xmrig | c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cb

Analysis

max time kernel
119s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
Size

1.4MB
MD5

86df861fa0dd47218784bb94e2f66660
SHA1

86577c0d6e3d71ab362dd325a724fbfcaa8e58fb
SHA256

c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cb
SHA512

12aed834173fd1f975331d47b453a6097209b460f7c5d73c702e8b38f55ac36538b921c1beb3188f11627f43c303ae744493c5f747f095e814635cb6daca10f3
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlGC78XIHbAYhbcj9V+V64u7N:knw9oUUEEDlGUJ8Y9c+Mt

Score

10^/10

xmrig miner upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/2076-542-0x00007FF7256B0000-0x00007FF725AA1000-memory.dmp	xmrig
behavioral2/memory/1080-543-0x00007FF7F0B70000-0x00007FF7F0F61000-memory.dmp	xmrig
behavioral2/memory/4408-544-0x00007FF6D7E40000-0x00007FF6D8231000-memory.dmp	xmrig
behavioral2/memory/2648-545-0x00007FF7E4840000-0x00007FF7E4C31000-memory.dmp	xmrig
behavioral2/memory/112-594-0x00007FF69D680000-0x00007FF69DA71000-memory.dmp	xmrig
behavioral2/memory/1976-602-0x00007FF708CD0000-0x00007FF7090C1000-memory.dmp	xmrig
behavioral2/memory/516-600-0x00007FF6D0310000-0x00007FF6D0701000-memory.dmp	xmrig
behavioral2/memory/1836-606-0x00007FF652C00000-0x00007FF652FF1000-memory.dmp	xmrig
behavioral2/memory/3400-605-0x00007FF640710000-0x00007FF640B01000-memory.dmp	xmrig
behavioral2/memory/4844-595-0x00007FF7D1DF0000-0x00007FF7D21E1000-memory.dmp	xmrig
behavioral2/memory/428-617-0x00007FF602DC0000-0x00007FF6031B1000-memory.dmp	xmrig
behavioral2/memory/2744-607-0x00007FF75F480000-0x00007FF75F871000-memory.dmp	xmrig
behavioral2/memory/1452-623-0x00007FF77C150000-0x00007FF77C541000-memory.dmp	xmrig
behavioral2/memory/4776-621-0x00007FF667A30000-0x00007FF667E21000-memory.dmp	xmrig
behavioral2/memory/4312-54-0x00007FF714960000-0x00007FF714D51000-memory.dmp	xmrig
behavioral2/memory/384-21-0x00007FF6DEAB0000-0x00007FF6DEEA1000-memory.dmp	xmrig
behavioral2/memory/3940-845-0x00007FF6F9C00000-0x00007FF6F9FF1000-memory.dmp	xmrig
behavioral2/memory/4512-850-0x00007FF763CF0000-0x00007FF7640E1000-memory.dmp	xmrig
behavioral2/memory/384-960-0x00007FF6DEAB0000-0x00007FF6DEEA1000-memory.dmp	xmrig
behavioral2/memory/4696-1092-0x00007FF727F80000-0x00007FF728371000-memory.dmp	xmrig
behavioral2/memory/1944-1097-0x00007FF60C680000-0x00007FF60CA71000-memory.dmp	xmrig
behavioral2/memory/2336-1105-0x00007FF737F80000-0x00007FF738371000-memory.dmp	xmrig
behavioral2/memory/4496-1181-0x00007FF7052F0000-0x00007FF7056E1000-memory.dmp	xmrig
behavioral2/memory/3828-1189-0x00007FF71BD70000-0x00007FF71C161000-memory.dmp	xmrig
behavioral2/memory/4308-1278-0x00007FF7D26A0000-0x00007FF7D2A91000-memory.dmp	xmrig
behavioral2/memory/4412-1412-0x00007FF7252D0000-0x00007FF7256C1000-memory.dmp	xmrig
behavioral2/memory/384-2153-0x00007FF6DEAB0000-0x00007FF6DEEA1000-memory.dmp	xmrig
behavioral2/memory/4512-2155-0x00007FF763CF0000-0x00007FF7640E1000-memory.dmp	xmrig
behavioral2/memory/1944-2163-0x00007FF60C680000-0x00007FF60CA71000-memory.dmp	xmrig
behavioral2/memory/2076-2170-0x00007FF7256B0000-0x00007FF725AA1000-memory.dmp	xmrig
behavioral2/memory/1452-2174-0x00007FF77C150000-0x00007FF77C541000-memory.dmp	xmrig
behavioral2/memory/1836-2208-0x00007FF652C00000-0x00007FF652FF1000-memory.dmp	xmrig
behavioral2/memory/2744-2220-0x00007FF75F480000-0x00007FF75F871000-memory.dmp	xmrig
behavioral2/memory/112-2222-0x00007FF69D680000-0x00007FF69DA71000-memory.dmp	xmrig
behavioral2/memory/4776-2216-0x00007FF667A30000-0x00007FF667E21000-memory.dmp	xmrig
behavioral2/memory/3400-2212-0x00007FF640710000-0x00007FF640B01000-memory.dmp	xmrig
behavioral2/memory/516-2210-0x00007FF6D0310000-0x00007FF6D0701000-memory.dmp	xmrig
behavioral2/memory/428-2218-0x00007FF602DC0000-0x00007FF6031B1000-memory.dmp	xmrig
behavioral2/memory/4844-2205-0x00007FF7D1DF0000-0x00007FF7D21E1000-memory.dmp	xmrig
behavioral2/memory/4408-2178-0x00007FF6D7E40000-0x00007FF6D8231000-memory.dmp	xmrig
behavioral2/memory/1080-2176-0x00007FF7F0B70000-0x00007FF7F0F61000-memory.dmp	xmrig
behavioral2/memory/4412-2172-0x00007FF7252D0000-0x00007FF7256C1000-memory.dmp	xmrig
behavioral2/memory/4496-2166-0x00007FF7052F0000-0x00007FF7056E1000-memory.dmp	xmrig
behavioral2/memory/4696-2168-0x00007FF727F80000-0x00007FF728371000-memory.dmp	xmrig
behavioral2/memory/3828-2161-0x00007FF71BD70000-0x00007FF71C161000-memory.dmp	xmrig
behavioral2/memory/4312-2159-0x00007FF714960000-0x00007FF714D51000-memory.dmp	xmrig
behavioral2/memory/2336-2158-0x00007FF737F80000-0x00007FF738371000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4512	KxFsxqZ.exe
384	icoEwYw.exe
1944	loTupJi.exe
4696	aXRzCow.exe
3828	McSJhsa.exe
2336	FuLSkMt.exe
4308	mcMUFgL.exe
4496	JmxznTk.exe
4312	fxOqLpz.exe
4412	wdJebIq.exe
2076	dMXwyYc.exe
1452	HuXWhKc.exe
1080	pDiLJGa.exe
4408	eiRtfes.exe
2648	xXbHNlO.exe
112	wgeKPOz.exe
4844	EXxGBzF.exe
516	QeQkFhh.exe
1976	AfcypfX.exe
3400	YBtwcMN.exe
1836	enQqeub.exe
2744	khXMqXj.exe
428	DDqOxww.exe
4776	YEvnPFP.exe
3052	XKRnIqm.exe
1848	kkkpGsG.exe
3652	FLEshDk.exe
3516	giswfTp.exe
3020	aDHcUFB.exe
448	zrPMHoT.exe
512	XGurtpg.exe
1144	jAoJVLr.exe
5004	ZTTYrLJ.exe
1068	aTQyIAR.exe
3932	UDAvJOi.exe
2524	uREHnaE.exe
1996	MLqBnRw.exe
2536	QBYJzAY.exe
2752	oIeGmiZ.exe
2932	oEEGfRr.exe
4740	HWZwezN.exe
3496	BCPetbK.exe
3536	XsRMdnt.exe
2484	mXvJgBW.exe
4704	rmkoPDM.exe
568	IUOCADp.exe
4396	AvEXvPz.exe
3104	SilEZlt.exe
4712	FlonXer.exe
3392	hjRHwNm.exe
4296	gSHMAkK.exe
4608	rKBuHpz.exe
5028	zsfKQql.exe
1276	yEVsydn.exe
2124	jHyXDJM.exe
4500	KmYuANd.exe
1264	amFmclK.exe
3260	exspbts.exe
388	QIgeQHP.exe
1508	quRnEyB.exe
3952	hnOeJKh.exe
264	GKXujAk.exe
4708	Mbgostq.exe
408	HbiTTJU.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\HxRRmDF.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\LmuWJkU.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\mMWOVxB.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\vvSXLli.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\GvIMgAc.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\IIQpFpr.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\YuNgqcu.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\apUtiqy.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\KfyqWQa.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\bLDuLId.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\PGMYYjT.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\hlBXIfw.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\exspbts.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\ZNJsIdV.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\FbaBKtF.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\rKxYzvn.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\uRMSsQB.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\gEpvQoe.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\EIJlTmD.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\LcNYVvB.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\XFvowEZ.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\bFYIcjw.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\XRzWlhB.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\EPujSUc.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\ojiOkEz.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\cwSsGxH.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\wAffNoX.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\jgqMYHy.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\wWzPuDQ.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\aJnjNCN.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\OBhnkPd.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\TdkpjNf.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\dXGatVq.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\kldiDor.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\mIUqnOP.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\qtDfhgo.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\sCmsGai.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\CPEebcM.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\oRuxchq.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\GaLEcBv.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\mCmKmyg.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\IPZeadV.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\jCIgpYo.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\stzzKqZ.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\xlXoPVs.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\iozSceb.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\uiSlZHF.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\AFLNZjk.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\icoEwYw.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\Mbgostq.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\NxtTYRS.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\ivvokNn.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\nLvlBjZ.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\zdjaVPZ.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\nGFXEmf.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\LpwxlUm.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\NrzVCSu.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\AfcypfX.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\brQWmmO.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\mlJLYou.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\IMQGajL.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\aDHcUFB.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\gvxNtnA.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
File created	C:\Windows\System32\OSmdpul.exe	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3940-0-0x00007FF6F9C00000-0x00007FF6F9FF1000-memory.dmp	upx
behavioral2/files/0x001300000001e944-4.dat	upx
behavioral2/files/0x0031000000023b4d-7.dat	upx
behavioral2/memory/4512-12-0x00007FF763CF0000-0x00007FF7640E1000-memory.dmp	upx
behavioral2/files/0x000a000000023b4f-29.dat	upx
behavioral2/memory/1944-31-0x00007FF60C680000-0x00007FF60CA71000-memory.dmp	upx
behavioral2/memory/4308-50-0x00007FF7D26A0000-0x00007FF7D2A91000-memory.dmp	upx
behavioral2/files/0x000a000000023b55-57.dat	upx
behavioral2/files/0x000a000000023b4e-61.dat	upx
behavioral2/files/0x000a000000023b58-75.dat	upx
behavioral2/files/0x000a000000023b66-151.dat	upx
behavioral2/memory/2076-542-0x00007FF7256B0000-0x00007FF725AA1000-memory.dmp	upx
behavioral2/memory/1080-543-0x00007FF7F0B70000-0x00007FF7F0F61000-memory.dmp	upx
behavioral2/memory/4408-544-0x00007FF6D7E40000-0x00007FF6D8231000-memory.dmp	upx
behavioral2/memory/2648-545-0x00007FF7E4840000-0x00007FF7E4C31000-memory.dmp	upx
behavioral2/memory/112-594-0x00007FF69D680000-0x00007FF69DA71000-memory.dmp	upx
behavioral2/memory/1976-602-0x00007FF708CD0000-0x00007FF7090C1000-memory.dmp	upx
behavioral2/memory/516-600-0x00007FF6D0310000-0x00007FF6D0701000-memory.dmp	upx
behavioral2/memory/1836-606-0x00007FF652C00000-0x00007FF652FF1000-memory.dmp	upx
behavioral2/memory/3400-605-0x00007FF640710000-0x00007FF640B01000-memory.dmp	upx
behavioral2/memory/4844-595-0x00007FF7D1DF0000-0x00007FF7D21E1000-memory.dmp	upx
behavioral2/memory/428-617-0x00007FF602DC0000-0x00007FF6031B1000-memory.dmp	upx
behavioral2/memory/2744-607-0x00007FF75F480000-0x00007FF75F871000-memory.dmp	upx
behavioral2/memory/1452-623-0x00007FF77C150000-0x00007FF77C541000-memory.dmp	upx
behavioral2/memory/4776-621-0x00007FF667A30000-0x00007FF667E21000-memory.dmp	upx
behavioral2/files/0x000a000000023b6b-172.dat	upx
behavioral2/files/0x000a000000023b6a-168.dat	upx
behavioral2/files/0x000a000000023b69-166.dat	upx
behavioral2/files/0x000a000000023b68-162.dat	upx
behavioral2/files/0x000a000000023b67-159.dat	upx
behavioral2/files/0x000a000000023b65-146.dat	upx
behavioral2/files/0x000a000000023b64-144.dat	upx
behavioral2/files/0x000a000000023b63-139.dat	upx
behavioral2/files/0x000a000000023b62-131.dat	upx
behavioral2/files/0x000a000000023b61-126.dat	upx
behavioral2/files/0x000a000000023b60-121.dat	upx
behavioral2/files/0x000a000000023b5f-119.dat	upx
behavioral2/files/0x000a000000023b5e-111.dat	upx
behavioral2/files/0x000a000000023b5d-109.dat	upx
behavioral2/files/0x000a000000023b5c-104.dat	upx
behavioral2/files/0x000a000000023b5b-97.dat	upx
behavioral2/files/0x000a000000023b5a-94.dat	upx
behavioral2/files/0x000a000000023b59-89.dat	upx
behavioral2/files/0x000a000000023b56-78.dat	upx
behavioral2/files/0x000a000000023b57-77.dat	upx
behavioral2/files/0x000a000000023b54-71.dat	upx
behavioral2/memory/4412-65-0x00007FF7252D0000-0x00007FF7256C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b52-59.dat	upx
behavioral2/memory/4312-54-0x00007FF714960000-0x00007FF714D51000-memory.dmp	upx
behavioral2/files/0x000a000000023b50-47.dat	upx
behavioral2/files/0x000a000000023b51-45.dat	upx
behavioral2/files/0x000a000000023b53-44.dat	upx
behavioral2/memory/3828-42-0x00007FF71BD70000-0x00007FF71C161000-memory.dmp	upx
behavioral2/memory/4496-39-0x00007FF7052F0000-0x00007FF7056E1000-memory.dmp	upx
behavioral2/memory/2336-38-0x00007FF737F80000-0x00007FF738371000-memory.dmp	upx
behavioral2/memory/4696-25-0x00007FF727F80000-0x00007FF728371000-memory.dmp	upx
behavioral2/memory/384-21-0x00007FF6DEAB0000-0x00007FF6DEEA1000-memory.dmp	upx
behavioral2/files/0x0032000000023b4c-9.dat	upx
behavioral2/memory/3940-845-0x00007FF6F9C00000-0x00007FF6F9FF1000-memory.dmp	upx
behavioral2/memory/4512-850-0x00007FF763CF0000-0x00007FF7640E1000-memory.dmp	upx
behavioral2/memory/384-960-0x00007FF6DEAB0000-0x00007FF6DEEA1000-memory.dmp	upx
behavioral2/memory/4696-1092-0x00007FF727F80000-0x00007FF728371000-memory.dmp	upx
behavioral2/memory/1944-1097-0x00007FF60C680000-0x00007FF60CA71000-memory.dmp	upx
behavioral2/memory/2336-1105-0x00007FF737F80000-0x00007FF738371000-memory.dmp	upx

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	14096	dwm.exe
Token: SeChangeNotifyPrivilege	14096	dwm.exe
Token: 33	14096	dwm.exe
Token: SeIncBasePriorityPrivilege	14096	dwm.exe
Token: SeShutdownPrivilege	14096	dwm.exe
Token: SeCreatePagefilePrivilege	14096	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 4512	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	83
PID 3940 wrote to memory of 4512	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	83
PID 3940 wrote to memory of 384	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	84
PID 3940 wrote to memory of 384	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	84
PID 3940 wrote to memory of 1944	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	85
PID 3940 wrote to memory of 1944	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	85
PID 3940 wrote to memory of 4696	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	86
PID 3940 wrote to memory of 4696	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	86
PID 3940 wrote to memory of 3828	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	87
PID 3940 wrote to memory of 3828	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	87
PID 3940 wrote to memory of 2336	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	88
PID 3940 wrote to memory of 2336	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	88
PID 3940 wrote to memory of 4496	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	89
PID 3940 wrote to memory of 4496	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	89
PID 3940 wrote to memory of 4308	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	90
PID 3940 wrote to memory of 4308	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	90
PID 3940 wrote to memory of 4312	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	91
PID 3940 wrote to memory of 4312	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	91
PID 3940 wrote to memory of 4412	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	92
PID 3940 wrote to memory of 4412	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	92
PID 3940 wrote to memory of 2076	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	93
PID 3940 wrote to memory of 2076	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	93
PID 3940 wrote to memory of 1452	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	94
PID 3940 wrote to memory of 1452	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	94
PID 3940 wrote to memory of 1080	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	95
PID 3940 wrote to memory of 1080	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	95
PID 3940 wrote to memory of 4408	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	96
PID 3940 wrote to memory of 4408	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	96
PID 3940 wrote to memory of 2648	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	97
PID 3940 wrote to memory of 2648	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	97
PID 3940 wrote to memory of 112	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	98
PID 3940 wrote to memory of 112	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	98
PID 3940 wrote to memory of 4844	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	99
PID 3940 wrote to memory of 4844	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	99
PID 3940 wrote to memory of 516	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	100
PID 3940 wrote to memory of 516	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	100
PID 3940 wrote to memory of 1976	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	101
PID 3940 wrote to memory of 1976	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	101
PID 3940 wrote to memory of 3400	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	102
PID 3940 wrote to memory of 3400	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	102
PID 3940 wrote to memory of 1836	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	103
PID 3940 wrote to memory of 1836	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	103
PID 3940 wrote to memory of 2744	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	104
PID 3940 wrote to memory of 2744	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	104
PID 3940 wrote to memory of 428	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	105
PID 3940 wrote to memory of 428	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	105
PID 3940 wrote to memory of 4776	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	106
PID 3940 wrote to memory of 4776	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	106
PID 3940 wrote to memory of 3052	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	107
PID 3940 wrote to memory of 3052	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	107
PID 3940 wrote to memory of 1848	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	108
PID 3940 wrote to memory of 1848	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	108
PID 3940 wrote to memory of 3652	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	109
PID 3940 wrote to memory of 3652	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	109
PID 3940 wrote to memory of 3516	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	110
PID 3940 wrote to memory of 3516	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	110
PID 3940 wrote to memory of 3020	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	111
PID 3940 wrote to memory of 3020	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	111
PID 3940 wrote to memory of 448	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	112
PID 3940 wrote to memory of 448	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	112
PID 3940 wrote to memory of 512	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	113
PID 3940 wrote to memory of 512	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	113
PID 3940 wrote to memory of 1144	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	114
PID 3940 wrote to memory of 1144	3940	c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe	114

C:\Users\Admin\AppData\Local\Temp\c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe
"C:\Users\Admin\AppData\Local\Temp\c5a8371c3cf7ce7dfa166de9bcfbdd76dafae5f55c250508ec4d3173615a12cbN.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Windows\System32\KxFsxqZ.exe
  C:\Windows\System32\KxFsxqZ.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System32\icoEwYw.exe
  C:\Windows\System32\icoEwYw.exe
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\System32\loTupJi.exe
  C:\Windows\System32\loTupJi.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System32\aXRzCow.exe
  C:\Windows\System32\aXRzCow.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System32\McSJhsa.exe
  C:\Windows\System32\McSJhsa.exe
  2⤵
  - Executes dropped EXE
  PID:3828
- C:\Windows\System32\FuLSkMt.exe
  C:\Windows\System32\FuLSkMt.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System32\JmxznTk.exe
  C:\Windows\System32\JmxznTk.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System32\mcMUFgL.exe
  C:\Windows\System32\mcMUFgL.exe
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Windows\System32\fxOqLpz.exe
  C:\Windows\System32\fxOqLpz.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\System32\wdJebIq.exe
  C:\Windows\System32\wdJebIq.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System32\dMXwyYc.exe
  C:\Windows\System32\dMXwyYc.exe
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\System32\HuXWhKc.exe
  C:\Windows\System32\HuXWhKc.exe
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\System32\pDiLJGa.exe
  C:\Windows\System32\pDiLJGa.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System32\eiRtfes.exe
  C:\Windows\System32\eiRtfes.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System32\xXbHNlO.exe
  C:\Windows\System32\xXbHNlO.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System32\wgeKPOz.exe
  C:\Windows\System32\wgeKPOz.exe
  2⤵
  - Executes dropped EXE
  PID:112
- C:\Windows\System32\EXxGBzF.exe
  C:\Windows\System32\EXxGBzF.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System32\QeQkFhh.exe
  C:\Windows\System32\QeQkFhh.exe
  2⤵
  - Executes dropped EXE
  PID:516
- C:\Windows\System32\AfcypfX.exe
  C:\Windows\System32\AfcypfX.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System32\YBtwcMN.exe
  C:\Windows\System32\YBtwcMN.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System32\enQqeub.exe
  C:\Windows\System32\enQqeub.exe
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\System32\khXMqXj.exe
  C:\Windows\System32\khXMqXj.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System32\DDqOxww.exe
  C:\Windows\System32\DDqOxww.exe
  2⤵
  - Executes dropped EXE
  PID:428
- C:\Windows\System32\YEvnPFP.exe
  C:\Windows\System32\YEvnPFP.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System32\XKRnIqm.exe
  C:\Windows\System32\XKRnIqm.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System32\kkkpGsG.exe
  C:\Windows\System32\kkkpGsG.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System32\FLEshDk.exe
  C:\Windows\System32\FLEshDk.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System32\giswfTp.exe
  C:\Windows\System32\giswfTp.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Windows\System32\aDHcUFB.exe
  C:\Windows\System32\aDHcUFB.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System32\zrPMHoT.exe
  C:\Windows\System32\zrPMHoT.exe
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Windows\System32\XGurtpg.exe
  C:\Windows\System32\XGurtpg.exe
  2⤵
  - Executes dropped EXE
  PID:512
- C:\Windows\System32\jAoJVLr.exe
  C:\Windows\System32\jAoJVLr.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\System32\ZTTYrLJ.exe
  C:\Windows\System32\ZTTYrLJ.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System32\aTQyIAR.exe
  C:\Windows\System32\aTQyIAR.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System32\UDAvJOi.exe
  C:\Windows\System32\UDAvJOi.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System32\uREHnaE.exe
  C:\Windows\System32\uREHnaE.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System32\MLqBnRw.exe
  C:\Windows\System32\MLqBnRw.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\System32\QBYJzAY.exe
  C:\Windows\System32\QBYJzAY.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System32\oIeGmiZ.exe
  C:\Windows\System32\oIeGmiZ.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System32\oEEGfRr.exe
  C:\Windows\System32\oEEGfRr.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System32\HWZwezN.exe
  C:\Windows\System32\HWZwezN.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System32\BCPetbK.exe
  C:\Windows\System32\BCPetbK.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System32\XsRMdnt.exe
  C:\Windows\System32\XsRMdnt.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System32\mXvJgBW.exe
  C:\Windows\System32\mXvJgBW.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System32\rmkoPDM.exe
  C:\Windows\System32\rmkoPDM.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System32\IUOCADp.exe
  C:\Windows\System32\IUOCADp.exe
  2⤵
  - Executes dropped EXE
  PID:568
- C:\Windows\System32\AvEXvPz.exe
  C:\Windows\System32\AvEXvPz.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System32\SilEZlt.exe
  C:\Windows\System32\SilEZlt.exe
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Windows\System32\FlonXer.exe
  C:\Windows\System32\FlonXer.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\System32\hjRHwNm.exe
  C:\Windows\System32\hjRHwNm.exe
  2⤵
  - Executes dropped EXE
  PID:3392
- C:\Windows\System32\gSHMAkK.exe
  C:\Windows\System32\gSHMAkK.exe
  2⤵
  - Executes dropped EXE
  PID:4296
- C:\Windows\System32\rKBuHpz.exe
  C:\Windows\System32\rKBuHpz.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System32\zsfKQql.exe
  C:\Windows\System32\zsfKQql.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System32\yEVsydn.exe
  C:\Windows\System32\yEVsydn.exe
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\System32\jHyXDJM.exe
  C:\Windows\System32\jHyXDJM.exe
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\System32\KmYuANd.exe
  C:\Windows\System32\KmYuANd.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Windows\System32\amFmclK.exe
  C:\Windows\System32\amFmclK.exe
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\System32\exspbts.exe
  C:\Windows\System32\exspbts.exe
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Windows\System32\QIgeQHP.exe
  C:\Windows\System32\QIgeQHP.exe
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Windows\System32\quRnEyB.exe
  C:\Windows\System32\quRnEyB.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System32\hnOeJKh.exe
  C:\Windows\System32\hnOeJKh.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System32\GKXujAk.exe
  C:\Windows\System32\GKXujAk.exe
  2⤵
  - Executes dropped EXE
  PID:264
- C:\Windows\System32\Mbgostq.exe
  C:\Windows\System32\Mbgostq.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System32\HbiTTJU.exe
  C:\Windows\System32\HbiTTJU.exe
  2⤵
  - Executes dropped EXE
  PID:408
- C:\Windows\System32\ZPDgYIR.exe
  C:\Windows\System32\ZPDgYIR.exe
  2⤵
  PID:1164
- C:\Windows\System32\IffmTkN.exe
  C:\Windows\System32\IffmTkN.exe
  2⤵
  PID:5008
- C:\Windows\System32\ZMAtgDH.exe
  C:\Windows\System32\ZMAtgDH.exe
  2⤵
  PID:2700
- C:\Windows\System32\MXWWLGc.exe
  C:\Windows\System32\MXWWLGc.exe
  2⤵
  PID:1428
- C:\Windows\System32\NnMLzdx.exe
  C:\Windows\System32\NnMLzdx.exe
  2⤵
  PID:3892
- C:\Windows\System32\luQjkhh.exe
  C:\Windows\System32\luQjkhh.exe
  2⤵
  PID:4912
- C:\Windows\System32\ohpIXEs.exe
  C:\Windows\System32\ohpIXEs.exe
  2⤵
  PID:2184
- C:\Windows\System32\SnmwpwO.exe
  C:\Windows\System32\SnmwpwO.exe
  2⤵
  PID:3276
- C:\Windows\System32\GvIMgAc.exe
  C:\Windows\System32\GvIMgAc.exe
  2⤵
  PID:556
- C:\Windows\System32\BqpFuHL.exe
  C:\Windows\System32\BqpFuHL.exe
  2⤵
  PID:1424
- C:\Windows\System32\tJacqUc.exe
  C:\Windows\System32\tJacqUc.exe
  2⤵
  PID:5068
- C:\Windows\System32\aaxydVq.exe
  C:\Windows\System32\aaxydVq.exe
  2⤵
  PID:4448
- C:\Windows\System32\gylYnEP.exe
  C:\Windows\System32\gylYnEP.exe
  2⤵
  PID:4040
- C:\Windows\System32\tFaXgCn.exe
  C:\Windows\System32\tFaXgCn.exe
  2⤵
  PID:4120
- C:\Windows\System32\mHJcJdp.exe
  C:\Windows\System32\mHJcJdp.exe
  2⤵
  PID:2720
- C:\Windows\System32\TdkpjNf.exe
  C:\Windows\System32\TdkpjNf.exe
  2⤵
  PID:2392
- C:\Windows\System32\qxTiKIS.exe
  C:\Windows\System32\qxTiKIS.exe
  2⤵
  PID:3000
- C:\Windows\System32\ukvhnnW.exe
  C:\Windows\System32\ukvhnnW.exe
  2⤵
  PID:4300
- C:\Windows\System32\poTelcT.exe
  C:\Windows\System32\poTelcT.exe
  2⤵
  PID:2724
- C:\Windows\System32\yQXheKL.exe
  C:\Windows\System32\yQXheKL.exe
  2⤵
  PID:4080
- C:\Windows\System32\kjSZafr.exe
  C:\Windows\System32\kjSZafr.exe
  2⤵
  PID:1940
- C:\Windows\System32\Ptgtlaj.exe
  C:\Windows\System32\Ptgtlaj.exe
  2⤵
  PID:776
- C:\Windows\System32\GLbpdxR.exe
  C:\Windows\System32\GLbpdxR.exe
  2⤵
  PID:5088
- C:\Windows\System32\LBFLrqj.exe
  C:\Windows\System32\LBFLrqj.exe
  2⤵
  PID:5136
- C:\Windows\System32\yFAThdk.exe
  C:\Windows\System32\yFAThdk.exe
  2⤵
  PID:5164
- C:\Windows\System32\NgGhWhS.exe
  C:\Windows\System32\NgGhWhS.exe
  2⤵
  PID:5192
- C:\Windows\System32\hrUDicK.exe
  C:\Windows\System32\hrUDicK.exe
  2⤵
  PID:5220
- C:\Windows\System32\bXTWQER.exe
  C:\Windows\System32\bXTWQER.exe
  2⤵
  PID:5256
- C:\Windows\System32\Yzjkacz.exe
  C:\Windows\System32\Yzjkacz.exe
  2⤵
  PID:5276
- C:\Windows\System32\CXYXEMs.exe
  C:\Windows\System32\CXYXEMs.exe
  2⤵
  PID:5304
- C:\Windows\System32\vGIwJLL.exe
  C:\Windows\System32\vGIwJLL.exe
  2⤵
  PID:5332
- C:\Windows\System32\guPCwqb.exe
  C:\Windows\System32\guPCwqb.exe
  2⤵
  PID:5360
- C:\Windows\System32\nKSHGIo.exe
  C:\Windows\System32\nKSHGIo.exe
  2⤵
  PID:5388
- C:\Windows\System32\ZNJsIdV.exe
  C:\Windows\System32\ZNJsIdV.exe
  2⤵
  PID:5420
- C:\Windows\System32\VPPxlkL.exe
  C:\Windows\System32\VPPxlkL.exe
  2⤵
  PID:5444
- C:\Windows\System32\yMeBIPP.exe
  C:\Windows\System32\yMeBIPP.exe
  2⤵
  PID:5468
- C:\Windows\System32\jnJpYwy.exe
  C:\Windows\System32\jnJpYwy.exe
  2⤵
  PID:5500
- C:\Windows\System32\LDDgbku.exe
  C:\Windows\System32\LDDgbku.exe
  2⤵
  PID:5532
- C:\Windows\System32\JruQNEp.exe
  C:\Windows\System32\JruQNEp.exe
  2⤵
  PID:5556
- C:\Windows\System32\hxBKAYO.exe
  C:\Windows\System32\hxBKAYO.exe
  2⤵
  PID:5584
- C:\Windows\System32\wAffNoX.exe
  C:\Windows\System32\wAffNoX.exe
  2⤵
  PID:5612
- C:\Windows\System32\pksnbvF.exe
  C:\Windows\System32\pksnbvF.exe
  2⤵
  PID:5664
- C:\Windows\System32\xWlxdkW.exe
  C:\Windows\System32\xWlxdkW.exe
  2⤵
  PID:5680
- C:\Windows\System32\WLJiHtB.exe
  C:\Windows\System32\WLJiHtB.exe
  2⤵
  PID:5696
- C:\Windows\System32\rruleFR.exe
  C:\Windows\System32\rruleFR.exe
  2⤵
  PID:5724
- C:\Windows\System32\UnWsXQy.exe
  C:\Windows\System32\UnWsXQy.exe
  2⤵
  PID:5752
- C:\Windows\System32\hdYLTyk.exe
  C:\Windows\System32\hdYLTyk.exe
  2⤵
  PID:5776
- C:\Windows\System32\WUQRhKC.exe
  C:\Windows\System32\WUQRhKC.exe
  2⤵
  PID:5808
- C:\Windows\System32\vZPipBa.exe
  C:\Windows\System32\vZPipBa.exe
  2⤵
  PID:5836
- C:\Windows\System32\rMTQLGQ.exe
  C:\Windows\System32\rMTQLGQ.exe
  2⤵
  PID:5860
- C:\Windows\System32\KqNjORS.exe
  C:\Windows\System32\KqNjORS.exe
  2⤵
  PID:5888
- C:\Windows\System32\gvxNtnA.exe
  C:\Windows\System32\gvxNtnA.exe
  2⤵
  PID:5920
- C:\Windows\System32\NxtTYRS.exe
  C:\Windows\System32\NxtTYRS.exe
  2⤵
  PID:5944
- C:\Windows\System32\HLEDVrp.exe
  C:\Windows\System32\HLEDVrp.exe
  2⤵
  PID:5976
- C:\Windows\System32\IGLCGHy.exe
  C:\Windows\System32\IGLCGHy.exe
  2⤵
  PID:6000
- C:\Windows\System32\OSmdpul.exe
  C:\Windows\System32\OSmdpul.exe
  2⤵
  PID:6032
- C:\Windows\System32\TVcirxp.exe
  C:\Windows\System32\TVcirxp.exe
  2⤵
  PID:6064
- C:\Windows\System32\mvGhWrK.exe
  C:\Windows\System32\mvGhWrK.exe
  2⤵
  PID:6088
- C:\Windows\System32\maxrQHm.exe
  C:\Windows\System32\maxrQHm.exe
  2⤵
  PID:6120
- C:\Windows\System32\WnAlTtJ.exe
  C:\Windows\System32\WnAlTtJ.exe
  2⤵
  PID:2868
- C:\Windows\System32\knFOQAz.exe
  C:\Windows\System32\knFOQAz.exe
  2⤵
  PID:4924
- C:\Windows\System32\WmgGCRW.exe
  C:\Windows\System32\WmgGCRW.exe
  2⤵
  PID:4376
- C:\Windows\System32\bFYIcjw.exe
  C:\Windows\System32\bFYIcjw.exe
  2⤵
  PID:4516
- C:\Windows\System32\qyNGqux.exe
  C:\Windows\System32\qyNGqux.exe
  2⤵
  PID:3204
- C:\Windows\System32\nZktylu.exe
  C:\Windows\System32\nZktylu.exe
  2⤵
  PID:4532
- C:\Windows\System32\YdUsIdN.exe
  C:\Windows\System32\YdUsIdN.exe
  2⤵
  PID:5128
- C:\Windows\System32\yjCDFpg.exe
  C:\Windows\System32\yjCDFpg.exe
  2⤵
  PID:5184
- C:\Windows\System32\XkleEGJ.exe
  C:\Windows\System32\XkleEGJ.exe
  2⤵
  PID:5228
- C:\Windows\System32\OckUCOx.exe
  C:\Windows\System32\OckUCOx.exe
  2⤵
  PID:5284
- C:\Windows\System32\zPAJcAO.exe
  C:\Windows\System32\zPAJcAO.exe
  2⤵
  PID:5352
- C:\Windows\System32\eDZWfzR.exe
  C:\Windows\System32\eDZWfzR.exe
  2⤵
  PID:5428
- C:\Windows\System32\vDWMoXF.exe
  C:\Windows\System32\vDWMoXF.exe
  2⤵
  PID:5484
- C:\Windows\System32\hxCTtiO.exe
  C:\Windows\System32\hxCTtiO.exe
  2⤵
  PID:5576
- C:\Windows\System32\nInckVF.exe
  C:\Windows\System32\nInckVF.exe
  2⤵
  PID:5596
- C:\Windows\System32\CISaRvM.exe
  C:\Windows\System32\CISaRvM.exe
  2⤵
  PID:5672
- C:\Windows\System32\XePIKFS.exe
  C:\Windows\System32\XePIKFS.exe
  2⤵
  PID:5736
- C:\Windows\System32\ESjhAiU.exe
  C:\Windows\System32\ESjhAiU.exe
  2⤵
  PID:5800
- C:\Windows\System32\GcKCBJQ.exe
  C:\Windows\System32\GcKCBJQ.exe
  2⤵
  PID:5848
- C:\Windows\System32\njEamvh.exe
  C:\Windows\System32\njEamvh.exe
  2⤵
  PID:5896
- C:\Windows\System32\tkRbCUD.exe
  C:\Windows\System32\tkRbCUD.exe
  2⤵
  PID:5940
- C:\Windows\System32\PGMYYjT.exe
  C:\Windows\System32\PGMYYjT.exe
  2⤵
  PID:5988
- C:\Windows\System32\gopWEEf.exe
  C:\Windows\System32\gopWEEf.exe
  2⤵
  PID:6044
- C:\Windows\System32\rvEEDlH.exe
  C:\Windows\System32\rvEEDlH.exe
  2⤵
  PID:6128
- C:\Windows\System32\eWQXcDz.exe
  C:\Windows\System32\eWQXcDz.exe
  2⤵
  PID:4692
- C:\Windows\System32\cRhMFYu.exe
  C:\Windows\System32\cRhMFYu.exe
  2⤵
  PID:3580
- C:\Windows\System32\UhRnIgZ.exe
  C:\Windows\System32\UhRnIgZ.exe
  2⤵
  PID:4616
- C:\Windows\System32\kersxDH.exe
  C:\Windows\System32\kersxDH.exe
  2⤵
  PID:5296
- C:\Windows\System32\vkCFBWL.exe
  C:\Windows\System32\vkCFBWL.exe
  2⤵
  PID:5368
- C:\Windows\System32\AbTzWek.exe
  C:\Windows\System32\AbTzWek.exe
  2⤵
  PID:2000
- C:\Windows\System32\DmRPopR.exe
  C:\Windows\System32\DmRPopR.exe
  2⤵
  PID:628
- C:\Windows\System32\mCmKmyg.exe
  C:\Windows\System32\mCmKmyg.exe
  2⤵
  PID:552
- C:\Windows\System32\gTudlIC.exe
  C:\Windows\System32\gTudlIC.exe
  2⤵
  PID:5784
- C:\Windows\System32\YysHnfN.exe
  C:\Windows\System32\YysHnfN.exe
  2⤵
  PID:6016
- C:\Windows\System32\LvubxnC.exe
  C:\Windows\System32\LvubxnC.exe
  2⤵
  PID:2660
- C:\Windows\System32\aarjlsQ.exe
  C:\Windows\System32\aarjlsQ.exe
  2⤵
  PID:3356
- C:\Windows\System32\dXGatVq.exe
  C:\Windows\System32\dXGatVq.exe
  2⤵
  PID:4544
- C:\Windows\System32\hyRHxng.exe
  C:\Windows\System32\hyRHxng.exe
  2⤵
  PID:1212
- C:\Windows\System32\oCFROhZ.exe
  C:\Windows\System32\oCFROhZ.exe
  2⤵
  PID:5476
- C:\Windows\System32\SBoPXpc.exe
  C:\Windows\System32\SBoPXpc.exe
  2⤵
  PID:5760
- C:\Windows\System32\pucrWqT.exe
  C:\Windows\System32\pucrWqT.exe
  2⤵
  PID:2492
- C:\Windows\System32\utKLLnP.exe
  C:\Windows\System32\utKLLnP.exe
  2⤵
  PID:1588
- C:\Windows\System32\lFZgzOO.exe
  C:\Windows\System32\lFZgzOO.exe
  2⤵
  PID:6072
- C:\Windows\System32\kldiDor.exe
  C:\Windows\System32\kldiDor.exe
  2⤵
  PID:3464
- C:\Windows\System32\KpAWoAd.exe
  C:\Windows\System32\KpAWoAd.exe
  2⤵
  PID:2864
- C:\Windows\System32\EptTsSm.exe
  C:\Windows\System32\EptTsSm.exe
  2⤵
  PID:5704
- C:\Windows\System32\gHSHYAd.exe
  C:\Windows\System32\gHSHYAd.exe
  2⤵
  PID:6176
- C:\Windows\System32\czuBTek.exe
  C:\Windows\System32\czuBTek.exe
  2⤵
  PID:6200
- C:\Windows\System32\lfrMWOW.exe
  C:\Windows\System32\lfrMWOW.exe
  2⤵
  PID:6232
- C:\Windows\System32\jLCFtTG.exe
  C:\Windows\System32\jLCFtTG.exe
  2⤵
  PID:6248
- C:\Windows\System32\zieDvgT.exe
  C:\Windows\System32\zieDvgT.exe
  2⤵
  PID:6272
- C:\Windows\System32\oHovEPL.exe
  C:\Windows\System32\oHovEPL.exe
  2⤵
  PID:6292
- C:\Windows\System32\PoCgzXc.exe
  C:\Windows\System32\PoCgzXc.exe
  2⤵
  PID:6328
- C:\Windows\System32\jBamDbO.exe
  C:\Windows\System32\jBamDbO.exe
  2⤵
  PID:6360
- C:\Windows\System32\mTHMVgs.exe
  C:\Windows\System32\mTHMVgs.exe
  2⤵
  PID:6380
- C:\Windows\System32\MIkxlWB.exe
  C:\Windows\System32\MIkxlWB.exe
  2⤵
  PID:6404
- C:\Windows\System32\njBODWr.exe
  C:\Windows\System32\njBODWr.exe
  2⤵
  PID:6424
- C:\Windows\System32\WURfBwv.exe
  C:\Windows\System32\WURfBwv.exe
  2⤵
  PID:6488
- C:\Windows\System32\cBCAssa.exe
  C:\Windows\System32\cBCAssa.exe
  2⤵
  PID:6564
- C:\Windows\System32\HyzegCN.exe
  C:\Windows\System32\HyzegCN.exe
  2⤵
  PID:6580
- C:\Windows\System32\ToFXImR.exe
  C:\Windows\System32\ToFXImR.exe
  2⤵
  PID:6632
- C:\Windows\System32\eQXzqjq.exe
  C:\Windows\System32\eQXzqjq.exe
  2⤵
  PID:6660
- C:\Windows\System32\euKFHGH.exe
  C:\Windows\System32\euKFHGH.exe
  2⤵
  PID:6680
- C:\Windows\System32\xRQnPSe.exe
  C:\Windows\System32\xRQnPSe.exe
  2⤵
  PID:6736
- C:\Windows\System32\McHxuKb.exe
  C:\Windows\System32\McHxuKb.exe
  2⤵
  PID:6752
- C:\Windows\System32\HxRRmDF.exe
  C:\Windows\System32\HxRRmDF.exe
  2⤵
  PID:6800
- C:\Windows\System32\IPZeadV.exe
  C:\Windows\System32\IPZeadV.exe
  2⤵
  PID:6876
- C:\Windows\System32\ZjkJEmP.exe
  C:\Windows\System32\ZjkJEmP.exe
  2⤵
  PID:6892
- C:\Windows\System32\RsiHKwG.exe
  C:\Windows\System32\RsiHKwG.exe
  2⤵
  PID:6912
- C:\Windows\System32\AjBHeLR.exe
  C:\Windows\System32\AjBHeLR.exe
  2⤵
  PID:6928
- C:\Windows\System32\vUyhDNo.exe
  C:\Windows\System32\vUyhDNo.exe
  2⤵
  PID:6944
- C:\Windows\System32\fQecsDc.exe
  C:\Windows\System32\fQecsDc.exe
  2⤵
  PID:6960
- C:\Windows\System32\FMNgqwQ.exe
  C:\Windows\System32\FMNgqwQ.exe
  2⤵
  PID:6976
- C:\Windows\System32\YzFkZTQ.exe
  C:\Windows\System32\YzFkZTQ.exe
  2⤵
  PID:6992
- C:\Windows\System32\wTxfxpR.exe
  C:\Windows\System32\wTxfxpR.exe
  2⤵
  PID:7008
- C:\Windows\System32\fRARQdI.exe
  C:\Windows\System32\fRARQdI.exe
  2⤵
  PID:7024
- C:\Windows\System32\JmcPRXn.exe
  C:\Windows\System32\JmcPRXn.exe
  2⤵
  PID:7140
- C:\Windows\System32\KSrLzVi.exe
  C:\Windows\System32\KSrLzVi.exe
  2⤵
  PID:3324
- C:\Windows\System32\ZhymYgx.exe
  C:\Windows\System32\ZhymYgx.exe
  2⤵
  PID:2556
- C:\Windows\System32\DmNYDDD.exe
  C:\Windows\System32\DmNYDDD.exe
  2⤵
  PID:5592
- C:\Windows\System32\vmdiooo.exe
  C:\Windows\System32\vmdiooo.exe
  2⤵
  PID:3488
- C:\Windows\System32\BxWEYEt.exe
  C:\Windows\System32\BxWEYEt.exe
  2⤵
  PID:6216
- C:\Windows\System32\voitMGn.exe
  C:\Windows\System32\voitMGn.exe
  2⤵
  PID:6244
- C:\Windows\System32\NshdDDv.exe
  C:\Windows\System32\NshdDDv.exe
  2⤵
  PID:1852
- C:\Windows\System32\NSjFLoq.exe
  C:\Windows\System32\NSjFLoq.exe
  2⤵
  PID:6400
- C:\Windows\System32\TUgefcj.exe
  C:\Windows\System32\TUgefcj.exe
  2⤵
  PID:6416
- C:\Windows\System32\UefBrCs.exe
  C:\Windows\System32\UefBrCs.exe
  2⤵
  PID:6508
- C:\Windows\System32\pxaCACW.exe
  C:\Windows\System32\pxaCACW.exe
  2⤵
  PID:3048
- C:\Windows\System32\ZxSbDOV.exe
  C:\Windows\System32\ZxSbDOV.exe
  2⤵
  PID:6312
- C:\Windows\System32\MGuCqlt.exe
  C:\Windows\System32\MGuCqlt.exe
  2⤵
  PID:6620
- C:\Windows\System32\fWJecHo.exe
  C:\Windows\System32\fWJecHo.exe
  2⤵
  PID:6676
- C:\Windows\System32\kNbUzMc.exe
  C:\Windows\System32\kNbUzMc.exe
  2⤵
  PID:6780
- C:\Windows\System32\sdMHWnK.exe
  C:\Windows\System32\sdMHWnK.exe
  2⤵
  PID:6792
- C:\Windows\System32\JKZdoZm.exe
  C:\Windows\System32\JKZdoZm.exe
  2⤵
  PID:6988
- C:\Windows\System32\lOdhZWE.exe
  C:\Windows\System32\lOdhZWE.exe
  2⤵
  PID:7048
- C:\Windows\System32\PXmzsEd.exe
  C:\Windows\System32\PXmzsEd.exe
  2⤵
  PID:7004
- C:\Windows\System32\vAoFXrF.exe
  C:\Windows\System32\vAoFXrF.exe
  2⤵
  PID:6940
- C:\Windows\System32\brQWmmO.exe
  C:\Windows\System32\brQWmmO.exe
  2⤵
  PID:6904
- C:\Windows\System32\jgqMYHy.exe
  C:\Windows\System32\jgqMYHy.exe
  2⤵
  PID:2844
- C:\Windows\System32\XXUSdCi.exe
  C:\Windows\System32\XXUSdCi.exe
  2⤵
  PID:1912
- C:\Windows\System32\qyQBBFh.exe
  C:\Windows\System32\qyQBBFh.exe
  2⤵
  PID:6256
- C:\Windows\System32\ZyDrUJe.exe
  C:\Windows\System32\ZyDrUJe.exe
  2⤵
  PID:6284
- C:\Windows\System32\ptGSDmI.exe
  C:\Windows\System32\ptGSDmI.exe
  2⤵
  PID:6368
- C:\Windows\System32\TZfrEAc.exe
  C:\Windows\System32\TZfrEAc.exe
  2⤵
  PID:6396
- C:\Windows\System32\bVlPcnB.exe
  C:\Windows\System32\bVlPcnB.exe
  2⤵
  PID:5984
- C:\Windows\System32\OZkdgeb.exe
  C:\Windows\System32\OZkdgeb.exe
  2⤵
  PID:6536
- C:\Windows\System32\FEDGsVL.exe
  C:\Windows\System32\FEDGsVL.exe
  2⤵
  PID:6748
- C:\Windows\System32\mIUqnOP.exe
  C:\Windows\System32\mIUqnOP.exe
  2⤵
  PID:6840
- C:\Windows\System32\cfZMjsf.exe
  C:\Windows\System32\cfZMjsf.exe
  2⤵
  PID:7088
- C:\Windows\System32\yzWIwvL.exe
  C:\Windows\System32\yzWIwvL.exe
  2⤵
  PID:7016
- C:\Windows\System32\lRWbUVX.exe
  C:\Windows\System32\lRWbUVX.exe
  2⤵
  PID:5344
- C:\Windows\System32\XFBQUkB.exe
  C:\Windows\System32\XFBQUkB.exe
  2⤵
  PID:6372
- C:\Windows\System32\KHQjGKI.exe
  C:\Windows\System32\KHQjGKI.exe
  2⤵
  PID:6972
- C:\Windows\System32\IIQpFpr.exe
  C:\Windows\System32\IIQpFpr.exe
  2⤵
  PID:7060
- C:\Windows\System32\VdCYDmX.exe
  C:\Windows\System32\VdCYDmX.exe
  2⤵
  PID:6984
- C:\Windows\System32\qtgVKWU.exe
  C:\Windows\System32\qtgVKWU.exe
  2⤵
  PID:7188
- C:\Windows\System32\RaMbLxJ.exe
  C:\Windows\System32\RaMbLxJ.exe
  2⤵
  PID:7204
- C:\Windows\System32\aZMMCHJ.exe
  C:\Windows\System32\aZMMCHJ.exe
  2⤵
  PID:7232
- C:\Windows\System32\BRBTKKd.exe
  C:\Windows\System32\BRBTKKd.exe
  2⤵
  PID:7264
- C:\Windows\System32\nJRHAHM.exe
  C:\Windows\System32\nJRHAHM.exe
  2⤵
  PID:7304
- C:\Windows\System32\qMUUqUj.exe
  C:\Windows\System32\qMUUqUj.exe
  2⤵
  PID:7328
- C:\Windows\System32\wWzPuDQ.exe
  C:\Windows\System32\wWzPuDQ.exe
  2⤵
  PID:7380
- C:\Windows\System32\LYMBNyA.exe
  C:\Windows\System32\LYMBNyA.exe
  2⤵
  PID:7400
- C:\Windows\System32\NNfnEIy.exe
  C:\Windows\System32\NNfnEIy.exe
  2⤵
  PID:7440
- C:\Windows\System32\okKUPPs.exe
  C:\Windows\System32\okKUPPs.exe
  2⤵
  PID:7508
- C:\Windows\System32\wSVVirI.exe
  C:\Windows\System32\wSVVirI.exe
  2⤵
  PID:7556
- C:\Windows\System32\ivvokNn.exe
  C:\Windows\System32\ivvokNn.exe
  2⤵
  PID:7588
- C:\Windows\System32\wjwmFmg.exe
  C:\Windows\System32\wjwmFmg.exe
  2⤵
  PID:7620
- C:\Windows\System32\dRKFDaP.exe
  C:\Windows\System32\dRKFDaP.exe
  2⤵
  PID:7660
- C:\Windows\System32\AFsXbym.exe
  C:\Windows\System32\AFsXbym.exe
  2⤵
  PID:7676
- C:\Windows\System32\tneYjWS.exe
  C:\Windows\System32\tneYjWS.exe
  2⤵
  PID:7716
- C:\Windows\System32\qtDfhgo.exe
  C:\Windows\System32\qtDfhgo.exe
  2⤵
  PID:7744
- C:\Windows\System32\FgAgCNv.exe
  C:\Windows\System32\FgAgCNv.exe
  2⤵
  PID:7768
- C:\Windows\System32\chVzqEm.exe
  C:\Windows\System32\chVzqEm.exe
  2⤵
  PID:7800
- C:\Windows\System32\geicCiE.exe
  C:\Windows\System32\geicCiE.exe
  2⤵
  PID:7824
- C:\Windows\System32\VLXoaBo.exe
  C:\Windows\System32\VLXoaBo.exe
  2⤵
  PID:7844
- C:\Windows\System32\uRMSsQB.exe
  C:\Windows\System32\uRMSsQB.exe
  2⤵
  PID:7864
- C:\Windows\System32\ikRXmMC.exe
  C:\Windows\System32\ikRXmMC.exe
  2⤵
  PID:7888
- C:\Windows\System32\QQFTecR.exe
  C:\Windows\System32\QQFTecR.exe
  2⤵
  PID:7924
- C:\Windows\System32\GgatWUV.exe
  C:\Windows\System32\GgatWUV.exe
  2⤵
  PID:7944
- C:\Windows\System32\nLvlBjZ.exe
  C:\Windows\System32\nLvlBjZ.exe
  2⤵
  PID:7964
- C:\Windows\System32\JkUoVLE.exe
  C:\Windows\System32\JkUoVLE.exe
  2⤵
  PID:7988
- C:\Windows\System32\YMraDrm.exe
  C:\Windows\System32\YMraDrm.exe
  2⤵
  PID:8024
- C:\Windows\System32\MdEtDzx.exe
  C:\Windows\System32\MdEtDzx.exe
  2⤵
  PID:8064
- C:\Windows\System32\hKmmahT.exe
  C:\Windows\System32\hKmmahT.exe
  2⤵
  PID:8088
- C:\Windows\System32\CVCzSyp.exe
  C:\Windows\System32\CVCzSyp.exe
  2⤵
  PID:8128
- C:\Windows\System32\dDOOKNX.exe
  C:\Windows\System32\dDOOKNX.exe
  2⤵
  PID:8152
- C:\Windows\System32\rIjJtli.exe
  C:\Windows\System32\rIjJtli.exe
  2⤵
  PID:8168
- C:\Windows\System32\RhetzXw.exe
  C:\Windows\System32\RhetzXw.exe
  2⤵
  PID:7228
- C:\Windows\System32\hStyibo.exe
  C:\Windows\System32\hStyibo.exe
  2⤵
  PID:7260
- C:\Windows\System32\jCIgpYo.exe
  C:\Windows\System32\jCIgpYo.exe
  2⤵
  PID:7280
- C:\Windows\System32\UYCTgnV.exe
  C:\Windows\System32\UYCTgnV.exe
  2⤵
  PID:7312
- C:\Windows\System32\OAfXCWE.exe
  C:\Windows\System32\OAfXCWE.exe
  2⤵
  PID:7272
- C:\Windows\System32\gFtjtnf.exe
  C:\Windows\System32\gFtjtnf.exe
  2⤵
  PID:6592
- C:\Windows\System32\auFSZJp.exe
  C:\Windows\System32\auFSZJp.exe
  2⤵
  PID:7428
- C:\Windows\System32\zdjaVPZ.exe
  C:\Windows\System32\zdjaVPZ.exe
  2⤵
  PID:7572
- C:\Windows\System32\lkTfKEd.exe
  C:\Windows\System32\lkTfKEd.exe
  2⤵
  PID:7684
- C:\Windows\System32\stzzKqZ.exe
  C:\Windows\System32\stzzKqZ.exe
  2⤵
  PID:7728
- C:\Windows\System32\NJAtkba.exe
  C:\Windows\System32\NJAtkba.exe
  2⤵
  PID:7784
- C:\Windows\System32\dyfYViF.exe
  C:\Windows\System32\dyfYViF.exe
  2⤵
  PID:2288
- C:\Windows\System32\BqTSpDq.exe
  C:\Windows\System32\BqTSpDq.exe
  2⤵
  PID:7840
- C:\Windows\System32\cHlUQNc.exe
  C:\Windows\System32\cHlUQNc.exe
  2⤵
  PID:7912
- C:\Windows\System32\hkvaryQ.exe
  C:\Windows\System32\hkvaryQ.exe
  2⤵
  PID:7972
- C:\Windows\System32\vnquGDS.exe
  C:\Windows\System32\vnquGDS.exe
  2⤵
  PID:2384
- C:\Windows\System32\NTzkkoo.exe
  C:\Windows\System32\NTzkkoo.exe
  2⤵
  PID:8164
- C:\Windows\System32\kelqZZd.exe
  C:\Windows\System32\kelqZZd.exe
  2⤵
  PID:8140
- C:\Windows\System32\daFlbfb.exe
  C:\Windows\System32\daFlbfb.exe
  2⤵
  PID:4588
- C:\Windows\System32\pDPXHKM.exe
  C:\Windows\System32\pDPXHKM.exe
  2⤵
  PID:7320
- C:\Windows\System32\DgyUHPZ.exe
  C:\Windows\System32\DgyUHPZ.exe
  2⤵
  PID:7500
- C:\Windows\System32\zLUxldw.exe
  C:\Windows\System32\zLUxldw.exe
  2⤵
  PID:7600
- C:\Windows\System32\YuNgqcu.exe
  C:\Windows\System32\YuNgqcu.exe
  2⤵
  PID:8008
- C:\Windows\System32\XqPHnSc.exe
  C:\Windows\System32\XqPHnSc.exe
  2⤵
  PID:7836
- C:\Windows\System32\imbdQwF.exe
  C:\Windows\System32\imbdQwF.exe
  2⤵
  PID:8136
- C:\Windows\System32\XRzWlhB.exe
  C:\Windows\System32\XRzWlhB.exe
  2⤵
  PID:6924
- C:\Windows\System32\apUtiqy.exe
  C:\Windows\System32\apUtiqy.exe
  2⤵
  PID:7288
- C:\Windows\System32\fuKWsaB.exe
  C:\Windows\System32\fuKWsaB.exe
  2⤵
  PID:7336
- C:\Windows\System32\GnhIzQA.exe
  C:\Windows\System32\GnhIzQA.exe
  2⤵
  PID:7364
- C:\Windows\System32\CgIjRPb.exe
  C:\Windows\System32\CgIjRPb.exe
  2⤵
  PID:7224
- C:\Windows\System32\BZxFUyU.exe
  C:\Windows\System32\BZxFUyU.exe
  2⤵
  PID:7568
- C:\Windows\System32\PUnzYoC.exe
  C:\Windows\System32\PUnzYoC.exe
  2⤵
  PID:7996
- C:\Windows\System32\IuxpzKp.exe
  C:\Windows\System32\IuxpzKp.exe
  2⤵
  PID:7920
- C:\Windows\System32\LheCNaU.exe
  C:\Windows\System32\LheCNaU.exe
  2⤵
  PID:8224
- C:\Windows\System32\NAApNDh.exe
  C:\Windows\System32\NAApNDh.exe
  2⤵
  PID:8248
- C:\Windows\System32\OvYrlhP.exe
  C:\Windows\System32\OvYrlhP.exe
  2⤵
  PID:8272
- C:\Windows\System32\XRTwKMB.exe
  C:\Windows\System32\XRTwKMB.exe
  2⤵
  PID:8296
- C:\Windows\System32\fOWtNfE.exe
  C:\Windows\System32\fOWtNfE.exe
  2⤵
  PID:8340
- C:\Windows\System32\AyOgOjf.exe
  C:\Windows\System32\AyOgOjf.exe
  2⤵
  PID:8356
- C:\Windows\System32\lJuBcMF.exe
  C:\Windows\System32\lJuBcMF.exe
  2⤵
  PID:8380
- C:\Windows\System32\tyMgMIL.exe
  C:\Windows\System32\tyMgMIL.exe
  2⤵
  PID:8420
- C:\Windows\System32\xlXoPVs.exe
  C:\Windows\System32\xlXoPVs.exe
  2⤵
  PID:8444
- C:\Windows\System32\EPujSUc.exe
  C:\Windows\System32\EPujSUc.exe
  2⤵
  PID:8464
- C:\Windows\System32\kcSUNCT.exe
  C:\Windows\System32\kcSUNCT.exe
  2⤵
  PID:8484
- C:\Windows\System32\AOXPjDx.exe
  C:\Windows\System32\AOXPjDx.exe
  2⤵
  PID:8520
- C:\Windows\System32\UbLMOCr.exe
  C:\Windows\System32\UbLMOCr.exe
  2⤵
  PID:8552
- C:\Windows\System32\RXqmoqM.exe
  C:\Windows\System32\RXqmoqM.exe
  2⤵
  PID:8568
- C:\Windows\System32\yIrSewL.exe
  C:\Windows\System32\yIrSewL.exe
  2⤵
  PID:8584
- C:\Windows\System32\VuYAPnY.exe
  C:\Windows\System32\VuYAPnY.exe
  2⤵
  PID:8620
- C:\Windows\System32\GDFoSvI.exe
  C:\Windows\System32\GDFoSvI.exe
  2⤵
  PID:8684
- C:\Windows\System32\ZKrHjfb.exe
  C:\Windows\System32\ZKrHjfb.exe
  2⤵
  PID:8712
- C:\Windows\System32\jMOfbPQ.exe
  C:\Windows\System32\jMOfbPQ.exe
  2⤵
  PID:8728
- C:\Windows\System32\amXajqk.exe
  C:\Windows\System32\amXajqk.exe
  2⤵
  PID:8756
- C:\Windows\System32\FPRRCyY.exe
  C:\Windows\System32\FPRRCyY.exe
  2⤵
  PID:8776
- C:\Windows\System32\iIoBktj.exe
  C:\Windows\System32\iIoBktj.exe
  2⤵
  PID:8792
- C:\Windows\System32\AHtbsdn.exe
  C:\Windows\System32\AHtbsdn.exe
  2⤵
  PID:8816
- C:\Windows\System32\aGcSMvr.exe
  C:\Windows\System32\aGcSMvr.exe
  2⤵
  PID:8840
- C:\Windows\System32\nGFXEmf.exe
  C:\Windows\System32\nGFXEmf.exe
  2⤵
  PID:8860
- C:\Windows\System32\odpTkui.exe
  C:\Windows\System32\odpTkui.exe
  2⤵
  PID:8880
- C:\Windows\System32\XrONWXg.exe
  C:\Windows\System32\XrONWXg.exe
  2⤵
  PID:8944
- C:\Windows\System32\nGTDlsM.exe
  C:\Windows\System32\nGTDlsM.exe
  2⤵
  PID:8988
- C:\Windows\System32\YAUtrUl.exe
  C:\Windows\System32\YAUtrUl.exe
  2⤵
  PID:9020
- C:\Windows\System32\TGVMKih.exe
  C:\Windows\System32\TGVMKih.exe
  2⤵
  PID:9080
- C:\Windows\System32\ntorQyb.exe
  C:\Windows\System32\ntorQyb.exe
  2⤵
  PID:9096
- C:\Windows\System32\iWwdqLj.exe
  C:\Windows\System32\iWwdqLj.exe
  2⤵
  PID:9116
- C:\Windows\System32\CdYbBIm.exe
  C:\Windows\System32\CdYbBIm.exe
  2⤵
  PID:9144
- C:\Windows\System32\MlGxeRo.exe
  C:\Windows\System32\MlGxeRo.exe
  2⤵
  PID:9160
- C:\Windows\System32\QCTDeUz.exe
  C:\Windows\System32\QCTDeUz.exe
  2⤵
  PID:9212
- C:\Windows\System32\ujrVvtZ.exe
  C:\Windows\System32\ujrVvtZ.exe
  2⤵
  PID:8208
- C:\Windows\System32\aRBjcgd.exe
  C:\Windows\System32\aRBjcgd.exe
  2⤵
  PID:8304
- C:\Windows\System32\DHcwCkD.exe
  C:\Windows\System32\DHcwCkD.exe
  2⤵
  PID:8372
- C:\Windows\System32\RJKlngl.exe
  C:\Windows\System32\RJKlngl.exe
  2⤵
  PID:3212
- C:\Windows\System32\wepDglk.exe
  C:\Windows\System32\wepDglk.exe
  2⤵
  PID:8500
- C:\Windows\System32\WoUvVll.exe
  C:\Windows\System32\WoUvVll.exe
  2⤵
  PID:8604
- C:\Windows\System32\wFzpWwI.exe
  C:\Windows\System32\wFzpWwI.exe
  2⤵
  PID:8592
- C:\Windows\System32\PraPMwO.exe
  C:\Windows\System32\PraPMwO.exe
  2⤵
  PID:8648
- C:\Windows\System32\uHggAhM.exe
  C:\Windows\System32\uHggAhM.exe
  2⤵
  PID:8788
- C:\Windows\System32\REfwcgc.exe
  C:\Windows\System32\REfwcgc.exe
  2⤵
  PID:8836
- C:\Windows\System32\GZztWGv.exe
  C:\Windows\System32\GZztWGv.exe
  2⤵
  PID:8872
- C:\Windows\System32\yMrcAKz.exe
  C:\Windows\System32\yMrcAKz.exe
  2⤵
  PID:8996
- C:\Windows\System32\LpwxlUm.exe
  C:\Windows\System32\LpwxlUm.exe
  2⤵
  PID:6712
- C:\Windows\System32\NrzVCSu.exe
  C:\Windows\System32\NrzVCSu.exe
  2⤵
  PID:6696
- C:\Windows\System32\DBFPJfC.exe
  C:\Windows\System32\DBFPJfC.exe
  2⤵
  PID:9104
- C:\Windows\System32\YvByJcU.exe
  C:\Windows\System32\YvByJcU.exe
  2⤵
  PID:5148
- C:\Windows\System32\KfyqWQa.exe
  C:\Windows\System32\KfyqWQa.exe
  2⤵
  PID:9108
- C:\Windows\System32\tjlJclI.exe
  C:\Windows\System32\tjlJclI.exe
  2⤵
  PID:3084
- C:\Windows\System32\yVmIREn.exe
  C:\Windows\System32\yVmIREn.exe
  2⤵
  PID:4584
- C:\Windows\System32\mpJJPJH.exe
  C:\Windows\System32\mpJJPJH.exe
  2⤵
  PID:9204
- C:\Windows\System32\qwKmUse.exe
  C:\Windows\System32\qwKmUse.exe
  2⤵
  PID:8280
- C:\Windows\System32\aLnNamJ.exe
  C:\Windows\System32\aLnNamJ.exe
  2⤵
  PID:8744
- C:\Windows\System32\ADrDzfI.exe
  C:\Windows\System32\ADrDzfI.exe
  2⤵
  PID:8768
- C:\Windows\System32\ndEAiox.exe
  C:\Windows\System32\ndEAiox.exe
  2⤵
  PID:6724
- C:\Windows\System32\szCFwMy.exe
  C:\Windows\System32\szCFwMy.exe
  2⤵
  PID:4632
- C:\Windows\System32\AmRIXZS.exe
  C:\Windows\System32\AmRIXZS.exe
  2⤵
  PID:8232
- C:\Windows\System32\HYoceBP.exe
  C:\Windows\System32\HYoceBP.exe
  2⤵
  PID:8472
- C:\Windows\System32\GKafnvu.exe
  C:\Windows\System32\GKafnvu.exe
  2⤵
  PID:8928
- C:\Windows\System32\npHTFUR.exe
  C:\Windows\System32\npHTFUR.exe
  2⤵
  PID:6700
- C:\Windows\System32\shkpxKu.exe
  C:\Windows\System32\shkpxKu.exe
  2⤵
  PID:9008
- C:\Windows\System32\qOReHZw.exe
  C:\Windows\System32\qOReHZw.exe
  2⤵
  PID:8456
- C:\Windows\System32\KEYnJqK.exe
  C:\Windows\System32\KEYnJqK.exe
  2⤵
  PID:8564
- C:\Windows\System32\iaJsnKB.exe
  C:\Windows\System32\iaJsnKB.exe
  2⤵
  PID:9092
- C:\Windows\System32\XsnPuyw.exe
  C:\Windows\System32\XsnPuyw.exe
  2⤵
  PID:9224
- C:\Windows\System32\dVfojqw.exe
  C:\Windows\System32\dVfojqw.exe
  2⤵
  PID:9360
- C:\Windows\System32\cFdsBOZ.exe
  C:\Windows\System32\cFdsBOZ.exe
  2⤵
  PID:9384
- C:\Windows\System32\QrYcXJF.exe
  C:\Windows\System32\QrYcXJF.exe
  2⤵
  PID:9416
- C:\Windows\System32\QAMogSd.exe
  C:\Windows\System32\QAMogSd.exe
  2⤵
  PID:9440
- C:\Windows\System32\uEbsscT.exe
  C:\Windows\System32\uEbsscT.exe
  2⤵
  PID:9468
- C:\Windows\System32\NKKJQyR.exe
  C:\Windows\System32\NKKJQyR.exe
  2⤵
  PID:9488
- C:\Windows\System32\qzptFeY.exe
  C:\Windows\System32\qzptFeY.exe
  2⤵
  PID:9504
- C:\Windows\System32\WkNorVo.exe
  C:\Windows\System32\WkNorVo.exe
  2⤵
  PID:9520
- C:\Windows\System32\nweSyUZ.exe
  C:\Windows\System32\nweSyUZ.exe
  2⤵
  PID:9560
- C:\Windows\System32\YKlqgGz.exe
  C:\Windows\System32\YKlqgGz.exe
  2⤵
  PID:9608
- C:\Windows\System32\PyGzcVc.exe
  C:\Windows\System32\PyGzcVc.exe
  2⤵
  PID:9648
- C:\Windows\System32\zlEljwQ.exe
  C:\Windows\System32\zlEljwQ.exe
  2⤵
  PID:9676
- C:\Windows\System32\fQGxWkt.exe
  C:\Windows\System32\fQGxWkt.exe
  2⤵
  PID:9692
- C:\Windows\System32\HcnOapj.exe
  C:\Windows\System32\HcnOapj.exe
  2⤵
  PID:9712
- C:\Windows\System32\UTJmrLQ.exe
  C:\Windows\System32\UTJmrLQ.exe
  2⤵
  PID:9732
- C:\Windows\System32\FUwaonS.exe
  C:\Windows\System32\FUwaonS.exe
  2⤵
  PID:9764
- C:\Windows\System32\HtrbPMX.exe
  C:\Windows\System32\HtrbPMX.exe
  2⤵
  PID:9808
- C:\Windows\System32\VpfBPRW.exe
  C:\Windows\System32\VpfBPRW.exe
  2⤵
  PID:9832
- C:\Windows\System32\RLCaFvw.exe
  C:\Windows\System32\RLCaFvw.exe
  2⤵
  PID:9848
- C:\Windows\System32\EctLnYs.exe
  C:\Windows\System32\EctLnYs.exe
  2⤵
  PID:9876
- C:\Windows\System32\gcxmERC.exe
  C:\Windows\System32\gcxmERC.exe
  2⤵
  PID:9912
- C:\Windows\System32\SHxkLjy.exe
  C:\Windows\System32\SHxkLjy.exe
  2⤵
  PID:9932
- C:\Windows\System32\KfTdkhX.exe
  C:\Windows\System32\KfTdkhX.exe
  2⤵
  PID:9964
- C:\Windows\System32\iVQeuyg.exe
  C:\Windows\System32\iVQeuyg.exe
  2⤵
  PID:10020
- C:\Windows\System32\reAjuiN.exe
  C:\Windows\System32\reAjuiN.exe
  2⤵
  PID:10040
- C:\Windows\System32\FdxVfUG.exe
  C:\Windows\System32\FdxVfUG.exe
  2⤵
  PID:10056
- C:\Windows\System32\jezvTrl.exe
  C:\Windows\System32\jezvTrl.exe
  2⤵
  PID:10084
- C:\Windows\System32\hPstWvD.exe
  C:\Windows\System32\hPstWvD.exe
  2⤵
  PID:10104
- C:\Windows\System32\UWFypPH.exe
  C:\Windows\System32\UWFypPH.exe
  2⤵
  PID:10120
- C:\Windows\System32\oaWqPOK.exe
  C:\Windows\System32\oaWqPOK.exe
  2⤵
  PID:10156
- C:\Windows\System32\lOvMXKH.exe
  C:\Windows\System32\lOvMXKH.exe
  2⤵
  PID:10188
- C:\Windows\System32\Pofqxer.exe
  C:\Windows\System32\Pofqxer.exe
  2⤵
  PID:10216
- C:\Windows\System32\iozSceb.exe
  C:\Windows\System32\iozSceb.exe
  2⤵
  PID:9152
- C:\Windows\System32\NRtsSzu.exe
  C:\Windows\System32\NRtsSzu.exe
  2⤵
  PID:9284
- C:\Windows\System32\ehDihaG.exe
  C:\Windows\System32\ehDihaG.exe
  2⤵
  PID:8868
- C:\Windows\System32\uLyEtfn.exe
  C:\Windows\System32\uLyEtfn.exe
  2⤵
  PID:9368
- C:\Windows\System32\oMNUTOi.exe
  C:\Windows\System32\oMNUTOi.exe
  2⤵
  PID:9460
- C:\Windows\System32\OnbGemx.exe
  C:\Windows\System32\OnbGemx.exe
  2⤵
  PID:9528
- C:\Windows\System32\dYqLYeA.exe
  C:\Windows\System32\dYqLYeA.exe
  2⤵
  PID:9644
- C:\Windows\System32\bTAwDsd.exe
  C:\Windows\System32\bTAwDsd.exe
  2⤵
  PID:9660
- C:\Windows\System32\uJTCLZA.exe
  C:\Windows\System32\uJTCLZA.exe
  2⤵
  PID:9744
- C:\Windows\System32\PYbjnQS.exe
  C:\Windows\System32\PYbjnQS.exe
  2⤵
  PID:9784
- C:\Windows\System32\LmuWJkU.exe
  C:\Windows\System32\LmuWJkU.exe
  2⤵
  PID:9864
- C:\Windows\System32\ZvptTmd.exe
  C:\Windows\System32\ZvptTmd.exe
  2⤵
  PID:9924
- C:\Windows\System32\RqbdOQY.exe
  C:\Windows\System32\RqbdOQY.exe
  2⤵
  PID:9984
- C:\Windows\System32\TJcIOnj.exe
  C:\Windows\System32\TJcIOnj.exe
  2⤵
  PID:10072
- C:\Windows\System32\YuSxSIx.exe
  C:\Windows\System32\YuSxSIx.exe
  2⤵
  PID:10148
- C:\Windows\System32\PKYwtIL.exe
  C:\Windows\System32\PKYwtIL.exe
  2⤵
  PID:10196
- C:\Windows\System32\SAblwuy.exe
  C:\Windows\System32\SAblwuy.exe
  2⤵
  PID:8404
- C:\Windows\System32\YcjgdeA.exe
  C:\Windows\System32\YcjgdeA.exe
  2⤵
  PID:9412
- C:\Windows\System32\JkcZqMj.exe
  C:\Windows\System32\JkcZqMj.exe
  2⤵
  PID:9340
- C:\Windows\System32\hdTxYNf.exe
  C:\Windows\System32\hdTxYNf.exe
  2⤵
  PID:9512
- C:\Windows\System32\CPgjexd.exe
  C:\Windows\System32\CPgjexd.exe
  2⤵
  PID:9752
- C:\Windows\System32\Bxgcuup.exe
  C:\Windows\System32\Bxgcuup.exe
  2⤵
  PID:9780
- C:\Windows\System32\FQGkaal.exe
  C:\Windows\System32\FQGkaal.exe
  2⤵
  PID:9820
- C:\Windows\System32\PqnBwHK.exe
  C:\Windows\System32\PqnBwHK.exe
  2⤵
  PID:10052
- C:\Windows\System32\lQLXphL.exe
  C:\Windows\System32\lQLXphL.exe
  2⤵
  PID:9448
- C:\Windows\System32\stAQbJf.exe
  C:\Windows\System32\stAQbJf.exe
  2⤵
  PID:9928
- C:\Windows\System32\aJnjNCN.exe
  C:\Windows\System32\aJnjNCN.exe
  2⤵
  PID:4124
- C:\Windows\System32\iGdOecp.exe
  C:\Windows\System32\iGdOecp.exe
  2⤵
  PID:9708
- C:\Windows\System32\DNruTIE.exe
  C:\Windows\System32\DNruTIE.exe
  2⤵
  PID:10276
- C:\Windows\System32\ubqGjDw.exe
  C:\Windows\System32\ubqGjDw.exe
  2⤵
  PID:10292
- C:\Windows\System32\MTPZQWm.exe
  C:\Windows\System32\MTPZQWm.exe
  2⤵
  PID:10312
- C:\Windows\System32\TLSkjub.exe
  C:\Windows\System32\TLSkjub.exe
  2⤵
  PID:10336
- C:\Windows\System32\cAklJmr.exe
  C:\Windows\System32\cAklJmr.exe
  2⤵
  PID:10372
- C:\Windows\System32\FhYZWiz.exe
  C:\Windows\System32\FhYZWiz.exe
  2⤵
  PID:10396
- C:\Windows\System32\bxmKFiL.exe
  C:\Windows\System32\bxmKFiL.exe
  2⤵
  PID:10440
- C:\Windows\System32\CLVqCIE.exe
  C:\Windows\System32\CLVqCIE.exe
  2⤵
  PID:10468
- C:\Windows\System32\sUVVAff.exe
  C:\Windows\System32\sUVVAff.exe
  2⤵
  PID:10488
- C:\Windows\System32\GmAahbH.exe
  C:\Windows\System32\GmAahbH.exe
  2⤵
  PID:10516
- C:\Windows\System32\LJiFnwU.exe
  C:\Windows\System32\LJiFnwU.exe
  2⤵
  PID:10540
- C:\Windows\System32\kuYcoMM.exe
  C:\Windows\System32\kuYcoMM.exe
  2⤵
  PID:10568
- C:\Windows\System32\gEpvQoe.exe
  C:\Windows\System32\gEpvQoe.exe
  2⤵
  PID:10592
- C:\Windows\System32\gNcjjOx.exe
  C:\Windows\System32\gNcjjOx.exe
  2⤵
  PID:10620
- C:\Windows\System32\EIJlTmD.exe
  C:\Windows\System32\EIJlTmD.exe
  2⤵
  PID:10636
- C:\Windows\System32\ikEwFPt.exe
  C:\Windows\System32\ikEwFPt.exe
  2⤵
  PID:10712
- C:\Windows\System32\tZPGgtk.exe
  C:\Windows\System32\tZPGgtk.exe
  2⤵
  PID:10728
- C:\Windows\System32\mlJLYou.exe
  C:\Windows\System32\mlJLYou.exe
  2⤵
  PID:10748
- C:\Windows\System32\tcjYbul.exe
  C:\Windows\System32\tcjYbul.exe
  2⤵
  PID:10776
- C:\Windows\System32\pIATFdn.exe
  C:\Windows\System32\pIATFdn.exe
  2⤵
  PID:10792
- C:\Windows\System32\fOOaGKk.exe
  C:\Windows\System32\fOOaGKk.exe
  2⤵
  PID:10812
- C:\Windows\System32\sokZLrk.exe
  C:\Windows\System32\sokZLrk.exe
  2⤵
  PID:10872
- C:\Windows\System32\uiSlZHF.exe
  C:\Windows\System32\uiSlZHF.exe
  2⤵
  PID:10892
- C:\Windows\System32\EGtPPwS.exe
  C:\Windows\System32\EGtPPwS.exe
  2⤵
  PID:10908
- C:\Windows\System32\gdfAXZV.exe
  C:\Windows\System32\gdfAXZV.exe
  2⤵
  PID:10932
- C:\Windows\System32\hVaSLwc.exe
  C:\Windows\System32\hVaSLwc.exe
  2⤵
  PID:10964
- C:\Windows\System32\lPDYokH.exe
  C:\Windows\System32\lPDYokH.exe
  2⤵
  PID:10988
- C:\Windows\System32\ecGKYJj.exe
  C:\Windows\System32\ecGKYJj.exe
  2⤵
  PID:11016
- C:\Windows\System32\VCGkLva.exe
  C:\Windows\System32\VCGkLva.exe
  2⤵
  PID:11056
- C:\Windows\System32\vGhRvlu.exe
  C:\Windows\System32\vGhRvlu.exe
  2⤵
  PID:11072
- C:\Windows\System32\lDrhvDK.exe
  C:\Windows\System32\lDrhvDK.exe
  2⤵
  PID:11092
- C:\Windows\System32\HhPoPRd.exe
  C:\Windows\System32\HhPoPRd.exe
  2⤵
  PID:11108
- C:\Windows\System32\OYKKXWO.exe
  C:\Windows\System32\OYKKXWO.exe
  2⤵
  PID:11128
- C:\Windows\System32\JkvVzbD.exe
  C:\Windows\System32\JkvVzbD.exe
  2⤵
  PID:11144
- C:\Windows\System32\XVLMdxz.exe
  C:\Windows\System32\XVLMdxz.exe
  2⤵
  PID:11200
- C:\Windows\System32\mRGQoTQ.exe
  C:\Windows\System32\mRGQoTQ.exe
  2⤵
  PID:11216
- C:\Windows\System32\QhuOned.exe
  C:\Windows\System32\QhuOned.exe
  2⤵
  PID:11232
- C:\Windows\System32\cJzFWUB.exe
  C:\Windows\System32\cJzFWUB.exe
  2⤵
  PID:11260
- C:\Windows\System32\tTIYAnk.exe
  C:\Windows\System32\tTIYAnk.exe
  2⤵
  PID:10332
- C:\Windows\System32\NWGqBmH.exe
  C:\Windows\System32\NWGqBmH.exe
  2⤵
  PID:10380
- C:\Windows\System32\ZtsCaPb.exe
  C:\Windows\System32\ZtsCaPb.exe
  2⤵
  PID:10528
- C:\Windows\System32\OsZUzEJ.exe
  C:\Windows\System32\OsZUzEJ.exe
  2⤵
  PID:10616
- C:\Windows\System32\vebAsZV.exe
  C:\Windows\System32\vebAsZV.exe
  2⤵
  PID:10600
- C:\Windows\System32\dpRzJDl.exe
  C:\Windows\System32\dpRzJDl.exe
  2⤵
  PID:10680
- C:\Windows\System32\wWuHTuH.exe
  C:\Windows\System32\wWuHTuH.exe
  2⤵
  PID:10764
- C:\Windows\System32\rJbGSXf.exe
  C:\Windows\System32\rJbGSXf.exe
  2⤵
  PID:10784
- C:\Windows\System32\DaeFTIm.exe
  C:\Windows\System32\DaeFTIm.exe
  2⤵
  PID:10904
- C:\Windows\System32\ITWHdAh.exe
  C:\Windows\System32\ITWHdAh.exe
  2⤵
  PID:10984
- C:\Windows\System32\slHyZmy.exe
  C:\Windows\System32\slHyZmy.exe
  2⤵
  PID:11040
- C:\Windows\System32\TiJJpdl.exe
  C:\Windows\System32\TiJJpdl.exe
  2⤵
  PID:11104
- C:\Windows\System32\kFeSDVJ.exe
  C:\Windows\System32\kFeSDVJ.exe
  2⤵
  PID:11176
- C:\Windows\System32\lCtymoX.exe
  C:\Windows\System32\lCtymoX.exe
  2⤵
  PID:11248
- C:\Windows\System32\RXfDfba.exe
  C:\Windows\System32\RXfDfba.exe
  2⤵
  PID:11256
- C:\Windows\System32\VnMMXQS.exe
  C:\Windows\System32\VnMMXQS.exe
  2⤵
  PID:10360
- C:\Windows\System32\qHKATcc.exe
  C:\Windows\System32\qHKATcc.exe
  2⤵
  PID:10588
- C:\Windows\System32\lPTySum.exe
  C:\Windows\System32\lPTySum.exe
  2⤵
  PID:10016
- C:\Windows\System32\iyLLcWy.exe
  C:\Windows\System32\iyLLcWy.exe
  2⤵
  PID:10844
- C:\Windows\System32\rEaIKcp.exe
  C:\Windows\System32\rEaIKcp.exe
  2⤵
  PID:11064
- C:\Windows\System32\REmvseC.exe
  C:\Windows\System32\REmvseC.exe
  2⤵
  PID:11080
- C:\Windows\System32\iIPZfmZ.exe
  C:\Windows\System32\iIPZfmZ.exe
  2⤵
  PID:10484
- C:\Windows\System32\BIVYUYF.exe
  C:\Windows\System32\BIVYUYF.exe
  2⤵
  PID:10580
- C:\Windows\System32\psnaHFW.exe
  C:\Windows\System32\psnaHFW.exe
  2⤵
  PID:11188
- C:\Windows\System32\TQUiEkF.exe
  C:\Windows\System32\TQUiEkF.exe
  2⤵
  PID:11268
- C:\Windows\System32\YmOwHRa.exe
  C:\Windows\System32\YmOwHRa.exe
  2⤵
  PID:11292
- C:\Windows\System32\NHXGCKv.exe
  C:\Windows\System32\NHXGCKv.exe
  2⤵
  PID:11316
- C:\Windows\System32\fUWrMpt.exe
  C:\Windows\System32\fUWrMpt.exe
  2⤵
  PID:11336
- C:\Windows\System32\xAlcSIF.exe
  C:\Windows\System32\xAlcSIF.exe
  2⤵
  PID:11368
- C:\Windows\System32\sCmsGai.exe
  C:\Windows\System32\sCmsGai.exe
  2⤵
  PID:11400
- C:\Windows\System32\NLkUwGQ.exe
  C:\Windows\System32\NLkUwGQ.exe
  2⤵
  PID:11420
- C:\Windows\System32\NNqGRRr.exe
  C:\Windows\System32\NNqGRRr.exe
  2⤵
  PID:11456
- C:\Windows\System32\CWJAeYt.exe
  C:\Windows\System32\CWJAeYt.exe
  2⤵
  PID:11488
- C:\Windows\System32\mjOUVZl.exe
  C:\Windows\System32\mjOUVZl.exe
  2⤵
  PID:11520
- C:\Windows\System32\EmpQbSy.exe
  C:\Windows\System32\EmpQbSy.exe
  2⤵
  PID:11540
- C:\Windows\System32\AFLNZjk.exe
  C:\Windows\System32\AFLNZjk.exe
  2⤵
  PID:11568
- C:\Windows\System32\CWrulQT.exe
  C:\Windows\System32\CWrulQT.exe
  2⤵
  PID:11584
- C:\Windows\System32\CPEebcM.exe
  C:\Windows\System32\CPEebcM.exe
  2⤵
  PID:11620
- C:\Windows\System32\IdMFsWy.exe
  C:\Windows\System32\IdMFsWy.exe
  2⤵
  PID:11644
- C:\Windows\System32\jgCFfZY.exe
  C:\Windows\System32\jgCFfZY.exe
  2⤵
  PID:11704
- C:\Windows\System32\HgBmNRP.exe
  C:\Windows\System32\HgBmNRP.exe
  2⤵
  PID:11732
- C:\Windows\System32\smygAwo.exe
  C:\Windows\System32\smygAwo.exe
  2⤵
  PID:11748
- C:\Windows\System32\grarlCV.exe
  C:\Windows\System32\grarlCV.exe
  2⤵
  PID:11768
- C:\Windows\System32\LcNYVvB.exe
  C:\Windows\System32\LcNYVvB.exe
  2⤵
  PID:11792
- C:\Windows\System32\IaALgGk.exe
  C:\Windows\System32\IaALgGk.exe
  2⤵
  PID:11808
- C:\Windows\System32\OBhnkPd.exe
  C:\Windows\System32\OBhnkPd.exe
  2⤵
  PID:11828
- C:\Windows\System32\lvgfmxj.exe
  C:\Windows\System32\lvgfmxj.exe
  2⤵
  PID:11844
- C:\Windows\System32\SYWVHnP.exe
  C:\Windows\System32\SYWVHnP.exe
  2⤵
  PID:11868
- C:\Windows\System32\GvUHvvN.exe
  C:\Windows\System32\GvUHvvN.exe
  2⤵
  PID:11912
- C:\Windows\System32\aZhFcHK.exe
  C:\Windows\System32\aZhFcHK.exe
  2⤵
  PID:11944
- C:\Windows\System32\uBrVdEg.exe
  C:\Windows\System32\uBrVdEg.exe
  2⤵
  PID:11968
- C:\Windows\System32\JtwLKIp.exe
  C:\Windows\System32\JtwLKIp.exe
  2⤵
  PID:12028
- C:\Windows\System32\CQHkZFs.exe
  C:\Windows\System32\CQHkZFs.exe
  2⤵
  PID:12044
- C:\Windows\System32\hpdVRXq.exe
  C:\Windows\System32\hpdVRXq.exe
  2⤵
  PID:12060
- C:\Windows\System32\iKcZkbt.exe
  C:\Windows\System32\iKcZkbt.exe
  2⤵
  PID:12112
- C:\Windows\System32\KnBFzIQ.exe
  C:\Windows\System32\KnBFzIQ.exe
  2⤵
  PID:12152
- C:\Windows\System32\zPdKtbY.exe
  C:\Windows\System32\zPdKtbY.exe
  2⤵
  PID:12180
- C:\Windows\System32\coadEdQ.exe
  C:\Windows\System32\coadEdQ.exe
  2⤵
  PID:12196
- C:\Windows\System32\MJtBHwJ.exe
  C:\Windows\System32\MJtBHwJ.exe
  2⤵
  PID:12212
- C:\Windows\System32\mMWOVxB.exe
  C:\Windows\System32\mMWOVxB.exe
  2⤵
  PID:12240
- C:\Windows\System32\LxbFzDZ.exe
  C:\Windows\System32\LxbFzDZ.exe
  2⤵
  PID:12280
- C:\Windows\System32\lofiHxB.exe
  C:\Windows\System32\lofiHxB.exe
  2⤵
  PID:11280
- C:\Windows\System32\pyULqAo.exe
  C:\Windows\System32\pyULqAo.exe
  2⤵
  PID:11324
- C:\Windows\System32\VBJDWcR.exe
  C:\Windows\System32\VBJDWcR.exe
  2⤵
  PID:11500
- C:\Windows\System32\BnOZuQB.exe
  C:\Windows\System32\BnOZuQB.exe
  2⤵
  PID:11496
- C:\Windows\System32\fVnVywp.exe
  C:\Windows\System32\fVnVywp.exe
  2⤵
  PID:11532
- C:\Windows\System32\vnRjEVw.exe
  C:\Windows\System32\vnRjEVw.exe
  2⤵
  PID:11652
- C:\Windows\System32\eQRZSXc.exe
  C:\Windows\System32\eQRZSXc.exe
  2⤵
  PID:11712
- C:\Windows\System32\ofnNZll.exe
  C:\Windows\System32\ofnNZll.exe
  2⤵
  PID:11700
- C:\Windows\System32\AldpxzA.exe
  C:\Windows\System32\AldpxzA.exe
  2⤵
  PID:11804
- C:\Windows\System32\lLVydxj.exe
  C:\Windows\System32\lLVydxj.exe
  2⤵
  PID:11836
- C:\Windows\System32\FWPLJUR.exe
  C:\Windows\System32\FWPLJUR.exe
  2⤵
  PID:11980
- C:\Windows\System32\ADbgQcb.exe
  C:\Windows\System32\ADbgQcb.exe
  2⤵
  PID:11976
- C:\Windows\System32\RQWFkxf.exe
  C:\Windows\System32\RQWFkxf.exe
  2⤵
  PID:12080
- C:\Windows\System32\TuYBnXQ.exe
  C:\Windows\System32\TuYBnXQ.exe
  2⤵
  PID:12144
- C:\Windows\System32\AVUtjow.exe
  C:\Windows\System32\AVUtjow.exe
  2⤵
  PID:12188
- C:\Windows\System32\KptTMFr.exe
  C:\Windows\System32\KptTMFr.exe
  2⤵
  PID:12276
- C:\Windows\System32\JdIAhUN.exe
  C:\Windows\System32\JdIAhUN.exe
  2⤵
  PID:11360
- C:\Windows\System32\jmcyYdL.exe
  C:\Windows\System32\jmcyYdL.exe
  2⤵
  PID:11548
- C:\Windows\System32\EqhRptO.exe
  C:\Windows\System32\EqhRptO.exe
  2⤵
  PID:11636
- C:\Windows\System32\LnzenMV.exe
  C:\Windows\System32\LnzenMV.exe
  2⤵
  PID:10668
- C:\Windows\System32\BCOpNNX.exe
  C:\Windows\System32\BCOpNNX.exe
  2⤵
  PID:11288
- C:\Windows\System32\ZGHKxkv.exe
  C:\Windows\System32\ZGHKxkv.exe
  2⤵
  PID:11464
- C:\Windows\System32\hlBXIfw.exe
  C:\Windows\System32\hlBXIfw.exe
  2⤵
  PID:11744
- C:\Windows\System32\HROorUN.exe
  C:\Windows\System32\HROorUN.exe
  2⤵
  PID:11940
- C:\Windows\System32\GgpsllP.exe
  C:\Windows\System32\GgpsllP.exe
  2⤵
  PID:12300
- C:\Windows\System32\bLDuLId.exe
  C:\Windows\System32\bLDuLId.exe
  2⤵
  PID:12316
- C:\Windows\System32\YHUJUXv.exe
  C:\Windows\System32\YHUJUXv.exe
  2⤵
  PID:12332
- C:\Windows\System32\PJnZuCM.exe
  C:\Windows\System32\PJnZuCM.exe
  2⤵
  PID:12348
- C:\Windows\System32\grOLdMo.exe
  C:\Windows\System32\grOLdMo.exe
  2⤵
  PID:12364
- C:\Windows\System32\QjlQcEt.exe
  C:\Windows\System32\QjlQcEt.exe
  2⤵
  PID:12380
- C:\Windows\System32\VXPYIzT.exe
  C:\Windows\System32\VXPYIzT.exe
  2⤵
  PID:12396
- C:\Windows\System32\ImGsYdy.exe
  C:\Windows\System32\ImGsYdy.exe
  2⤵
  PID:12412
- C:\Windows\System32\VuwXrSF.exe
  C:\Windows\System32\VuwXrSF.exe
  2⤵
  PID:12432
- C:\Windows\System32\NCoXYDK.exe
  C:\Windows\System32\NCoXYDK.exe
  2⤵
  PID:12472
- C:\Windows\System32\gJIxPdc.exe
  C:\Windows\System32\gJIxPdc.exe
  2⤵
  PID:12488
- C:\Windows\System32\jZOMZNS.exe
  C:\Windows\System32\jZOMZNS.exe
  2⤵
  PID:12512
- C:\Windows\System32\JKSwAkP.exe
  C:\Windows\System32\JKSwAkP.exe
  2⤵
  PID:12620
- C:\Windows\System32\zGrzwSJ.exe
  C:\Windows\System32\zGrzwSJ.exe
  2⤵
  PID:12644
- C:\Windows\System32\XFvowEZ.exe
  C:\Windows\System32\XFvowEZ.exe
  2⤵
  PID:12704
- C:\Windows\System32\gIsIUmb.exe
  C:\Windows\System32\gIsIUmb.exe
  2⤵
  PID:12740
- C:\Windows\System32\CmXwEAT.exe
  C:\Windows\System32\CmXwEAT.exe
  2⤵
  PID:12764
- C:\Windows\System32\SurRHmr.exe
  C:\Windows\System32\SurRHmr.exe
  2⤵
  PID:12780
- C:\Windows\System32\ZHcdjlq.exe
  C:\Windows\System32\ZHcdjlq.exe
  2⤵
  PID:12828
- C:\Windows\System32\eSsDVju.exe
  C:\Windows\System32\eSsDVju.exe
  2⤵
  PID:12884
- C:\Windows\System32\BpFdXHB.exe
  C:\Windows\System32\BpFdXHB.exe
  2⤵
  PID:12912
- C:\Windows\System32\ojiOkEz.exe
  C:\Windows\System32\ojiOkEz.exe
  2⤵
  PID:12932
- C:\Windows\System32\EOrUgJn.exe
  C:\Windows\System32\EOrUgJn.exe
  2⤵
  PID:12968
- C:\Windows\System32\avRDmJt.exe
  C:\Windows\System32\avRDmJt.exe
  2⤵
  PID:12992
- C:\Windows\System32\IttBrVN.exe
  C:\Windows\System32\IttBrVN.exe
  2⤵
  PID:13012
- C:\Windows\System32\ucmAfbr.exe
  C:\Windows\System32\ucmAfbr.exe
  2⤵
  PID:13028
- C:\Windows\System32\ynHrcAP.exe
  C:\Windows\System32\ynHrcAP.exe
  2⤵
  PID:13068
- C:\Windows\System32\QqHJckS.exe
  C:\Windows\System32\QqHJckS.exe
  2⤵
  PID:13128
- C:\Windows\System32\uXwAifI.exe
  C:\Windows\System32\uXwAifI.exe
  2⤵
  PID:13196
- C:\Windows\System32\sCQypEn.exe
  C:\Windows\System32\sCQypEn.exe
  2⤵
  PID:13224
- C:\Windows\System32\KTQbndG.exe
  C:\Windows\System32\KTQbndG.exe
  2⤵
  PID:13268
- C:\Windows\System32\hAiKuUk.exe
  C:\Windows\System32\hAiKuUk.exe
  2⤵
  PID:13288
- C:\Windows\System32\WotAIOw.exe
  C:\Windows\System32\WotAIOw.exe
  2⤵
  PID:13308
- C:\Windows\System32\uFCEqoV.exe
  C:\Windows\System32\uFCEqoV.exe
  2⤵
  PID:12056
- C:\Windows\System32\dMxDlJs.exe
  C:\Windows\System32\dMxDlJs.exe
  2⤵
  PID:12164
- C:\Windows\System32\fplyGLV.exe
  C:\Windows\System32\fplyGLV.exe
  2⤵
  PID:12004
- C:\Windows\System32\zXAivqF.exe
  C:\Windows\System32\zXAivqF.exe
  2⤵
  PID:12344
- C:\Windows\System32\DgKvuSv.exe
  C:\Windows\System32\DgKvuSv.exe
  2⤵
  PID:12420
- C:\Windows\System32\cuSzqny.exe
  C:\Windows\System32\cuSzqny.exe
  2⤵
  PID:12324
- C:\Windows\System32\RYybSWQ.exe
  C:\Windows\System32\RYybSWQ.exe
  2⤵
  PID:11628
- C:\Windows\System32\BWKCXni.exe
  C:\Windows\System32\BWKCXni.exe
  2⤵
  PID:12484
- C:\Windows\System32\FbaBKtF.exe
  C:\Windows\System32\FbaBKtF.exe
  2⤵
  PID:12608
- C:\Windows\System32\KhvqHRL.exe
  C:\Windows\System32\KhvqHRL.exe
  2⤵
  PID:12672
- C:\Windows\System32\axOhbmn.exe
  C:\Windows\System32\axOhbmn.exe
  2⤵
  PID:12760
- C:\Windows\System32\jFLBEII.exe
  C:\Windows\System32\jFLBEII.exe
  2⤵
  PID:12808
- C:\Windows\System32\tsXXpGM.exe
  C:\Windows\System32\tsXXpGM.exe
  2⤵
  PID:12868
- C:\Windows\System32\zBehwdn.exe
  C:\Windows\System32\zBehwdn.exe
  2⤵
  PID:12952
- C:\Windows\System32\XZEcrop.exe
  C:\Windows\System32\XZEcrop.exe
  2⤵
  PID:12976
- C:\Windows\System32\vuuaIeU.exe
  C:\Windows\System32\vuuaIeU.exe
  2⤵
  PID:13044
- C:\Windows\System32\oEXGrHl.exe
  C:\Windows\System32\oEXGrHl.exe
  2⤵
  PID:13092
- C:\Windows\System32\fjPtOAl.exe
  C:\Windows\System32\fjPtOAl.exe
  2⤵
  PID:13160
- C:\Windows\System32\xOviEAc.exe
  C:\Windows\System32\xOviEAc.exe
  2⤵
  PID:13180
- C:\Windows\System32\VNDlHnP.exe
  C:\Windows\System32\VNDlHnP.exe
  2⤵
  PID:13232
- C:\Windows\System32\TyrkIEB.exe
  C:\Windows\System32\TyrkIEB.exe
  2⤵
  PID:13296
- C:\Windows\System32\hptAsfm.exe
  C:\Windows\System32\hptAsfm.exe
  2⤵
  PID:12092
- C:\Windows\System32\IMQGajL.exe
  C:\Windows\System32\IMQGajL.exe
  2⤵
  PID:11408
- C:\Windows\System32\smQIKcE.exe
  C:\Windows\System32\smQIKcE.exe
  2⤵
  PID:12376
- C:\Windows\System32\vVrygCr.exe
  C:\Windows\System32\vVrygCr.exe
  2⤵
  PID:12508
- C:\Windows\System32\xBmQcwT.exe
  C:\Windows\System32\xBmQcwT.exe
  2⤵
  PID:1184
- C:\Windows\System32\hRZDRZZ.exe
  C:\Windows\System32\hRZDRZZ.exe
  2⤵
  PID:12844
- C:\Windows\System32\TcVUdTp.exe
  C:\Windows\System32\TcVUdTp.exe
  2⤵
  PID:13008
- C:\Windows\System32\GddksxA.exe
  C:\Windows\System32\GddksxA.exe
  2⤵
  PID:13108
- C:\Windows\System32\oRuxchq.exe
  C:\Windows\System32\oRuxchq.exe
  2⤵
  PID:13208
- C:\Windows\System32\IWhyTVB.exe
  C:\Windows\System32\IWhyTVB.exe
  2⤵
  PID:12372
- C:\Windows\System32\nKVSmLt.exe
  C:\Windows\System32\nKVSmLt.exe
  2⤵
  PID:12652
- C:\Windows\System32\UPsxTjS.exe
  C:\Windows\System32\UPsxTjS.exe
  2⤵
  PID:12792
- C:\Windows\System32\uOGiJbG.exe
  C:\Windows\System32\uOGiJbG.exe
  2⤵
  PID:13148
- C:\Windows\System32\tAUfCJy.exe
  C:\Windows\System32\tAUfCJy.exe
  2⤵
  PID:12984
- C:\Windows\System32\iwfXElE.exe
  C:\Windows\System32\iwfXElE.exe
  2⤵
  PID:13320
- C:\Windows\System32\PNMyhuT.exe
  C:\Windows\System32\PNMyhuT.exe
  2⤵
  PID:13340
- C:\Windows\System32\cwSsGxH.exe
  C:\Windows\System32\cwSsGxH.exe
  2⤵
  PID:13356
- C:\Windows\System32\OfHFnDs.exe
  C:\Windows\System32\OfHFnDs.exe
  2⤵
  PID:13392
- C:\Windows\System32\fMkNzGw.exe
  C:\Windows\System32\fMkNzGw.exe
  2⤵
  PID:13424
- C:\Windows\System32\kBEnwqR.exe
  C:\Windows\System32\kBEnwqR.exe
  2⤵
  PID:13468
- C:\Windows\System32\KZuoDgb.exe
  C:\Windows\System32\KZuoDgb.exe
  2⤵
  PID:13492
- C:\Windows\System32\rKxYzvn.exe
  C:\Windows\System32\rKxYzvn.exe
  2⤵
  PID:13516
- C:\Windows\System32\XqeJQUf.exe
  C:\Windows\System32\XqeJQUf.exe
  2⤵
  PID:13532

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:14096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AfcypfX.exe

Filesize
1.4MB

MD5
9fab2c0f5156aa98e366a02bbbf55693

SHA1
cc09676f5ab5ef7bf13f6bee3c185d02e2c6f6da

SHA256
2035f111cf4d2f9c6953594928153be3392273b4b394c85cb0be849edbbc3a03

SHA512
68cf11fe0affe1f59f67470424e6f6ba83b6496af122807c78736daa0ffadee225481c3a6ce6f33d72c2e29cd0532591849bce3676afda2a608385568fda0f25

Download Submit
C:\Windows\System32\DDqOxww.exe

Filesize
1.4MB

MD5
c03ecaa52cc7f814983dd3eb15da46a5

SHA1
22eb5aa0a510e51be6cbf6fe5164134f5fe99986

SHA256
262d79ec8976975c6d3b772edb04ba2bf54fcb18df972e995f4bd21f2f035ef6

SHA512
95efce4737a45e5293bdf97caf31e0a9304596c592e3eec7f731589d23a2c6023619169e207ee112df9b59478a2a94e85d3ee9b39436a94217aeae65771bbd1f

Download Submit
C:\Windows\System32\EXxGBzF.exe

Filesize
1.4MB

MD5
790ec9acf8b1fee87c68c53184994770

SHA1
d43cde0f18ae1a5d792a5a7fd526610c6cf1349f

SHA256
8cd401de4af6b3e5a64bf9c3216ba376b8812b11bc639863e24f53b26fa77e45

SHA512
eadfb5bcd416d3d76c4176f195ec9c14b4d110d7d54a6dc72ca450783ce5edbc97406f6af13130e2cb3002724cb5f4a0acf0c67f5c6efebeec9d3553fce75300

Download Submit
C:\Windows\System32\FLEshDk.exe

Filesize
1.4MB

MD5
b23fbd1556c13456d1d17b55d7ddbb6f

SHA1
c0aa2e4c0494af9d83dec1fbbb4983e786cae334

SHA256
8e4632ac7ae1b896d86bf14c52b131cfe83e4f89a0838823f8fa9bbd61562bea

SHA512
735cf45f16172fcc0dbae5ae39ea95533205b7c1fc11a2cc169c417d8cd52f7f2a9e9cf8bdaac1ba5af4c3f60ddf6050bb3ff96513a19e5bf3f273ca45f907c0

Download Submit
C:\Windows\System32\FuLSkMt.exe

Filesize
1.4MB

MD5
a8b2e83be7e3969ac83faf7dcaae402d

SHA1
1c3cd09a8f2a6edbd03f10ced4bf2ddd0e51a510

SHA256
bffe35190182b5c5732c5bd2ecece9616a7d9807604b57fcd5b0aa1484f066e5

SHA512
5af7b9d0282b49fd0ab0e0a13c37276091f99d178f7a3d1b1242bf155488aee4701f5b5ec0794082304e4b88078e85ca9e41dba2211d86cfde433ffd7421d305

Download Submit
C:\Windows\System32\HuXWhKc.exe

Filesize
1.4MB

MD5
faed232b59054a81a5a8bd0972a96f46

SHA1
4cbcc27397b532aadffa1659ec84ca5df6528889

SHA256
0c1156415e80b276cdf79e889fab50cea0a801e64f77a344ac46d4746b7af0ac

SHA512
ff2abe04941abebe388d178be76ad815bc85ee06c743d13ac9ca1a8cf4150edf211b3a3d808ba3636a9130095326fd97bf2370ea58507496cde76d7f80c0cb3b

Download Submit
C:\Windows\System32\JmxznTk.exe

Filesize
1.4MB

MD5
6c2ac67089a08c0f4ff84882fb07a313

SHA1
31101a3daf3131e8fef820e9cc156f6a6182ae1d

SHA256
dab4b6083b11b7a9985afd766b43b28252d1b1d18b77fae01a6d4452a65ea856

SHA512
0b49a6befec97cd6dbec027f8523009a308f87a66e0a6d0e039ac1ab0037b70957bc23a31b54eddf6623f00e6d5f0d5dbd9ebf7cefbd502d3f5a79526e720b29

Download Submit
C:\Windows\System32\KxFsxqZ.exe

Filesize
1.4MB

MD5
25dbca4ceec65188b84dd330b91c950a

SHA1
92c55a7314c1f22ecebed82b9d8b0da8e7a26002

SHA256
0dbc75a6c76fc55224692a987a8a18a2a0a9bf19b61f857ce25553aa74fa9008

SHA512
1f7cd581cf27d1af29d042a5c81cf2be577c13fa8a57e1bd0a5afd3353c06ee5e28d203d78a7b2baaeb2a82426df9540567d5902beb027e9d259628ce38c2a07

Download Submit
C:\Windows\System32\McSJhsa.exe

Filesize
1.4MB

MD5
5d18ceb83a232cfe479510b69a168e65

SHA1
320adfe5173ec83ac55f4bb9b0669ee6549421de

SHA256
1495789f19e9a4cb6c568a2415769d0cbc21179bb76f45e21eeaa36e44cef655

SHA512
fead8904e91f44556cff774e2150931ccf1e85399c59495142c9e58171e123cbaac1dcc283ea43cd3b7b34b55edf6d235f87382bedbb76c85b302bcfb8482e1f

Download Submit
C:\Windows\System32\QeQkFhh.exe

Filesize
1.4MB

MD5
081be0658349517b40001eabd91c5459

SHA1
a2e1077f413918335c929b2b93ab8b92f2fc30f0

SHA256
8af21eb8aae057316a791d59800f176b3a798c5925aac6d0e10db4f15cd4f8bb

SHA512
858e8de902162f345baa161262a357a8d7505a1a4bd7c4f2e68e3e0b00a99267809bb622e25ea4cce2ca510e33327126e42a758835a22dfe1b16db90b420c1df

Download Submit
C:\Windows\System32\XGurtpg.exe

Filesize
1.4MB

MD5
ac126a55d2c69b38786e0bd29be86b55

SHA1
d07f28de8fd716a6f32caf37d748754538688763

SHA256
8e8f72fdfed66ef822cf64ec3e5c596ed1d1949626f163fdd2f16fbf6d13b15c

SHA512
b9e2e8725fabd025468d21da0f074a397c969ee65de27091ac54a4a2181f1943b82f218d5d77563f60eb71ae4b6dd0a0b12ca90582c7add2c7e6a07592ee6d5a

Download Submit
C:\Windows\System32\XKRnIqm.exe

Filesize
1.4MB

MD5
2fcad5df4b4bff1db0a5f7c0f470ea62

SHA1
87497c1dea1c6983a0fdd2d915e3419b450bea74

SHA256
810847d9fe09fdcaa268baf4e11d69da7cee35624048589714fd399974a60b23

SHA512
048eb49aa7ffcc9a3bd1dc7093606b1be8e4a1f4587ffc6a54621c4ec2c2003b8d9b4fb807865c9d877a54f27fc2ce8eff7a7aba86adb5461701b63da90e2b43

Download Submit
C:\Windows\System32\YBtwcMN.exe

Filesize
1.4MB

MD5
72b134a6f2b496510c63f45f3d38c72e

SHA1
d04991a925d22e15369556d1fbac1acd9ced905f

SHA256
44d6bceee57dee67e4c027323f58a49bfbe906a8eb8f0ca51bfe06136c9287fb

SHA512
98eaec9e5d28da08a8eb6f02f83c4e964b3784f162020dada419d66c9a6da40f7d4f8c8d457f43e349236d5a64f5bc8b24995dab523ccb7e7ea94c36e5aa84bf

Download Submit
C:\Windows\System32\YEvnPFP.exe

Filesize
1.4MB

MD5
60267414b802f4fcee487aaac8217ed3

SHA1
8649070cd734377008410d17fb56e9f9d41be965

SHA256
64f127d03b0051cbfef27a11a664d4370f537e6d188f896ec6d3446597d531a5

SHA512
a1b12d98d9e939740a562b73c364170582abf3f10dcc00fb1d37173c951a8a1c7ed1e876e082ba4d1718fcda304edc0bb4b54490945d0d6c7ac3e8d09e682803

Download Submit
C:\Windows\System32\ZTTYrLJ.exe

Filesize
1.4MB

MD5
9ce1e9fd154c1bb8ad54c2d2ad13ae7f

SHA1
d67b3412c239c98f31cb69bcd89f2ab13cd95e8b

SHA256
46b3ec4c34e0d8c1838f0958204babbfca84e9c028655cf68075029fed65a6ae

SHA512
91a2e66bbe7268307e0722cfb018d5696b2fad0ba49bd41802ced82a71a77dd0a08603e7b378742dc79aca3122a6607da8d3675a472e62dffb071ce8c155f746

Download Submit
C:\Windows\System32\aDHcUFB.exe

Filesize
1.4MB

MD5
febf05c40f7936e93920a44575616c68

SHA1
46081e362be5626467242c9a6dc31a588202ae7c

SHA256
ecf0d058c45d897b9f4e681f661c78d9192699088af1af99e391ba69f53ae9f0

SHA512
6eeeb07ed6cb742cf53cd417d84a24bfd5b7ea748b4251b907bd3e56517bf691391628ad97f646e5782f0814d99df480d9e2f78916510e970e9f8a69ee0dcbd0

Download Submit
C:\Windows\System32\aXRzCow.exe

Filesize
1.4MB

MD5
3f096750b3a30a1248a319712da3d5da

SHA1
a5d7b0ca93cca5a058319f36ecdd7be16fa15b78

SHA256
8c12c6a7b6375d59d5ff3b32ae1bd61a02b6a5fd26cf064047a5c9a84f8636cc

SHA512
6e435cf52ff9d81145f336724a86b6a3041b1e4dd80afd96d841be4689556862405dce61e3471603aa3dfc84443c085d8021c9b233e9d92fb46639b3a7c89ba4

Download Submit
C:\Windows\System32\dMXwyYc.exe

Filesize
1.4MB

MD5
cf25d73c939a616b7feee5c6b152f62c

SHA1
86d151ffef70626e757aaf938e63a2c00e4b1840

SHA256
4df58df332bf7480df9948b9f4dc91e05c1577c80a79d3cee5a9012f5ea040b5

SHA512
b89332e7aa1b94587210f1b650713212ed403f8b6a6f1c4dd01e4c5c3ea78d15548884e9dadc1899ad87f37ed8662413ae5f0ecf0d68d267730df4d002dcaf96

Download Submit
C:\Windows\System32\eiRtfes.exe

Filesize
1.4MB

MD5
f97c00ee3a9f2753e614ea1e687a7197

SHA1
fc178c74c88cc9a2639572a1ca5f5c4a7f65c531

SHA256
1243e40ee3f14fb5fcbea718bdb340730d19068d75add730a481ea9f5718bf2c

SHA512
7fd83582a4cedbdb25e41c87575a0aa606be3568b7331d4edd86d55a94bdc091da2ad1dba84d8ded1c3ca6056480eb89b8d0fda8f87871427b94af46741024da

Download Submit
C:\Windows\System32\enQqeub.exe

Filesize
1.4MB

MD5
06ee53df7d53898a4b97e7c114845c85

SHA1
3b8f8cc01454b01e5eceecf64509028300b57cac

SHA256
c96819a1c0a3f2308bd2ad6635e6f7845b2fd1e9c2aacbc5776a84fc44741cb2

SHA512
5c8a990226e48c420a5bd9c285e83bdff072f098a35281c2447cb1227207f5b60390c451548627d9cda95d679686a22758e7d0553773afa86001889211e9f2ce

Download Submit
C:\Windows\System32\fxOqLpz.exe

Filesize
1.4MB

MD5
53b2e5c74aff99f10ebe6e28e5b445fa

SHA1
bc271ef7c753bbb282880196e9fae7d27d3873e2

SHA256
c8f11de5f290e02a810ffea9a03f5546fa0fe0064c5f25607d8ca0e351302572

SHA512
742f1d8cce934e1e3370c994f7f9eb0f243ef4a19f6e9c713d2b2327f141a710e7a7f47a3315726936bbec661a17ca584d4539b6ad70178967bd2b9ff734d285

Download Submit
C:\Windows\System32\giswfTp.exe

Filesize
1.4MB

MD5
24ddd21eb038f7409fc87c5a5d9afeee

SHA1
7edb29f24d4d640cb0e12b15f1058296dcad8808

SHA256
f1c6f7a7f5bf8bb289e64b30b2fc2f3e75dd8258dfd1245185c741fc7b37e453

SHA512
8f088f06455e492c1dfb1ba0b377790330242eba23e35954855778b57a34f691a8bff8909d9696bfc7514daa7b9ef82f714b16bcd88938f65088ab0a36fabf87

Download Submit
C:\Windows\System32\icoEwYw.exe

Filesize
1.4MB

MD5
da57cfe97beb3aee23661cb65a6d7a0b

SHA1
fe8e8bd3915602eb00541fbb669188f63fe4ed12

SHA256
132d3abd5834094fc338f5bc11fab0a7a13a63fabd7b2dc7bef7be015b84cf32

SHA512
4121b8f85eca2ecd1afe41776feaf56cc57039f447bf43816ad935618fa705113039b91a09b0d7e64e4f81de6c36be517bfb1d93fe440c971d4cb1b642efc4b5

Download Submit
C:\Windows\System32\jAoJVLr.exe

Filesize
1.4MB

MD5
79de7cf6f301587c4fbd0d5f6013fe0b

SHA1
839f4889971880cc8a34cca2b093e12a5053ad23

SHA256
b5c9abe96802c02e758dfc700ab7a5aba30ef1edf5418f7b9a24de8239515110

SHA512
0c2279b1ad1b47c851b88934f6cc482c5f2bf2c4e998e8552cf63444ebc1458d86bc7052ca5125441aac24d926a1736ab1910d5642a6a7e4812c656e33c36e3a

Download Submit
C:\Windows\System32\khXMqXj.exe

Filesize
1.4MB

MD5
7dec69634dd1b1748b55c905447f337c

SHA1
d27aa7dc76ff2a5118de92dbe75f2b62c8bfbf9d

SHA256
7b6d04c46267ae2af7550cf03df93021628805ba99ee5a7ef3635346ed4f3ec0

SHA512
05488a400406f4f25f09dcaec7d2af0b17f83eeb23fa87cdc5d38581c0b763a5d2eb050078e79afb6b8dab09f462afdaf66a26837c639fd5cb03ca2d8dcbd575

Download Submit
C:\Windows\System32\kkkpGsG.exe

Filesize
1.4MB

MD5
53337083480625e27c30171709ff5e51

SHA1
aeaed72fc67dcf3b883980d2458cb77e08012ad6

SHA256
9213a659072910df60607e4fd7887015347e632f89e393c17efcb5235dfdcf69

SHA512
d88f38b915ea8c8fc54bd76d870a1c65c0bcff31f0a53d6b7469a7b8edc4c0d0ad6575b761f0443e891dee01a9794e49f032ebdae206d5191d819a72a73e8812

Download Submit
C:\Windows\System32\loTupJi.exe

Filesize
1.4MB

MD5
63227b298d613c78fb9d6870dce159bd

SHA1
f68b2f92dc3d80bc1e976e68192fa1d8be6eee71

SHA256
c53b5c52e127fc4609e76740d520a015fab33533f773e3cc9e44f9bfa93f6181

SHA512
2feb15d4de77689548851636316421e0010bc9b57078100833ffdbaed6b73a12eed060e7fe22c8dead216c35dc9c6543e51305751341dd12236ca891a2db5018

Download Submit
C:\Windows\System32\mcMUFgL.exe

Filesize
1.4MB

MD5
a73b208a20e9981b42748eba8f53f70d

SHA1
60e2984b1b5e3b02a6c4d0d371c23f9432d79183

SHA256
6e5a341d9b8b897a2b44ebe85d5c717c9c61f8d663b44661f2543fa1750d3718

SHA512
555929fb402d367b31202df7ef1ad22abda92eaff1929605d335bd0db319e260660eb53f751e113763081e5662919838a8c1826674dbc8bf1ce0c24a61e0b42f

Download Submit
C:\Windows\System32\pDiLJGa.exe

Filesize
1.4MB

MD5
f13d215633ca1b368afbff0b5a7e0b61

SHA1
5163638cc5faa5f073cac2bf80d7dc5da91e7aa9

SHA256
0dca03a174d7a6b1933172ac0f5837589e1f16a57dffc50f09f3a9aeaaa25f92

SHA512
7f2c074b3d8c9ca74a6fa39621dd7d756cddfa731de36de7abb8a9e27708f820ed65b6858b5d1c1af56e896f8c6e3c03292593ed1aa74946940ef07fe04c2d74

Download Submit
C:\Windows\System32\wdJebIq.exe

Filesize
1.4MB

MD5
5b623ea75bb01cb45377c690e1c5c3f8

SHA1
1d1225b1b4ef6826d1883ea1d12a9a90063ff4ff

SHA256
b4fd5586bfea1ba6520af47a5dba08b1e98c3fd05ca12d67344aa6be9e47bf23

SHA512
8176da5104165339afa2e2bdc03cf69fc4e46debf696376d4e6eee7ccfeafc918124ecad5b3b901a5721d40515539ab2dd706c8a8a1dfe65cec4e830559309ee

Download Submit
C:\Windows\System32\wgeKPOz.exe

Filesize
1.4MB

MD5
1d546ee480829ef650b8d72e0b4fe80d

SHA1
886974b8291792f5b0877343f938588cc49da7f5

SHA256
0c75c0836435e87aad2246150c17d75d1b572fbbf3e0ec2066b4ceb1902199f6

SHA512
d398211d0286fba3d9e22e7784ba0bbfd8bcc7a6aa938cad07f81037a80a2083be1ead3474656be8a0e4dd6fb0cceb5843ae7f31239ab4ed1cf6b4eba908a0e6

Download Submit
C:\Windows\System32\xXbHNlO.exe

Filesize
1.4MB

MD5
6574751e1f807cbd7cac66fb401cbc21

SHA1
1aecf46b706044128698c8143f6d973135fe2997

SHA256
e6eeffda45c9ee1cefa8e23852968a12695ae45c08b3b8ece301249752a4b314

SHA512
9661534e60efa715bf71fe128e4c658f61a532f43103ec0d72eb58f048733b2d6e0b68f056173a28742161f05de0436600f2fabefbb3c9af988daa39f5376cbd

Download Submit
C:\Windows\System32\zrPMHoT.exe

Filesize
1.4MB

MD5
d1e6e0d64820c2bfbf36519b777f6bbe

SHA1
de293d9d3d950f03dad7cb47e546335a1d444ae1

SHA256
422fde20cb7b576b4e83f4ff11ad2bd975a4bb96fc504be7365c8f0c222e1c51

SHA512
1ceabd2313a8fc8418aaa1631ceefa148d0761115c5f5b57f5c123babe232206b3bf056ebbfed9dccce32ffd6e4aa680701e9740c27ffa95d11606570d41cea9

Download Submit
memory/112-2222-0x00007FF69D680000-0x00007FF69DA71000-memory.dmp

Filesize
3.9MB

Download
memory/112-594-0x00007FF69D680000-0x00007FF69DA71000-memory.dmp

Filesize
3.9MB

Download
memory/384-960-0x00007FF6DEAB0000-0x00007FF6DEEA1000-memory.dmp

Filesize
3.9MB

Download
memory/384-2153-0x00007FF6DEAB0000-0x00007FF6DEEA1000-memory.dmp

Filesize
3.9MB

Download
memory/384-21-0x00007FF6DEAB0000-0x00007FF6DEEA1000-memory.dmp

Filesize
3.9MB

Download
memory/428-617-0x00007FF602DC0000-0x00007FF6031B1000-memory.dmp

Filesize
3.9MB

Download
memory/428-2218-0x00007FF602DC0000-0x00007FF6031B1000-memory.dmp

Filesize
3.9MB

Download
memory/516-2210-0x00007FF6D0310000-0x00007FF6D0701000-memory.dmp

Filesize
3.9MB

Download
memory/516-600-0x00007FF6D0310000-0x00007FF6D0701000-memory.dmp

Filesize
3.9MB

Download
memory/1080-2176-0x00007FF7F0B70000-0x00007FF7F0F61000-memory.dmp

Filesize
3.9MB

Download
memory/1080-543-0x00007FF7F0B70000-0x00007FF7F0F61000-memory.dmp

Filesize
3.9MB

Download
memory/1452-2174-0x00007FF77C150000-0x00007FF77C541000-memory.dmp

Filesize
3.9MB

Download
memory/1452-623-0x00007FF77C150000-0x00007FF77C541000-memory.dmp

Filesize
3.9MB

Download
memory/1836-606-0x00007FF652C00000-0x00007FF652FF1000-memory.dmp

Filesize
3.9MB

Download
memory/1836-2208-0x00007FF652C00000-0x00007FF652FF1000-memory.dmp

Filesize
3.9MB

Download
memory/1944-2163-0x00007FF60C680000-0x00007FF60CA71000-memory.dmp

Filesize
3.9MB

Download
memory/1944-31-0x00007FF60C680000-0x00007FF60CA71000-memory.dmp

Filesize
3.9MB

Download
memory/1944-1097-0x00007FF60C680000-0x00007FF60CA71000-memory.dmp

Filesize
3.9MB

Download
memory/1976-602-0x00007FF708CD0000-0x00007FF7090C1000-memory.dmp

Filesize
3.9MB

Download
memory/2076-2170-0x00007FF7256B0000-0x00007FF725AA1000-memory.dmp

Filesize
3.9MB

Download
memory/2076-542-0x00007FF7256B0000-0x00007FF725AA1000-memory.dmp

Filesize
3.9MB

Download
memory/2336-2158-0x00007FF737F80000-0x00007FF738371000-memory.dmp

Filesize
3.9MB

Download
memory/2336-1105-0x00007FF737F80000-0x00007FF738371000-memory.dmp

Filesize
3.9MB

Download
memory/2336-38-0x00007FF737F80000-0x00007FF738371000-memory.dmp

Filesize
3.9MB

Download
memory/2648-545-0x00007FF7E4840000-0x00007FF7E4C31000-memory.dmp

Filesize
3.9MB

Download
memory/2744-607-0x00007FF75F480000-0x00007FF75F871000-memory.dmp

Filesize
3.9MB

Download
memory/2744-2220-0x00007FF75F480000-0x00007FF75F871000-memory.dmp

Filesize
3.9MB

Download
memory/3400-2212-0x00007FF640710000-0x00007FF640B01000-memory.dmp

Filesize
3.9MB

Download
memory/3400-605-0x00007FF640710000-0x00007FF640B01000-memory.dmp

Filesize
3.9MB

Download
memory/3828-1189-0x00007FF71BD70000-0x00007FF71C161000-memory.dmp

Filesize
3.9MB

Download
memory/3828-2161-0x00007FF71BD70000-0x00007FF71C161000-memory.dmp

Filesize
3.9MB

Download
memory/3828-42-0x00007FF71BD70000-0x00007FF71C161000-memory.dmp

Filesize
3.9MB

Download
memory/3940-0-0x00007FF6F9C00000-0x00007FF6F9FF1000-memory.dmp

Filesize
3.9MB

Download
memory/3940-1-0x00000237770C0000-0x00000237770D0000-memory.dmp

Filesize
64KB

Download
memory/3940-845-0x00007FF6F9C00000-0x00007FF6F9FF1000-memory.dmp

Filesize
3.9MB

Download
memory/4308-1278-0x00007FF7D26A0000-0x00007FF7D2A91000-memory.dmp

Filesize
3.9MB

Download
memory/4308-50-0x00007FF7D26A0000-0x00007FF7D2A91000-memory.dmp

Filesize
3.9MB

Download
memory/4312-54-0x00007FF714960000-0x00007FF714D51000-memory.dmp

Filesize
3.9MB

Download
memory/4312-2159-0x00007FF714960000-0x00007FF714D51000-memory.dmp

Filesize
3.9MB

Download
memory/4408-544-0x00007FF6D7E40000-0x00007FF6D8231000-memory.dmp

Filesize
3.9MB

Download
memory/4408-2178-0x00007FF6D7E40000-0x00007FF6D8231000-memory.dmp

Filesize
3.9MB

Download
memory/4412-1412-0x00007FF7252D0000-0x00007FF7256C1000-memory.dmp

Filesize
3.9MB

Download
memory/4412-65-0x00007FF7252D0000-0x00007FF7256C1000-memory.dmp

Filesize
3.9MB

Download
memory/4412-2172-0x00007FF7252D0000-0x00007FF7256C1000-memory.dmp

Filesize
3.9MB

Download
memory/4496-1181-0x00007FF7052F0000-0x00007FF7056E1000-memory.dmp

Filesize
3.9MB

Download
memory/4496-2166-0x00007FF7052F0000-0x00007FF7056E1000-memory.dmp

Filesize
3.9MB

Download
memory/4496-39-0x00007FF7052F0000-0x00007FF7056E1000-memory.dmp

Filesize
3.9MB

Download
memory/4512-12-0x00007FF763CF0000-0x00007FF7640E1000-memory.dmp

Filesize
3.9MB

Download
memory/4512-850-0x00007FF763CF0000-0x00007FF7640E1000-memory.dmp

Filesize
3.9MB

Download
memory/4512-2155-0x00007FF763CF0000-0x00007FF7640E1000-memory.dmp

Filesize
3.9MB

Download
memory/4696-25-0x00007FF727F80000-0x00007FF728371000-memory.dmp

Filesize
3.9MB

Download
memory/4696-2168-0x00007FF727F80000-0x00007FF728371000-memory.dmp

Filesize
3.9MB

Download
memory/4696-1092-0x00007FF727F80000-0x00007FF728371000-memory.dmp

Filesize
3.9MB

Download
memory/4776-2216-0x00007FF667A30000-0x00007FF667E21000-memory.dmp

Filesize
3.9MB

Download
memory/4776-621-0x00007FF667A30000-0x00007FF667E21000-memory.dmp

Filesize
3.9MB

Download
memory/4844-2205-0x00007FF7D1DF0000-0x00007FF7D21E1000-memory.dmp

Filesize
3.9MB

Download
memory/4844-595-0x00007FF7D1DF0000-0x00007FF7D21E1000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads