kpot | e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
26/02/2025, 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
Size

2.0MB
MD5

2392a9eb4ba9251b52f2aa020a72b6c5
SHA1

16e8eea758239ffc255e67ae6747031739fae270
SHA256

e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a
SHA512

6cebae566e3e1c6538d417fc2808c89fd3b6193b5db2854287a7d82686de2a2c2d2d0162d97b61d090291e606a337354599fd74e3fc35ae52f4633d6d60abcc1
SSDEEP

49152:GezaTF8FcNkNdfE0pZ9oztFwIi5aIwC+Agr6S/Fatb7zIgZ:GemTLkNdfE0pZaQf

Score

10^/10

kpot xmrig miner stealer trojan

Malware Config

Signatures

KPOT
KPOT is an information stealer that steals user data and account credentials.
trojan stealer kpot

KPOT Core Executable 33 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023cdd-4.dat	family_kpot
behavioral2/files/0x0007000000023d85-8.dat	family_kpot
behavioral2/files/0x0008000000023d81-9.dat	family_kpot
behavioral2/files/0x0007000000023d86-20.dat	family_kpot
behavioral2/files/0x0007000000023d87-24.dat	family_kpot
behavioral2/files/0x0007000000023d88-30.dat	family_kpot
behavioral2/files/0x0007000000023d89-34.dat	family_kpot
behavioral2/files/0x0007000000023d8a-40.dat	family_kpot
behavioral2/files/0x0007000000023d8f-59.dat	family_kpot
behavioral2/files/0x0007000000023d93-77.dat	family_kpot
behavioral2/files/0x0007000000023d98-104.dat	family_kpot
behavioral2/files/0x0007000000023d9f-137.dat	family_kpot
behavioral2/files/0x0007000000023da1-152.dat	family_kpot
behavioral2/files/0x0007000000023da4-162.dat	family_kpot
behavioral2/files/0x0007000000023da2-158.dat	family_kpot
behavioral2/files/0x0007000000023da3-157.dat	family_kpot
behavioral2/files/0x0007000000023da0-148.dat	family_kpot
behavioral2/files/0x0007000000023d9e-138.dat	family_kpot
behavioral2/files/0x0007000000023d9d-132.dat	family_kpot
behavioral2/files/0x0007000000023d9c-128.dat	family_kpot
behavioral2/files/0x0007000000023d9b-122.dat	family_kpot
behavioral2/files/0x0007000000023d9a-118.dat	family_kpot
behavioral2/files/0x0007000000023d99-112.dat	family_kpot
behavioral2/files/0x0007000000023d97-102.dat	family_kpot
behavioral2/files/0x0007000000023d96-97.dat	family_kpot
behavioral2/files/0x0007000000023d95-93.dat	family_kpot
behavioral2/files/0x0007000000023d94-88.dat	family_kpot
behavioral2/files/0x0007000000023d92-78.dat	family_kpot
behavioral2/files/0x0007000000023d91-72.dat	family_kpot
behavioral2/files/0x0007000000023d90-68.dat	family_kpot
behavioral2/files/0x0007000000023d8e-55.dat	family_kpot
behavioral2/files/0x0007000000023d8d-50.dat	family_kpot
behavioral2/files/0x0007000000023d8b-45.dat	family_kpot

Kpot family
kpot
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 33 IoCs

miner

resource	yara_rule
behavioral2/files/0x000a000000023cdd-4.dat	xmrig
behavioral2/files/0x0007000000023d85-8.dat	xmrig
behavioral2/files/0x0008000000023d81-9.dat	xmrig
behavioral2/files/0x0007000000023d86-20.dat	xmrig
behavioral2/files/0x0007000000023d87-24.dat	xmrig
behavioral2/files/0x0007000000023d88-30.dat	xmrig
behavioral2/files/0x0007000000023d89-34.dat	xmrig
behavioral2/files/0x0007000000023d8a-40.dat	xmrig
behavioral2/files/0x0007000000023d8f-59.dat	xmrig
behavioral2/files/0x0007000000023d93-77.dat	xmrig
behavioral2/files/0x0007000000023d98-104.dat	xmrig
behavioral2/files/0x0007000000023d9f-137.dat	xmrig
behavioral2/files/0x0007000000023da1-152.dat	xmrig
behavioral2/files/0x0007000000023da4-162.dat	xmrig
behavioral2/files/0x0007000000023da2-158.dat	xmrig
behavioral2/files/0x0007000000023da3-157.dat	xmrig
behavioral2/files/0x0007000000023da0-148.dat	xmrig
behavioral2/files/0x0007000000023d9e-138.dat	xmrig
behavioral2/files/0x0007000000023d9d-132.dat	xmrig
behavioral2/files/0x0007000000023d9c-128.dat	xmrig
behavioral2/files/0x0007000000023d9b-122.dat	xmrig
behavioral2/files/0x0007000000023d9a-118.dat	xmrig
behavioral2/files/0x0007000000023d99-112.dat	xmrig
behavioral2/files/0x0007000000023d97-102.dat	xmrig
behavioral2/files/0x0007000000023d96-97.dat	xmrig
behavioral2/files/0x0007000000023d95-93.dat	xmrig
behavioral2/files/0x0007000000023d94-88.dat	xmrig
behavioral2/files/0x0007000000023d92-78.dat	xmrig
behavioral2/files/0x0007000000023d91-72.dat	xmrig
behavioral2/files/0x0007000000023d90-68.dat	xmrig
behavioral2/files/0x0007000000023d8e-55.dat	xmrig
behavioral2/files/0x0007000000023d8d-50.dat	xmrig
behavioral2/files/0x0007000000023d8b-45.dat	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2600	zGlptCY.exe
424	WTPZZcT.exe
3156	wpkMtLc.exe
3636	agfvUHs.exe
4016	FJumWun.exe
2268	cOqDwoF.exe
2580	BtidAKf.exe
1400	RYVVToH.exe
2896	eMHSKCG.exe
3308	vKipLyE.exe
2204	KdYDMSO.exe
4852	WarbImf.exe
752	HrjNgzI.exe
1060	KkOzPfJ.exe
2092	YCjSFID.exe
4100	lLwrvpk.exe
1424	MYIRURF.exe
4220	XMjFXvt.exe
3264	fHReenh.exe
4416	LPvCRnk.exe
4908	GDZMGrs.exe
680	xxKKfzN.exe
5108	UHkRodZ.exe
460	sIQtBmB.exe
3696	furxQDj.exe
4620	DpmkbqZ.exe
1696	JBfqiBm.exe
2372	akYhoYl.exe
3076	GbesPQD.exe
2636	xczhqBY.exe
4196	gpckrdf.exe
3900	qtaxBSm.exe
3924	ieCpxjQ.exe
3896	SAuzsMy.exe
1848	flEOtEM.exe
4064	vSJkDkj.exe
4896	pLwDMzf.exe
4752	VzkqrTG.exe
3856	XdegJFS.exe
4688	QTGutEb.exe
1976	pbhODdF.exe
4284	otIAVSQ.exe
4296	iIssrLl.exe
2676	uEMXkhe.exe
2336	LaZTRfP.exe
4844	xXydoUN.exe
3744	FnzvRnX.exe
3728	JCXtNqA.exe
5072	daKznSt.exe
3304	mVWJZmW.exe
2860	aIWUjQg.exe
4860	brLxsRo.exe
1544	ikEHpTf.exe
1184	tWpPxOZ.exe
2244	zotfCtb.exe
3812	VMWFbyT.exe
4788	lwMqTYn.exe
1480	bulAdvF.exe
3628	HmQppXR.exe
3860	ltfFMxl.exe
2780	JuVZrvx.exe
4664	ujUatys.exe
4328	HyCfpQz.exe
4640	TQrlMWy.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\hkCHFSM.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\Tdbubcc.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\FTNljPR.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\Fszwzyo.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\xczhqBY.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\HmQppXR.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\ukZQnlT.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\YIeddqj.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\SGXIZqA.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\QNLWzOr.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\nyWhHis.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\INXkYcc.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\IuIWezr.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\RYVVToH.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\JBfqiBm.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\zotfCtb.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\SZjrjFH.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\iLBWplk.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\YWfhmSS.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\phccIUl.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\npUzQiO.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\rwIeuEg.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\EJifTCm.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\irKZJif.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\xRbfGjn.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\RmRSjlm.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\nNLPRTN.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\GoWlbKh.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\nWaKJMj.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\pmpcIDP.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\bWlejAb.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\GDRZXkS.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\NPuzzSH.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\dwjewYT.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\NFVbgyM.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\FJloyrK.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\bdMyDwO.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\furxQDj.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\DpBTRBk.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\cZhPRfr.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\DQZLsDG.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\DpmkbqZ.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\ikEHpTf.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\PGrtxOX.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\eXcWJQR.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\OmjEhkl.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\NVTyLsn.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\akYhoYl.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\iKwqZzg.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\EVoiiRG.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\xxKKfzN.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\QTGutEb.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\Yvgzqsy.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\EAkklhP.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\WzjHZWu.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\YdhgqIm.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\XZCOPVf.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\pkJKBcm.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\xuTWsBM.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\AduPzvt.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\viizmVc.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\vqpQfde.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\lZmNPlN.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
File created	C:\Windows\System\GJDxBqS.exe	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
Token: SeLockMemoryPrivilege	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 2600	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	87
PID 3540 wrote to memory of 2600	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	87
PID 3540 wrote to memory of 424	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	88
PID 3540 wrote to memory of 424	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	88
PID 3540 wrote to memory of 3156	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	89
PID 3540 wrote to memory of 3156	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	89
PID 3540 wrote to memory of 3636	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	90
PID 3540 wrote to memory of 3636	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	90
PID 3540 wrote to memory of 4016	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	91
PID 3540 wrote to memory of 4016	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	91
PID 3540 wrote to memory of 2268	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	92
PID 3540 wrote to memory of 2268	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	92
PID 3540 wrote to memory of 2580	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	93
PID 3540 wrote to memory of 2580	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	93
PID 3540 wrote to memory of 1400	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	94
PID 3540 wrote to memory of 1400	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	94
PID 3540 wrote to memory of 2896	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	95
PID 3540 wrote to memory of 2896	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	95
PID 3540 wrote to memory of 3308	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	96
PID 3540 wrote to memory of 3308	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	96
PID 3540 wrote to memory of 2204	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	97
PID 3540 wrote to memory of 2204	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	97
PID 3540 wrote to memory of 4852	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	98
PID 3540 wrote to memory of 4852	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	98
PID 3540 wrote to memory of 752	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	99
PID 3540 wrote to memory of 752	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	99
PID 3540 wrote to memory of 1060	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	100
PID 3540 wrote to memory of 1060	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	100
PID 3540 wrote to memory of 2092	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	101
PID 3540 wrote to memory of 2092	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	101
PID 3540 wrote to memory of 4100	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	102
PID 3540 wrote to memory of 4100	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	102
PID 3540 wrote to memory of 1424	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	103
PID 3540 wrote to memory of 1424	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	103
PID 3540 wrote to memory of 4220	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	104
PID 3540 wrote to memory of 4220	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	104
PID 3540 wrote to memory of 3264	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	105
PID 3540 wrote to memory of 3264	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	105
PID 3540 wrote to memory of 4416	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	106
PID 3540 wrote to memory of 4416	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	106
PID 3540 wrote to memory of 4908	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	107
PID 3540 wrote to memory of 4908	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	107
PID 3540 wrote to memory of 680	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	108
PID 3540 wrote to memory of 680	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	108
PID 3540 wrote to memory of 5108	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	109
PID 3540 wrote to memory of 5108	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	109
PID 3540 wrote to memory of 460	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	110
PID 3540 wrote to memory of 460	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	110
PID 3540 wrote to memory of 3696	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	111
PID 3540 wrote to memory of 3696	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	111
PID 3540 wrote to memory of 4620	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	112
PID 3540 wrote to memory of 4620	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	112
PID 3540 wrote to memory of 1696	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	113
PID 3540 wrote to memory of 1696	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	113
PID 3540 wrote to memory of 2372	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	114
PID 3540 wrote to memory of 2372	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	114
PID 3540 wrote to memory of 3076	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	115
PID 3540 wrote to memory of 3076	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	115
PID 3540 wrote to memory of 2636	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	116
PID 3540 wrote to memory of 2636	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	116
PID 3540 wrote to memory of 4196	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	117
PID 3540 wrote to memory of 4196	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	117
PID 3540 wrote to memory of 3900	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	118
PID 3540 wrote to memory of 3900	3540	e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe	118

C:\Users\Admin\AppData\Local\Temp\e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe
"C:\Users\Admin\AppData\Local\Temp\e64948a28444186e1e1af21106ce7c8d81740e71d5c65286e77ce3fafbc53a2a.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\System\zGlptCY.exe
  C:\Windows\System\zGlptCY.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System\WTPZZcT.exe
  C:\Windows\System\WTPZZcT.exe
  2⤵
  - Executes dropped EXE
  PID:424
- C:\Windows\System\wpkMtLc.exe
  C:\Windows\System\wpkMtLc.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System\agfvUHs.exe
  C:\Windows\System\agfvUHs.exe
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Windows\System\FJumWun.exe
  C:\Windows\System\FJumWun.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System\cOqDwoF.exe
  C:\Windows\System\cOqDwoF.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\BtidAKf.exe
  C:\Windows\System\BtidAKf.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System\RYVVToH.exe
  C:\Windows\System\RYVVToH.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\System\eMHSKCG.exe
  C:\Windows\System\eMHSKCG.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System\vKipLyE.exe
  C:\Windows\System\vKipLyE.exe
  2⤵
  - Executes dropped EXE
  PID:3308
- C:\Windows\System\KdYDMSO.exe
  C:\Windows\System\KdYDMSO.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System\WarbImf.exe
  C:\Windows\System\WarbImf.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System\HrjNgzI.exe
  C:\Windows\System\HrjNgzI.exe
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Windows\System\KkOzPfJ.exe
  C:\Windows\System\KkOzPfJ.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\System\YCjSFID.exe
  C:\Windows\System\YCjSFID.exe
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\System\lLwrvpk.exe
  C:\Windows\System\lLwrvpk.exe
  2⤵
  - Executes dropped EXE
  PID:4100
- C:\Windows\System\MYIRURF.exe
  C:\Windows\System\MYIRURF.exe
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\System\XMjFXvt.exe
  C:\Windows\System\XMjFXvt.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System\fHReenh.exe
  C:\Windows\System\fHReenh.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System\LPvCRnk.exe
  C:\Windows\System\LPvCRnk.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System\GDZMGrs.exe
  C:\Windows\System\GDZMGrs.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System\xxKKfzN.exe
  C:\Windows\System\xxKKfzN.exe
  2⤵
  - Executes dropped EXE
  PID:680
- C:\Windows\System\UHkRodZ.exe
  C:\Windows\System\UHkRodZ.exe
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\System\sIQtBmB.exe
  C:\Windows\System\sIQtBmB.exe
  2⤵
  - Executes dropped EXE
  PID:460
- C:\Windows\System\furxQDj.exe
  C:\Windows\System\furxQDj.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System\DpmkbqZ.exe
  C:\Windows\System\DpmkbqZ.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Windows\System\JBfqiBm.exe
  C:\Windows\System\JBfqiBm.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\System\akYhoYl.exe
  C:\Windows\System\akYhoYl.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\GbesPQD.exe
  C:\Windows\System\GbesPQD.exe
  2⤵
  - Executes dropped EXE
  PID:3076
- C:\Windows\System\xczhqBY.exe
  C:\Windows\System\xczhqBY.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\gpckrdf.exe
  C:\Windows\System\gpckrdf.exe
  2⤵
  - Executes dropped EXE
  PID:4196
- C:\Windows\System\qtaxBSm.exe
  C:\Windows\System\qtaxBSm.exe
  2⤵
  - Executes dropped EXE
  PID:3900
- C:\Windows\System\ieCpxjQ.exe
  C:\Windows\System\ieCpxjQ.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System\SAuzsMy.exe
  C:\Windows\System\SAuzsMy.exe
  2⤵
  - Executes dropped EXE
  PID:3896
- C:\Windows\System\flEOtEM.exe
  C:\Windows\System\flEOtEM.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\vSJkDkj.exe
  C:\Windows\System\vSJkDkj.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System\pLwDMzf.exe
  C:\Windows\System\pLwDMzf.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System\VzkqrTG.exe
  C:\Windows\System\VzkqrTG.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\System\XdegJFS.exe
  C:\Windows\System\XdegJFS.exe
  2⤵
  - Executes dropped EXE
  PID:3856
- C:\Windows\System\QTGutEb.exe
  C:\Windows\System\QTGutEb.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System\pbhODdF.exe
  C:\Windows\System\pbhODdF.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\otIAVSQ.exe
  C:\Windows\System\otIAVSQ.exe
  2⤵
  - Executes dropped EXE
  PID:4284
- C:\Windows\System\iIssrLl.exe
  C:\Windows\System\iIssrLl.exe
  2⤵
  - Executes dropped EXE
  PID:4296
- C:\Windows\System\uEMXkhe.exe
  C:\Windows\System\uEMXkhe.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System\LaZTRfP.exe
  C:\Windows\System\LaZTRfP.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\xXydoUN.exe
  C:\Windows\System\xXydoUN.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System\FnzvRnX.exe
  C:\Windows\System\FnzvRnX.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System\JCXtNqA.exe
  C:\Windows\System\JCXtNqA.exe
  2⤵
  - Executes dropped EXE
  PID:3728
- C:\Windows\System\daKznSt.exe
  C:\Windows\System\daKznSt.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\mVWJZmW.exe
  C:\Windows\System\mVWJZmW.exe
  2⤵
  - Executes dropped EXE
  PID:3304
- C:\Windows\System\aIWUjQg.exe
  C:\Windows\System\aIWUjQg.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System\brLxsRo.exe
  C:\Windows\System\brLxsRo.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System\ikEHpTf.exe
  C:\Windows\System\ikEHpTf.exe
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\System\tWpPxOZ.exe
  C:\Windows\System\tWpPxOZ.exe
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\System\zotfCtb.exe
  C:\Windows\System\zotfCtb.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System\VMWFbyT.exe
  C:\Windows\System\VMWFbyT.exe
  2⤵
  - Executes dropped EXE
  PID:3812
- C:\Windows\System\lwMqTYn.exe
  C:\Windows\System\lwMqTYn.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System\bulAdvF.exe
  C:\Windows\System\bulAdvF.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\System\HmQppXR.exe
  C:\Windows\System\HmQppXR.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System\ltfFMxl.exe
  C:\Windows\System\ltfFMxl.exe
  2⤵
  - Executes dropped EXE
  PID:3860
- C:\Windows\System\JuVZrvx.exe
  C:\Windows\System\JuVZrvx.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\ujUatys.exe
  C:\Windows\System\ujUatys.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System\HyCfpQz.exe
  C:\Windows\System\HyCfpQz.exe
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\System\TQrlMWy.exe
  C:\Windows\System\TQrlMWy.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System\quQLvpu.exe
  C:\Windows\System\quQLvpu.exe
  2⤵
  PID:2508
- C:\Windows\System\dSLkKDj.exe
  C:\Windows\System\dSLkKDj.exe
  2⤵
  PID:668
- C:\Windows\System\VPdzhvr.exe
  C:\Windows\System\VPdzhvr.exe
  2⤵
  PID:5136
- C:\Windows\System\BfABZVD.exe
  C:\Windows\System\BfABZVD.exe
  2⤵
  PID:5160
- C:\Windows\System\OUCiYTz.exe
  C:\Windows\System\OUCiYTz.exe
  2⤵
  PID:5192
- C:\Windows\System\FBuxBXw.exe
  C:\Windows\System\FBuxBXw.exe
  2⤵
  PID:5216
- C:\Windows\System\dHvDDQm.exe
  C:\Windows\System\dHvDDQm.exe
  2⤵
  PID:5248
- C:\Windows\System\PGrtxOX.exe
  C:\Windows\System\PGrtxOX.exe
  2⤵
  PID:5272
- C:\Windows\System\vqpQfde.exe
  C:\Windows\System\vqpQfde.exe
  2⤵
  PID:5304
- C:\Windows\System\tOMmThU.exe
  C:\Windows\System\tOMmThU.exe
  2⤵
  PID:5328
- C:\Windows\System\nHIzExK.exe
  C:\Windows\System\nHIzExK.exe
  2⤵
  PID:5364
- C:\Windows\System\AGdudMV.exe
  C:\Windows\System\AGdudMV.exe
  2⤵
  PID:5384
- C:\Windows\System\amBpOms.exe
  C:\Windows\System\amBpOms.exe
  2⤵
  PID:5416
- C:\Windows\System\YERVhWo.exe
  C:\Windows\System\YERVhWo.exe
  2⤵
  PID:5440
- C:\Windows\System\RLmOJZK.exe
  C:\Windows\System\RLmOJZK.exe
  2⤵
  PID:5472
- C:\Windows\System\cbUizEj.exe
  C:\Windows\System\cbUizEj.exe
  2⤵
  PID:5496
- C:\Windows\System\OvAUGOh.exe
  C:\Windows\System\OvAUGOh.exe
  2⤵
  PID:5528
- C:\Windows\System\hJaPNyE.exe
  C:\Windows\System\hJaPNyE.exe
  2⤵
  PID:5552
- C:\Windows\System\hkCHFSM.exe
  C:\Windows\System\hkCHFSM.exe
  2⤵
  PID:5584
- C:\Windows\System\nYTkkNw.exe
  C:\Windows\System\nYTkkNw.exe
  2⤵
  PID:5608
- C:\Windows\System\RvjDzXe.exe
  C:\Windows\System\RvjDzXe.exe
  2⤵
  PID:5636
- C:\Windows\System\BHEHwZC.exe
  C:\Windows\System\BHEHwZC.exe
  2⤵
  PID:5672
- C:\Windows\System\BVUKkGr.exe
  C:\Windows\System\BVUKkGr.exe
  2⤵
  PID:5748
- C:\Windows\System\tgOlPRc.exe
  C:\Windows\System\tgOlPRc.exe
  2⤵
  PID:5764
- C:\Windows\System\ksEGIND.exe
  C:\Windows\System\ksEGIND.exe
  2⤵
  PID:5780
- C:\Windows\System\ILoeoem.exe
  C:\Windows\System\ILoeoem.exe
  2⤵
  PID:5808
- C:\Windows\System\SZjrjFH.exe
  C:\Windows\System\SZjrjFH.exe
  2⤵
  PID:5836
- C:\Windows\System\IIVqjBX.exe
  C:\Windows\System\IIVqjBX.exe
  2⤵
  PID:5860
- C:\Windows\System\UDzgJbW.exe
  C:\Windows\System\UDzgJbW.exe
  2⤵
  PID:5888
- C:\Windows\System\YMFmRnH.exe
  C:\Windows\System\YMFmRnH.exe
  2⤵
  PID:5916
- C:\Windows\System\fNByyQw.exe
  C:\Windows\System\fNByyQw.exe
  2⤵
  PID:5936
- C:\Windows\System\FqEnoZX.exe
  C:\Windows\System\FqEnoZX.exe
  2⤵
  PID:5964
- C:\Windows\System\EXPcwvp.exe
  C:\Windows\System\EXPcwvp.exe
  2⤵
  PID:5992
- C:\Windows\System\ukZQnlT.exe
  C:\Windows\System\ukZQnlT.exe
  2⤵
  PID:6020
- C:\Windows\System\RpfcjWf.exe
  C:\Windows\System\RpfcjWf.exe
  2⤵
  PID:6048
- C:\Windows\System\CWEQCrR.exe
  C:\Windows\System\CWEQCrR.exe
  2⤵
  PID:6076
- C:\Windows\System\EGdTmMR.exe
  C:\Windows\System\EGdTmMR.exe
  2⤵
  PID:6104
- C:\Windows\System\nWaKJMj.exe
  C:\Windows\System\nWaKJMj.exe
  2⤵
  PID:6136
- C:\Windows\System\ldwBLvG.exe
  C:\Windows\System\ldwBLvG.exe
  2⤵
  PID:396
- C:\Windows\System\LfMMtJe.exe
  C:\Windows\System\LfMMtJe.exe
  2⤵
  PID:4488
- C:\Windows\System\Yvgzqsy.exe
  C:\Windows\System\Yvgzqsy.exe
  2⤵
  PID:1580
- C:\Windows\System\EAkklhP.exe
  C:\Windows\System\EAkklhP.exe
  2⤵
  PID:1460
- C:\Windows\System\xiVZjWc.exe
  C:\Windows\System\xiVZjWc.exe
  2⤵
  PID:4668
- C:\Windows\System\jWmdEDd.exe
  C:\Windows\System\jWmdEDd.exe
  2⤵
  PID:4976
- C:\Windows\System\sCzBBJw.exe
  C:\Windows\System\sCzBBJw.exe
  2⤵
  PID:5180
- C:\Windows\System\yhKvmPq.exe
  C:\Windows\System\yhKvmPq.exe
  2⤵
  PID:5256
- C:\Windows\System\VkEBFqt.exe
  C:\Windows\System\VkEBFqt.exe
  2⤵
  PID:5320
- C:\Windows\System\zuQEYOK.exe
  C:\Windows\System\zuQEYOK.exe
  2⤵
  PID:5380
- C:\Windows\System\DpBTRBk.exe
  C:\Windows\System\DpBTRBk.exe
  2⤵
  PID:5452
- C:\Windows\System\pkJKBcm.exe
  C:\Windows\System\pkJKBcm.exe
  2⤵
  PID:5512
- C:\Windows\System\xrGkfBY.exe
  C:\Windows\System\xrGkfBY.exe
  2⤵
  PID:5572
- C:\Windows\System\bUKVksj.exe
  C:\Windows\System\bUKVksj.exe
  2⤵
  PID:5648
- C:\Windows\System\rwIeuEg.exe
  C:\Windows\System\rwIeuEg.exe
  2⤵
  PID:5688
- C:\Windows\System\lZmNPlN.exe
  C:\Windows\System\lZmNPlN.exe
  2⤵
  PID:5796
- C:\Windows\System\yZRbpZT.exe
  C:\Windows\System\yZRbpZT.exe
  2⤵
  PID:5856
- C:\Windows\System\rRjfeDu.exe
  C:\Windows\System\rRjfeDu.exe
  2⤵
  PID:5928
- C:\Windows\System\sNpFXar.exe
  C:\Windows\System\sNpFXar.exe
  2⤵
  PID:5984
- C:\Windows\System\TYYauMg.exe
  C:\Windows\System\TYYauMg.exe
  2⤵
  PID:6060
- C:\Windows\System\nXlyiQn.exe
  C:\Windows\System\nXlyiQn.exe
  2⤵
  PID:5004
- C:\Windows\System\CDNdxeo.exe
  C:\Windows\System\CDNdxeo.exe
  2⤵
  PID:4648
- C:\Windows\System\EYqYfBA.exe
  C:\Windows\System\EYqYfBA.exe
  2⤵
  PID:3100
- C:\Windows\System\Tdbubcc.exe
  C:\Windows\System\Tdbubcc.exe
  2⤵
  PID:3432
- C:\Windows\System\iLBWplk.exe
  C:\Windows\System\iLBWplk.exe
  2⤵
  PID:5228
- C:\Windows\System\EJifTCm.exe
  C:\Windows\System\EJifTCm.exe
  2⤵
  PID:5348
- C:\Windows\System\MjjCDjO.exe
  C:\Windows\System\MjjCDjO.exe
  2⤵
  PID:5544
- C:\Windows\System\ZkOTzbE.exe
  C:\Windows\System\ZkOTzbE.exe
  2⤵
  PID:1124
- C:\Windows\System\zMYHhMe.exe
  C:\Windows\System\zMYHhMe.exe
  2⤵
  PID:5828
- C:\Windows\System\UPxeBDE.exe
  C:\Windows\System\UPxeBDE.exe
  2⤵
  PID:5976
- C:\Windows\System\wzZqmBD.exe
  C:\Windows\System\wzZqmBD.exe
  2⤵
  PID:4836
- C:\Windows\System\CNzeUet.exe
  C:\Windows\System\CNzeUet.exe
  2⤵
  PID:5044
- C:\Windows\System\yKYLAqw.exe
  C:\Windows\System\yKYLAqw.exe
  2⤵
  PID:5212
- C:\Windows\System\KrRlyde.exe
  C:\Windows\System\KrRlyde.exe
  2⤵
  PID:5604
- C:\Windows\System\zUwYVMB.exe
  C:\Windows\System\zUwYVMB.exe
  2⤵
  PID:5904
- C:\Windows\System\LQFfnCp.exe
  C:\Windows\System\LQFfnCp.exe
  2⤵
  PID:2016
- C:\Windows\System\VcnIAar.exe
  C:\Windows\System\VcnIAar.exe
  2⤵
  PID:6168
- C:\Windows\System\WzjHZWu.exe
  C:\Windows\System\WzjHZWu.exe
  2⤵
  PID:6196
- C:\Windows\System\fbjFXHh.exe
  C:\Windows\System\fbjFXHh.exe
  2⤵
  PID:6220
- C:\Windows\System\HZFmulW.exe
  C:\Windows\System\HZFmulW.exe
  2⤵
  PID:6252
- C:\Windows\System\GOxFSxA.exe
  C:\Windows\System\GOxFSxA.exe
  2⤵
  PID:6276
- C:\Windows\System\KLLqSRL.exe
  C:\Windows\System\KLLqSRL.exe
  2⤵
  PID:6304
- C:\Windows\System\HMRxcKI.exe
  C:\Windows\System\HMRxcKI.exe
  2⤵
  PID:6336
- C:\Windows\System\VJTeaTE.exe
  C:\Windows\System\VJTeaTE.exe
  2⤵
  PID:6364
- C:\Windows\System\pJWdWZB.exe
  C:\Windows\System\pJWdWZB.exe
  2⤵
  PID:6392
- C:\Windows\System\WZMcFCG.exe
  C:\Windows\System\WZMcFCG.exe
  2⤵
  PID:6420
- C:\Windows\System\xuTWsBM.exe
  C:\Windows\System\xuTWsBM.exe
  2⤵
  PID:6448
- C:\Windows\System\dzXpSJl.exe
  C:\Windows\System\dzXpSJl.exe
  2⤵
  PID:6472
- C:\Windows\System\VEQdFLh.exe
  C:\Windows\System\VEQdFLh.exe
  2⤵
  PID:6504
- C:\Windows\System\oDppYYH.exe
  C:\Windows\System\oDppYYH.exe
  2⤵
  PID:6560
- C:\Windows\System\JTWBfPJ.exe
  C:\Windows\System\JTWBfPJ.exe
  2⤵
  PID:6588
- C:\Windows\System\cZhPRfr.exe
  C:\Windows\System\cZhPRfr.exe
  2⤵
  PID:6628
- C:\Windows\System\wCdhUXE.exe
  C:\Windows\System\wCdhUXE.exe
  2⤵
  PID:6648
- C:\Windows\System\KySJGJM.exe
  C:\Windows\System\KySJGJM.exe
  2⤵
  PID:6688
- C:\Windows\System\FXnIaIv.exe
  C:\Windows\System\FXnIaIv.exe
  2⤵
  PID:6712
- C:\Windows\System\akYhCYZ.exe
  C:\Windows\System\akYhCYZ.exe
  2⤵
  PID:6756
- C:\Windows\System\HbyDLyp.exe
  C:\Windows\System\HbyDLyp.exe
  2⤵
  PID:6784
- C:\Windows\System\MTwJjpN.exe
  C:\Windows\System\MTwJjpN.exe
  2⤵
  PID:6820
- C:\Windows\System\OhIJAzd.exe
  C:\Windows\System\OhIJAzd.exe
  2⤵
  PID:6848
- C:\Windows\System\TMUNugM.exe
  C:\Windows\System\TMUNugM.exe
  2⤵
  PID:6876
- C:\Windows\System\YIeddqj.exe
  C:\Windows\System\YIeddqj.exe
  2⤵
  PID:6908
- C:\Windows\System\YWfhmSS.exe
  C:\Windows\System\YWfhmSS.exe
  2⤵
  PID:6932
- C:\Windows\System\FcCvMzT.exe
  C:\Windows\System\FcCvMzT.exe
  2⤵
  PID:6960
- C:\Windows\System\QzFXVNb.exe
  C:\Windows\System\QzFXVNb.exe
  2⤵
  PID:6988
- C:\Windows\System\kbhxbRl.exe
  C:\Windows\System\kbhxbRl.exe
  2⤵
  PID:7016
- C:\Windows\System\DCNeEiH.exe
  C:\Windows\System\DCNeEiH.exe
  2⤵
  PID:7048
- C:\Windows\System\GYjzfiW.exe
  C:\Windows\System\GYjzfiW.exe
  2⤵
  PID:7080
- C:\Windows\System\irKZJif.exe
  C:\Windows\System\irKZJif.exe
  2⤵
  PID:7108
- C:\Windows\System\bWlejAb.exe
  C:\Windows\System\bWlejAb.exe
  2⤵
  PID:7136
- C:\Windows\System\PyIkjIA.exe
  C:\Windows\System\PyIkjIA.exe
  2⤵
  PID:7164
- C:\Windows\System\phccIUl.exe
  C:\Windows\System\phccIUl.exe
  2⤵
  PID:5480
- C:\Windows\System\CACGJRx.exe
  C:\Windows\System\CACGJRx.exe
  2⤵
  PID:6180
- C:\Windows\System\GDRZXkS.exe
  C:\Windows\System\GDRZXkS.exe
  2⤵
  PID:6216
- C:\Windows\System\fVMXkzM.exe
  C:\Windows\System\fVMXkzM.exe
  2⤵
  PID:6268
- C:\Windows\System\oOZOkin.exe
  C:\Windows\System\oOZOkin.exe
  2⤵
  PID:6324
- C:\Windows\System\elRjDrC.exe
  C:\Windows\System\elRjDrC.exe
  2⤵
  PID:6384
- C:\Windows\System\emNveTJ.exe
  C:\Windows\System\emNveTJ.exe
  2⤵
  PID:2448
- C:\Windows\System\COGOibF.exe
  C:\Windows\System\COGOibF.exe
  2⤵
  PID:6464
- C:\Windows\System\jKtOvCQ.exe
  C:\Windows\System\jKtOvCQ.exe
  2⤵
  PID:716
- C:\Windows\System\RZLwGII.exe
  C:\Windows\System\RZLwGII.exe
  2⤵
  PID:6616
- C:\Windows\System\sDWlhZh.exe
  C:\Windows\System\sDWlhZh.exe
  2⤵
  PID:1620
- C:\Windows\System\fmyuBFO.exe
  C:\Windows\System\fmyuBFO.exe
  2⤵
  PID:6704
- C:\Windows\System\KuUHQrP.exe
  C:\Windows\System\KuUHQrP.exe
  2⤵
  PID:4352
- C:\Windows\System\hyiPiOD.exe
  C:\Windows\System\hyiPiOD.exe
  2⤵
  PID:1960
- C:\Windows\System\lOQYamL.exe
  C:\Windows\System\lOQYamL.exe
  2⤵
  PID:3212
- C:\Windows\System\NPuzzSH.exe
  C:\Windows\System\NPuzzSH.exe
  2⤵
  PID:6776
- C:\Windows\System\tthSmAV.exe
  C:\Windows\System\tthSmAV.exe
  2⤵
  PID:6832
- C:\Windows\System\blGInNb.exe
  C:\Windows\System\blGInNb.exe
  2⤵
  PID:6896
- C:\Windows\System\atFEPED.exe
  C:\Windows\System\atFEPED.exe
  2⤵
  PID:6924
- C:\Windows\System\GJDxBqS.exe
  C:\Windows\System\GJDxBqS.exe
  2⤵
  PID:6984
- C:\Windows\System\mBOAAEB.exe
  C:\Windows\System\mBOAAEB.exe
  2⤵
  PID:7072
- C:\Windows\System\fBLeQcR.exe
  C:\Windows\System\fBLeQcR.exe
  2⤵
  PID:7152
- C:\Windows\System\DQZLsDG.exe
  C:\Windows\System\DQZLsDG.exe
  2⤵
  PID:6156
- C:\Windows\System\OUahmbZ.exe
  C:\Windows\System\OUahmbZ.exe
  2⤵
  PID:4924
- C:\Windows\System\TZLfYcE.exe
  C:\Windows\System\TZLfYcE.exe
  2⤵
  PID:5724
- C:\Windows\System\XfVNlsc.exe
  C:\Windows\System\XfVNlsc.exe
  2⤵
  PID:5088
- C:\Windows\System\SaiGXPM.exe
  C:\Windows\System\SaiGXPM.exe
  2⤵
  PID:6584
- C:\Windows\System\rMURrlv.exe
  C:\Windows\System\rMURrlv.exe
  2⤵
  PID:6700
- C:\Windows\System\cgDnEqa.exe
  C:\Windows\System\cgDnEqa.exe
  2⤵
  PID:1604
- C:\Windows\System\wSVnHjT.exe
  C:\Windows\System\wSVnHjT.exe
  2⤵
  PID:6864
- C:\Windows\System\pFERkjx.exe
  C:\Windows\System\pFERkjx.exe
  2⤵
  PID:7028
- C:\Windows\System\gqaWWSq.exe
  C:\Windows\System\gqaWWSq.exe
  2⤵
  PID:7104
- C:\Windows\System\uwPeEwr.exe
  C:\Windows\System\uwPeEwr.exe
  2⤵
  PID:1340
- C:\Windows\System\pmpcIDP.exe
  C:\Windows\System\pmpcIDP.exe
  2⤵
  PID:6412
- C:\Windows\System\ulJbxxQ.exe
  C:\Windows\System\ulJbxxQ.exe
  2⤵
  PID:6768
- C:\Windows\System\IigVteA.exe
  C:\Windows\System\IigVteA.exe
  2⤵
  PID:6088
- C:\Windows\System\QlDlpZZ.exe
  C:\Windows\System\QlDlpZZ.exe
  2⤵
  PID:6556
- C:\Windows\System\LsHVWVU.exe
  C:\Windows\System\LsHVWVU.exe
  2⤵
  PID:7128
- C:\Windows\System\npUzQiO.exe
  C:\Windows\System\npUzQiO.exe
  2⤵
  PID:6664
- C:\Windows\System\NYWeXKv.exe
  C:\Windows\System\NYWeXKv.exe
  2⤵
  PID:7040
- C:\Windows\System\zpCpJHn.exe
  C:\Windows\System\zpCpJHn.exe
  2⤵
  PID:6516
- C:\Windows\System\JvziCJz.exe
  C:\Windows\System\JvziCJz.exe
  2⤵
  PID:7176
- C:\Windows\System\NpSeAWQ.exe
  C:\Windows\System\NpSeAWQ.exe
  2⤵
  PID:7204
- C:\Windows\System\sCIxdtb.exe
  C:\Windows\System\sCIxdtb.exe
  2⤵
  PID:7232
- C:\Windows\System\FTNljPR.exe
  C:\Windows\System\FTNljPR.exe
  2⤵
  PID:7260
- C:\Windows\System\oaAZRuh.exe
  C:\Windows\System\oaAZRuh.exe
  2⤵
  PID:7288
- C:\Windows\System\VdqDtCp.exe
  C:\Windows\System\VdqDtCp.exe
  2⤵
  PID:7316
- C:\Windows\System\Ewwnokc.exe
  C:\Windows\System\Ewwnokc.exe
  2⤵
  PID:7344
- C:\Windows\System\nyWhHis.exe
  C:\Windows\System\nyWhHis.exe
  2⤵
  PID:7372
- C:\Windows\System\AjsKBZd.exe
  C:\Windows\System\AjsKBZd.exe
  2⤵
  PID:7392
- C:\Windows\System\iKwqZzg.exe
  C:\Windows\System\iKwqZzg.exe
  2⤵
  PID:7428
- C:\Windows\System\SGXIZqA.exe
  C:\Windows\System\SGXIZqA.exe
  2⤵
  PID:7456
- C:\Windows\System\gAqgOCr.exe
  C:\Windows\System\gAqgOCr.exe
  2⤵
  PID:7484
- C:\Windows\System\eXcWJQR.exe
  C:\Windows\System\eXcWJQR.exe
  2⤵
  PID:7516
- C:\Windows\System\xRbfGjn.exe
  C:\Windows\System\xRbfGjn.exe
  2⤵
  PID:7544
- C:\Windows\System\iwzJYYB.exe
  C:\Windows\System\iwzJYYB.exe
  2⤵
  PID:7572
- C:\Windows\System\zhQISLW.exe
  C:\Windows\System\zhQISLW.exe
  2⤵
  PID:7600
- C:\Windows\System\YdhgqIm.exe
  C:\Windows\System\YdhgqIm.exe
  2⤵
  PID:7632
- C:\Windows\System\xyLTElf.exe
  C:\Windows\System\xyLTElf.exe
  2⤵
  PID:7664
- C:\Windows\System\JEgQDJQ.exe
  C:\Windows\System\JEgQDJQ.exe
  2⤵
  PID:7692
- C:\Windows\System\kvGMZDU.exe
  C:\Windows\System\kvGMZDU.exe
  2⤵
  PID:7720
- C:\Windows\System\dwjewYT.exe
  C:\Windows\System\dwjewYT.exe
  2⤵
  PID:7748
- C:\Windows\System\VOgLKWL.exe
  C:\Windows\System\VOgLKWL.exe
  2⤵
  PID:7776
- C:\Windows\System\KfDqesx.exe
  C:\Windows\System\KfDqesx.exe
  2⤵
  PID:7804
- C:\Windows\System\RgznHUj.exe
  C:\Windows\System\RgznHUj.exe
  2⤵
  PID:7844
- C:\Windows\System\uQSoqWL.exe
  C:\Windows\System\uQSoqWL.exe
  2⤵
  PID:7864
- C:\Windows\System\OkfDXRC.exe
  C:\Windows\System\OkfDXRC.exe
  2⤵
  PID:7892
- C:\Windows\System\BkPDjSe.exe
  C:\Windows\System\BkPDjSe.exe
  2⤵
  PID:7920
- C:\Windows\System\xNpuSfo.exe
  C:\Windows\System\xNpuSfo.exe
  2⤵
  PID:7956
- C:\Windows\System\MGVIKDn.exe
  C:\Windows\System\MGVIKDn.exe
  2⤵
  PID:7992
- C:\Windows\System\QgTfimm.exe
  C:\Windows\System\QgTfimm.exe
  2⤵
  PID:8040
- C:\Windows\System\BleNRRl.exe
  C:\Windows\System\BleNRRl.exe
  2⤵
  PID:8080
- C:\Windows\System\fkWtblW.exe
  C:\Windows\System\fkWtblW.exe
  2⤵
  PID:8112
- C:\Windows\System\RmRSjlm.exe
  C:\Windows\System\RmRSjlm.exe
  2⤵
  PID:8140
- C:\Windows\System\OSXNPRm.exe
  C:\Windows\System\OSXNPRm.exe
  2⤵
  PID:8168
- C:\Windows\System\wGQoQIK.exe
  C:\Windows\System\wGQoQIK.exe
  2⤵
  PID:7172
- C:\Windows\System\AduPzvt.exe
  C:\Windows\System\AduPzvt.exe
  2⤵
  PID:7224
- C:\Windows\System\NWXtWtj.exe
  C:\Windows\System\NWXtWtj.exe
  2⤵
  PID:7300
- C:\Windows\System\QNLWzOr.exe
  C:\Windows\System\QNLWzOr.exe
  2⤵
  PID:7356
- C:\Windows\System\pIdAXVL.exe
  C:\Windows\System\pIdAXVL.exe
  2⤵
  PID:7440
- C:\Windows\System\stvJFta.exe
  C:\Windows\System\stvJFta.exe
  2⤵
  PID:7508
- C:\Windows\System\KRewwVc.exe
  C:\Windows\System\KRewwVc.exe
  2⤵
  PID:7584
- C:\Windows\System\FJloyrK.exe
  C:\Windows\System\FJloyrK.exe
  2⤵
  PID:7652
- C:\Windows\System\mQQgjgH.exe
  C:\Windows\System\mQQgjgH.exe
  2⤵
  PID:7712
- C:\Windows\System\gFeMjcm.exe
  C:\Windows\System\gFeMjcm.exe
  2⤵
  PID:7772
- C:\Windows\System\fmPBsrT.exe
  C:\Windows\System\fmPBsrT.exe
  2⤵
  PID:7852
- C:\Windows\System\FgpqLWK.exe
  C:\Windows\System\FgpqLWK.exe
  2⤵
  PID:7916
- C:\Windows\System\PHEKRif.exe
  C:\Windows\System\PHEKRif.exe
  2⤵
  PID:8008
- C:\Windows\System\MlDjZUq.exe
  C:\Windows\System\MlDjZUq.exe
  2⤵
  PID:8092
- C:\Windows\System\TprSLdS.exe
  C:\Windows\System\TprSLdS.exe
  2⤵
  PID:7976
- C:\Windows\System\GPdjLXj.exe
  C:\Windows\System\GPdjLXj.exe
  2⤵
  PID:7256
- C:\Windows\System\uIjpknw.exe
  C:\Windows\System\uIjpknw.exe
  2⤵
  PID:7420
- C:\Windows\System\nNLPRTN.exe
  C:\Windows\System\nNLPRTN.exe
  2⤵
  PID:7564
- C:\Windows\System\aYXQuhJ.exe
  C:\Windows\System\aYXQuhJ.exe
  2⤵
  PID:7744
- C:\Windows\System\XAkWLCT.exe
  C:\Windows\System\XAkWLCT.exe
  2⤵
  PID:7904
- C:\Windows\System\NFVbgyM.exe
  C:\Windows\System\NFVbgyM.exe
  2⤵
  PID:8136
- C:\Windows\System\qEZCBjh.exe
  C:\Windows\System\qEZCBjh.exe
  2⤵
  PID:7416
- C:\Windows\System\StWtrbi.exe
  C:\Windows\System\StWtrbi.exe
  2⤵
  PID:8056
- C:\Windows\System\OypiqHv.exe
  C:\Windows\System\OypiqHv.exe
  2⤵
  PID:7704
- C:\Windows\System\JYkYUVd.exe
  C:\Windows\System\JYkYUVd.exe
  2⤵
  PID:8200
- C:\Windows\System\hsFOrTq.exe
  C:\Windows\System\hsFOrTq.exe
  2⤵
  PID:8228
- C:\Windows\System\yCiMSPW.exe
  C:\Windows\System\yCiMSPW.exe
  2⤵
  PID:8260
- C:\Windows\System\yJVdRzr.exe
  C:\Windows\System\yJVdRzr.exe
  2⤵
  PID:8288
- C:\Windows\System\MPkTDyC.exe
  C:\Windows\System\MPkTDyC.exe
  2⤵
  PID:8312
- C:\Windows\System\XiMRBnf.exe
  C:\Windows\System\XiMRBnf.exe
  2⤵
  PID:8332
- C:\Windows\System\INXkYcc.exe
  C:\Windows\System\INXkYcc.exe
  2⤵
  PID:8380
- C:\Windows\System\xebhNlz.exe
  C:\Windows\System\xebhNlz.exe
  2⤵
  PID:8408
- C:\Windows\System\ezNJSrv.exe
  C:\Windows\System\ezNJSrv.exe
  2⤵
  PID:8436
- C:\Windows\System\wQsEAvp.exe
  C:\Windows\System\wQsEAvp.exe
  2⤵
  PID:8464
- C:\Windows\System\zWmDliX.exe
  C:\Windows\System\zWmDliX.exe
  2⤵
  PID:8492
- C:\Windows\System\zLSBVek.exe
  C:\Windows\System\zLSBVek.exe
  2⤵
  PID:8520
- C:\Windows\System\BoTyXny.exe
  C:\Windows\System\BoTyXny.exe
  2⤵
  PID:8548
- C:\Windows\System\mbXCDBZ.exe
  C:\Windows\System\mbXCDBZ.exe
  2⤵
  PID:8576
- C:\Windows\System\eWERQcU.exe
  C:\Windows\System\eWERQcU.exe
  2⤵
  PID:8608
- C:\Windows\System\ZiDzCXx.exe
  C:\Windows\System\ZiDzCXx.exe
  2⤵
  PID:8636
- C:\Windows\System\pptmfcX.exe
  C:\Windows\System\pptmfcX.exe
  2⤵
  PID:8660
- C:\Windows\System\mUIlaMs.exe
  C:\Windows\System\mUIlaMs.exe
  2⤵
  PID:8688
- C:\Windows\System\ClkXfFo.exe
  C:\Windows\System\ClkXfFo.exe
  2⤵
  PID:8716
- C:\Windows\System\XOiBfdP.exe
  C:\Windows\System\XOiBfdP.exe
  2⤵
  PID:8740
- C:\Windows\System\rnXPDFf.exe
  C:\Windows\System\rnXPDFf.exe
  2⤵
  PID:8780
- C:\Windows\System\rdaUPkm.exe
  C:\Windows\System\rdaUPkm.exe
  2⤵
  PID:8808
- C:\Windows\System\IwumtbA.exe
  C:\Windows\System\IwumtbA.exe
  2⤵
  PID:8840
- C:\Windows\System\PCijTQr.exe
  C:\Windows\System\PCijTQr.exe
  2⤵
  PID:8876
- C:\Windows\System\ImtryNR.exe
  C:\Windows\System\ImtryNR.exe
  2⤵
  PID:8904
- C:\Windows\System\OmjEhkl.exe
  C:\Windows\System\OmjEhkl.exe
  2⤵
  PID:8924
- C:\Windows\System\yZOaLrf.exe
  C:\Windows\System\yZOaLrf.exe
  2⤵
  PID:8956
- C:\Windows\System\aKpYVxs.exe
  C:\Windows\System\aKpYVxs.exe
  2⤵
  PID:8984
- C:\Windows\System\xpvOsLh.exe
  C:\Windows\System\xpvOsLh.exe
  2⤵
  PID:9012
- C:\Windows\System\ONJBhFC.exe
  C:\Windows\System\ONJBhFC.exe
  2⤵
  PID:9032
- C:\Windows\System\BxIgIqX.exe
  C:\Windows\System\BxIgIqX.exe
  2⤵
  PID:9056
- C:\Windows\System\SxSDBZA.exe
  C:\Windows\System\SxSDBZA.exe
  2⤵
  PID:9084
- C:\Windows\System\EVoiiRG.exe
  C:\Windows\System\EVoiiRG.exe
  2⤵
  PID:9128
- C:\Windows\System\RsJxVyP.exe
  C:\Windows\System\RsJxVyP.exe
  2⤵
  PID:9168
- C:\Windows\System\MeXRQlc.exe
  C:\Windows\System\MeXRQlc.exe
  2⤵
  PID:9200
- C:\Windows\System\AgzHQmA.exe
  C:\Windows\System\AgzHQmA.exe
  2⤵
  PID:8236
- C:\Windows\System\viizmVc.exe
  C:\Windows\System\viizmVc.exe
  2⤵
  PID:8300
- C:\Windows\System\iCZoDxI.exe
  C:\Windows\System\iCZoDxI.exe
  2⤵
  PID:8324
- C:\Windows\System\AcMJJeu.exe
  C:\Windows\System\AcMJJeu.exe
  2⤵
  PID:8452
- C:\Windows\System\jipzebe.exe
  C:\Windows\System\jipzebe.exe
  2⤵
  PID:8512
- C:\Windows\System\bdMyDwO.exe
  C:\Windows\System\bdMyDwO.exe
  2⤵
  PID:8656
- C:\Windows\System\GoWlbKh.exe
  C:\Windows\System\GoWlbKh.exe
  2⤵
  PID:8728
- C:\Windows\System\CpCnapM.exe
  C:\Windows\System\CpCnapM.exe
  2⤵
  PID:8856
- C:\Windows\System\lzXpfXE.exe
  C:\Windows\System\lzXpfXE.exe
  2⤵
  PID:8948
- C:\Windows\System\AfUSpTz.exe
  C:\Windows\System\AfUSpTz.exe
  2⤵
  PID:9000
- C:\Windows\System\Fszwzyo.exe
  C:\Windows\System\Fszwzyo.exe
  2⤵
  PID:9072
- C:\Windows\System\ybumrMk.exe
  C:\Windows\System\ybumrMk.exe
  2⤵
  PID:8280
- C:\Windows\System\XZCOPVf.exe
  C:\Windows\System\XZCOPVf.exe
  2⤵
  PID:8488
- C:\Windows\System\oqHWQao.exe
  C:\Windows\System\oqHWQao.exe
  2⤵
  PID:8820
- C:\Windows\System\NVTyLsn.exe
  C:\Windows\System\NVTyLsn.exe
  2⤵
  PID:9040
- C:\Windows\System\sJikgHG.exe
  C:\Windows\System\sJikgHG.exe
  2⤵
  PID:8460
- C:\Windows\System\IuIWezr.exe
  C:\Windows\System\IuIWezr.exe
  2⤵
  PID:8712
- C:\Windows\System\pSTJZhx.exe
  C:\Windows\System\pSTJZhx.exe
  2⤵
  PID:9248
- C:\Windows\System\fphzOqo.exe
  C:\Windows\System\fphzOqo.exe
  2⤵
  PID:9276

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BtidAKf.exe

Filesize
2.0MB

MD5
e99d8e523f0eb809a570f4208723e5eb

SHA1
689a40e25c6d1a9bc6e4e3e45c046a7929a84d74

SHA256
bc4f5afd56046543d39f8952b7e25c99c88baebf1013004e409a2647146be4f1

SHA512
e1970ef295738bd385aebc009fddc5050d13a8a4e8723ac8ff785f9b8c89569e09f24772758509df6b7c8c76208517034484dfe42985dd3526cd30687d3f4ed4

Download Submit
C:\Windows\System\DpmkbqZ.exe

Filesize
2.0MB

MD5
07e711678539d511151db1cb7004631e

SHA1
135e300a809423d1201d7f8a5040f00a355ed8a3

SHA256
01e8f46cb03144721137d8de9e95550537b62c12bdedcbfc1f1c25149f510729

SHA512
4fbfc2b9cc30a1f3c0f9b6a8736d63cc16eee6ff74757e2177179b935a925044c56ea685a04cb1a06f498c00680a0b4bb89fc70b5a1e18950ef2ec33323f3bb6

Download Submit
C:\Windows\System\FJumWun.exe

Filesize
2.0MB

MD5
abbfd4b80a4d547d0c6d77505a62c794

SHA1
38865c14adac97983cb574d75e3a151ad77fc832

SHA256
be8283bf8ce0c3d20fdcbd683bf278ce24fd8cc783592a43262d8cfc1b500f56

SHA512
90f21219ebd98b70042da97fd0963bded6ff8a2a451cfd434cd360a5e2dd65afd54fbbf66ae88d2c34e8e1d5c56cda89e013d56485a44f511c7eba81f9c7b321

Download Submit
C:\Windows\System\GDZMGrs.exe

Filesize
2.0MB

MD5
817018e06daf48275a3d220790b8d852

SHA1
8eb3e5a79a63bd2aca4ddb61d2637dc57d645aee

SHA256
cf0c413c7c85a18fb0fec9623b84f373b8aa162834ecb5b3e446fd405d393fe5

SHA512
ca40322cd5f19e73971200c2d3a73181c2f4974187214be11af33c31595b2fd278c0c3c8ee3299353308bc63f14559d01cdcffc2a533e45c0d8aafdc225c3bb4

Download Submit
C:\Windows\System\GbesPQD.exe

Filesize
2.0MB

MD5
37df0bcb142768e2013fb41fcc7e3ff8

SHA1
0d9070c0b57e98db68ef383414954faf6a16ffa3

SHA256
1fb82228b7d33d5feb482db208c4430203e06c16dd5cac520b322e2f72213146

SHA512
2c829a5fe355ec3309e3fa8e83ec47117dddb4565204d3d2184d23ad467dbeb550d204726473903f7e9c9ca291c9675d35a14b89c5af4cdcbc9c072c41bd5e75

Download Submit
C:\Windows\System\HrjNgzI.exe

Filesize
2.0MB

MD5
32d6b4e46c5368d8945274b304b5d10e

SHA1
165c874e66103d6a8b03c6c993204f9bea7ad297

SHA256
671e34af3133ccc4c248caf3c17130110b45b6d2918d7ef0b2cb5ac6b732c74e

SHA512
07fb1212691d92ef57817ced60ad301eb6c88a2af919cba641858d14af7030bdbd896786e28b3a7defc7f032f8f835024c024d86f317d9faa4e176ddbd3ebe9c

Download Submit
C:\Windows\System\JBfqiBm.exe

Filesize
2.0MB

MD5
f54eb99acd167c7002fb3d2c6abe4165

SHA1
319378602ea93a35c2ced54d587195f80ae9d3e6

SHA256
573345130fd7d62dd6212d142ddbc69c60bcc7e54eaa05745ba4e50530659ef8

SHA512
b734dc140ccd3d88c1c878fb22ffe6d6cc85c6a9f45f39f44f4dad79297231a26e96721bd4d1a9f24ef6da7ec6f1b7c03adbb41a8bd3430941bbc9e3c438bb9c

Download Submit
C:\Windows\System\KdYDMSO.exe

Filesize
2.0MB

MD5
10da9edf301db2fabd6f6a32d223737b

SHA1
2e38c60ac3f7252f9a8eeab335f883ce133b24d6

SHA256
6424b91ebcadc37b74efe92c3fa8e697290f6981b0ffddbc23475f7e75c17686

SHA512
41a53414987223ddf27826ccccd25f1a37f1f4fc32aebec81097821600e97802f2ad5de72adae9e296e943ca3985d2f1b064d0af2d2ea38c82ecdedf11b0f7df

Download Submit
C:\Windows\System\KkOzPfJ.exe

Filesize
2.0MB

MD5
598be28cb08aabcb1c5398dc28a38d91

SHA1
e0e6bbf0ec695977eb58a33b6948e25662ba0e5f

SHA256
1879e6ad9f542fa6d96f0a29903fec14a40b1eb02540bb85f523365d1c70930d

SHA512
e177d147db0c371256e486328175b0d000953564b955b3ab7b52d64ab23b059ebed3620e24f1445826c05b305c972812a5e5084ce639d3e1d184c227eacb0290

Download Submit
C:\Windows\System\LPvCRnk.exe

Filesize
2.0MB

MD5
3fc63be0e3153d99890c564c98f065b9

SHA1
a209ac89f1793424a8e7137566d175ba84ccb23a

SHA256
9ed040f1eefbc6fef5d22d0c920598f82916d934d57373fe834ebc435b39edc2

SHA512
4859acb37e7cbe6d36ea10438437dded9e60f074cd0ad8a384a93fb35ca6bc418af37fa6f14b4a3f5cb9f29eecacd25042b3ae6c4557b6f570c072361b3fbb00

Download Submit
C:\Windows\System\MYIRURF.exe

Filesize
2.0MB

MD5
3f2764b942e9c54c88a505d0db5a90b9

SHA1
7f4d3406478c8edba200ea15feeb8a0e35e9babc

SHA256
cb66f201a6225ccfae12c984fafbdf45fb968e9470cd365a51069f7845ca5140

SHA512
72a3cd7a6acb8dd66897bef6141779251c57a71a4e4d27a3e6c4ddf5dccbcc533223659247d5eaee91612996347bf2df0623bda79bce30422ec08e09bec4be3e

Download Submit
C:\Windows\System\RYVVToH.exe

Filesize
2.0MB

MD5
b0e0c8711fa84bba2eebffef9b08f3d1

SHA1
34605ca805d4d08f74a9f61d9fab9b8a3cf6bbaa

SHA256
687bcfe29ccff75256584dcbe7b0f73c24e456e0a83e5d5077188956e17f2bb7

SHA512
515a802ea9e0a7386ae6b844d86dc6833404ac341cb7d0565b722f4ea6be0b6f63e536126a6361a2059eb597967335043fd36de5ba7542db4809a246d8ca6882

Download Submit
C:\Windows\System\UHkRodZ.exe

Filesize
2.0MB

MD5
7f0b411d0f2e8298a91af91599a5c7a2

SHA1
570f07eab3f76c68ac74857c7f1563849b8fd417

SHA256
6d8fa345d14bb20e037576def78bceb65ab457f2391fad368a8779ec0eda3409

SHA512
2044abec8e2e1a72ef4d9f146fa9ba566c07b3851f5e201416c6882985f7383efa4c4d56b6b72370024087942ab66b706dcebd1b78539440ff495da8485743c1

Download Submit
C:\Windows\System\WTPZZcT.exe

Filesize
2.0MB

MD5
203e273378b23ef1f5ffafe97d4e50a0

SHA1
0f65b3f5c837ba12bf991742988c96de6d63c4bc

SHA256
81de37204142a9f57d16805b80a73f650228b506a12d1265f5750242cedef791

SHA512
eff46c5499f7584e2af434f3c3a9d70adcd47447ff83555aa8c674736c51200b9fe2dc72e9d16f287e73f60d7035f9fb9e6922d50d2071e562f9bfe96953cc86

Download Submit
C:\Windows\System\WarbImf.exe

Filesize
2.0MB

MD5
b69234bc25c5c956a17a12e29e4702b4

SHA1
b17b4cd7c1c27741e6845f2d7b5642f34ab4594f

SHA256
10b16cb9fb9660939edeab278399a83b6a3a16b6459cb24aacc84e3e7496651c

SHA512
efcca32b34ed415ca62137d74828ffe1a194e9d3d0411b99baaaab187c74ea4bd2a0b1e1beb164ef14a2f01c2f55f906abb866f4b2241731f77cce54175fe300

Download Submit
C:\Windows\System\XMjFXvt.exe

Filesize
2.0MB

MD5
e9a11730f10f5b71e2d84e3e287252cf

SHA1
49ea4f7cd98be89632ccf9fa1521010949952dbc

SHA256
0ecb1dcdb5e3fb13c2dcfb832dbbc4e4bd3f2ab89c273449985cd769467bef85

SHA512
d6e051ced592c16bf0b8b86029271617adbe101397d1233cbffddfb9adc0d9d0e85cc93e3a331390466b1e2281221271c1b4dfaa1c2c776849c510e04a2edbdb

Download Submit
C:\Windows\System\YCjSFID.exe

Filesize
2.0MB

MD5
9524678dc2845a4f15a83030f8237374

SHA1
d93c732beab03ea61286cdf85624c5bb46e499e6

SHA256
143b563bed0eab7dcd11ba88b4e57e6d438602674f45a0e8bd15b0a287ceba06

SHA512
0edb42e4cceacab76fba0c7bd369d59e6af738f3993fd271d3d3ec64516cf8b0f301f73fed48a3c7a17548453acd96d5b60e8db296e08488ce82b45d3057652e

Download Submit
C:\Windows\System\agfvUHs.exe

Filesize
2.0MB

MD5
7b42b6173bc09355aaccd268ddf35fb8

SHA1
01beb40337385ba385cc8782ccb447f5355456a5

SHA256
97422e54d46fcd707107d60ee90a91f4a5ae02325bf8a5eb76d7320fe3ee6a61

SHA512
e64b4f5d9049a375a56632996d31ebf97962bc39b7b3fa4c949ce7a5d766736cd9e3d4dede7d3bb7e0ee0b644be946b4a0fe353e51ba1aac2a053cdc145598ac

Download Submit
C:\Windows\System\akYhoYl.exe

Filesize
2.0MB

MD5
87ffaf14f9fc4ee21fa9c4a649bc7034

SHA1
996b8d6416d073a76623b35b02a5abd177bef082

SHA256
fdbb75daacb74435e23ca0c7456296fb95fd0d3f9c167c0f42d4e10a5235663c

SHA512
f81b2d4dcae8fd9f3be3962e7fe2772678d769b01be9a473b1e0e59257027cd49b6ab9fa5cc17993bbf4023e747f39db161f5fc1b0e5a33699a29f0859b64391

Download Submit
C:\Windows\System\cOqDwoF.exe

Filesize
2.0MB

MD5
a29162e4c565bb4ca841200b189c16ea

SHA1
c231d0c629572853ca4c173035239b100fda8234

SHA256
eadffb331c47b713b571fd4442a51e7b760ed1c02472f83fef56493f728c11dd

SHA512
a0266f44dd2b3b8bc09f344172527cfc306a0cc6a4c7fee1d6347b63020b9b7302950c6ca0e6d703aaedabf1bd047f0dce0154f384e581096c0d162137d30dc8

Download Submit
C:\Windows\System\eMHSKCG.exe

Filesize
2.0MB

MD5
460e122828059b8e4ea4c558737fb2fd

SHA1
51af9037acedcee9a5ac9b24910c3444e65f8628

SHA256
c591e62b45f01170ed8a9ef1640ed75e7c63e9621ed2a38e5635b3a8632bd6b6

SHA512
cf4e8cfc14746f9e7da3e2bc119a90f0999dfdbe10722fd0212a6c36a4dd8ce48602d8d6b1a657e38f094ff98d82c95b5b2a53077bbd83b9636e15ca98b8e1a4

Download Submit
C:\Windows\System\fHReenh.exe

Filesize
2.0MB

MD5
8bad1ba1e2e08a97a30042079d63c1bf

SHA1
cedf3d34bf46557733e578f4b741905ca9b156e3

SHA256
c57983da77af090558e515cc34f21c4b79897dc0a10c6876358cd51488a497a6

SHA512
77c872f91bf605a5e282fc88d2f658b9d67747409ddd8c9b5fc8a2b3f9af55337624f750f6aa0f9d17aabec46e0f08386b2608ea62a81f83d6553bc828479a28

Download Submit
C:\Windows\System\furxQDj.exe

Filesize
2.0MB

MD5
c4b30038b3c75f704e2c91cae4146382

SHA1
85b3c40b1ab685d5bfbc38c16166cc28afe32dcd

SHA256
2ade6896147ee5376f87a6c7aea2852b0d470dcc7a9fa67cabb6e03003e5184f

SHA512
23a04d6ab094ea6bdb0a20dbe0ec8151ba8996ce5d5ba3b6b7387e9eeae8ba235562a71ce434bfd8eb94a4110255b4c7b091b40920f83930d7ce396f083a58b9

Download Submit
C:\Windows\System\gpckrdf.exe

Filesize
2.0MB

MD5
41b5855d9c39c534964c7cad12c9233f

SHA1
f0f4a9c470722e1c6d72eb50082cc3580d20b5c2

SHA256
7380ef1256fe44896afa753b58cfa85295d1ea8397ea22bd9e6e59bbab2e1b6e

SHA512
6facd525dae7d5d18db0d53fba1e6acb09137198b1276fd03aa78fb25b5c93fa08df0d29d2ad9add9408e487b62b976e4596567d1a7f191d6446bb68ee4856dd

Download Submit
C:\Windows\System\ieCpxjQ.exe

Filesize
2.0MB

MD5
3c1e265cf842476bfbba917b17dc8ba8

SHA1
0bf63371c3306ec02ca8defbdb6f9615e5b763b4

SHA256
867d7e7c1e01fc321047b8b3774d34f5a89ff69df4bc4b13f1bccd0acfeba739

SHA512
8b05c2203171dd98256e443d0d0ac0246c5d969e3d0bc3a029b06fb25cc051ef69a98dfbae3a3a662611b0677005cc57ae4e56ce67bb9f78da98235464b06f6e

Download Submit
C:\Windows\System\lLwrvpk.exe

Filesize
2.0MB

MD5
e68a71dfb29de2e25fadc14b0d6c6781

SHA1
50f513b5508a877bea76c6f73ac78fe0976f1c5e

SHA256
e46cb18e5f6d6eb0b1f68bfb8e85c030e99218d711f89ad6aab7ff2f9026e1c8

SHA512
b8128d48f81eed440ed0ff1d082ef2bde15e0e70d5c5b92a0a48c0afcaf67b47ff3198b99ad51852206605d29b2dea530435d2b5fa9ef14309392cd2c2456ee1

Download Submit
C:\Windows\System\qtaxBSm.exe

Filesize
2.0MB

MD5
30c1c19f780a84b44cf635ff638ad811

SHA1
338cb4b7ce3ba72a9c52b3af6a4a3c8d1bbe3dbc

SHA256
c5bbd71b7b793be682b786de5f962ce4cb711a36533d3c81a765e07b40f406c7

SHA512
2000dfda78db067c10c9dbe71d0d5304ec97049199cfd04338f2fb06bf848afa0ef0aaba48e8d6b34b8c263457ba0a92b19b269afaaa8da650cfbaa8b858c5c4

Download Submit
C:\Windows\System\sIQtBmB.exe

Filesize
2.0MB

MD5
a34ce03aa0736c9fbf06b7eef9d4674d

SHA1
fa1a541d6af4513e2fab1d21f0a33f51e3d51061

SHA256
b66d89210d7d810303d8dcf9a1d9e1ebece60af1bf1ad3735eb4c9d06f6667f0

SHA512
b7154d6c9a859f0830555001a4bb29ddbd6bd06d693d851a75b54ba6cc3b4ef7f421aa954f6585e3b2a1d1311c41fd188c996be67ef6560ed5c3e62abbf6464c

Download Submit
C:\Windows\System\vKipLyE.exe

Filesize
2.0MB

MD5
9e07936cb2ec70d00186e6ee6cb1ea1e

SHA1
53881be2cb8c3de6291a21fd7ab952926f4d1da4

SHA256
ed5b91de5ad2468e6ac5d478181de2bed63f406ba8d3331a59a4cb6364f4338a

SHA512
89247a1114d633bd81288839629f30eab4512f4445b052995f211dfca88498b49d9e3ec65184119076a7deef3f31ee29a6dcd3e8e80713d1aa36022aa7c50993

Download Submit
C:\Windows\System\wpkMtLc.exe

Filesize
2.0MB

MD5
398cfa23a8db631311bb78fda8165571

SHA1
3d3a6c4a31e0a628fc2335b1e96e6c5a31baf249

SHA256
0a735cab57d442fac6f9541489ab1d68902bfdf66cd065ea4a8aefa02796a664

SHA512
834b0c8c5873004fceedb94451f7d03682c66254d7eccbbc841e7c751c8a490b1cfa8301cfb9179e4010e5afa3d6d1be9535838b181c64902a52ae1cc5893c42

Download Submit
C:\Windows\System\xczhqBY.exe

Filesize
2.0MB

MD5
0bc8528ddf77a892bce96a8a30ee80aa

SHA1
d32623dd2208fecef838200120c261fa28c0f797

SHA256
0a960f5cf347fbf9581f911c40b3038d33d96c93da828cb0a0801fdf53d87457

SHA512
9f3248844c8108db719be496ffa968e3d71c0cceba2e3f99f2f9fc232bfb20f3015bd0642c97facfb119b52ae54c6b9d70c105f37ceb3fc2dea54a9afbabbf79

Download Submit
C:\Windows\System\xxKKfzN.exe

Filesize
2.0MB

MD5
99e8bccb6a83a9c27b383cf97caa1340

SHA1
c8bd1747bd2cd39e59d66c40cab2f40881158c79

SHA256
e51e628a2df641f0ad321c5f46df68c1791b127586ddaf9a74a1864733dd96e2

SHA512
b94599658c13ed7df6ce9dc1844085b59391e30717bb064a800139da1ec978b37c66743fb1f6752a65bca04cc2b4cac5d4ef999dee33f0a3a3fd7d7fa9dcec3a

Download Submit
C:\Windows\System\zGlptCY.exe

Filesize
2.0MB

MD5
22741143a080d19a6d6ba9d541b3d249

SHA1
5a44dc36c0241034805571ef2f71e06cc895a9e0

SHA256
71d135d04fbfeb66ef6d417088a4139b40c2f69810dcd9bbecbca5d89c8afff8

SHA512
91b641b981a5a3a86931ff175a02f5102b80327c55acd67d5b024444a1a71500b6142256224bbb23edf5c3a0139f9b9f7219575f60ff9ef0c816560777b3c38d

Download Submit
memory/3540-0-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download