZF.exe
  C:\Windows\System32\cjycEZF.exe
  2⤵
  PID:6816
- C:\Windows\System32\wajDNqR.exe
  C:\Windows\System32\wajDNqR.exe
  2⤵
  PID:6948
- C:\Windows\System32\ObHizDA.exe
  C:\Windows\System32\ObHizDA.exe
  2⤵
  PID:6844
- C:\Windows\System32\PvsEVYR.exe
  C:\Windows\System32\PvsEVYR.exe
  2⤵
  PID:7016
- C:\Windows\System32\vtaPPEN.exe
  C:\Windows\System32\vtaPPEN.exe
  2⤵
  PID:7024
- C:\Windows\System32\PuXeXgJ.exe
  C:\Windows\System32\PuXeXgJ.exe
  2⤵
  PID:6172
- C:\Windows\System32\bcCEUvB.exe
  C:\Windows\System32\bcCEUvB.exe
  2⤵
  PID:6248
- C:\Windows\System32\IqjIMef.exe
  C:\Windows\System32\IqjIMef.exe
  2⤵
  PID:6312
- C:\Windows\System32\eFNoeHA.exe
  C:\Windows\System32\eFNoeHA.exe
  2⤵
  PID:6744
- C:\Windows\System32\gTKgPDz.exe
  C:\Windows\System32\gTKgPDz.exe
  2⤵
  PID:6868
- C:\Windows\System32\pazoFcm.exe
  C:\Windows\System32\pazoFcm.exe
  2⤵
  PID:6936
- C:\Windows\System32\IrFHgCb.exe
  C:\Windows\System32\IrFHgCb.exe
  2⤵
  PID:6972
- C:\Windows\System32\vJUusTA.exe
  C:\Windows\System32\vJUusTA.exe
  2⤵
  PID:7076
- C:\Windows\System32\hwvWsUi.exe
  C:\Windows\System32\hwvWsUi.exe
  2⤵
  PID:6668
- C:\Windows\System32\ASMpRTE.exe
  C:\Windows\System32\ASMpRTE.exe
  2⤵
  PID:6916
- C:\Windows\System32\PGwyaah.exe
  C:\Windows\System32\PGwyaah.exe
  2⤵
  PID:6380
- C:\Windows\System32\cvKuddz.exe
  C:\Windows\System32\cvKuddz.exe
  2⤵
  PID:6720
- C:\Windows\System32\lfuvgFZ.exe
  C:\Windows\System32\lfuvgFZ.exe
  2⤵
  PID:6864
- C:\Windows\System32\BJwLFYs.exe
  C:\Windows\System32\BJwLFYs.exe
  2⤵
  PID:7192
- C:\Windows\System32\wnqaICj.exe
  C:\Windows\System32\wnqaICj.exe
  2⤵
  PID:7240
- C:\Windows\System32\nTPyICc.exe
  C:\Windows\System32\nTPyICc.exe
  2⤵
  PID:7272
- C:\Windows\System32\zEhlckE.exe
  C:\Windows\System32\zEhlckE.exe
  2⤵
  PID:7316
- C:\Windows\System32\sFHwCxS.exe
  C:\Windows\System32\sFHwCxS.exe
  2⤵
  PID:7344
- C:\Windows\System32\dTJzAZb.exe
  C:\Windows\System32\dTJzAZb.exe
  2⤵
  PID:7360
- C:\Windows\System32\ZLkjkPW.exe
  C:\Windows\System32\ZLkjkPW.exe
  2⤵
  PID:7388
- C:\Windows\System32\bjqBDJE.exe
  C:\Windows\System32\bjqBDJE.exe
  2⤵
  PID:7404
- C:\Windows\System32\VymHxzh.exe
  C:\Windows\System32\VymHxzh.exe
  2⤵
  PID:7428
- C:\Windows\System32\rWAGYCv.exe
  C:\Windows\System32\rWAGYCv.exe
  2⤵
  PID:7448
- C:\Windows\System32\SJjTZnf.exe
  C:\Windows\System32\SJjTZnf.exe
  2⤵
  PID:7468
- C:\Windows\System32\guMrwmE.exe
  C:\Windows\System32\guMrwmE.exe
  2⤵
  PID:7488
- C:\Windows\System32\fHGdHBM.exe
  C:\Windows\System32\fHGdHBM.exe
  2⤵
  PID:7504
- C:\Windows\System32\mfELWsn.exe
  C:\Windows\System32\mfELWsn.exe
  2⤵
  PID:7528
- C:\Windows\System32\JONWDti.exe
  C:\Windows\System32\JONWDti.exe
  2⤵
  PID:7576
- C:\Windows\System32\cJuKTfC.exe
  C:\Windows\System32\cJuKTfC.exe
  2⤵
  PID:7612
- C:\Windows\System32\HqQmreN.exe
  C:\Windows\System32\HqQmreN.exe
  2⤵
  PID:7672
- C:\Windows\System32\JmJlKln.exe
  C:\Windows\System32\JmJlKln.exe
  2⤵
  PID:7696
- C:\Windows\System32\DDdDWqb.exe
  C:\Windows\System32\DDdDWqb.exe
  2⤵
  PID:7720
- C:\Windows\System32\AUalvPZ.exe
  C:\Windows\System32\AUalvPZ.exe
  2⤵
  PID:7740
- C:\Windows\System32\YSYRZVP.exe
  C:\Windows\System32\YSYRZVP.exe
  2⤵
  PID:7756
- C:\Windows\System32\tAVlzCW.exe
  C:\Windows\System32\tAVlzCW.exe
  2⤵
  PID:7780
- C:\Windows\System32\IAYonAo.exe
  C:\Windows\System32\IAYonAo.exe
  2⤵
  PID:7820
- C:\Windows\System32\UKfKTIi.exe
  C:\Windows\System32\UKfKTIi.exe
  2⤵
  PID:7840
- C:\Windows\System32\MMxsmAX.exe
  C:\Windows\System32\MMxsmAX.exe
  2⤵
  PID:7888
- C:\Windows\System32\KwWnIqP.exe
  C:\Windows\System32\KwWnIqP.exe
  2⤵
  PID:7988
- C:\Windows\System32\EimGHfo.exe
  C:\Windows\System32\EimGHfo.exe
  2⤵
  PID:8004
- C:\Windows\System32\zIBTVtE.exe
  C:\Windows\System32\zIBTVtE.exe
  2⤵
  PID:8056
- C:\Windows\System32\mqKjgMc.exe
  C:\Windows\System32\mqKjgMc.exe
  2⤵
  PID:8076
- C:\Windows\System32\wBuEIrs.exe
  C:\Windows\System32\wBuEIrs.exe
  2⤵
  PID:8116
- C:\Windows\System32\HpguNZQ.exe
  C:\Windows\System32\HpguNZQ.exe
  2⤵
  PID:8152
- C:\Windows\System32\reOEued.exe
  C:\Windows\System32\reOEued.exe
  2⤵
  PID:8168
- C:\Windows\System32\rkibpNR.exe
  C:\Windows\System32\rkibpNR.exe
  2⤵
  PID:8188
- C:\Windows\System32\enESyKB.exe
  C:\Windows\System32\enESyKB.exe
  2⤵
  PID:7216
- C:\Windows\System32\ycHlnsb.exe
  C:\Windows\System32\ycHlnsb.exe
  2⤵
  PID:7256
- C:\Windows\System32\iEdnQEi.exe
  C:\Windows\System32\iEdnQEi.exe
  2⤵
  PID:7400
- C:\Windows\System32\dcWohVo.exe
  C:\Windows\System32\dcWohVo.exe
  2⤵
  PID:7416
- C:\Windows\System32\ARblGDa.exe
  C:\Windows\System32\ARblGDa.exe
  2⤵
  PID:7540
- C:\Windows\System32\kyBFdgU.exe
  C:\Windows\System32\kyBFdgU.exe
  2⤵
  PID:7584
- C:\Windows\System32\OFMIYzf.exe
  C:\Windows\System32\OFMIYzf.exe
  2⤵
  PID:7632
- C:\Windows\System32\WIQXwRD.exe
  C:\Windows\System32\WIQXwRD.exe
  2⤵
  PID:7732
- C:\Windows\System32\hLqfzXg.exe
  C:\Windows\System32\hLqfzXg.exe
  2⤵
  PID:7680
- C:\Windows\System32\JXeAAZN.exe
  C:\Windows\System32\JXeAAZN.exe
  2⤵
  PID:7856
- C:\Windows\System32\ELCFQZL.exe
  C:\Windows\System32\ELCFQZL.exe
  2⤵
  PID:7868
- C:\Windows\System32\PGnMbOc.exe
  C:\Windows\System32\PGnMbOc.exe
  2⤵
  PID:7896
- C:\Windows\System32\TTRBWmB.exe
  C:\Windows\System32\TTRBWmB.exe
  2⤵
  PID:7924
- C:\Windows\System32\QMfIZuL.exe
  C:\Windows\System32\QMfIZuL.exe
  2⤵
  PID:7956
- C:\Windows\System32\TCTcUXI.exe
  C:\Windows\System32\TCTcUXI.exe
  2⤵
  PID:8068
- C:\Windows\System32\SowJqLk.exe
  C:\Windows\System32\SowJqLk.exe
  2⤵
  PID:8100
- C:\Windows\System32\sYUiHUS.exe
  C:\Windows\System32\sYUiHUS.exe
  2⤵
  PID:8180
- C:\Windows\System32\pbHlWls.exe
  C:\Windows\System32\pbHlWls.exe
  2⤵
  PID:8160
- C:\Windows\System32\klyNLRW.exe
  C:\Windows\System32\klyNLRW.exe
  2⤵
  PID:7292
- C:\Windows\System32\AZtsdHE.exe
  C:\Windows\System32\AZtsdHE.exe
  2⤵
  PID:7352
- C:\Windows\System32\ecMwSPf.exe
  C:\Windows\System32\ecMwSPf.exe
  2⤵
  PID:7656
- C:\Windows\System32\SPANlyl.exe
  C:\Windows\System32\SPANlyl.exe
  2⤵
  PID:7960
- C:\Windows\System32\tezZIBc.exe
  C:\Windows\System32\tezZIBc.exe
  2⤵
  PID:8000
- C:\Windows\System32\rckaZWi.exe
  C:\Windows\System32\rckaZWi.exe
  2⤵
  PID:8088
- C:\Windows\System32\hyKPTKy.exe
  C:\Windows\System32\hyKPTKy.exe
  2⤵
  PID:8164
- C:\Windows\System32\fyvlUgJ.exe
  C:\Windows\System32\fyvlUgJ.exe
  2⤵
  PID:7248
- C:\Windows\System32\Dcxcgkm.exe
  C:\Windows\System32\Dcxcgkm.exe
  2⤵
  PID:7608
- C:\Windows\System32\FzbmNga.exe
  C:\Windows\System32\FzbmNga.exe
  2⤵
  PID:8200
- C:\Windows\System32\GDakjsm.exe
  C:\Windows\System32\GDakjsm.exe
  2⤵
  PID:8236
- C:\Windows\System32\rAUiPoA.exe
  C:\Windows\System32\rAUiPoA.exe
  2⤵
  PID:8252
- C:\Windows\System32\mjsshxz.exe
  C:\Windows\System32\mjsshxz.exe
  2⤵
  PID:8272
- C:\Windows\System32\FsAVuta.exe
  C:\Windows\System32\FsAVuta.exe
  2⤵
  PID:8296
- C:\Windows\System32\GtQsTCz.exe
  C:\Windows\System32\GtQsTCz.exe
  2⤵
  PID:8316
- C:\Windows\System32\TUXQORD.exe
  C:\Windows\System32\TUXQORD.exe
  2⤵
  PID:8340
- C:\Windows\System32\pKrzeXR.exe
  C:\Windows\System32\pKrzeXR.exe
  2⤵
  PID:8380
- C:\Windows\System32\KTNsFEU.exe
  C:\Windows\System32\KTNsFEU.exe
  2⤵
  PID:8408
- C:\Windows\System32\wDYFzvF.exe
  C:\Windows\System32\wDYFzvF.exe
  2⤵
  PID:8436
- C:\Windows\System32\VuahNta.exe
  C:\Windows\System32\VuahNta.exe
  2⤵
  PID:8464
- C:\Windows\System32\hudpEBr.exe
  C:\Windows\System32\hudpEBr.exe
  2⤵
  PID:8492
- C:\Windows\System32\CJTimli.exe
  C:\Windows\System32\CJTimli.exe
  2⤵
  PID:8532
- C:\Windows\System32\ZPBXWCC.exe
  C:\Windows\System32\ZPBXWCC.exe
  2⤵
  PID:8560
- C:\Windows\System32\wiOnIaB.exe
  C:\Windows\System32\wiOnIaB.exe
  2⤵
  PID:8580
- C:\Windows\System32\HAYAZDP.exe
  C:\Windows\System32\HAYAZDP.exe
  2⤵
  PID:8596
- C:\Windows\System32\rwhxDZc.exe
  C:\Windows\System32\rwhxDZc.exe
  2⤵
  PID:8636
- C:\Windows\System32\CXSMlfD.exe
  C:\Windows\System32\CXSMlfD.exe
  2⤵
  PID:8652
- C:\Windows\System32\Clzcjkm.exe
  C:\Windows\System32\Clzcjkm.exe
  2⤵
  PID:8680
- C:\Windows\System32\ggcnksN.exe
  C:\Windows\System32\ggcnksN.exe
  2⤵
  PID:8708
- C:\Windows\System32\WZDIfCP.exe
  C:\Windows\System32\WZDIfCP.exe
  2⤵
  PID:8724
- C:\Windows\System32\zSYCcCH.exe
  C:\Windows\System32\zSYCcCH.exe
  2⤵
  PID:8744
- C:\Windows\System32\ngidYEj.exe
  C:\Windows\System32\ngidYEj.exe
  2⤵
  PID:8768
- C:\Windows\System32\iKhYBiA.exe
  C:\Windows\System32\iKhYBiA.exe
  2⤵
  PID:8820
- C:\Windows\System32\BJTtIMW.exe
  C:\Windows\System32\BJTtIMW.exe
  2⤵
  PID:8872
- C:\Windows\System32\nQoIWal.exe
  C:\Windows\System32\nQoIWal.exe
  2⤵
  PID:8904
- C:\Windows\System32\PNGxrrV.exe
  C:\Windows\System32\PNGxrrV.exe
  2⤵
  PID:8924
- C:\Windows\System32\geNEzAo.exe
  C:\Windows\System32\geNEzAo.exe
  2⤵
  PID:8952
- C:\Windows\System32\jqByhUn.exe
  C:\Windows\System32\jqByhUn.exe
  2⤵
  PID:8972
- C:\Windows\System32\FMhgfob.exe
  C:\Windows\System32\FMhgfob.exe
  2⤵
  PID:8996
- C:\Windows\System32\LpmsazA.exe
  C:\Windows\System32\LpmsazA.exe
  2⤵
  PID:9012
- C:\Windows\System32\xzhoRJY.exe
  C:\Windows\System32\xzhoRJY.exe
  2⤵
  PID:9056
- C:\Windows\System32\dMxxrDM.exe
  C:\Windows\System32\dMxxrDM.exe
  2⤵
  PID:9072
- C:\Windows\System32\oLInrOO.exe
  C:\Windows\System32\oLInrOO.exe
  2⤵
  PID:9092
- C:\Windows\System32\NXPMina.exe
  C:\Windows\System32\NXPMina.exe
  2⤵
  PID:9112
- C:\Windows\System32\olftpCS.exe
  C:\Windows\System32\olftpCS.exe
  2⤵
  PID:9160
- C:\Windows\System32\vBjziZq.exe
  C:\Windows\System32\vBjziZq.exe
  2⤵
  PID:9196
- C:\Windows\System32\oYgMGhE.exe
  C:\Windows\System32\oYgMGhE.exe
  2⤵
  PID:9212
- C:\Windows\System32\TAOTXMy.exe
  C:\Windows\System32\TAOTXMy.exe
  2⤵
  PID:8176
- C:\Windows\System32\dxntQIX.exe
  C:\Windows\System32\dxntQIX.exe
  2⤵
  PID:8268
- C:\Windows\System32\rIPNRkK.exe
  C:\Windows\System32\rIPNRkK.exe
  2⤵
  PID:8332
- C:\Windows\System32\unYNiAn.exe
  C:\Windows\System32\unYNiAn.exe
  2⤵
  PID:8420
- C:\Windows\System32\dTKWHSn.exe
  C:\Windows\System32\dTKWHSn.exe
  2⤵
  PID:8448
- C:\Windows\System32\TlPGwdI.exe
  C:\Windows\System32\TlPGwdI.exe
  2⤵
  PID:8520
- C:\Windows\System32\NHyufzh.exe
  C:\Windows\System32\NHyufzh.exe
  2⤵
  PID:8568
- C:\Windows\System32\OFQactc.exe
  C:\Windows\System32\OFQactc.exe
  2⤵
  PID:8648
- C:\Windows\System32\auiKLAK.exe
  C:\Windows\System32\auiKLAK.exe
  2⤵
  PID:8692
- C:\Windows\System32\XfkgilJ.exe
  C:\Windows\System32\XfkgilJ.exe
  2⤵
  PID:8832
- C:\Windows\System32\fQAKXIG.exe
  C:\Windows\System32\fQAKXIG.exe
  2⤵
  PID:8864
- C:\Windows\System32\EgKXAvW.exe
  C:\Windows\System32\EgKXAvW.exe
  2⤵
  PID:8936
- C:\Windows\System32\cMiDYXN.exe
  C:\Windows\System32\cMiDYXN.exe
  2⤵
  PID:9020
- C:\Windows\System32\yEVYnhC.exe
  C:\Windows\System32\yEVYnhC.exe
  2⤵
  PID:9100
- C:\Windows\System32\kOJKTSi.exe
  C:\Windows\System32\kOJKTSi.exe
  2⤵
  PID:9156
- C:\Windows\System32\mPxbCZK.exe
  C:\Windows\System32\mPxbCZK.exe
  2⤵
  PID:9204
- C:\Windows\System32\ZIvQiEk.exe
  C:\Windows\System32\ZIvQiEk.exe
  2⤵
  PID:8324
- C:\Windows\System32\vbhETNu.exe
  C:\Windows\System32\vbhETNu.exe
  2⤵
  PID:8424
- C:\Windows\System32\RHvTByH.exe
  C:\Windows\System32\RHvTByH.exe
  2⤵
  PID:8544
- C:\Windows\System32\jyRJtOE.exe
  C:\Windows\System32\jyRJtOE.exe
  2⤵
  PID:8736
- C:\Windows\System32\BThJitC.exe
  C:\Windows\System32\BThJitC.exe
  2⤵
  PID:8920
- C:\Windows\System32\QvKocDw.exe
  C:\Windows\System32\QvKocDw.exe
  2⤵
  PID:9084
- C:\Windows\System32\UNMkGWT.exe
  C:\Windows\System32\UNMkGWT.exe
  2⤵
  PID:7812
- C:\Windows\System32\OnxCwag.exe
  C:\Windows\System32\OnxCwag.exe
  2⤵
  PID:8480
- C:\Windows\System32\BXRSsAQ.exe
  C:\Windows\System32\BXRSsAQ.exe
  2⤵
  PID:8900
- C:\Windows\System32\hgTTsXZ.exe
  C:\Windows\System32\hgTTsXZ.exe
  2⤵
  PID:9152
- C:\Windows\System32\CCiGLFk.exe
  C:\Windows\System32\CCiGLFk.exe
  2⤵
  PID:8932
- C:\Windows\System32\PNMrwww.exe
  C:\Windows\System32\PNMrwww.exe
  2⤵
  PID:9232
- C:\Windows\System32\rTgGjED.exe
  C:\Windows\System32\rTgGjED.exe
  2⤵
  PID:9252
- C:\Windows\System32\yaoNRlo.exe
  C:\Windows\System32\yaoNRlo.exe
  2⤵
  PID:9296
- C:\Windows\System32\ccDvPVm.exe
  C:\Windows\System32\ccDvPVm.exe
  2⤵
  PID:9340
- C:\Windows\System32\tVIyQJS.exe
  C:\Windows\System32\tVIyQJS.exe
  2⤵
  PID:9360
- C:\Windows\System32\xdKqkBe.exe
  C:\Windows\System32\xdKqkBe.exe
  2⤵
  PID:9380
- C:\Windows\System32\uDZlkJU.exe
  C:\Windows\System32\uDZlkJU.exe
  2⤵
  PID:9400
- C:\Windows\System32\JaJkqWS.exe
  C:\Windows\System32\JaJkqWS.exe
  2⤵
  PID:9420
- C:\Windows\System32\WKPpUOw.exe
  C:\Windows\System32\WKPpUOw.exe
  2⤵
  PID:9444
- C:\Windows\System32\aGRGwnB.exe
  C:\Windows\System32\aGRGwnB.exe
  2⤵
  PID:9468
- C:\Windows\System32\MuORoZl.exe
  C:\Windows\System32\MuORoZl.exe
  2⤵
  PID:9488
- C:\Windows\System32\bQgajpY.exe
  C:\Windows\System32\bQgajpY.exe
  2⤵
  PID:9548
- C:\Windows\System32\dWAQaqQ.exe
  C:\Windows\System32\dWAQaqQ.exe
  2⤵
  PID:9568
- C:\Windows\System32\RrcbrNE.exe
  C:\Windows\System32\RrcbrNE.exe
  2⤵
  PID:9592
- C:\Windows\System32\ReUtnbI.exe
  C:\Windows\System32\ReUtnbI.exe
  2⤵
  PID:9612
- C:\Windows\System32\BCXFOkM.exe
  C:\Windows\System32\BCXFOkM.exe
  2⤵
  PID:9660
- C:\Windows\System32\tAWWxNJ.exe
  C:\Windows\System32\tAWWxNJ.exe
  2⤵
  PID:9704
- C:\Windows\System32\sOCVqnx.exe
  C:\Windows\System32\sOCVqnx.exe
  2⤵
  PID:9744
- C:\Windows\System32\XFlWoFP.exe
  C:\Windows\System32\XFlWoFP.exe
  2⤵
  PID:9760
- C:\Windows\System32\btujgDv.exe
  C:\Windows\System32\btujgDv.exe
  2⤵
  PID:9788
- C:\Windows\System32\lgwrxfX.exe
  C:\Windows\System32\lgwrxfX.exe
  2⤵
  PID:9804
- C:\Windows\System32\YWGJKoE.exe
  C:\Windows\System32\YWGJKoE.exe
  2⤵
  PID:9832
- C:\Windows\System32\HdAkMXU.exe
  C:\Windows\System32\HdAkMXU.exe
  2⤵
  PID:9872
- C:\Windows\System32\PHDolol.exe
  C:\Windows\System32\PHDolol.exe
  2⤵
  PID:9900
- C:\Windows\System32\fcjLVlt.exe
  C:\Windows\System32\fcjLVlt.exe
  2⤵
  PID:9920
- C:\Windows\System32\AYWgayR.exe
  C:\Windows\System32\AYWgayR.exe
  2⤵
  PID:9944
- C:\Windows\System32\pkxpSJO.exe
  C:\Windows\System32\pkxpSJO.exe
  2⤵
  PID:9960
- C:\Windows\System32\tvZddVd.exe
  C:\Windows\System32\tvZddVd.exe
  2⤵
  PID:9980
- C:\Windows\System32\cORpTCz.exe
  C:\Windows\System32\cORpTCz.exe
  2⤵
  PID:10000
- C:\Windows\System32\sEmHPSe.exe
  C:\Windows\System32\sEmHPSe.exe
  2⤵
  PID:10052
- C:\Windows\System32\edYyuHZ.exe
  C:\Windows\System32\edYyuHZ.exe
  2⤵
  PID:10104
- C:\Windows\System32\hNuPRTL.exe
  C:\Windows\System32\hNuPRTL.exe
  2⤵
  PID:10136
- C:\Windows\System32\mEySLLl.exe
  C:\Windows\System32\mEySLLl.exe
  2⤵
  PID:10156
- C:\Windows\System32\rXsgtsA.exe
  C:\Windows\System32\rXsgtsA.exe
  2⤵
  PID:10180
- C:\Windows\System32\tCWFGKU.exe
  C:\Windows\System32\tCWFGKU.exe
  2⤵
  PID:10220
- C:\Windows\System32\BvzBcbc.exe
  C:\Windows\System32\BvzBcbc.exe
  2⤵
  PID:9068
- C:\Windows\System32\oXXVJdv.exe
  C:\Windows\System32\oXXVJdv.exe
  2⤵
  PID:9260
- C:\Windows\System32\KRheElP.exe
  C:\Windows\System32\KRheElP.exe
  2⤵
  PID:9352
- C:\Windows\System32\sPNUVWH.exe
  C:\Windows\System32\sPNUVWH.exe
  2⤵
  PID:9372
- C:\Windows\System32\KTZogTg.exe
  C:\Windows\System32\KTZogTg.exe
  2⤵
  PID:9408
- C:\Windows\System32\TJxHvnB.exe
  C:\Windows\System32\TJxHvnB.exe
  2⤵
  PID:9480
- C:\Windows\System32\ijUbcMX.exe
  C:\Windows\System32\ijUbcMX.exe
  2⤵
  PID:9560
- C:\Windows\System32\sXkzUTg.exe
  C:\Windows\System32\sXkzUTg.exe
  2⤵
  PID:9756
- C:\Windows\System32\ntvbyoc.exe
  C:\Windows\System32\ntvbyoc.exe
  2⤵
  PID:9796
- C:\Windows\System32\bVDpvbc.exe
  C:\Windows\System32\bVDpvbc.exe
  2⤵
  PID:9888
- C:\Windows\System32\yRSmCtQ.exe
  C:\Windows\System32\yRSmCtQ.exe
  2⤵
  PID:9268
- C:\Windows\System32\EzhQMwY.exe
  C:\Windows\System32\EzhQMwY.exe
  2⤵
  PID:9912
- C:\Windows\System32\HkmzRBb.exe
  C:\Windows\System32\HkmzRBb.exe
  2⤵
  PID:10016
- C:\Windows\System32\ckriNuw.exe
  C:\Windows\System32\ckriNuw.exe
  2⤵
  PID:10168
- C:\Windows\System32\weGqbsj.exe
  C:\Windows\System32\weGqbsj.exe
  2⤵
  PID:10176
- C:\Windows\System32\HvELcmp.exe
  C:\Windows\System32\HvELcmp.exe
  2⤵
  PID:9248
- C:\Windows\System32\YTOXXXt.exe
  C:\Windows\System32\YTOXXXt.exe
  2⤵
  PID:9348
- C:\Windows\System32\oRMHlmi.exe
  C:\Windows\System32\oRMHlmi.exe
  2⤵
  PID:9656
- C:\Windows\System32\MKKYjJq.exe
  C:\Windows\System32\MKKYjJq.exe
  2⤵
  PID:9532
- C:\Windows\System32\ZOIoATP.exe
  C:\Windows\System32\ZOIoATP.exe
  2⤵
  PID:9844
- C:\Windows\System32\osiyMSS.exe
  C:\Windows\System32\osiyMSS.exe
  2⤵
  PID:9864
- C:\Windows\System32\LQaHFDH.exe
  C:\Windows\System32\LQaHFDH.exe
  2⤵
  PID:10196
- C:\Windows\System32\GNYQesy.exe
  C:\Windows\System32\GNYQesy.exe
  2⤵
  PID:9240
- C:\Windows\System32\zqXzGFA.exe
  C:\Windows\System32\zqXzGFA.exe
  2⤵
  PID:9368
- C:\Windows\System32\PjQcUod.exe
  C:\Windows\System32\PjQcUod.exe
  2⤵
  PID:9928
- C:\Windows\System32\ACqYMaO.exe
  C:\Windows\System32\ACqYMaO.exe
  2⤵
  PID:9600
- C:\Windows\System32\NMbwEeg.exe
  C:\Windows\System32\NMbwEeg.exe
  2⤵
  PID:10264
- C:\Windows\System32\FJccaAg.exe
  C:\Windows\System32\FJccaAg.exe
  2⤵
  PID:10280
- C:\Windows\System32\wbgVUTJ.exe
  C:\Windows\System32\wbgVUTJ.exe
  2⤵
  PID:10300
- C:\Windows\System32\KKZgSPc.exe
  C:\Windows\System32\KKZgSPc.exe
  2⤵
  PID:10336
- C:\Windows\System32\owGsePX.exe
  C:\Windows\System32\owGsePX.exe
  2⤵
  PID:10372
- C:\Windows\System32\cGpBAit.exe
  C:\Windows\System32\cGpBAit.exe
  2⤵
  PID:10396
- C:\Windows\System32\ZTFrVCU.exe
  C:\Windows\System32\ZTFrVCU.exe
  2⤵
  PID:10436
- C:\Windows\System32\sWpzktJ.exe
  C:\Windows\System32\sWpzktJ.exe
  2⤵
  PID:10472
- C:\Windows\System32\eyQaDMg.exe
  C:\Windows\System32\eyQaDMg.exe
  2⤵
  PID:10500
- C:\Windows\System32\aRKhTwA.exe
  C:\Windows\System32\aRKhTwA.exe
  2⤵
  PID:10516
- C:\Windows\System32\IDTfCBs.exe
  C:\Windows\System32\IDTfCBs.exe
  2⤵
  PID:10548
- C:\Windows\System32\Kuqddsy.exe
  C:\Windows\System32\Kuqddsy.exe
  2⤵
  PID:10564
- C:\Windows\System32\opDeyNw.exe
  C:\Windows\System32\opDeyNw.exe
  2⤵
  PID:10580
- C:\Windows\System32\fZXbDRf.exe
  C:\Windows\System32\fZXbDRf.exe
  2⤵
  PID:10604
- C:\Windows\System32\FPVXJSM.exe
  C:\Windows\System32\FPVXJSM.exe
  2⤵
  PID:10680
- C:\Windows\System32\JmcAdGi.exe
  C:\Windows\System32\JmcAdGi.exe
  2⤵
  PID:10716
- C:\Windows\System32\ggKxudN.exe
  C:\Windows\System32\ggKxudN.exe
  2⤵
  PID:10736
- C:\Windows\System32\mBzopgm.exe
  C:\Windows\System32\mBzopgm.exe
  2⤵
  PID:10752
- C:\Windows\System32\rzyovfX.exe
  C:\Windows\System32\rzyovfX.exe
  2⤵
  PID:10768
- C:\Windows\System32\yxnOFVw.exe
  C:\Windows\System32\yxnOFVw.exe
  2⤵
  PID:10784
- C:\Windows\System32\rETpzjx.exe
  C:\Windows\System32\rETpzjx.exe
  2⤵
  PID:10800
- C:\Windows\System32\YjyFKru.exe
  C:\Windows\System32\YjyFKru.exe
  2⤵
  PID:10820
- C:\Windows\System32\DZpPlPB.exe
  C:\Windows\System32\DZpPlPB.exe
  2⤵
  PID:10848
- C:\Windows\System32\PVBqNMG.exe
  C:\Windows\System32\PVBqNMG.exe
  2⤵
  PID:10864
- C:\Windows\System32\ZsJypOL.exe
  C:\Windows\System32\ZsJypOL.exe
  2⤵
  PID:10900
- C:\Windows\System32\qLTpzee.exe
  C:\Windows\System32\qLTpzee.exe
  2⤵
  PID:10920
- C:\Windows\System32\ertZxAH.exe
  C:\Windows\System32\ertZxAH.exe
  2⤵
  PID:10984
- C:\Windows\System32\SQGsxNu.exe
  C:\Windows\System32\SQGsxNu.exe
  2⤵
  PID:11012
- C:\Windows\System32\sqsXPxJ.exe
  C:\Windows\System32\sqsXPxJ.exe
  2⤵
  PID:11032
- C:\Windows\System32\SBCmnZM.exe
  C:\Windows\System32\SBCmnZM.exe
  2⤵
  PID:11064
- C:\Windows\System32\KRdOFgs.exe
  C:\Windows\System32\KRdOFgs.exe
  2⤵
  PID:11112
- C:\Windows\System32\QOiNjwr.exe
  C:\Windows\System32\QOiNjwr.exe
  2⤵
  PID:11144
- C:\Windows\System32\ILavIDF.exe
  C:\Windows\System32\ILavIDF.exe
  2⤵
  PID:11204
- C:\Windows\System32\dHbRrrX.exe
  C:\Windows\System32\dHbRrrX.exe
  2⤵
  PID:11228
- C:\Windows\System32\ZTYDpGa.exe
  C:\Windows\System32\ZTYDpGa.exe
  2⤵
  PID:11244
- C:\Windows\System32\DOfPXnp.exe
  C:\Windows\System32\DOfPXnp.exe
  2⤵
  PID:11260
- C:\Windows\System32\CVHMDxl.exe
  C:\Windows\System32\CVHMDxl.exe
  2⤵
  PID:8548
- C:\Windows\System32\bVCJezF.exe
  C:\Windows\System32\bVCJezF.exe
  2⤵
  PID:10308
- C:\Windows\System32\NRMvrgh.exe
  C:\Windows\System32\NRMvrgh.exe
  2⤵
  PID:10364
- C:\Windows\System32\zMDCyBe.exe
  C:\Windows\System32\zMDCyBe.exe
  2⤵
  PID:10444
- C:\Windows\System32\kmLCtpV.exe
  C:\Windows\System32\kmLCtpV.exe
  2⤵
  PID:10532
- C:\Windows\System32\BtKsqLc.exe
  C:\Windows\System32\BtKsqLc.exe
  2⤵
  PID:10592
- C:\Windows\System32\GPdLihB.exe
  C:\Windows\System32\GPdLihB.exe
  2⤵
  PID:10636
- C:\Windows\System32\TrWfEvZ.exe
  C:\Windows\System32\TrWfEvZ.exe
  2⤵
  PID:10744
- C:\Windows\System32\IZQqTGy.exe
  C:\Windows\System32\IZQqTGy.exe
  2⤵
  PID:10808
- C:\Windows\System32\NCLTuxH.exe
  C:\Windows\System32\NCLTuxH.exe
  2⤵
  PID:10748
- C:\Windows\System32\nMPcDTF.exe
  C:\Windows\System32\nMPcDTF.exe
  2⤵
  PID:10908
- C:\Windows\System32\RWcaBuI.exe
  C:\Windows\System32\RWcaBuI.exe
  2⤵
  PID:10944
- C:\Windows\System32\dgaOvkQ.exe
  C:\Windows\System32\dgaOvkQ.exe
  2⤵
  PID:11040
- C:\Windows\System32\QkixWom.exe
  C:\Windows\System32\QkixWom.exe
  2⤵
  PID:11120
- C:\Windows\System32\DOGXdmc.exe
  C:\Windows\System32\DOGXdmc.exe
  2⤵
  PID:11200
- C:\Windows\System32\uNTukHk.exe
  C:\Windows\System32\uNTukHk.exe
  2⤵
  PID:10044
- C:\Windows\System32\OFIbXSM.exe
  C:\Windows\System32\OFIbXSM.exe
  2⤵
  PID:10296
- C:\Windows\System32\jVZxPwO.exe
  C:\Windows\System32\jVZxPwO.exe
  2⤵
  PID:10456
- C:\Windows\System32\MJiSppZ.exe
  C:\Windows\System32\MJiSppZ.exe
  2⤵
  PID:10792
- C:\Windows\System32\zIQWerJ.exe
  C:\Windows\System32\zIQWerJ.exe
  2⤵
  PID:10816
- C:\Windows\System32\mYaOMYW.exe
  C:\Windows\System32\mYaOMYW.exe
  2⤵
  PID:10968
- C:\Windows\System32\WJiOZrd.exe
  C:\Windows\System32\WJiOZrd.exe
  2⤵
  PID:11104
- C:\Windows\System32\GLTLxZc.exe
  C:\Windows\System32\GLTLxZc.exe
  2⤵
  PID:11176
- C:\Windows\System32\duezWKz.exe
  C:\Windows\System32\duezWKz.exe
  2⤵
  PID:11256
- C:\Windows\System32\bdxudPu.exe
  C:\Windows\System32\bdxudPu.exe
  2⤵
  PID:10856
- C:\Windows\System32\DAJNjYb.exe
  C:\Windows\System32\DAJNjYb.exe
  2⤵
  PID:10668
- C:\Windows\System32\xpMFKtF.exe
  C:\Windows\System32\xpMFKtF.exe
  2⤵
  PID:10612
- C:\Windows\System32\mfZSTyr.exe
  C:\Windows\System32\mfZSTyr.exe
  2⤵
  PID:10328
- C:\Windows\System32\NNMihNe.exe
  C:\Windows\System32\NNMihNe.exe
  2⤵
  PID:10600
- C:\Windows\System32\fFZlfXC.exe
  C:\Windows\System32\fFZlfXC.exe
  2⤵
  PID:11276
- C:\Windows\System32\XzHLbAO.exe
  C:\Windows\System32\XzHLbAO.exe
  2⤵
  PID:11348
- C:\Windows\System32\hgSdFjJ.exe
  C:\Windows\System32\hgSdFjJ.exe
  2⤵
  PID:11392
- C:\Windows\System32\KzhFHDK.exe
  C:\Windows\System32\KzhFHDK.exe
  2⤵
  PID:11416
- C:\Windows\System32\GQNAdii.exe
  C:\Windows\System32\GQNAdii.exe
  2⤵
  PID:11436
- C:\Windows\System32\JvDsIpD.exe
  C:\Windows\System32\JvDsIpD.exe
  2⤵
  PID:11480
- C:\Windows\System32\xyMDDlv.exe
  C:\Windows\System32\xyMDDlv.exe
  2⤵
  PID:11504
- C:\Windows\System32\RPTWSZz.exe
  C:\Windows\System32\RPTWSZz.exe
  2⤵
  PID:11520
- C:\Windows\System32\AfcOnyS.exe
  C:\Windows\System32\AfcOnyS.exe
  2⤵
  PID:11584
- C:\Windows\System32\IzyOVQt.exe
  C:\Windows\System32\IzyOVQt.exe
  2⤵
  PID:11608
- C:\Windows\System32\FaYveYk.exe
  C:\Windows\System32\FaYveYk.exe
  2⤵
  PID:11628
- C:\Windows\System32\GeZpSDr.exe
  C:\Windows\System32\GeZpSDr.exe
  2⤵
  PID:11664
- C:\Windows\System32\HqjNkmQ.exe
  C:\Windows\System32\HqjNkmQ.exe
  2⤵
  PID:11684
- C:\Windows\System32\jKNSzGu.exe
  C:\Windows\System32\jKNSzGu.exe
  2⤵
  PID:11708
- C:\Windows\System32\FFiLuuT.exe
  C:\Windows\System32\FFiLuuT.exe
  2⤵
  PID:11744
- C:\Windows\System32\uGzIXTM.exe
  C:\Windows\System32\uGzIXTM.exe
  2⤵
  PID:11788
- C:\Windows\System32\dzuEQcC.exe
  C:\Windows\System32\dzuEQcC.exe
  2⤵
  PID:11804
- C:\Windows\System32\WGuVnbe.exe
  C:\Windows\System32\WGuVnbe.exe
  2⤵
  PID:11828
- C:\Windows\System32\ixjWGjh.exe
  C:\Windows\System32\ixjWGjh.exe
  2⤵
  PID:11848
- C:\Windows\System32\HBmUvyY.exe
  C:\Windows\System32\HBmUvyY.exe
  2⤵
  PID:11896
- C:\Windows\System32\dkOvTQj.exe
  C:\Windows\System32\dkOvTQj.exe
  2⤵
  PID:11912
- C:\Windows\System32\acvwjhB.exe
  C:\Windows\System32\acvwjhB.exe
  2⤵
  PID:11928
- C:\Windows\System32\jPhZEtK.exe
  C:\Windows\System32\jPhZEtK.exe
  2⤵
  PID:11996
- C:\Windows\System32\QKMcdrP.exe
  C:\Windows\System32\QKMcdrP.exe
  2⤵
  PID:12016
- C:\Windows\System32\culTPnN.exe
  C:\Windows\System32\culTPnN.exe
  2⤵
  PID:12032
- C:\Windows\System32\xpwSozx.exe
  C:\Windows\System32\xpwSozx.exe
  2⤵
  PID:12064
- C:\Windows\System32\PEMWGfV.exe
  C:\Windows\System32\PEMWGfV.exe
  2⤵
  PID:12084
- C:\Windows\System32\eZThTsB.exe
  C:\Windows\System32\eZThTsB.exe
  2⤵
  PID:12108
- C:\Windows\System32\snNVzdC.exe
  C:\Windows\System32\snNVzdC.exe
  2⤵
  PID:12124
- C:\Windows\System32\lHYPZGh.exe
  C:\Windows\System32\lHYPZGh.exe
  2⤵
  PID:12148
- C:\Windows\System32\xdmzpDP.exe
  C:\Windows\System32\xdmzpDP.exe
  2⤵
  PID:12172
- C:\Windows\System32\ziGRZKW.exe
  C:\Windows\System32\ziGRZKW.exe
  2⤵
  PID:12192
- C:\Windows\System32\zuOtyxg.exe
  C:\Windows\System32\zuOtyxg.exe
  2⤵
  PID:12208
- C:\Windows\System32\qbArfGR.exe
  C:\Windows\System32\qbArfGR.exe
  2⤵
  PID:12228
- C:\Windows\System32\vUUtAMP.exe
  C:\Windows\System32\vUUtAMP.exe
  2⤵
  PID:12268
- C:\Windows\System32\eSPTAvC.exe
  C:\Windows\System32\eSPTAvC.exe
  2⤵
  PID:10420
- C:\Windows\System32\BLgDhsN.exe
  C:\Windows\System32\BLgDhsN.exe
  2⤵
  PID:11288
- C:\Windows\System32\hiYvqKf.exe
  C:\Windows\System32\hiYvqKf.exe
  2⤵
  PID:11400
- C:\Windows\System32\AWFNSuE.exe
  C:\Windows\System32\AWFNSuE.exe
  2⤵
  PID:11496
- C:\Windows\System32\RnyrDnZ.exe
  C:\Windows\System32\RnyrDnZ.exe
  2⤵
  PID:11540
- C:\Windows\System32\kXrawpz.exe
  C:\Windows\System32\kXrawpz.exe
  2⤵
  PID:11604
- C:\Windows\System32\qCzUScG.exe
  C:\Windows\System32\qCzUScG.exe
  2⤵
  PID:11644
- C:\Windows\System32\JhaPqyv.exe
  C:\Windows\System32\JhaPqyv.exe
  2⤵
  PID:11704
- C:\Windows\System32\exqFJcQ.exe
  C:\Windows\System32\exqFJcQ.exe
  2⤵
  PID:11824
- C:\Windows\System32\bMHmrDG.exe
  C:\Windows\System32\bMHmrDG.exe
  2⤵
  PID:11968
- C:\Windows\System32\yvoPLQb.exe
  C:\Windows\System32\yvoPLQb.exe
  2⤵
  PID:12048
- C:\Windows\System32\QuXPWoX.exe
  C:\Windows\System32\QuXPWoX.exe
  2⤵
  PID:12080
- C:\Windows\System32\PERobeN.exe
  C:\Windows\System32\PERobeN.exe
  2⤵
  PID:12168
- C:\Windows\System32\forAifI.exe
  C:\Windows\System32\forAifI.exe
  2⤵
  PID:12204
- C:\Windows\System32\cqjbRwZ.exe
  C:\Windows\System32\cqjbRwZ.exe
  2⤵
  PID:12244
- C:\Windows\System32\AmezPNC.exe
  C:\Windows\System32\AmezPNC.exe
  2⤵
  PID:11316
- C:\Windows\System32\DLQAXLc.exe
  C:\Windows\System32\DLQAXLc.exe
  2⤵
  PID:11268
- C:\Windows\System32\lpvHyJs.exe
  C:\Windows\System32\lpvHyJs.exe
  2⤵
  PID:11560
- C:\Windows\System32\tviarqA.exe
  C:\Windows\System32\tviarqA.exe
  2⤵
  PID:11720
- C:\Windows\System32\LlqcGYQ.exe
  C:\Windows\System32\LlqcGYQ.exe
  2⤵
  PID:11868
- C:\Windows\System32\vOtsneD.exe
  C:\Windows\System32\vOtsneD.exe
  2⤵
  PID:12072
- C:\Windows\System32\xgclENt.exe
  C:\Windows\System32\xgclENt.exe
  2⤵
  PID:12188
- C:\Windows\System32\GUpIdtS.exe
  C:\Windows\System32\GUpIdtS.exe
  2⤵
  PID:12252
- C:\Windows\System32\yYufnEh.exe
  C:\Windows\System32\yYufnEh.exe
  2⤵
  PID:11672
- C:\Windows\System32\VQTzyHp.exe
  C:\Windows\System32\VQTzyHp.exe
  2⤵
  PID:3896
- C:\Windows\System32\XrBiWqD.exe
  C:\Windows\System32\XrBiWqD.exe
  2⤵
  PID:11680
- C:\Windows\System32\NHvMtnn.exe
  C:\Windows\System32\NHvMtnn.exe
  2⤵
  PID:12292
- C:\Windows\System32\tHBeszB.exe
  C:\Windows\System32\tHBeszB.exe
  2⤵
  PID:12308
- C:\Windows\System32\DDaqvDy.exe
  C:\Windows\System32\DDaqvDy.exe
  2⤵
  PID:12328
- C:\Windows\System32\hSGAywJ.exe
  C:\Windows\System32\hSGAywJ.exe
  2⤵
  PID:12356
- C:\Windows\System32\WEwAVGP.exe
  C:\Windows\System32\WEwAVGP.exe
  2⤵
  PID:12392
- C:\Windows\System32\lmjnAag.exe
  C:\Windows\System32\lmjnAag.exe
  2⤵
  PID:12440
- C:\Windows\System32\AVGefyc.exe
  C:\Windows\System32\AVGefyc.exe
  2⤵
  PID:12456
- C:\Windows\System32\QFxSJny.exe
  C:\Windows\System32\QFxSJny.exe
  2⤵
  PID:12484
- C:\Windows\System32\kjBWbTw.exe
  C:\Windows\System32\kjBWbTw.exe
  2⤵
  PID:12508
- C:\Windows\System32\lwBCtGV.exe
  C:\Windows\System32\lwBCtGV.exe
  2⤵
  PID:12524
- C:\Windows\System32\bUoMeYQ.exe
  C:\Windows\System32\bUoMeYQ.exe
  2⤵
  PID:12548
- C:\Windows\System32\tFEErFS.exe
  C:\Windows\System32\tFEErFS.exe
  2⤵
  PID:12568
- C:\Windows\System32\BYajjri.exe
  C:\Windows\System32\BYajjri.exe
  2⤵
  PID:12596
- C:\Windows\System32\CraugSJ.exe
  C:\Windows\System32\CraugSJ.exe
  2⤵
  PID:12616
- C:\Windows\System32\VxKTBeh.exe
  C:\Windows\System32\VxKTBeh.exe
  2⤵
  PID:12672
- C:\Windows\System32\jVISQuV.exe
  C:\Windows\System32\jVISQuV.exe
  2⤵
  PID:12692
- C:\Windows\System32\PZBxHgJ.exe
  C:\Windows\System32\PZBxHgJ.exe
  2⤵
  PID:12732
- C:\Windows\System32\GmthGPY.exe
  C:\Windows\System32\GmthGPY.exe
  2⤵
  PID:12768
- C:\Windows\System32\nzItMws.exe
  C:\Windows\System32\nzItMws.exe
  2⤵
  PID:12796
- C:\Windows\System32\bixtMdA.exe
  C:\Windows\System32\bixtMdA.exe
  2⤵
  PID:12816
- C:\Windows\System32\mnYKeal.exe
  C:\Windows\System32\mnYKeal.exe
  2⤵
  PID:12860
- C:\Windows\System32\YOmcgjX.exe
  C:\Windows\System32\YOmcgjX.exe
  2⤵
  PID:12880
- C:\Windows\System32\jAuXqCy.exe
  C:\Windows\System32\jAuXqCy.exe
  2⤵
  PID:12916
- C:\Windows\System32\rIfYHyE.exe
  C:\Windows\System32\rIfYHyE.exe
  2⤵
  PID:12948
- C:\Windows\System32\TAQeFJe.exe
  C:\Windows\System32\TAQeFJe.exe
  2⤵
  PID:12968
- C:\Windows\System32\TzqXBms.exe
  C:\Windows\System32\TzqXBms.exe
  2⤵
  PID:12992
- C:\Windows\System32\CxTDRVx.exe
  C:\Windows\System32\CxTDRVx.exe
  2⤵
  PID:13008
- C:\Windows\System32\VxTXXiC.exe
  C:\Windows\System32\VxTXXiC.exe
  2⤵
  PID:13036
- C:\Windows\System32\htZilPn.exe
  C:\Windows\System32\htZilPn.exe
  2⤵
  PID:13056
- C:\Windows\System32\foKdTES.exe
  C:\Windows\System32\foKdTES.exe
  2⤵
  PID:13080
- C:\Windows\System32\YqQuyPI.exe
  C:\Windows\System32\YqQuyPI.exe
  2⤵
  PID:13124
- C:\Windows\System32\fIyACCv.exe
  C:\Windows\System32\fIyACCv.exe
  2⤵
  PID:13160
- C:\Windows\System32\DyTOzFA.exe
  C:\Windows\System32\DyTOzFA.exe
  2⤵
  PID:13188
- C:\Windows\System32\yJWdaNq.exe
  C:\Windows\System32\yJWdaNq.exe
  2⤵
  PID:13220
- C:\Windows\System32\IClnjnt.exe
  C:\Windows\System32\IClnjnt.exe
  2⤵
  PID:13248
- C:\Windows\System32\UpFeIZy.exe
  C:\Windows\System32\UpFeIZy.exe
  2⤵
  PID:13272
- C:\Windows\System32\oGKqEJY.exe
  C:\Windows\System32\oGKqEJY.exe
  2⤵
  PID:13288
- C:\Windows\System32\dmcYaQX.exe
  C:\Windows\System32\dmcYaQX.exe
  2⤵
  PID:12340
- C:\Windows\System32\WoBpTYm.exe
  C:\Windows\System32\WoBpTYm.exe
  2⤵
  PID:12400
- C:\Windows\System32\IDkhqoR.exe
  C:\Windows\System32\IDkhqoR.exe
  2⤵
  PID:12408
- C:\Windows\System32\SgnzJTG.exe
  C:\Windows\System32\SgnzJTG.exe
  2⤵
  PID:12520
- C:\Windows\System32\BQcoxCG.exe
  C:\Windows\System32\BQcoxCG.exe
  2⤵
  PID:12608
- C:\Windows\System32\AdzFNzW.exe
  C:\Windows\System32\AdzFNzW.exe
  2⤵
  PID:12664
- C:\Windows\System32\qVkRTGj.exe
  C:\Windows\System32\qVkRTGj.exe
  2⤵
  PID:12688
- C:\Windows\System32\TevtRHz.exe
  C:\Windows\System32\TevtRHz.exe
  2⤵
  PID:12792
- C:\Windows\System32\arOApLK.exe
  C:\Windows\System32\arOApLK.exe
  2⤵
  PID:12832
- C:\Windows\System32\FfVnVPm.exe
  C:\Windows\System32\FfVnVPm.exe
  2⤵
  PID:12868
- C:\Windows\System32\CNqRyuN.exe
  C:\Windows\System32\CNqRyuN.exe
  2⤵
  PID:13044
- C:\Windows\System32\rnTjVXv.exe
  C:\Windows\System32\rnTjVXv.exe
  2⤵
  PID:13092
- C:\Windows\System32\kprDxjm.exe
  C:\Windows\System32\kprDxjm.exe
  2⤵
  PID:13144
- C:\Windows\System32\rPkjtts.exe
  C:\Windows\System32\rPkjtts.exe
  2⤵
  PID:13168
- C:\Windows\System32\wRHryrE.exe
  C:\Windows\System32\wRHryrE.exe
  2⤵
  PID:13196
- C:\Windows\System32\SIKtXGd.exe
  C:\Windows\System32\SIKtXGd.exe
  2⤵
  PID:13228
- C:\Windows\System32\UPeBznd.exe
  C:\Windows\System32\UPeBznd.exe
  2⤵
  PID:13284
- C:\Windows\System32\isdkQRx.exe
  C:\Windows\System32\isdkQRx.exe
  2⤵
  PID:11564
- C:\Windows\System32\DTjjDnF.exe
  C:\Windows\System32\DTjjDnF.exe
  2⤵
  PID:12368
- C:\Windows\System32\uhSGmaQ.exe
  C:\Windows\System32\uhSGmaQ.exe
  2⤵
  PID:12468
- C:\Windows\System32\bRmxcCz.exe
  C:\Windows\System32\bRmxcCz.exe
  2⤵
  PID:12812
- C:\Windows\System32\GNnEFdi.exe
  C:\Windows\System32\GNnEFdi.exe
  2⤵
  PID:12804
- C:\Windows\System32\Xnpxatf.exe
  C:\Windows\System32\Xnpxatf.exe
  2⤵
  PID:13028
- C:\Windows\System32\ajpvYlU.exe
  C:\Windows\System32\ajpvYlU.exe
  2⤵
  PID:12964
- C:\Windows\System32\JSKRMDF.exe
  C:\Windows\System32\JSKRMDF.exe
  2⤵
  PID:13024
- C:\Windows\System32\blegeaM.exe
  C:\Windows\System32\blegeaM.exe
  2⤵
  PID:13260
- C:\Windows\System32\sxyOsxZ.exe
  C:\Windows\System32\sxyOsxZ.exe
  2⤵
  PID:12988
- C:\Windows\System32\MmVbxsP.exe
  C:\Windows\System32\MmVbxsP.exe
  2⤵
  PID:13004
- C:\Windows\System32\VEmqkzJ.exe
  C:\Windows\System32\VEmqkzJ.exe
  2⤵
  PID:13088
- C:\Windows\System32\IQeLOrv.exe
  C:\Windows\System32\IQeLOrv.exe
  2⤵
  PID:13216
- C:\Windows\System32\ROOktYu.exe
  C:\Windows\System32\ROOktYu.exe
  2⤵
  PID:13392
- C:\Windows\System32\KwSoWIX.exe
  C:\Windows\System32\KwSoWIX.exe
  2⤵
  PID:13448
- C:\Windows\System32\REXnsSV.exe
  C:\Windows\System32\REXnsSV.exe
  2⤵
  PID:13488
- C:\Windows\System32\uEJFFeH.exe
  C:\Windows\System32\uEJFFeH.exe
  2⤵
  PID:13504
- C:\Windows\System32\ssoMgYC.exe
  C:\Windows\System32\ssoMgYC.exe
  2⤵
  PID:13528

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\ADdFCvp.exe

Filesize
1.2MB

MD5
425ba6363194501ce6261928c17d87c3

SHA1
52419b01bbc01e8f8df7fd628205550c80d23a57

SHA256
6ff019773def406eece4e92f4bece6d7fe08b2a1ae442521442f59a8c5578a81

SHA512
ad726e4cd66e3f2f62fc6c0eacbce1950cb8ecf28448d4963f3082e85644306882ef4a583c3d9adc24518f86f32a7abc99ec298e5b5c42aab0a13452b8fcc27b

Download Submit
C:\Windows\System32\BXsXNPO.exe

Filesize
1.2MB

MD5
7748c5381eb07cc8a18d088e84b61c31

SHA1
7a841ff1c0eb7ff2d3c821c7becaba2b1f95a423

SHA256
793bdccd9d0bda6cd983ab2e9efec2811e7fc8fba920c9cdda80777cd6220933

SHA512
ada12a8456987f1924bf89d820e872142e2c6f6323278b9ac4127b46bab75dec62fb4487cf6cda20b856f39b9b59c2874ff686b0a19222197d8914ef822b6b2b

Download Submit
C:\Windows\System32\CTPpZic.exe

Filesize
1.2MB

MD5
f39404c6acdfc08db1c34c1c67991e4f

SHA1
bfe7c4254c60f886581376ac903f3e74676645b5

SHA256
cc79046d8db7d23fd48bd226a115a368d1f8eb1bf5c9527b48d76e039d1d548f

SHA512
009ca019589fb0e5344ff7f28eea3cc55a8c15f253e7896d7f1e0e4437ccdcc1fb56ed59f06e8d5d4774ccdca7163a0d77a74317d39e477ded5b953ea358c429

Download Submit
C:\Windows\System32\FdWOeNw.exe

Filesize
1.2MB

MD5
7a8c6c6d91d18a4adac5ac16f2cc76d8

SHA1
64abf43c50d9f0de016bd9bb80a797363af570c1

SHA256
3d9abb1cf1828b88a2ebd1d27e6324e0ea76ec2975f031d2fcfe5df9931328d2

SHA512
ff8446f881692750d9d1fbe8468c37baa9c20fe34a82e7560d0d1af9dfef84be53a79ea20ccb1c9b9456cbba8317cbcaac261172471213a89719412cdef4054e

Download Submit
C:\Windows\System32\HXypqOA.exe

Filesize
1.2MB

MD5
0a0dde087b3c086610a89a80eff7146d

SHA1
29da11c5c422c35ae81617599484ff78295010f3

SHA256
8b6e789e52f102886d84af8fdb6fc3c98da8c8a1dcda4627b394f3e200940816

SHA512
bc4f2beced9c8d5f28242cfdc0ca84241b17e95cbf80c84ca55bd7b7dbe031ea939d2c116228c35242958648cb557eaa0e4cdeae531c449a04512966aa16f9cb

Download Submit
C:\Windows\System32\IVKgYNd.exe

Filesize
1.2MB

MD5
5b56b0bb8ac800768c3dce628902a40b

SHA1
9cea80c58a358df9f9521b98e72b3b30a53039d6

SHA256
1956f7a8f217eba07a2fcd5de4d9bdeb8bb1d83a2fb705706d7e36821b91c3ae

SHA512
ba0781752429f7e241708ab66c4b22741e1da32a1635be7b21b600c02cabc6134ee509d1db405828f440e3537cb0a25944e4b7f2b389ef05d0d51c1a26f62235

Download Submit
C:\Windows\System32\IykNpbg.exe

Filesize
1.2MB

MD5
02f3521492989bdb5b0f3a5129fe1b5e

SHA1
458ce69c3f1aab35906f34c9a7b3909bc7e98fc4

SHA256
2d6829f1da3cee5480d78138fd47e961fc36eb72b2d4246f64edf604837a057c

SHA512
b09924ca8a4de7e48deabc602b72b59f6a842f046a0edf1472b3806d3f505391ed697d54bcd1cc0b628f3f4382d395da63198f335f8f198e84b442016444dac1

Download Submit
C:\Windows\System32\JDjQBSv.exe

Filesize
1.2MB

MD5
579b93a03df020d4ea633910040c4f42

SHA1
e8dd0af6f5414181ee79e35fe1037f45ba71764f

SHA256
db767e85c2eb361cd699f13d3c199494ad90e4d19ae6a2e12eef63be2674ead2

SHA512
8359383db2b655d6af023b5973b5bbe9be22af0a20fc16ca0f7d47b073cefb506636243419534780ed439f3567330e299faed8857d57d9c30823ad9d4292e51f

Download Submit
C:\Windows\System32\JFsUdnl.exe

Filesize
1.2MB

MD5
0b98245f6c903d580f5f452a979cb632

SHA1
d3a546c6ab9ae71b13f8552ac648739894cc2f64

SHA256
c2783a62d32c4c2992f95eb7de1bd3eb004e85d64a7f7a7a7b0188afbeb18637

SHA512
7d8aa758cc013da0fe9c502ae624a687ef2c4c5613b08ede98453e8e9b7131645c5dffe63fa5378f38b5f87afc27f62476d2d30375bfc6a4d20b1292133f83c7

Download Submit
C:\Windows\System32\JyTwevp.exe

Filesize
1.2MB

MD5
85d23ecf8caea061152ef4d3f2569344

SHA1
69ec59f638e79d4d9a1eccfb28ab7e52bc9190e8

SHA256
8635050450b85a2bd192fa72e54a07543b550a6af0f84476d65f1992ea45a6f1

SHA512
6da437b15a69514774bda0beea302239736eaf62e66e7a76dbfdd6dcabfae3269d21ae6a4fc5f3c0adb1714e87ecc8c32a82a6758f44b2c0f36e57b574d3a4c6

Download Submit
C:\Windows\System32\MFTCgFl.exe

Filesize
1.2MB

MD5
28143b17b3a6370a40ce97b0ff20b28d

SHA1
ccdfd8081187cbb339a380522437316bec08d487

SHA256
3265cc9334f67eb40b1b52af020d6acdf522d956f25fa7071cf785d5fced9a58

SHA512
79b973413de20e5c8d3bbddfe11e2437acad55e27f69dc11fb3384da0fcf6925437a89353c050a7e444db33a7376855c73c0f5c69bf53b2bb7ffc5843bfdc02f

Download Submit
C:\Windows\System32\MGyJpPg.exe

Filesize
1.2MB

MD5
5a31661eb7f5ffaf164407e90651e564

SHA1
db5542a9a84731a94cb43875e502423d2cba82b8

SHA256
f97bb069228957d66bd49f1e928841360ac9efa2684f6848884078ce30cf6501

SHA512
0a637436630378511eb0ee9fe8f6f22f42913ebcac7a8715f7789acf6b91712b758a030bbab417de1dfc89aedf49f4fb364a97de689ec19ee8f5a9cef785bed9

Download Submit
C:\Windows\System32\RJpYqUj.exe

Filesize
1.2MB

MD5
8364aec53a95c42b6e658c72aa5e7b61

SHA1
170d5788b6a337f637228146765122439e3e6e7b

SHA256
c6dd1012a0b5dcaa865a082756c6131215c243f05802d4bbf443179ec966e4ee

SHA512
6507eea538b3041626603dbcc295b2c397385c9aaf27028e22e85680d04026ba04ec67c6c5f743feb5f9c19504bccd322b87a01f4690b24c2db2a5e6d5a4cffc

Download Submit
C:\Windows\System32\RXpJmsK.exe

Filesize
1.2MB

MD5
c18a3c9b2d3285e5334146c62760c638

SHA1
3cef7584b3d6ae037f613bb38d364c2369bfbecd

SHA256
3938a416496d7724eb5c37f559f47812dc287ff9e8290a3b9b2b6897cd9f1fc9

SHA512
1ddedb5c633e13f58b2c193a8c4d6dc8e735c33092b3428369305ac7a3f510968e1f1c7c47a106ec590dae6ccb6257160931fd5208eb26b71717b4396023c51c

Download Submit
C:\Windows\System32\SKPbYOc.exe

Filesize
1.2MB

MD5
dd444e323ab5fb9fa1348662203b3a33

SHA1
d574d6a141f61004ca6a0912c24f7f9e1371a122

SHA256
78f11ea1e26971cacf0f80d57827236f2229035e0c0bc6d31302b2a5a89f9588

SHA512
74a05ccbf302817fafafe9e4a7b0883dfe58c84e82212f365fcd00ccc5f2a1239bef9c6b3a8c31a367e1b130800a422c076722fecb41e8b2445c40d7dba67207

Download Submit
C:\Windows\System32\ZGZRzYZ.exe

Filesize
1.2MB

MD5
4e71c64c30b14451601d62f53f61a8fe

SHA1
18b1ebb5896068e6db10888239a4c62271b8bf29

SHA256
6d371aa01b13e9dca2c65bb9a7bfc10e2d9fee5b918fc2a9177487d17c463517

SHA512
9341628489312d18eed67051cbd6008bc7567b3ee8c2e43b3f46b86a03c15cb1fe4dfb4344e8c5f34e76488cb1c1add10d18ea4e13c8aa7fab834eafcfbc7a0e

Download Submit
C:\Windows\System32\ZcrYpjL.exe

Filesize
1.2MB

MD5
fb49b5caa22b6a51539291cefd741d05

SHA1
19f331253a805eaec8e277e19397a25f8cd1e588

SHA256
45f6fba7238f64c80f2e70ba60a47e351495446fdd774a3f9b151c78e1a09b27

SHA512
a76b1ab62c1a8c22c23e1a0ac1ef74b30db11ce984f2b5ef09ccf26dc30013f62c1b7da55d261fc76acddd276950b2876ac432246f40e98dfdc64627d36d6c1c

Download Submit
C:\Windows\System32\bZHGeBe.exe

Filesize
1.2MB

MD5
c974d2b72e0543bddb63a8e452ccab2f

SHA1
c3a1a52c24cdfa7da7479afb5e5f7935f43428e7

SHA256
84a4fd966cad184d034e0dc6de5639ba744d3a98a983e3b70c79add4dcea5be6

SHA512
6b89b370e16c33a8befe6ae310c04acba9be8f4a523009e7cfecd3e1b6fd25f2a9bc92e4be54f0b743dda2a1719440bfe6b5354b769df82ffa11219192fb9d0a

Download Submit
C:\Windows\System32\bqlMdUB.exe

Filesize
1.2MB

MD5
8544d2e6f3ec2489b9461d1c49f4fd53

SHA1
19c7d8da60c2f7aa3d6f026257c55cf23db1280f

SHA256
64aba4e7e0490850a6b3c0543172d4f20e27d503330fa7eed72dada3c45b960a

SHA512
454cacc60e80fa96c77cc023cbaba76536131bc795999268d0104f59a891ed2316eb3e1da6a3f49fa39cc48dd7eef513d96a09585160a77ec304a69bfcbe84a1

Download Submit
C:\Windows\System32\dSLKtZv.exe

Filesize
1.2MB

MD5
330ec91f6753f52a14546728f675cf59

SHA1
c689994269222f62a3c3aec82c8886a1041f8531

SHA256
6a62759146ddcd66ddfa5d001592af3a5ccf8d8ba98bb7916e8dcb39825c74cb

SHA512
2e939d09375f35ee05900f26f501a5290e17e665484a7ce28f063ab7b42fbfd27b597b14d6712cf85a8bee79ec3663346557c1dce2358d0f2c297a462cdacf9a

Download Submit
C:\Windows\System32\gOyeVuy.exe

Filesize
1.2MB

MD5
b81b025e4f46bfeb87376c3d63e2752a

SHA1
b1bb006bd2be6372beec5115c0fd6cd7c27af08a

SHA256
fcc313a57c076da23292195eb72ebe3034a7bba131bf1d8e217014083b795585

SHA512
cb336c42858bec5d749e7c4a983a5340d9585a618fa4e43e31d27e6a8466fc4b754d7a72ddc2e48977d1fead3583a67215b64b7603b69fa586f1c7cd4531c863

Download Submit
C:\Windows\System32\hGrCNWp.exe

Filesize
1.2MB

MD5
d730483ab6927e9cf35d24531e28741d

SHA1
a3d9df3ba294d422b66767b22754c46cc99b14e6

SHA256
4b7566adb66c740b2626448461220ebf0d304ca6695b84083d87fcc02a6cc8bd

SHA512
b9c6c88ead5b39ee5c6e1a22786d330013407f4bf0f98c663a4bfe437c44496be272333c703a2e6e861e1f4508990743297b7d5e15a054f5678f74f09dad76c5

Download Submit
C:\Windows\System32\hRBsGLt.exe

Filesize
1.2MB

MD5
566e0b13fd2cb1ff1f32625ceebdb6da

SHA1
acbbba8c30eaf233c67482b9b331acd869981b04

SHA256
a22d458efcf7e0ffb4760fa10046d2d71c9deded71a70f3cb4cc9a20e37f473f

SHA512
da520c93d320b21617846f5ff6987d6fc26efcea1ab566b16e3f14f4f1464e6b1c9ddec2f3fced45cae7728dfb946e19f3665dabe6a9718ec006c46e1ae901d7

Download Submit
C:\Windows\System32\nTkCCOR.exe

Filesize
1.2MB

MD5
9da19a63fb574d02582982b3f775322f

SHA1
8f95b374e50671c1dc95bb8bc8278ace02fe4adc

SHA256
b7deb99fc8616c93d846c26d2ad57f143e00de66c3c7474f714fe53c5805dd4f

SHA512
21eb069e4589abc2b08a452880d2097ea0e8e345d48cd1ae127e1df6331379d27f52f587db1768584239658e306f95c7694e8f3530888678069c0f6f91016162

Download Submit
C:\Windows\System32\okimBoT.exe

Filesize
1.2MB

MD5
67a18727ce643f93fa5c90053d807068

SHA1
46671344dd83ed2f07ed417dc3eee00dc3611042

SHA256
507365710962581395232083ed0c7353ae026a5dd317e8dad7c0ac4d0d9c57ab

SHA512
ef6ca555d426efc10bd3a57e3be3c67fa91ceac6c9f09f9d7da0af93b9f23c7d6b2c871af5eb862827287f7e5ac26d69f577a2bfe56986ada1297e2f23442a48

Download Submit
C:\Windows\System32\otFyJpO.exe

Filesize
1.2MB

MD5
4212b0e2c4dfdf319c74750068b84343

SHA1
a8c9a1ee5ac35a26139c2ab2e65d844ef7a5e69f

SHA256
d85ab44ad4d67ebe98c07382743051c71329a2258569b3cb2e2f30abc472dc72

SHA512
a4585782e914f1f96102b065eac4fcba845ac353275e397d6a24bd25f07a5e05e1be5a5dd57353f1bd5c40eb73e968b007a435fff4e6a38799bafac69004eac0

Download Submit
C:\Windows\System32\qmMaAbV.exe

Filesize
1.2MB

MD5
7a65d380987f450e0c0fccf5a81a698f

SHA1
bddbdbbd989906c751d3bddea90e192e0c3b3723

SHA256
e114a30264d0491a055922f28bd0e8314fb274ab093f56e16623c6ce2025e770

SHA512
66743641a5ec8505e5bf45e3647eb74f255c4bb300a0887831d2fd1e87c7c3b6c64bb9eb59124b49fa4b0b39c8852eb571b25519fbcf6597467f615582bac451

Download Submit
C:\Windows\System32\tPoOqjN.exe

Filesize
1.2MB

MD5
b06f5db7e7aca3dea4024fe28a2d6ef3

SHA1
99854ce93c31bdfa01d6513f1d3ab0c7e482b428

SHA256
35f8c29c7d5e9d5e61c9e9bfdac26d9c96ed8e3119eb4240865f2ecc21250952

SHA512
4160e539a71debb30b11c478e2566c81ab8bd1a160a4312db13614ce5b553f3fb557dad28b37e91fc8f0f655b200f8ee36854a86f844d803fc47c3472cc24158

Download Submit
C:\Windows\System32\tYyONgC.exe

Filesize
1.2MB

MD5
db903594d6fc87b93f50529497b9437e

SHA1
4597f16d525fdfc272f46a4fc1ba36ef104fcb47

SHA256
3efdadcece2b01506df30b39f65e0f2344d2de7c7bd88cda2e41b211fd0d3a1e

SHA512
9842aea86097533c09219e077fcd1d5f3303863f2f79c6063247be586c11a8e120d6886c96d5590939a697d71d66be098884400d7d02dac6fff7c88cd6039070

Download Submit
C:\Windows\System32\vcakbUq.exe

Filesize
1.2MB

MD5
341032d55f632172f74dfe5536072cf6

SHA1
c1937c5295e79e9118ccf171f349582a1b79c71a

SHA256
828ec706cee40fb201d32339c969dd9b0adefe926461e1e0dc68686d921a9864

SHA512
a373031e9595305d9bc50d4166a6cb09726170d2604a60820e1396d4eee37b373c31f6d2bdac9642f769defe97a072368ce57f2fa12f17cf72a07ac3b90e5cb5

Download Submit
C:\Windows\System32\wHNSTqN.exe

Filesize
1.2MB

MD5
4103e0e77329a85a5e4fc9dd7c7b49f5

SHA1
a73a7db2cc152603b884a3bcbd7333d79b579fbd

SHA256
386b6514d4abcf608b672286258acbce2f6a9aad1d7e104512f457ddc6eb1740

SHA512
948a5ee2b4037061383c564d947cb3ba9a6feb21d5a3d92bac4993d532810582b192bc6046f2cf88114686a065350cdf2adce0832435a38e57cedbc0ea002ee8

Download Submit
C:\Windows\System32\wTGBMkk.exe

Filesize
1.2MB

MD5
026c1919e8f97e67691c931fbcfdda5e

SHA1
c45cdbc351a7217f72b4f247cccd704b2a3548be

SHA256
d09f885500f333b7d6ccd8ccc4354db9a44293287e755079b1cf842fa1dcc56c

SHA512
0c11069d51731eb58c5e831c85b18e24a5effeaa4d83136ecba3180e56f89d218127b386e870a64b51b53febfb2f0a1d546dcd256b82a79404b2f7049d9bb49b

Download Submit
C:\Windows\System32\zyXyCAD.exe

Filesize
1.2MB

MD5
399bb4964c06935b7dba6d3bc87b232e

SHA1
87e48644922b78e930917ed283166a65b2e22a1d

SHA256
3c9f434cd1f57d89fe34fd02b134c7b5a3436ff322ce2ea4a8554d27237a5661

SHA512
4bf720b670db4fed26ec77805ed4f51bcf7d13590b70da70623dda553a85c7dcdaa61b5520bc4136cee195b34ad256bdf79e2cb1182b8060d04d30b30e913219

Download Submit
memory/408-57-0x00007FF7F1C90000-0x00007FF7F2081000-memory.dmp

Filesize
3.9MB

Download
memory/408-2152-0x00007FF7F1C90000-0x00007FF7F2081000-memory.dmp

Filesize
3.9MB

Download
memory/1048-2138-0x00007FF7E9C60000-0x00007FF7EA051000-memory.dmp

Filesize
3.9MB

Download
memory/1048-141-0x00007FF7E9C60000-0x00007FF7EA051000-memory.dmp

Filesize
3.9MB

Download
memory/1048-21-0x00007FF7E9C60000-0x00007FF7EA051000-memory.dmp

Filesize
3.9MB

Download
memory/1080-153-0x00007FF70EB30000-0x00007FF70EF21000-memory.dmp

Filesize
3.9MB

Download
memory/1080-1614-0x00007FF70EB30000-0x00007FF70EF21000-memory.dmp

Filesize
3.9MB

Download
memory/1080-2242-0x00007FF70EB30000-0x00007FF70EF21000-memory.dmp

Filesize
3.9MB

Download
memory/1100-2087-0x00007FF7A9170000-0x00007FF7A9561000-memory.dmp

Filesize
3.9MB

Download
memory/1100-120-0x00007FF7A9170000-0x00007FF7A9561000-memory.dmp

Filesize
3.9MB

Download
memory/1100-0-0x00007FF7A9170000-0x00007FF7A9561000-memory.dmp

Filesize
3.9MB

Download
memory/1100-1-0x0000022B3A430000-0x0000022B3A440000-memory.dmp

Filesize
64KB

Download
memory/1864-124-0x00007FF65F290000-0x00007FF65F681000-memory.dmp

Filesize
3.9MB

Download
memory/1864-2200-0x00007FF65F290000-0x00007FF65F681000-memory.dmp

Filesize
3.9MB

Download
memory/2684-2146-0x00007FF736530000-0x00007FF736921000-memory.dmp

Filesize
3.9MB

Download
memory/2684-144-0x00007FF736530000-0x00007FF736921000-memory.dmp

Filesize
3.9MB

Download
memory/2684-54-0x00007FF736530000-0x00007FF736921000-memory.dmp

Filesize
3.9MB

Download
memory/3032-955-0x00007FF6A6A50000-0x00007FF6A6E41000-memory.dmp

Filesize
3.9MB

Download
memory/3032-2192-0x00007FF6A6A50000-0x00007FF6A6E41000-memory.dmp

Filesize
3.9MB

Download
memory/3032-103-0x00007FF6A6A50000-0x00007FF6A6E41000-memory.dmp

Filesize
3.9MB

Download
memory/3036-134-0x00007FF6BE700000-0x00007FF6BEAF1000-memory.dmp

Filesize
3.9MB

Download
memory/3036-28-0x00007FF6BE700000-0x00007FF6BEAF1000-memory.dmp

Filesize
3.9MB

Download
memory/3036-2140-0x00007FF6BE700000-0x00007FF6BEAF1000-memory.dmp

Filesize
3.9MB

Download
memory/3096-2196-0x00007FF6BFA90000-0x00007FF6BFE81000-memory.dmp

Filesize
3.9MB

Download
memory/3096-1018-0x00007FF6BFA90000-0x00007FF6BFE81000-memory.dmp

Filesize
3.9MB

Download
memory/3096-87-0x00007FF6BFA90000-0x00007FF6BFE81000-memory.dmp

Filesize
3.9MB

Download
memory/3168-2156-0x00007FF73C850000-0x00007FF73CC41000-memory.dmp

Filesize
3.9MB

Download
memory/3168-58-0x00007FF73C850000-0x00007FF73CC41000-memory.dmp

Filesize
3.9MB

Download
memory/3168-152-0x00007FF73C850000-0x00007FF73CC41000-memory.dmp

Filesize
3.9MB

Download
memory/3172-113-0x00007FF743980000-0x00007FF743D71000-memory.dmp

Filesize
3.9MB

Download
memory/3172-1021-0x00007FF743980000-0x00007FF743D71000-memory.dmp

Filesize
3.9MB

Download
memory/3172-2493-0x00007FF743980000-0x00007FF743D71000-memory.dmp

Filesize
3.9MB

Download
memory/3220-31-0x00007FF710E90000-0x00007FF711281000-memory.dmp

Filesize
3.9MB

Download
memory/3220-2150-0x00007FF710E90000-0x00007FF711281000-memory.dmp

Filesize
3.9MB

Download
memory/3220-143-0x00007FF710E90000-0x00007FF711281000-memory.dmp

Filesize
3.9MB

Download
memory/3568-956-0x00007FF6B8150000-0x00007FF6B8541000-memory.dmp

Filesize
3.9MB

Download
memory/3568-117-0x00007FF6B8150000-0x00007FF6B8541000-memory.dmp

Filesize
3.9MB

Download
memory/3568-2232-0x00007FF6B8150000-0x00007FF6B8541000-memory.dmp

Filesize
3.9MB

Download
memory/3736-2234-0x00007FF67B940000-0x00007FF67BD31000-memory.dmp

Filesize
3.9MB

Download
memory/3736-126-0x00007FF67B940000-0x00007FF67BD31000-memory.dmp

Filesize
3.9MB

Download
memory/3736-1256-0x00007FF67B940000-0x00007FF67BD31000-memory.dmp

Filesize
3.9MB

Download
memory/3764-2238-0x00007FF7DEFB0000-0x00007FF7DF3A1000-memory.dmp

Filesize
3.9MB

Download
memory/3764-1485-0x00007FF7DEFB0000-0x00007FF7DF3A1000-memory.dmp

Filesize
3.9MB

Download
memory/3764-147-0x00007FF7DEFB0000-0x00007FF7DF3A1000-memory.dmp

Filesize
3.9MB

Download
memory/3776-2194-0x00007FF6944D0000-0x00007FF6948C1000-memory.dmp

Filesize
3.9MB

Download
memory/3776-123-0x00007FF6944D0000-0x00007FF6948C1000-memory.dmp

Filesize
3.9MB

Download
memory/3780-47-0x00007FF7F6790000-0x00007FF7F6B81000-memory.dmp

Filesize
3.9MB

Download
memory/3780-2148-0x00007FF7F6790000-0x00007FF7F6B81000-memory.dmp

Filesize
3.9MB

Download
memory/4200-719-0x00007FF79FC20000-0x00007FF7A0011000-memory.dmp

Filesize
3.9MB

Download
memory/4200-71-0x00007FF79FC20000-0x00007FF7A0011000-memory.dmp

Filesize
3.9MB

Download
memory/4200-2188-0x00007FF79FC20000-0x00007FF7A0011000-memory.dmp

Filesize
3.9MB

Download
memory/4264-118-0x00007FF7F76E0000-0x00007FF7F7AD1000-memory.dmp

Filesize
3.9MB

Download
memory/4264-2230-0x00007FF7F76E0000-0x00007FF7F7AD1000-memory.dmp

Filesize
3.9MB

Download
memory/4312-953-0x00007FF60E780000-0x00007FF60EB71000-memory.dmp

Filesize
3.9MB

Download
memory/4312-97-0x00007FF60E780000-0x00007FF60EB71000-memory.dmp

Filesize
3.9MB

Download
memory/4312-2198-0x00007FF60E780000-0x00007FF60EB71000-memory.dmp

Filesize
3.9MB

Download
memory/4464-136-0x00007FF71D9E0000-0x00007FF71DDD1000-memory.dmp

Filesize
3.9MB

Download
memory/4464-2236-0x00007FF71D9E0000-0x00007FF71DDD1000-memory.dmp

Filesize
3.9MB

Download
memory/4464-1363-0x00007FF71D9E0000-0x00007FF71DDD1000-memory.dmp

Filesize
3.9MB

Download
memory/4536-17-0x00007FF672870000-0x00007FF672C61000-memory.dmp

Filesize
3.9MB

Download
memory/4536-2136-0x00007FF672870000-0x00007FF672C61000-memory.dmp

Filesize
3.9MB

Download
memory/4536-133-0x00007FF672870000-0x00007FF672C61000-memory.dmp

Filesize
3.9MB

Download
memory/4876-2154-0x00007FF673430000-0x00007FF673821000-memory.dmp

Filesize
3.9MB

Download
memory/4876-151-0x00007FF673430000-0x00007FF673821000-memory.dmp

Filesize
3.9MB

Download
memory/4876-56-0x00007FF673430000-0x00007FF673821000-memory.dmp

Filesize
3.9MB

Download
memory/4952-125-0x00007FF6F6EF0000-0x00007FF6F72E1000-memory.dmp

Filesize
3.9MB

Download
memory/4952-8-0x00007FF6F6EF0000-0x00007FF6F72E1000-memory.dmp

Filesize
3.9MB

Download
memory/4952-2134-0x00007FF6F6EF0000-0x00007FF6F72E1000-memory.dmp

Filesize
3.9MB

Download
memory/5052-76-0x00007FF7E2860000-0x00007FF7E2C51000-memory.dmp

Filesize
3.9MB

Download
memory/5052-2190-0x00007FF7E2860000-0x00007FF7E2C51000-memory.dmp

Filesize
3.9MB

Download
memory/5052-952-0x00007FF7E2860000-0x00007FF7E2C51000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads