cobaltstrike | 30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d

Analysis

max time kernel
146s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
Size

6.0MB
MD5

7c02d94a7005b0492b57eec9dadd2fb4
SHA1

87db1cc02e913595fffc460f4e32aecacd34843d
SHA256

30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d
SHA512

7edc481ab41d149bb4ba9d3a629848f224c96f16b592dbcc3d46c95dda959ed516cc807b705c6b34cd119cc595401a24310850612fecd2e9b69e1f20c9e89161
SSDEEP

98304:oemTLkNdfE0pZrD56utgpPFotBER/mQ32lU0:T+q56utgpPF8u/70

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 32 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0006000000021e21-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024231-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024230-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024232-25.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024233-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024234-32.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024235-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024236-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024237-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024239-62.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002423c-84.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002423b-87.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002423d-100.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002423f-110.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002423e-106.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002423a-74.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002422d-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024240-116.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024241-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024242-130.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024243-137.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024245-148.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024248-169.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024247-167.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024246-157.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024249-181.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000024070-185.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000024076-189.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000024244-144.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002424a-195.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001da2c-206.dat	cobalt_reflective_dll
behavioral2/files/0x0004000000016918-201.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/6116-0-0x00007FF7ABBA0000-0x00007FF7ABEF4000-memory.dmp	xmrig
behavioral2/files/0x0006000000021e21-4.dat	xmrig
behavioral2/memory/1356-8-0x00007FF684980000-0x00007FF684CD4000-memory.dmp	xmrig
behavioral2/files/0x0007000000024231-10.dat	xmrig
behavioral2/memory/1800-13-0x00007FF6C8450000-0x00007FF6C87A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000024230-12.dat	xmrig
behavioral2/memory/216-19-0x00007FF732A90000-0x00007FF732DE4000-memory.dmp	xmrig
behavioral2/files/0x0007000000024232-25.dat	xmrig
behavioral2/memory/1564-24-0x00007FF74AEA0000-0x00007FF74B1F4000-memory.dmp	xmrig
behavioral2/files/0x0007000000024233-28.dat	xmrig
behavioral2/files/0x0007000000024234-32.dat	xmrig
behavioral2/files/0x0007000000024235-41.dat	xmrig
behavioral2/files/0x0007000000024236-49.dat	xmrig
behavioral2/memory/2964-48-0x00007FF709C80000-0x00007FF709FD4000-memory.dmp	xmrig
behavioral2/memory/4220-44-0x00007FF710EC0000-0x00007FF711214000-memory.dmp	xmrig
behavioral2/memory/1692-35-0x00007FF6293C0000-0x00007FF629714000-memory.dmp	xmrig
behavioral2/memory/4424-30-0x00007FF758490000-0x00007FF7587E4000-memory.dmp	xmrig
behavioral2/files/0x0007000000024237-57.dat	xmrig
behavioral2/memory/5332-55-0x00007FF65E4F0000-0x00007FF65E844000-memory.dmp	xmrig
behavioral2/files/0x0007000000024239-62.dat	xmrig
behavioral2/memory/1688-72-0x00007FF757610000-0x00007FF757964000-memory.dmp	xmrig
behavioral2/files/0x000700000002423c-84.dat	xmrig
behavioral2/files/0x000700000002423b-87.dat	xmrig
behavioral2/memory/4424-93-0x00007FF758490000-0x00007FF7587E4000-memory.dmp	xmrig
behavioral2/files/0x000700000002423d-100.dat	xmrig
behavioral2/memory/4644-105-0x00007FF73E3F0000-0x00007FF73E744000-memory.dmp	xmrig
behavioral2/files/0x000700000002423f-110.dat	xmrig
behavioral2/files/0x000700000002423e-106.dat	xmrig
behavioral2/memory/1692-104-0x00007FF6293C0000-0x00007FF629714000-memory.dmp	xmrig
behavioral2/memory/4548-103-0x00007FF6829D0000-0x00007FF682D24000-memory.dmp	xmrig
behavioral2/memory/4608-101-0x00007FF7A6FD0000-0x00007FF7A7324000-memory.dmp	xmrig
behavioral2/memory/4460-89-0x00007FF60BAB0000-0x00007FF60BE04000-memory.dmp	xmrig
behavioral2/memory/1564-86-0x00007FF74AEA0000-0x00007FF74B1F4000-memory.dmp	xmrig
behavioral2/memory/3732-85-0x00007FF674750000-0x00007FF674AA4000-memory.dmp	xmrig
behavioral2/memory/216-81-0x00007FF732A90000-0x00007FF732DE4000-memory.dmp	xmrig
behavioral2/memory/1800-77-0x00007FF6C8450000-0x00007FF6C87A4000-memory.dmp	xmrig
behavioral2/memory/4416-75-0x00007FF6CF360000-0x00007FF6CF6B4000-memory.dmp	xmrig
behavioral2/files/0x000700000002423a-74.dat	xmrig
behavioral2/memory/1356-73-0x00007FF684980000-0x00007FF684CD4000-memory.dmp	xmrig
behavioral2/memory/5784-70-0x00007FF7ACA30000-0x00007FF7ACD84000-memory.dmp	xmrig
behavioral2/memory/6116-69-0x00007FF7ABBA0000-0x00007FF7ABEF4000-memory.dmp	xmrig
behavioral2/files/0x000800000002422d-63.dat	xmrig
behavioral2/memory/4220-112-0x00007FF710EC0000-0x00007FF711214000-memory.dmp	xmrig
behavioral2/files/0x0007000000024240-116.dat	xmrig
behavioral2/memory/4708-119-0x00007FF74F750000-0x00007FF74FAA4000-memory.dmp	xmrig
behavioral2/files/0x0007000000024241-121.dat	xmrig
behavioral2/memory/5332-125-0x00007FF65E4F0000-0x00007FF65E844000-memory.dmp	xmrig
behavioral2/files/0x0007000000024242-130.dat	xmrig
behavioral2/memory/4796-132-0x00007FF6040F0000-0x00007FF604444000-memory.dmp	xmrig
behavioral2/memory/5616-126-0x00007FF7751E0000-0x00007FF775534000-memory.dmp	xmrig
behavioral2/memory/2964-118-0x00007FF709C80000-0x00007FF709FD4000-memory.dmp	xmrig
behavioral2/files/0x0007000000024243-137.dat	xmrig
behavioral2/memory/4416-142-0x00007FF6CF360000-0x00007FF6CF6B4000-memory.dmp	xmrig
behavioral2/files/0x0007000000024245-148.dat	xmrig
behavioral2/memory/6004-166-0x00007FF67FA40000-0x00007FF67FD94000-memory.dmp	xmrig
behavioral2/memory/5180-173-0x00007FF799BE0000-0x00007FF799F34000-memory.dmp	xmrig
behavioral2/memory/4608-172-0x00007FF7A6FD0000-0x00007FF7A7324000-memory.dmp	xmrig
behavioral2/memory/6080-171-0x00007FF7C6760000-0x00007FF7C6AB4000-memory.dmp	xmrig
behavioral2/files/0x0007000000024248-169.dat	xmrig
behavioral2/files/0x0007000000024247-167.dat	xmrig
behavioral2/memory/4548-161-0x00007FF6829D0000-0x00007FF682D24000-memory.dmp	xmrig
behavioral2/memory/4460-160-0x00007FF60BAB0000-0x00007FF60BE04000-memory.dmp	xmrig
behavioral2/files/0x0007000000024246-157.dat	xmrig
behavioral2/memory/4644-177-0x00007FF73E3F0000-0x00007FF73E744000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1356	vUqZmSm.exe
1800	YpmVltQ.exe
216	OyHqdtg.exe
1564	exYYtJK.exe
4424	iVnHOCC.exe
1692	RPFcqhh.exe
4220	eMXhMJV.exe
2964	IywgVTZ.exe
5332	koPgaXi.exe
5784	TbhydIg.exe
1688	vLMoLhx.exe
4416	ilYHgNd.exe
3732	xBmFAqc.exe
4460	EPPBaMb.exe
4608	svhOlIk.exe
4548	bpgxMSQ.exe
4644	UbIvUZL.exe
4708	rIhxCBQ.exe
5616	vTgbryk.exe
4796	gbXrMeF.exe
5112	WeGmPHC.exe
1588	mTBfBKc.exe
5544	XgLMHJJ.exe
6004	psEElAw.exe
5180	koNxbLx.exe
6080	GoCTKIq.exe
2804	PsBsMVn.exe
5076	FYXyzGo.exe
5192	hwGmAty.exe
3528	OhGYWYk.exe
1696	cXyfiOR.exe
3540	JNVgJYJ.exe
5552	JSgwQGW.exe
5908	FZtVIlX.exe
528	kNaimtl.exe
2240	tfhZzxz.exe
4688	ULysZVS.exe
1752	GyrTwJM.exe
1448	LvzdiIU.exe
776	NkzKZjk.exe
4428	wOnRmEg.exe
1080	yBunMhU.exe
3148	niwkVEe.exe
1652	rhxGtZc.exe
5968	pGdvWBv.exe
4140	HkOreoU.exe
5468	NefdiWD.exe
1972	lmOMzUE.exe
2676	LFUcmHy.exe
5728	ZvXolPg.exe
2680	CqLimoq.exe
2924	cqnCLqq.exe
784	ogMrMxO.exe
5352	BzRKnay.exe
4020	lCJsBWX.exe
5692	SJiydlo.exe
5336	kIKEKgW.exe
928	EdiqziJ.exe
2956	TOfuJxn.exe
1876	byCKuRl.exe
6084	hUQedJh.exe
4572	vNpWath.exe
4756	OtMUJsg.exe
3552	GteNKuV.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/6116-0-0x00007FF7ABBA0000-0x00007FF7ABEF4000-memory.dmp	upx
behavioral2/files/0x0006000000021e21-4.dat	upx
behavioral2/memory/1356-8-0x00007FF684980000-0x00007FF684CD4000-memory.dmp	upx
behavioral2/files/0x0007000000024231-10.dat	upx
behavioral2/memory/1800-13-0x00007FF6C8450000-0x00007FF6C87A4000-memory.dmp	upx
behavioral2/files/0x0007000000024230-12.dat	upx
behavioral2/memory/216-19-0x00007FF732A90000-0x00007FF732DE4000-memory.dmp	upx
behavioral2/files/0x0007000000024232-25.dat	upx
behavioral2/memory/1564-24-0x00007FF74AEA0000-0x00007FF74B1F4000-memory.dmp	upx
behavioral2/files/0x0007000000024233-28.dat	upx
behavioral2/files/0x0007000000024234-32.dat	upx
behavioral2/files/0x0007000000024235-41.dat	upx
behavioral2/files/0x0007000000024236-49.dat	upx
behavioral2/memory/2964-48-0x00007FF709C80000-0x00007FF709FD4000-memory.dmp	upx
behavioral2/memory/4220-44-0x00007FF710EC0000-0x00007FF711214000-memory.dmp	upx
behavioral2/memory/1692-35-0x00007FF6293C0000-0x00007FF629714000-memory.dmp	upx
behavioral2/memory/4424-30-0x00007FF758490000-0x00007FF7587E4000-memory.dmp	upx
behavioral2/files/0x0007000000024237-57.dat	upx
behavioral2/memory/5332-55-0x00007FF65E4F0000-0x00007FF65E844000-memory.dmp	upx
behavioral2/files/0x0007000000024239-62.dat	upx
behavioral2/memory/1688-72-0x00007FF757610000-0x00007FF757964000-memory.dmp	upx
behavioral2/files/0x000700000002423c-84.dat	upx
behavioral2/files/0x000700000002423b-87.dat	upx
behavioral2/memory/4424-93-0x00007FF758490000-0x00007FF7587E4000-memory.dmp	upx
behavioral2/files/0x000700000002423d-100.dat	upx
behavioral2/memory/4644-105-0x00007FF73E3F0000-0x00007FF73E744000-memory.dmp	upx
behavioral2/files/0x000700000002423f-110.dat	upx
behavioral2/files/0x000700000002423e-106.dat	upx
behavioral2/memory/1692-104-0x00007FF6293C0000-0x00007FF629714000-memory.dmp	upx
behavioral2/memory/4548-103-0x00007FF6829D0000-0x00007FF682D24000-memory.dmp	upx
behavioral2/memory/4608-101-0x00007FF7A6FD0000-0x00007FF7A7324000-memory.dmp	upx
behavioral2/memory/4460-89-0x00007FF60BAB0000-0x00007FF60BE04000-memory.dmp	upx
behavioral2/memory/1564-86-0x00007FF74AEA0000-0x00007FF74B1F4000-memory.dmp	upx
behavioral2/memory/3732-85-0x00007FF674750000-0x00007FF674AA4000-memory.dmp	upx
behavioral2/memory/216-81-0x00007FF732A90000-0x00007FF732DE4000-memory.dmp	upx
behavioral2/memory/1800-77-0x00007FF6C8450000-0x00007FF6C87A4000-memory.dmp	upx
behavioral2/memory/4416-75-0x00007FF6CF360000-0x00007FF6CF6B4000-memory.dmp	upx
behavioral2/files/0x000700000002423a-74.dat	upx
behavioral2/memory/1356-73-0x00007FF684980000-0x00007FF684CD4000-memory.dmp	upx
behavioral2/memory/5784-70-0x00007FF7ACA30000-0x00007FF7ACD84000-memory.dmp	upx
behavioral2/memory/6116-69-0x00007FF7ABBA0000-0x00007FF7ABEF4000-memory.dmp	upx
behavioral2/files/0x000800000002422d-63.dat	upx
behavioral2/memory/4220-112-0x00007FF710EC0000-0x00007FF711214000-memory.dmp	upx
behavioral2/files/0x0007000000024240-116.dat	upx
behavioral2/memory/4708-119-0x00007FF74F750000-0x00007FF74FAA4000-memory.dmp	upx
behavioral2/files/0x0007000000024241-121.dat	upx
behavioral2/memory/5332-125-0x00007FF65E4F0000-0x00007FF65E844000-memory.dmp	upx
behavioral2/files/0x0007000000024242-130.dat	upx
behavioral2/memory/4796-132-0x00007FF6040F0000-0x00007FF604444000-memory.dmp	upx
behavioral2/memory/5616-126-0x00007FF7751E0000-0x00007FF775534000-memory.dmp	upx
behavioral2/memory/2964-118-0x00007FF709C80000-0x00007FF709FD4000-memory.dmp	upx
behavioral2/files/0x0007000000024243-137.dat	upx
behavioral2/memory/4416-142-0x00007FF6CF360000-0x00007FF6CF6B4000-memory.dmp	upx
behavioral2/files/0x0007000000024245-148.dat	upx
behavioral2/memory/6004-166-0x00007FF67FA40000-0x00007FF67FD94000-memory.dmp	upx
behavioral2/memory/5180-173-0x00007FF799BE0000-0x00007FF799F34000-memory.dmp	upx
behavioral2/memory/4608-172-0x00007FF7A6FD0000-0x00007FF7A7324000-memory.dmp	upx
behavioral2/memory/6080-171-0x00007FF7C6760000-0x00007FF7C6AB4000-memory.dmp	upx
behavioral2/files/0x0007000000024248-169.dat	upx
behavioral2/files/0x0007000000024247-167.dat	upx
behavioral2/memory/4548-161-0x00007FF6829D0000-0x00007FF682D24000-memory.dmp	upx
behavioral2/memory/4460-160-0x00007FF60BAB0000-0x00007FF60BE04000-memory.dmp	upx
behavioral2/files/0x0007000000024246-157.dat	upx
behavioral2/memory/4644-177-0x00007FF73E3F0000-0x00007FF73E744000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\CeOQphc.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\TBlyYWs.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\bVlDicc.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\XfYgRPO.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\RuUXKXk.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\svhOlIk.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\sDdNIun.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\DDilPCz.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\xeWqVIU.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\EpQHZwd.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\ULysZVS.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\dqVbNBk.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\jrUYRdD.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\BESyIrP.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\qpOzDMH.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\MRnKnIu.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\VwfXUZM.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\rhxGtZc.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\CyMjzCi.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\OSmybkw.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\onyYHvs.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\ecUEAqv.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\VFzavwl.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\TXLLgVb.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\OOnFYwH.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\EYJwEzO.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\WKukVCF.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\WkXVmxW.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\LifvhRs.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\fWNkliC.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\NWQdSOw.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\AsqCwli.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\BJeWUfE.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\mxJBXnh.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\tlTqPfY.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\AaPsHSt.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\rrFEZYc.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\tWYjMwq.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\TxiARZe.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\yztCSYQ.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\jWUbEup.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\nSBJmNE.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\hSHVYlf.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\GWYDaHK.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\dWxDkhW.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\BsHfaTO.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\WeGmPHC.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\OhGYWYk.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\USqjiTq.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\doBpDUk.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\nBCkWXv.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\CfksNrY.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\Hiqvmhg.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\LVIgqeU.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\eMXhMJV.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\NkzKZjk.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\YvVvixz.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\nMwmter.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\JpEBiGZ.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\GfVZclC.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\RKRJNHn.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\mBrPrJS.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\kNaimtl.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
File created	C:\Windows\System\lCJsBWX.exe	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	2624	dwm.exe
Token: SeChangeNotifyPrivilege	2624	dwm.exe
Token: 33	2624	dwm.exe
Token: SeIncBasePriorityPrivilege	2624	dwm.exe
Token: SeShutdownPrivilege	2624	dwm.exe
Token: SeCreatePagefilePrivilege	2624	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6116 wrote to memory of 1356	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	89
PID 6116 wrote to memory of 1356	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	89
PID 6116 wrote to memory of 1800	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	90
PID 6116 wrote to memory of 1800	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	90
PID 6116 wrote to memory of 216	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	91
PID 6116 wrote to memory of 216	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	91
PID 6116 wrote to memory of 1564	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	92
PID 6116 wrote to memory of 1564	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	92
PID 6116 wrote to memory of 4424	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	93
PID 6116 wrote to memory of 4424	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	93
PID 6116 wrote to memory of 1692	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	94
PID 6116 wrote to memory of 1692	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	94
PID 6116 wrote to memory of 4220	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	95
PID 6116 wrote to memory of 4220	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	95
PID 6116 wrote to memory of 2964	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	96
PID 6116 wrote to memory of 2964	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	96
PID 6116 wrote to memory of 5332	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	97
PID 6116 wrote to memory of 5332	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	97
PID 6116 wrote to memory of 5784	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	98
PID 6116 wrote to memory of 5784	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	98
PID 6116 wrote to memory of 1688	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	99
PID 6116 wrote to memory of 1688	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	99
PID 6116 wrote to memory of 4416	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	100
PID 6116 wrote to memory of 4416	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	100
PID 6116 wrote to memory of 3732	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	101
PID 6116 wrote to memory of 3732	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	101
PID 6116 wrote to memory of 4460	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	102
PID 6116 wrote to memory of 4460	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	102
PID 6116 wrote to memory of 4548	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	103
PID 6116 wrote to memory of 4548	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	103
PID 6116 wrote to memory of 4608	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	104
PID 6116 wrote to memory of 4608	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	104
PID 6116 wrote to memory of 4644	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	105
PID 6116 wrote to memory of 4644	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	105
PID 6116 wrote to memory of 4708	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	106
PID 6116 wrote to memory of 4708	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	106
PID 6116 wrote to memory of 5616	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	107
PID 6116 wrote to memory of 5616	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	107
PID 6116 wrote to memory of 4796	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	108
PID 6116 wrote to memory of 4796	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	108
PID 6116 wrote to memory of 5112	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	109
PID 6116 wrote to memory of 5112	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	109
PID 6116 wrote to memory of 1588	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	113
PID 6116 wrote to memory of 1588	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	113
PID 6116 wrote to memory of 5544	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	114
PID 6116 wrote to memory of 5544	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	114
PID 6116 wrote to memory of 6004	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	115
PID 6116 wrote to memory of 6004	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	115
PID 6116 wrote to memory of 5180	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	116
PID 6116 wrote to memory of 5180	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	116
PID 6116 wrote to memory of 6080	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	117
PID 6116 wrote to memory of 6080	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	117
PID 6116 wrote to memory of 2804	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	118
PID 6116 wrote to memory of 2804	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	118
PID 6116 wrote to memory of 5076	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	119
PID 6116 wrote to memory of 5076	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	119
PID 6116 wrote to memory of 5192	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	120
PID 6116 wrote to memory of 5192	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	120
PID 6116 wrote to memory of 3528	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	121
PID 6116 wrote to memory of 3528	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	121
PID 6116 wrote to memory of 1696	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	124
PID 6116 wrote to memory of 1696	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	124
PID 6116 wrote to memory of 3540	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	125
PID 6116 wrote to memory of 3540	6116	30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe	125

C:\Users\Admin\AppData\Local\Temp\30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe
"C:\Users\Admin\AppData\Local\Temp\30f36b6a49b783c10883cec925b0cd629234f9ea2772adeb1234789507e8237d.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:6116
- C:\Windows\System\vUqZmSm.exe
  C:\Windows\System\vUqZmSm.exe
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\System\YpmVltQ.exe
  C:\Windows\System\YpmVltQ.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System\OyHqdtg.exe
  C:\Windows\System\OyHqdtg.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System\exYYtJK.exe
  C:\Windows\System\exYYtJK.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System\iVnHOCC.exe
  C:\Windows\System\iVnHOCC.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System\RPFcqhh.exe
  C:\Windows\System\RPFcqhh.exe
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\System\eMXhMJV.exe
  C:\Windows\System\eMXhMJV.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System\IywgVTZ.exe
  C:\Windows\System\IywgVTZ.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System\koPgaXi.exe
  C:\Windows\System\koPgaXi.exe
  2⤵
  - Executes dropped EXE
  PID:5332
- C:\Windows\System\TbhydIg.exe
  C:\Windows\System\TbhydIg.exe
  2⤵
  - Executes dropped EXE
  PID:5784
- C:\Windows\System\vLMoLhx.exe
  C:\Windows\System\vLMoLhx.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System\ilYHgNd.exe
  C:\Windows\System\ilYHgNd.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System\xBmFAqc.exe
  C:\Windows\System\xBmFAqc.exe
  2⤵
  - Executes dropped EXE
  PID:3732
- C:\Windows\System\EPPBaMb.exe
  C:\Windows\System\EPPBaMb.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System\bpgxMSQ.exe
  C:\Windows\System\bpgxMSQ.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System\svhOlIk.exe
  C:\Windows\System\svhOlIk.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System\UbIvUZL.exe
  C:\Windows\System\UbIvUZL.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System\rIhxCBQ.exe
  C:\Windows\System\rIhxCBQ.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System\vTgbryk.exe
  C:\Windows\System\vTgbryk.exe
  2⤵
  - Executes dropped EXE
  PID:5616
- C:\Windows\System\gbXrMeF.exe
  C:\Windows\System\gbXrMeF.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System\WeGmPHC.exe
  C:\Windows\System\WeGmPHC.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System\mTBfBKc.exe
  C:\Windows\System\mTBfBKc.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System\XgLMHJJ.exe
  C:\Windows\System\XgLMHJJ.exe
  2⤵
  - Executes dropped EXE
  PID:5544
- C:\Windows\System\psEElAw.exe
  C:\Windows\System\psEElAw.exe
  2⤵
  - Executes dropped EXE
  PID:6004
- C:\Windows\System\koNxbLx.exe
  C:\Windows\System\koNxbLx.exe
  2⤵
  - Executes dropped EXE
  PID:5180
- C:\Windows\System\GoCTKIq.exe
  C:\Windows\System\GoCTKIq.exe
  2⤵
  - Executes dropped EXE
  PID:6080
- C:\Windows\System\PsBsMVn.exe
  C:\Windows\System\PsBsMVn.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\FYXyzGo.exe
  C:\Windows\System\FYXyzGo.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System\hwGmAty.exe
  C:\Windows\System\hwGmAty.exe
  2⤵
  - Executes dropped EXE
  PID:5192
- C:\Windows\System\OhGYWYk.exe
  C:\Windows\System\OhGYWYk.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System\cXyfiOR.exe
  C:\Windows\System\cXyfiOR.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\System\JNVgJYJ.exe
  C:\Windows\System\JNVgJYJ.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System\JSgwQGW.exe
  C:\Windows\System\JSgwQGW.exe
  2⤵
  - Executes dropped EXE
  PID:5552
- C:\Windows\System\FZtVIlX.exe
  C:\Windows\System\FZtVIlX.exe
  2⤵
  - Executes dropped EXE
  PID:5908
- C:\Windows\System\kNaimtl.exe
  C:\Windows\System\kNaimtl.exe
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\System\tfhZzxz.exe
  C:\Windows\System\tfhZzxz.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System\ULysZVS.exe
  C:\Windows\System\ULysZVS.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System\GyrTwJM.exe
  C:\Windows\System\GyrTwJM.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\System\LvzdiIU.exe
  C:\Windows\System\LvzdiIU.exe
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\System\NkzKZjk.exe
  C:\Windows\System\NkzKZjk.exe
  2⤵
  - Executes dropped EXE
  PID:776
- C:\Windows\System\wOnRmEg.exe
  C:\Windows\System\wOnRmEg.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System\yBunMhU.exe
  C:\Windows\System\yBunMhU.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System\niwkVEe.exe
  C:\Windows\System\niwkVEe.exe
  2⤵
  - Executes dropped EXE
  PID:3148
- C:\Windows\System\rhxGtZc.exe
  C:\Windows\System\rhxGtZc.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System\pGdvWBv.exe
  C:\Windows\System\pGdvWBv.exe
  2⤵
  - Executes dropped EXE
  PID:5968
- C:\Windows\System\HkOreoU.exe
  C:\Windows\System\HkOreoU.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System\NefdiWD.exe
  C:\Windows\System\NefdiWD.exe
  2⤵
  - Executes dropped EXE
  PID:5468
- C:\Windows\System\lmOMzUE.exe
  C:\Windows\System\lmOMzUE.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\LFUcmHy.exe
  C:\Windows\System\LFUcmHy.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System\ZvXolPg.exe
  C:\Windows\System\ZvXolPg.exe
  2⤵
  - Executes dropped EXE
  PID:5728
- C:\Windows\System\CqLimoq.exe
  C:\Windows\System\CqLimoq.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\cqnCLqq.exe
  C:\Windows\System\cqnCLqq.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\ogMrMxO.exe
  C:\Windows\System\ogMrMxO.exe
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\System\BzRKnay.exe
  C:\Windows\System\BzRKnay.exe
  2⤵
  - Executes dropped EXE
  PID:5352
- C:\Windows\System\lCJsBWX.exe
  C:\Windows\System\lCJsBWX.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\System\SJiydlo.exe
  C:\Windows\System\SJiydlo.exe
  2⤵
  - Executes dropped EXE
  PID:5692
- C:\Windows\System\kIKEKgW.exe
  C:\Windows\System\kIKEKgW.exe
  2⤵
  - Executes dropped EXE
  PID:5336
- C:\Windows\System\EdiqziJ.exe
  C:\Windows\System\EdiqziJ.exe
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Windows\System\TOfuJxn.exe
  C:\Windows\System\TOfuJxn.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\byCKuRl.exe
  C:\Windows\System\byCKuRl.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System\hUQedJh.exe
  C:\Windows\System\hUQedJh.exe
  2⤵
  - Executes dropped EXE
  PID:6084
- C:\Windows\System\vNpWath.exe
  C:\Windows\System\vNpWath.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\OtMUJsg.exe
  C:\Windows\System\OtMUJsg.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\GteNKuV.exe
  C:\Windows\System\GteNKuV.exe
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\System\yBHUrEO.exe
  C:\Windows\System\yBHUrEO.exe
  2⤵
  PID:1620
- C:\Windows\System\PUgKQdo.exe
  C:\Windows\System\PUgKQdo.exe
  2⤵
  PID:5008
- C:\Windows\System\kngytgY.exe
  C:\Windows\System\kngytgY.exe
  2⤵
  PID:4524
- C:\Windows\System\KunNKMR.exe
  C:\Windows\System\KunNKMR.exe
  2⤵
  PID:3436
- C:\Windows\System\jyzpHvk.exe
  C:\Windows\System\jyzpHvk.exe
  2⤵
  PID:4172
- C:\Windows\System\DruFkEP.exe
  C:\Windows\System\DruFkEP.exe
  2⤵
  PID:4860
- C:\Windows\System\yjjwJdl.exe
  C:\Windows\System\yjjwJdl.exe
  2⤵
  PID:2220
- C:\Windows\System\NDcREQH.exe
  C:\Windows\System\NDcREQH.exe
  2⤵
  PID:4696
- C:\Windows\System\dvSAkJz.exe
  C:\Windows\System\dvSAkJz.exe
  2⤵
  PID:6076
- C:\Windows\System\sDdNIun.exe
  C:\Windows\System\sDdNIun.exe
  2⤵
  PID:3296
- C:\Windows\System\pTrbrEZ.exe
  C:\Windows\System\pTrbrEZ.exe
  2⤵
  PID:3680
- C:\Windows\System\zvHOaWC.exe
  C:\Windows\System\zvHOaWC.exe
  2⤵
  PID:2648
- C:\Windows\System\GaHiYuU.exe
  C:\Windows\System\GaHiYuU.exe
  2⤵
  PID:1128
- C:\Windows\System\fsAxBHa.exe
  C:\Windows\System\fsAxBHa.exe
  2⤵
  PID:1936
- C:\Windows\System\HITzIhk.exe
  C:\Windows\System\HITzIhk.exe
  2⤵
  PID:4536
- C:\Windows\System\solbSLT.exe
  C:\Windows\System\solbSLT.exe
  2⤵
  PID:1360
- C:\Windows\System\jAIqHSo.exe
  C:\Windows\System\jAIqHSo.exe
  2⤵
  PID:5216
- C:\Windows\System\OTTkGyX.exe
  C:\Windows\System\OTTkGyX.exe
  2⤵
  PID:3096
- C:\Windows\System\hWkSSXO.exe
  C:\Windows\System\hWkSSXO.exe
  2⤵
  PID:6108
- C:\Windows\System\yVvKNna.exe
  C:\Windows\System\yVvKNna.exe
  2⤵
  PID:4604
- C:\Windows\System\sBmcjPi.exe
  C:\Windows\System\sBmcjPi.exe
  2⤵
  PID:4996
- C:\Windows\System\YvVvixz.exe
  C:\Windows\System\YvVvixz.exe
  2⤵
  PID:6044
- C:\Windows\System\ojaAXWK.exe
  C:\Windows\System\ojaAXWK.exe
  2⤵
  PID:3228
- C:\Windows\System\hkZFyFC.exe
  C:\Windows\System\hkZFyFC.exe
  2⤵
  PID:5744
- C:\Windows\System\jknqFqt.exe
  C:\Windows\System\jknqFqt.exe
  2⤵
  PID:4024
- C:\Windows\System\KAkTovO.exe
  C:\Windows\System\KAkTovO.exe
  2⤵
  PID:3392
- C:\Windows\System\dkepbSr.exe
  C:\Windows\System\dkepbSr.exe
  2⤵
  PID:4392
- C:\Windows\System\gWuLoUL.exe
  C:\Windows\System\gWuLoUL.exe
  2⤵
  PID:6016
- C:\Windows\System\pVozBBp.exe
  C:\Windows\System\pVozBBp.exe
  2⤵
  PID:3400
- C:\Windows\System\ebImcoF.exe
  C:\Windows\System\ebImcoF.exe
  2⤵
  PID:3776
- C:\Windows\System\IesBhBa.exe
  C:\Windows\System\IesBhBa.exe
  2⤵
  PID:5300
- C:\Windows\System\TJxlymv.exe
  C:\Windows\System\TJxlymv.exe
  2⤵
  PID:1636
- C:\Windows\System\eDQyLFB.exe
  C:\Windows\System\eDQyLFB.exe
  2⤵
  PID:4324
- C:\Windows\System\seHLcYv.exe
  C:\Windows\System\seHLcYv.exe
  2⤵
  PID:6128
- C:\Windows\System\qoTCLWa.exe
  C:\Windows\System\qoTCLWa.exe
  2⤵
  PID:4104
- C:\Windows\System\XQLQLZS.exe
  C:\Windows\System\XQLQLZS.exe
  2⤵
  PID:2132
- C:\Windows\System\aykFkGH.exe
  C:\Windows\System\aykFkGH.exe
  2⤵
  PID:4640
- C:\Windows\System\bfvKOqR.exe
  C:\Windows\System\bfvKOqR.exe
  2⤵
  PID:4168
- C:\Windows\System\AQYNNcF.exe
  C:\Windows\System\AQYNNcF.exe
  2⤵
  PID:4200
- C:\Windows\System\GGDChym.exe
  C:\Windows\System\GGDChym.exe
  2⤵
  PID:4780
- C:\Windows\System\yUXqFaU.exe
  C:\Windows\System\yUXqFaU.exe
  2⤵
  PID:640
- C:\Windows\System\wAQsyUO.exe
  C:\Windows\System\wAQsyUO.exe
  2⤵
  PID:4376
- C:\Windows\System\vtFxgXh.exe
  C:\Windows\System\vtFxgXh.exe
  2⤵
  PID:5084
- C:\Windows\System\RVqiAVD.exe
  C:\Windows\System\RVqiAVD.exe
  2⤵
  PID:4648
- C:\Windows\System\NZBoajA.exe
  C:\Windows\System\NZBoajA.exe
  2⤵
  PID:5556
- C:\Windows\System\aclgOCl.exe
  C:\Windows\System\aclgOCl.exe
  2⤵
  PID:3836
- C:\Windows\System\TKZtRaX.exe
  C:\Windows\System\TKZtRaX.exe
  2⤵
  PID:5588
- C:\Windows\System\LawTazu.exe
  C:\Windows\System\LawTazu.exe
  2⤵
  PID:1668
- C:\Windows\System\xaDmkqj.exe
  C:\Windows\System\xaDmkqj.exe
  2⤵
  PID:5696
- C:\Windows\System\OPKqCJA.exe
  C:\Windows\System\OPKqCJA.exe
  2⤵
  PID:3952
- C:\Windows\System\wmjUhDN.exe
  C:\Windows\System\wmjUhDN.exe
  2⤵
  PID:6028
- C:\Windows\System\ZBeYIwE.exe
  C:\Windows\System\ZBeYIwE.exe
  2⤵
  PID:3792
- C:\Windows\System\ceuPUpG.exe
  C:\Windows\System\ceuPUpG.exe
  2⤵
  PID:5320
- C:\Windows\System\ZvUioGZ.exe
  C:\Windows\System\ZvUioGZ.exe
  2⤵
  PID:1532
- C:\Windows\System\DDilPCz.exe
  C:\Windows\System\DDilPCz.exe
  2⤵
  PID:2316
- C:\Windows\System\CPsvuoq.exe
  C:\Windows\System\CPsvuoq.exe
  2⤵
  PID:456
- C:\Windows\System\TBlyYWs.exe
  C:\Windows\System\TBlyYWs.exe
  2⤵
  PID:3164
- C:\Windows\System\qRBArXg.exe
  C:\Windows\System\qRBArXg.exe
  2⤵
  PID:808
- C:\Windows\System\jWuFCSu.exe
  C:\Windows\System\jWuFCSu.exe
  2⤵
  PID:4544
- C:\Windows\System\WKukVCF.exe
  C:\Windows\System\WKukVCF.exe
  2⤵
  PID:4268
- C:\Windows\System\USqjiTq.exe
  C:\Windows\System\USqjiTq.exe
  2⤵
  PID:5700
- C:\Windows\System\PdbJCII.exe
  C:\Windows\System\PdbJCII.exe
  2⤵
  PID:2616
- C:\Windows\System\doBpDUk.exe
  C:\Windows\System\doBpDUk.exe
  2⤵
  PID:3864
- C:\Windows\System\dUswBcy.exe
  C:\Windows\System\dUswBcy.exe
  2⤵
  PID:2140
- C:\Windows\System\STXsSIp.exe
  C:\Windows\System\STXsSIp.exe
  2⤵
  PID:1584
- C:\Windows\System\COBDgdp.exe
  C:\Windows\System\COBDgdp.exe
  2⤵
  PID:5340
- C:\Windows\System\hPtSiPL.exe
  C:\Windows\System\hPtSiPL.exe
  2⤵
  PID:3940
- C:\Windows\System\kdYvKBM.exe
  C:\Windows\System\kdYvKBM.exe
  2⤵
  PID:4312
- C:\Windows\System\rsjvRwE.exe
  C:\Windows\System\rsjvRwE.exe
  2⤵
  PID:5328
- C:\Windows\System\GEeTqqU.exe
  C:\Windows\System\GEeTqqU.exe
  2⤵
  PID:4880
- C:\Windows\System\rrFEZYc.exe
  C:\Windows\System\rrFEZYc.exe
  2⤵
  PID:4628
- C:\Windows\System\aWdEUZv.exe
  C:\Windows\System\aWdEUZv.exe
  2⤵
  PID:5912
- C:\Windows\System\vTutQWp.exe
  C:\Windows\System\vTutQWp.exe
  2⤵
  PID:2536
- C:\Windows\System\zWAbVWA.exe
  C:\Windows\System\zWAbVWA.exe
  2⤵
  PID:6160
- C:\Windows\System\mxZusAb.exe
  C:\Windows\System\mxZusAb.exe
  2⤵
  PID:6180
- C:\Windows\System\itRDPue.exe
  C:\Windows\System\itRDPue.exe
  2⤵
  PID:6196
- C:\Windows\System\RmEuEDe.exe
  C:\Windows\System\RmEuEDe.exe
  2⤵
  PID:6224
- C:\Windows\System\WPYjKBJ.exe
  C:\Windows\System\WPYjKBJ.exe
  2⤵
  PID:6288
- C:\Windows\System\UgYWzXo.exe
  C:\Windows\System\UgYWzXo.exe
  2⤵
  PID:6320
- C:\Windows\System\gIZIUjk.exe
  C:\Windows\System\gIZIUjk.exe
  2⤵
  PID:6344
- C:\Windows\System\PIJPtGc.exe
  C:\Windows\System\PIJPtGc.exe
  2⤵
  PID:6372
- C:\Windows\System\fNCGIOp.exe
  C:\Windows\System\fNCGIOp.exe
  2⤵
  PID:6404
- C:\Windows\System\rLARngS.exe
  C:\Windows\System\rLARngS.exe
  2⤵
  PID:6428
- C:\Windows\System\StEXeCM.exe
  C:\Windows\System\StEXeCM.exe
  2⤵
  PID:6456
- C:\Windows\System\GimHtYt.exe
  C:\Windows\System\GimHtYt.exe
  2⤵
  PID:6484
- C:\Windows\System\bnbGKvN.exe
  C:\Windows\System\bnbGKvN.exe
  2⤵
  PID:6512
- C:\Windows\System\OrQinaQ.exe
  C:\Windows\System\OrQinaQ.exe
  2⤵
  PID:6532
- C:\Windows\System\MQDRjCl.exe
  C:\Windows\System\MQDRjCl.exe
  2⤵
  PID:6568
- C:\Windows\System\KQjFBUt.exe
  C:\Windows\System\KQjFBUt.exe
  2⤵
  PID:6600
- C:\Windows\System\ywCwLQA.exe
  C:\Windows\System\ywCwLQA.exe
  2⤵
  PID:6632
- C:\Windows\System\bPfSSCV.exe
  C:\Windows\System\bPfSSCV.exe
  2⤵
  PID:6660
- C:\Windows\System\UUDhcAh.exe
  C:\Windows\System\UUDhcAh.exe
  2⤵
  PID:6684
- C:\Windows\System\nBCkWXv.exe
  C:\Windows\System\nBCkWXv.exe
  2⤵
  PID:6716
- C:\Windows\System\PVTxxGu.exe
  C:\Windows\System\PVTxxGu.exe
  2⤵
  PID:6736
- C:\Windows\System\NpUoLiD.exe
  C:\Windows\System\NpUoLiD.exe
  2⤵
  PID:6772
- C:\Windows\System\AsqCwli.exe
  C:\Windows\System\AsqCwli.exe
  2⤵
  PID:6796
- C:\Windows\System\JJfNKmd.exe
  C:\Windows\System\JJfNKmd.exe
  2⤵
  PID:6828
- C:\Windows\System\itkERDW.exe
  C:\Windows\System\itkERDW.exe
  2⤵
  PID:6852
- C:\Windows\System\alIONTS.exe
  C:\Windows\System\alIONTS.exe
  2⤵
  PID:6880
- C:\Windows\System\zfPmrcp.exe
  C:\Windows\System\zfPmrcp.exe
  2⤵
  PID:6912
- C:\Windows\System\QMWFwwO.exe
  C:\Windows\System\QMWFwwO.exe
  2⤵
  PID:6928
- C:\Windows\System\YkajrVT.exe
  C:\Windows\System\YkajrVT.exe
  2⤵
  PID:6968
- C:\Windows\System\JOTCGOH.exe
  C:\Windows\System\JOTCGOH.exe
  2⤵
  PID:6992
- C:\Windows\System\avUldhU.exe
  C:\Windows\System\avUldhU.exe
  2⤵
  PID:7020
- C:\Windows\System\lmAADKs.exe
  C:\Windows\System\lmAADKs.exe
  2⤵
  PID:7052
- C:\Windows\System\BqqARAy.exe
  C:\Windows\System\BqqARAy.exe
  2⤵
  PID:7068
- C:\Windows\System\eSpZLbe.exe
  C:\Windows\System\eSpZLbe.exe
  2⤵
  PID:7112
- C:\Windows\System\gJUbKkJ.exe
  C:\Windows\System\gJUbKkJ.exe
  2⤵
  PID:7140
- C:\Windows\System\Ymajref.exe
  C:\Windows\System\Ymajref.exe
  2⤵
  PID:6152
- C:\Windows\System\vdWHdnq.exe
  C:\Windows\System\vdWHdnq.exe
  2⤵
  PID:6220
- C:\Windows\System\SquvMdD.exe
  C:\Windows\System\SquvMdD.exe
  2⤵
  PID:6264
- C:\Windows\System\cJLRHXC.exe
  C:\Windows\System\cJLRHXC.exe
  2⤵
  PID:5496
- C:\Windows\System\wfQxqjM.exe
  C:\Windows\System\wfQxqjM.exe
  2⤵
  PID:6412
- C:\Windows\System\LecIMMa.exe
  C:\Windows\System\LecIMMa.exe
  2⤵
  PID:6468
- C:\Windows\System\BtPjuvz.exe
  C:\Windows\System\BtPjuvz.exe
  2⤵
  PID:4184
- C:\Windows\System\HhqgEhS.exe
  C:\Windows\System\HhqgEhS.exe
  2⤵
  PID:6584
- C:\Windows\System\HTAbMWf.exe
  C:\Windows\System\HTAbMWf.exe
  2⤵
  PID:6652
- C:\Windows\System\XgmbzZM.exe
  C:\Windows\System\XgmbzZM.exe
  2⤵
  PID:6712
- C:\Windows\System\iBQXRFa.exe
  C:\Windows\System\iBQXRFa.exe
  2⤵
  PID:6760
- C:\Windows\System\NDaUsTz.exe
  C:\Windows\System\NDaUsTz.exe
  2⤵
  PID:6836
- C:\Windows\System\rsuaSjC.exe
  C:\Windows\System\rsuaSjC.exe
  2⤵
  PID:6908
- C:\Windows\System\rUZGlYl.exe
  C:\Windows\System\rUZGlYl.exe
  2⤵
  PID:6960
- C:\Windows\System\NExTfPQ.exe
  C:\Windows\System\NExTfPQ.exe
  2⤵
  PID:7028
- C:\Windows\System\CyMjzCi.exe
  C:\Windows\System\CyMjzCi.exe
  2⤵
  PID:7080
- C:\Windows\System\CfksNrY.exe
  C:\Windows\System\CfksNrY.exe
  2⤵
  PID:7152
- C:\Windows\System\hSHVYlf.exe
  C:\Windows\System\hSHVYlf.exe
  2⤵
  PID:6204
- C:\Windows\System\hLAPQnx.exe
  C:\Windows\System\hLAPQnx.exe
  2⤵
  PID:6364
- C:\Windows\System\QJuyyLk.exe
  C:\Windows\System\QJuyyLk.exe
  2⤵
  PID:6504
- C:\Windows\System\vhQChfN.exe
  C:\Windows\System\vhQChfN.exe
  2⤵
  PID:6640
- C:\Windows\System\nbLcSDd.exe
  C:\Windows\System\nbLcSDd.exe
  2⤵
  PID:6752
- C:\Windows\System\BJeWUfE.exe
  C:\Windows\System\BJeWUfE.exe
  2⤵
  PID:6892
- C:\Windows\System\CnfvFpX.exe
  C:\Windows\System\CnfvFpX.exe
  2⤵
  PID:7060
- C:\Windows\System\qeMtvue.exe
  C:\Windows\System\qeMtvue.exe
  2⤵
  PID:6256
- C:\Windows\System\GWYDaHK.exe
  C:\Windows\System\GWYDaHK.exe
  2⤵
  PID:6448
- C:\Windows\System\tvhiEiY.exe
  C:\Windows\System\tvhiEiY.exe
  2⤵
  PID:6868
- C:\Windows\System\uUlkVnZ.exe
  C:\Windows\System\uUlkVnZ.exe
  2⤵
  PID:6352
- C:\Windows\System\esxkYpP.exe
  C:\Windows\System\esxkYpP.exe
  2⤵
  PID:7132
- C:\Windows\System\qPEhLWY.exe
  C:\Windows\System\qPEhLWY.exe
  2⤵
  PID:6768
- C:\Windows\System\jBwsOgy.exe
  C:\Windows\System\jBwsOgy.exe
  2⤵
  PID:7200
- C:\Windows\System\BzpGGwH.exe
  C:\Windows\System\BzpGGwH.exe
  2⤵
  PID:7228
- C:\Windows\System\QNpVety.exe
  C:\Windows\System\QNpVety.exe
  2⤵
  PID:7256
- C:\Windows\System\Hiqvmhg.exe
  C:\Windows\System\Hiqvmhg.exe
  2⤵
  PID:7288
- C:\Windows\System\yovKprI.exe
  C:\Windows\System\yovKprI.exe
  2⤵
  PID:7312
- C:\Windows\System\GuuoPnz.exe
  C:\Windows\System\GuuoPnz.exe
  2⤵
  PID:7340
- C:\Windows\System\RGNxjlF.exe
  C:\Windows\System\RGNxjlF.exe
  2⤵
  PID:7372
- C:\Windows\System\XdZfCcA.exe
  C:\Windows\System\XdZfCcA.exe
  2⤵
  PID:7400
- C:\Windows\System\sQYjAiY.exe
  C:\Windows\System\sQYjAiY.exe
  2⤵
  PID:7424
- C:\Windows\System\KhAyuIq.exe
  C:\Windows\System\KhAyuIq.exe
  2⤵
  PID:7452
- C:\Windows\System\LrjsoRl.exe
  C:\Windows\System\LrjsoRl.exe
  2⤵
  PID:7472
- C:\Windows\System\nQwWBvM.exe
  C:\Windows\System\nQwWBvM.exe
  2⤵
  PID:7500
- C:\Windows\System\uvLJlQN.exe
  C:\Windows\System\uvLJlQN.exe
  2⤵
  PID:7536
- C:\Windows\System\PCEORQf.exe
  C:\Windows\System\PCEORQf.exe
  2⤵
  PID:7556
- C:\Windows\System\TthxIkR.exe
  C:\Windows\System\TthxIkR.exe
  2⤵
  PID:7584
- C:\Windows\System\EqYrrlT.exe
  C:\Windows\System\EqYrrlT.exe
  2⤵
  PID:7620
- C:\Windows\System\vQbqyYO.exe
  C:\Windows\System\vQbqyYO.exe
  2⤵
  PID:7640
- C:\Windows\System\BrvJwDY.exe
  C:\Windows\System\BrvJwDY.exe
  2⤵
  PID:7668
- C:\Windows\System\oTUJBwS.exe
  C:\Windows\System\oTUJBwS.exe
  2⤵
  PID:7696
- C:\Windows\System\JZwXNnj.exe
  C:\Windows\System\JZwXNnj.exe
  2⤵
  PID:7724
- C:\Windows\System\gsNhYOc.exe
  C:\Windows\System\gsNhYOc.exe
  2⤵
  PID:7764
- C:\Windows\System\cRKSDUg.exe
  C:\Windows\System\cRKSDUg.exe
  2⤵
  PID:7780
- C:\Windows\System\poPSAiN.exe
  C:\Windows\System\poPSAiN.exe
  2⤵
  PID:7824
- C:\Windows\System\HvKoHiP.exe
  C:\Windows\System\HvKoHiP.exe
  2⤵
  PID:7856
- C:\Windows\System\mZhNfOQ.exe
  C:\Windows\System\mZhNfOQ.exe
  2⤵
  PID:7896
- C:\Windows\System\YeVkelQ.exe
  C:\Windows\System\YeVkelQ.exe
  2⤵
  PID:7916
- C:\Windows\System\BpYpODP.exe
  C:\Windows\System\BpYpODP.exe
  2⤵
  PID:7932
- C:\Windows\System\KCXenfR.exe
  C:\Windows\System\KCXenfR.exe
  2⤵
  PID:7960
- C:\Windows\System\AZMhbzk.exe
  C:\Windows\System\AZMhbzk.exe
  2⤵
  PID:8012
- C:\Windows\System\lrBQvOb.exe
  C:\Windows\System\lrBQvOb.exe
  2⤵
  PID:8028
- C:\Windows\System\xlwkcZQ.exe
  C:\Windows\System\xlwkcZQ.exe
  2⤵
  PID:8064
- C:\Windows\System\uHQXiEp.exe
  C:\Windows\System\uHQXiEp.exe
  2⤵
  PID:8104
- C:\Windows\System\BiCtoXN.exe
  C:\Windows\System\BiCtoXN.exe
  2⤵
  PID:8124
- C:\Windows\System\QmhHPqU.exe
  C:\Windows\System\QmhHPqU.exe
  2⤵
  PID:8152
- C:\Windows\System\WCLfRGg.exe
  C:\Windows\System\WCLfRGg.exe
  2⤵
  PID:8184
- C:\Windows\System\wXRgHbX.exe
  C:\Windows\System\wXRgHbX.exe
  2⤵
  PID:428
- C:\Windows\System\TnoTaGP.exe
  C:\Windows\System\TnoTaGP.exe
  2⤵
  PID:5020
- C:\Windows\System\TPpHRXs.exe
  C:\Windows\System\TPpHRXs.exe
  2⤵
  PID:7212
- C:\Windows\System\cJjLDXo.exe
  C:\Windows\System\cJjLDXo.exe
  2⤵
  PID:7264
- C:\Windows\System\fYzprsj.exe
  C:\Windows\System\fYzprsj.exe
  2⤵
  PID:7320
- C:\Windows\System\Ozbhwnq.exe
  C:\Windows\System\Ozbhwnq.exe
  2⤵
  PID:7380
- C:\Windows\System\GdBlYsY.exe
  C:\Windows\System\GdBlYsY.exe
  2⤵
  PID:7444
- C:\Windows\System\NyuPCAr.exe
  C:\Windows\System\NyuPCAr.exe
  2⤵
  PID:7520
- C:\Windows\System\tBBGuar.exe
  C:\Windows\System\tBBGuar.exe
  2⤵
  PID:7576
- C:\Windows\System\iENDFvi.exe
  C:\Windows\System\iENDFvi.exe
  2⤵
  PID:7652
- C:\Windows\System\zTnsfsq.exe
  C:\Windows\System\zTnsfsq.exe
  2⤵
  PID:7716
- C:\Windows\System\wDpnDOo.exe
  C:\Windows\System\wDpnDOo.exe
  2⤵
  PID:7772
- C:\Windows\System\ntFkgBM.exe
  C:\Windows\System\ntFkgBM.exe
  2⤵
  PID:7848
- C:\Windows\System\rETVahz.exe
  C:\Windows\System\rETVahz.exe
  2⤵
  PID:7928
- C:\Windows\System\EboUYcP.exe
  C:\Windows\System\EboUYcP.exe
  2⤵
  PID:8008
- C:\Windows\System\HTOcYvh.exe
  C:\Windows\System\HTOcYvh.exe
  2⤵
  PID:8048
- C:\Windows\System\DEWzORy.exe
  C:\Windows\System\DEWzORy.exe
  2⤵
  PID:8116
- C:\Windows\System\GjUnNIK.exe
  C:\Windows\System\GjUnNIK.exe
  2⤵
  PID:8148
- C:\Windows\System\JClMQbh.exe
  C:\Windows\System\JClMQbh.exe
  2⤵
  PID:7184
- C:\Windows\System\CEQKaNh.exe
  C:\Windows\System\CEQKaNh.exe
  2⤵
  PID:7240
- C:\Windows\System\omBsAtb.exe
  C:\Windows\System\omBsAtb.exe
  2⤵
  PID:7364
- C:\Windows\System\gDDtPDO.exe
  C:\Windows\System\gDDtPDO.exe
  2⤵
  PID:7544
- C:\Windows\System\NrwZYUm.exe
  C:\Windows\System\NrwZYUm.exe
  2⤵
  PID:7744
- C:\Windows\System\MWArvFm.exe
  C:\Windows\System\MWArvFm.exe
  2⤵
  PID:7836
- C:\Windows\System\ftgcJOQ.exe
  C:\Windows\System\ftgcJOQ.exe
  2⤵
  PID:8040
- C:\Windows\System\VgYRaqE.exe
  C:\Windows\System\VgYRaqE.exe
  2⤵
  PID:8144
- C:\Windows\System\BhObPpV.exe
  C:\Windows\System\BhObPpV.exe
  2⤵
  PID:7236
- C:\Windows\System\PxFIbft.exe
  C:\Windows\System\PxFIbft.exe
  2⤵
  PID:7628
- C:\Windows\System\AbcDeXp.exe
  C:\Windows\System\AbcDeXp.exe
  2⤵
  PID:7968
- C:\Windows\System\nAnatdU.exe
  C:\Windows\System\nAnatdU.exe
  2⤵
  PID:7208
- C:\Windows\System\ijeelRk.exe
  C:\Windows\System\ijeelRk.exe
  2⤵
  PID:2744
- C:\Windows\System\KGugNvc.exe
  C:\Windows\System\KGugNvc.exe
  2⤵
  PID:8196
- C:\Windows\System\BOmsisH.exe
  C:\Windows\System\BOmsisH.exe
  2⤵
  PID:8216
- C:\Windows\System\BJkNyqk.exe
  C:\Windows\System\BJkNyqk.exe
  2⤵
  PID:8252
- C:\Windows\System\onyYHvs.exe
  C:\Windows\System\onyYHvs.exe
  2⤵
  PID:8272
- C:\Windows\System\kYIRPCC.exe
  C:\Windows\System\kYIRPCC.exe
  2⤵
  PID:8308
- C:\Windows\System\TMDxGGy.exe
  C:\Windows\System\TMDxGGy.exe
  2⤵
  PID:8328
- C:\Windows\System\QKIBbVp.exe
  C:\Windows\System\QKIBbVp.exe
  2⤵
  PID:8356
- C:\Windows\System\AhuydoU.exe
  C:\Windows\System\AhuydoU.exe
  2⤵
  PID:8388
- C:\Windows\System\vBvKFrQ.exe
  C:\Windows\System\vBvKFrQ.exe
  2⤵
  PID:8412
- C:\Windows\System\lKSkjmf.exe
  C:\Windows\System\lKSkjmf.exe
  2⤵
  PID:8440
- C:\Windows\System\icNebBL.exe
  C:\Windows\System\icNebBL.exe
  2⤵
  PID:8468
- C:\Windows\System\EKCqJez.exe
  C:\Windows\System\EKCqJez.exe
  2⤵
  PID:8504
- C:\Windows\System\oeJvDHx.exe
  C:\Windows\System\oeJvDHx.exe
  2⤵
  PID:8524
- C:\Windows\System\GqqvsrN.exe
  C:\Windows\System\GqqvsrN.exe
  2⤵
  PID:8556
- C:\Windows\System\DYYlkaM.exe
  C:\Windows\System\DYYlkaM.exe
  2⤵
  PID:8596
- C:\Windows\System\HSUbDhT.exe
  C:\Windows\System\HSUbDhT.exe
  2⤵
  PID:8612
- C:\Windows\System\lQGJRew.exe
  C:\Windows\System\lQGJRew.exe
  2⤵
  PID:8640
- C:\Windows\System\IRwdoqA.exe
  C:\Windows\System\IRwdoqA.exe
  2⤵
  PID:8668
- C:\Windows\System\rgdsEUt.exe
  C:\Windows\System\rgdsEUt.exe
  2⤵
  PID:8700
- C:\Windows\System\LoLtQIg.exe
  C:\Windows\System\LoLtQIg.exe
  2⤵
  PID:8724
- C:\Windows\System\qbaYmNd.exe
  C:\Windows\System\qbaYmNd.exe
  2⤵
  PID:8752
- C:\Windows\System\XkcMyqG.exe
  C:\Windows\System\XkcMyqG.exe
  2⤵
  PID:8780
- C:\Windows\System\QfaIfYE.exe
  C:\Windows\System\QfaIfYE.exe
  2⤵
  PID:8808
- C:\Windows\System\WulZfGH.exe
  C:\Windows\System\WulZfGH.exe
  2⤵
  PID:8844
- C:\Windows\System\QQzUQWm.exe
  C:\Windows\System\QQzUQWm.exe
  2⤵
  PID:8892
- C:\Windows\System\yJGSGvX.exe
  C:\Windows\System\yJGSGvX.exe
  2⤵
  PID:8916
- C:\Windows\System\UMAdGfG.exe
  C:\Windows\System\UMAdGfG.exe
  2⤵
  PID:8956
- C:\Windows\System\ARubSCQ.exe
  C:\Windows\System\ARubSCQ.exe
  2⤵
  PID:8984
- C:\Windows\System\WtFRwWI.exe
  C:\Windows\System\WtFRwWI.exe
  2⤵
  PID:9008
- C:\Windows\System\hSKDDFp.exe
  C:\Windows\System\hSKDDFp.exe
  2⤵
  PID:9032
- C:\Windows\System\WkXVmxW.exe
  C:\Windows\System\WkXVmxW.exe
  2⤵
  PID:9060
- C:\Windows\System\ecUEAqv.exe
  C:\Windows\System\ecUEAqv.exe
  2⤵
  PID:9088
- C:\Windows\System\nMwmter.exe
  C:\Windows\System\nMwmter.exe
  2⤵
  PID:9116
- C:\Windows\System\qFWWIVg.exe
  C:\Windows\System\qFWWIVg.exe
  2⤵
  PID:9144
- C:\Windows\System\dYUUuSD.exe
  C:\Windows\System\dYUUuSD.exe
  2⤵
  PID:9172
- C:\Windows\System\TPshvUw.exe
  C:\Windows\System\TPshvUw.exe
  2⤵
  PID:9200
- C:\Windows\System\NfIlXdN.exe
  C:\Windows\System\NfIlXdN.exe
  2⤵
  PID:8212
- C:\Windows\System\ioeyXMh.exe
  C:\Windows\System\ioeyXMh.exe
  2⤵
  PID:8284
- C:\Windows\System\VTbfwIw.exe
  C:\Windows\System\VTbfwIw.exe
  2⤵
  PID:8324
- C:\Windows\System\XuqMeaK.exe
  C:\Windows\System\XuqMeaK.exe
  2⤵
  PID:2488
- C:\Windows\System\votqpSc.exe
  C:\Windows\System\votqpSc.exe
  2⤵
  PID:8452
- C:\Windows\System\prXvcyW.exe
  C:\Windows\System\prXvcyW.exe
  2⤵
  PID:8492
- C:\Windows\System\TXUVgPO.exe
  C:\Windows\System\TXUVgPO.exe
  2⤵
  PID:8592
- C:\Windows\System\AkFTDcq.exe
  C:\Windows\System\AkFTDcq.exe
  2⤵
  PID:8636
- C:\Windows\System\rzOuPoW.exe
  C:\Windows\System\rzOuPoW.exe
  2⤵
  PID:8692
- C:\Windows\System\mxJBXnh.exe
  C:\Windows\System\mxJBXnh.exe
  2⤵
  PID:8772
- C:\Windows\System\BzWiCLt.exe
  C:\Windows\System\BzWiCLt.exe
  2⤵
  PID:8852
- C:\Windows\System\utyWYFM.exe
  C:\Windows\System\utyWYFM.exe
  2⤵
  PID:8912
- C:\Windows\System\HxssNTA.exe
  C:\Windows\System\HxssNTA.exe
  2⤵
  PID:8992
- C:\Windows\System\XyjubUZ.exe
  C:\Windows\System\XyjubUZ.exe
  2⤵
  PID:9052
- C:\Windows\System\EEzBgwX.exe
  C:\Windows\System\EEzBgwX.exe
  2⤵
  PID:9112
- C:\Windows\System\yxPtffY.exe
  C:\Windows\System\yxPtffY.exe
  2⤵
  PID:9184
- C:\Windows\System\WACDzdN.exe
  C:\Windows\System\WACDzdN.exe
  2⤵
  PID:8240
- C:\Windows\System\EcWcMjP.exe
  C:\Windows\System\EcWcMjP.exe
  2⤵
  PID:8376
- C:\Windows\System\GKojYFs.exe
  C:\Windows\System\GKojYFs.exe
  2⤵
  PID:8548
- C:\Windows\System\urQsZyh.exe
  C:\Windows\System\urQsZyh.exe
  2⤵
  PID:8680
- C:\Windows\System\ZNMEEFw.exe
  C:\Windows\System\ZNMEEFw.exe
  2⤵
  PID:8820
- C:\Windows\System\xoWLIEm.exe
  C:\Windows\System\xoWLIEm.exe
  2⤵
  PID:9044
- C:\Windows\System\VtEbXdj.exe
  C:\Windows\System\VtEbXdj.exe
  2⤵
  PID:9164
- C:\Windows\System\fNjGPMD.exe
  C:\Windows\System\fNjGPMD.exe
  2⤵
  PID:8368
- C:\Windows\System\sXMDFUX.exe
  C:\Windows\System\sXMDFUX.exe
  2⤵
  PID:8744
- C:\Windows\System\JZMQCkt.exe
  C:\Windows\System\JZMQCkt.exe
  2⤵
  PID:9108
- C:\Windows\System\iymbFmQ.exe
  C:\Windows\System\iymbFmQ.exe
  2⤵
  PID:8664
- C:\Windows\System\wCCsXAl.exe
  C:\Windows\System\wCCsXAl.exe
  2⤵
  PID:8488
- C:\Windows\System\LifvhRs.exe
  C:\Windows\System\LifvhRs.exe
  2⤵
  PID:9236
- C:\Windows\System\EuIXVlm.exe
  C:\Windows\System\EuIXVlm.exe
  2⤵
  PID:9272
- C:\Windows\System\JzoRLIM.exe
  C:\Windows\System\JzoRLIM.exe
  2⤵
  PID:9292
- C:\Windows\System\EDjPpBY.exe
  C:\Windows\System\EDjPpBY.exe
  2⤵
  PID:9320
- C:\Windows\System\YDUbbyn.exe
  C:\Windows\System\YDUbbyn.exe
  2⤵
  PID:9352
- C:\Windows\System\ldOhvwF.exe
  C:\Windows\System\ldOhvwF.exe
  2⤵
  PID:9376
- C:\Windows\System\jYxzDkf.exe
  C:\Windows\System\jYxzDkf.exe
  2⤵
  PID:9404
- C:\Windows\System\nOeQrbS.exe
  C:\Windows\System\nOeQrbS.exe
  2⤵
  PID:9432
- C:\Windows\System\CLcXWWF.exe
  C:\Windows\System\CLcXWWF.exe
  2⤵
  PID:9460
- C:\Windows\System\rYzrQMO.exe
  C:\Windows\System\rYzrQMO.exe
  2⤵
  PID:9492
- C:\Windows\System\AVplQFt.exe
  C:\Windows\System\AVplQFt.exe
  2⤵
  PID:9516
- C:\Windows\System\JpEBiGZ.exe
  C:\Windows\System\JpEBiGZ.exe
  2⤵
  PID:9544
- C:\Windows\System\bYfnNcp.exe
  C:\Windows\System\bYfnNcp.exe
  2⤵
  PID:9572
- C:\Windows\System\jhwySua.exe
  C:\Windows\System\jhwySua.exe
  2⤵
  PID:9600
- C:\Windows\System\JGipCoB.exe
  C:\Windows\System\JGipCoB.exe
  2⤵
  PID:9640
- C:\Windows\System\munCElm.exe
  C:\Windows\System\munCElm.exe
  2⤵
  PID:9660
- C:\Windows\System\pvcxztE.exe
  C:\Windows\System\pvcxztE.exe
  2⤵
  PID:9688
- C:\Windows\System\oxWSnMO.exe
  C:\Windows\System\oxWSnMO.exe
  2⤵
  PID:9716
- C:\Windows\System\IVntfqa.exe
  C:\Windows\System\IVntfqa.exe
  2⤵
  PID:9752
- C:\Windows\System\CKXlagR.exe
  C:\Windows\System\CKXlagR.exe
  2⤵
  PID:9772
- C:\Windows\System\QfDoyLN.exe
  C:\Windows\System\QfDoyLN.exe
  2⤵
  PID:9800
- C:\Windows\System\PXxEaTz.exe
  C:\Windows\System\PXxEaTz.exe
  2⤵
  PID:9832
- C:\Windows\System\GoHmoUi.exe
  C:\Windows\System\GoHmoUi.exe
  2⤵
  PID:9868
- C:\Windows\System\tWYjMwq.exe
  C:\Windows\System\tWYjMwq.exe
  2⤵
  PID:9896
- C:\Windows\System\PKVXQak.exe
  C:\Windows\System\PKVXQak.exe
  2⤵
  PID:9916
- C:\Windows\System\vtsAArR.exe
  C:\Windows\System\vtsAArR.exe
  2⤵
  PID:9944
- C:\Windows\System\BnxvpFc.exe
  C:\Windows\System\BnxvpFc.exe
  2⤵
  PID:9972
- C:\Windows\System\JOXuagb.exe
  C:\Windows\System\JOXuagb.exe
  2⤵
  PID:10008
- C:\Windows\System\oJtYseM.exe
  C:\Windows\System\oJtYseM.exe
  2⤵
  PID:10040
- C:\Windows\System\AIsuiLw.exe
  C:\Windows\System\AIsuiLw.exe
  2⤵
  PID:10056
- C:\Windows\System\quogdit.exe
  C:\Windows\System\quogdit.exe
  2⤵
  PID:10084
- C:\Windows\System\AqFjjxC.exe
  C:\Windows\System\AqFjjxC.exe
  2⤵
  PID:10120
- C:\Windows\System\IVWxJkk.exe
  C:\Windows\System\IVWxJkk.exe
  2⤵
  PID:10148
- C:\Windows\System\GfVZclC.exe
  C:\Windows\System\GfVZclC.exe
  2⤵
  PID:10172
- C:\Windows\System\kqrTuxT.exe
  C:\Windows\System\kqrTuxT.exe
  2⤵
  PID:10204
- C:\Windows\System\dSLeLmP.exe
  C:\Windows\System\dSLeLmP.exe
  2⤵
  PID:10224
- C:\Windows\System\IezWirS.exe
  C:\Windows\System\IezWirS.exe
  2⤵
  PID:9248
- C:\Windows\System\QnlTlhS.exe
  C:\Windows\System\QnlTlhS.exe
  2⤵
  PID:9312
- C:\Windows\System\AhUUMGv.exe
  C:\Windows\System\AhUUMGv.exe
  2⤵
  PID:9388
- C:\Windows\System\UzVJYyE.exe
  C:\Windows\System\UzVJYyE.exe
  2⤵
  PID:9452
- C:\Windows\System\IFDFcVc.exe
  C:\Windows\System\IFDFcVc.exe
  2⤵
  PID:9508
- C:\Windows\System\ayHBJRd.exe
  C:\Windows\System\ayHBJRd.exe
  2⤵
  PID:9568
- C:\Windows\System\FHlYjyO.exe
  C:\Windows\System\FHlYjyO.exe
  2⤵
  PID:9648
- C:\Windows\System\YNrbhWN.exe
  C:\Windows\System\YNrbhWN.exe
  2⤵
  PID:9708
- C:\Windows\System\mHNOPRI.exe
  C:\Windows\System\mHNOPRI.exe
  2⤵
  PID:9768
- C:\Windows\System\APlKAig.exe
  C:\Windows\System\APlKAig.exe
  2⤵
  PID:9840
- C:\Windows\System\FRaAYek.exe
  C:\Windows\System\FRaAYek.exe
  2⤵
  PID:9908
- C:\Windows\System\mPDqjVx.exe
  C:\Windows\System\mPDqjVx.exe
  2⤵
  PID:9968
- C:\Windows\System\OauHvdx.exe
  C:\Windows\System\OauHvdx.exe
  2⤵
  PID:10024
- C:\Windows\System\cJNjPSN.exe
  C:\Windows\System\cJNjPSN.exe
  2⤵
  PID:10104
- C:\Windows\System\nVxgLqY.exe
  C:\Windows\System\nVxgLqY.exe
  2⤵
  PID:10164
- C:\Windows\System\uOKjrst.exe
  C:\Windows\System\uOKjrst.exe
  2⤵
  PID:10236
- C:\Windows\System\qEeiXQx.exe
  C:\Windows\System\qEeiXQx.exe
  2⤵
  PID:9360
- C:\Windows\System\fdwMRCO.exe
  C:\Windows\System\fdwMRCO.exe
  2⤵
  PID:9500
- C:\Windows\System\gNieBuv.exe
  C:\Windows\System\gNieBuv.exe
  2⤵
  PID:9736
- C:\Windows\System\fcJBVGQ.exe
  C:\Windows\System\fcJBVGQ.exe
  2⤵
  PID:9884
- C:\Windows\System\CqtdHpF.exe
  C:\Windows\System\CqtdHpF.exe
  2⤵
  PID:9996
- C:\Windows\System\YkvQegs.exe
  C:\Windows\System\YkvQegs.exe
  2⤵
  PID:10132
- C:\Windows\System\rTPNLXr.exe
  C:\Windows\System\rTPNLXr.exe
  2⤵
  PID:9304
- C:\Windows\System\EbsgDks.exe
  C:\Windows\System\EbsgDks.exe
  2⤵
  PID:9700
- C:\Windows\System\zWpyOUe.exe
  C:\Windows\System\zWpyOUe.exe
  2⤵
  PID:10036
- C:\Windows\System\ZetsbeO.exe
  C:\Windows\System\ZetsbeO.exe
  2⤵
  PID:9564
- C:\Windows\System\QjhArov.exe
  C:\Windows\System\QjhArov.exe
  2⤵
  PID:9472
- C:\Windows\System\DXErIju.exe
  C:\Windows\System\DXErIju.exe
  2⤵
  PID:10256
- C:\Windows\System\TkMOelP.exe
  C:\Windows\System\TkMOelP.exe
  2⤵
  PID:10284
- C:\Windows\System\McVEmZa.exe
  C:\Windows\System\McVEmZa.exe
  2⤵
  PID:10312
- C:\Windows\System\bVlDicc.exe
  C:\Windows\System\bVlDicc.exe
  2⤵
  PID:10340
- C:\Windows\System\spoGXPx.exe
  C:\Windows\System\spoGXPx.exe
  2⤵
  PID:10368
- C:\Windows\System\xeWqVIU.exe
  C:\Windows\System\xeWqVIU.exe
  2⤵
  PID:10388
- C:\Windows\System\jSduRML.exe
  C:\Windows\System\jSduRML.exe
  2⤵
  PID:10424
- C:\Windows\System\RYpsfUs.exe
  C:\Windows\System\RYpsfUs.exe
  2⤵
  PID:10452
- C:\Windows\System\eUsrold.exe
  C:\Windows\System\eUsrold.exe
  2⤵
  PID:10472
- C:\Windows\System\wjYUsxA.exe
  C:\Windows\System\wjYUsxA.exe
  2⤵
  PID:10508
- C:\Windows\System\fPiMdAF.exe
  C:\Windows\System\fPiMdAF.exe
  2⤵
  PID:10532
- C:\Windows\System\vrfVAjr.exe
  C:\Windows\System\vrfVAjr.exe
  2⤵
  PID:10552
- C:\Windows\System\lLaoAhV.exe
  C:\Windows\System\lLaoAhV.exe
  2⤵
  PID:10600
- C:\Windows\System\njQgpwW.exe
  C:\Windows\System\njQgpwW.exe
  2⤵
  PID:10620
- C:\Windows\System\nPOgiFk.exe
  C:\Windows\System\nPOgiFk.exe
  2⤵
  PID:10648
- C:\Windows\System\LAnLewf.exe
  C:\Windows\System\LAnLewf.exe
  2⤵
  PID:10676
- C:\Windows\System\GzdbtIx.exe
  C:\Windows\System\GzdbtIx.exe
  2⤵
  PID:10716
- C:\Windows\System\TxiARZe.exe
  C:\Windows\System\TxiARZe.exe
  2⤵
  PID:10744
- C:\Windows\System\uzVIUln.exe
  C:\Windows\System\uzVIUln.exe
  2⤵
  PID:10760
- C:\Windows\System\xnjPRdr.exe
  C:\Windows\System\xnjPRdr.exe
  2⤵
  PID:10784
- C:\Windows\System\DTszwGi.exe
  C:\Windows\System\DTszwGi.exe
  2⤵
  PID:10808
- C:\Windows\System\sPuWZbh.exe
  C:\Windows\System\sPuWZbh.exe
  2⤵
  PID:10836
- C:\Windows\System\FBAvTkG.exe
  C:\Windows\System\FBAvTkG.exe
  2⤵
  PID:10880
- C:\Windows\System\vElduEi.exe
  C:\Windows\System\vElduEi.exe
  2⤵
  PID:10908
- C:\Windows\System\JfYHYue.exe
  C:\Windows\System\JfYHYue.exe
  2⤵
  PID:10936
- C:\Windows\System\pLQqNiD.exe
  C:\Windows\System\pLQqNiD.exe
  2⤵
  PID:10964
- C:\Windows\System\sJfzxcH.exe
  C:\Windows\System\sJfzxcH.exe
  2⤵
  PID:10992
- C:\Windows\System\vMRCHeu.exe
  C:\Windows\System\vMRCHeu.exe
  2⤵
  PID:11012
- C:\Windows\System\atgsfqB.exe
  C:\Windows\System\atgsfqB.exe
  2⤵
  PID:11048
- C:\Windows\System\nyPRKJZ.exe
  C:\Windows\System\nyPRKJZ.exe
  2⤵
  PID:11080
- C:\Windows\System\lgegBlt.exe
  C:\Windows\System\lgegBlt.exe
  2⤵
  PID:11132
- C:\Windows\System\KpdTRRG.exe
  C:\Windows\System\KpdTRRG.exe
  2⤵
  PID:11160
- C:\Windows\System\YFQXumt.exe
  C:\Windows\System\YFQXumt.exe
  2⤵
  PID:11200
- C:\Windows\System\LtPTrps.exe
  C:\Windows\System\LtPTrps.exe
  2⤵
  PID:11224
- C:\Windows\System\bXTDwVX.exe
  C:\Windows\System\bXTDwVX.exe
  2⤵
  PID:11252
- C:\Windows\System\AdwIJnn.exe
  C:\Windows\System\AdwIJnn.exe
  2⤵
  PID:10276
- C:\Windows\System\GsWfoYL.exe
  C:\Windows\System\GsWfoYL.exe
  2⤵
  PID:10328
- C:\Windows\System\ryBIUWA.exe
  C:\Windows\System\ryBIUWA.exe
  2⤵
  PID:10412
- C:\Windows\System\uFEvIzV.exe
  C:\Windows\System\uFEvIzV.exe
  2⤵
  PID:10460
- C:\Windows\System\erARhQl.exe
  C:\Windows\System\erARhQl.exe
  2⤵
  PID:10544
- C:\Windows\System\yJynVVf.exe
  C:\Windows\System\yJynVVf.exe
  2⤵
  PID:10608
- C:\Windows\System\PMSzBxG.exe
  C:\Windows\System\PMSzBxG.exe
  2⤵
  PID:10672
- C:\Windows\System\whRpRjQ.exe
  C:\Windows\System\whRpRjQ.exe
  2⤵
  PID:10776
- C:\Windows\System\MvoxBfe.exe
  C:\Windows\System\MvoxBfe.exe
  2⤵
  PID:2832
- C:\Windows\System\kQhyLgT.exe
  C:\Windows\System\kQhyLgT.exe
  2⤵
  PID:10868
- C:\Windows\System\TgXAVxL.exe
  C:\Windows\System\TgXAVxL.exe
  2⤵
  PID:10944
- C:\Windows\System\SwiSGBV.exe
  C:\Windows\System\SwiSGBV.exe
  2⤵
  PID:11020
- C:\Windows\System\YSdkqVK.exe
  C:\Windows\System\YSdkqVK.exe
  2⤵
  PID:11072
- C:\Windows\System\jORwOni.exe
  C:\Windows\System\jORwOni.exe
  2⤵
  PID:11104
- C:\Windows\System\tNNHuqA.exe
  C:\Windows\System\tNNHuqA.exe
  2⤵
  PID:11128
- C:\Windows\System\WxqeyWM.exe
  C:\Windows\System\WxqeyWM.exe
  2⤵
  PID:11172
- C:\Windows\System\zfoVdzm.exe
  C:\Windows\System\zfoVdzm.exe
  2⤵
  PID:212
- C:\Windows\System\dqVbNBk.exe
  C:\Windows\System\dqVbNBk.exe
  2⤵
  PID:10296
- C:\Windows\System\oVEiuBt.exe
  C:\Windows\System\oVEiuBt.exe
  2⤵
  PID:10448
- C:\Windows\System\FEPfqaq.exe
  C:\Windows\System\FEPfqaq.exe
  2⤵
  PID:10548
- C:\Windows\System\sSvLclE.exe
  C:\Windows\System\sSvLclE.exe
  2⤵
  PID:4108
- C:\Windows\System\ypxsJoH.exe
  C:\Windows\System\ypxsJoH.exe
  2⤵
  PID:3140
- C:\Windows\System\xWyRiZX.exe
  C:\Windows\System\xWyRiZX.exe
  2⤵
  PID:10988
- C:\Windows\System\QcdmKXO.exe
  C:\Windows\System\QcdmKXO.exe
  2⤵
  PID:5592
- C:\Windows\System\tlTqPfY.exe
  C:\Windows\System\tlTqPfY.exe
  2⤵
  PID:2920
- C:\Windows\System\AgNalUz.exe
  C:\Windows\System\AgNalUz.exe
  2⤵
  PID:10248
- C:\Windows\System\LVIgqeU.exe
  C:\Windows\System\LVIgqeU.exe
  2⤵
  PID:10632
- C:\Windows\System\oClpZsa.exe
  C:\Windows\System\oClpZsa.exe
  2⤵
  PID:5764
- C:\Windows\System\RKRJNHn.exe
  C:\Windows\System\RKRJNHn.exe
  2⤵
  PID:4124
- C:\Windows\System\PQslEzr.exe
  C:\Windows\System\PQslEzr.exe
  2⤵
  PID:9288
- C:\Windows\System\mZeIQxT.exe
  C:\Windows\System\mZeIQxT.exe
  2⤵
  PID:1612
- C:\Windows\System\VFzavwl.exe
  C:\Windows\System\VFzavwl.exe
  2⤵
  PID:10824
- C:\Windows\System\FYFupmg.exe
  C:\Windows\System\FYFupmg.exe
  2⤵
  PID:11272
- C:\Windows\System\vCtxbZZ.exe
  C:\Windows\System\vCtxbZZ.exe
  2⤵
  PID:11300
- C:\Windows\System\LKzLHFB.exe
  C:\Windows\System\LKzLHFB.exe
  2⤵
  PID:11328
- C:\Windows\System\MskusDT.exe
  C:\Windows\System\MskusDT.exe
  2⤵
  PID:11356
- C:\Windows\System\KOuVlJX.exe
  C:\Windows\System\KOuVlJX.exe
  2⤵
  PID:11384
- C:\Windows\System\jrUYRdD.exe
  C:\Windows\System\jrUYRdD.exe
  2⤵
  PID:11420
- C:\Windows\System\FFpcAZR.exe
  C:\Windows\System\FFpcAZR.exe
  2⤵
  PID:11452
- C:\Windows\System\LnPzAWx.exe
  C:\Windows\System\LnPzAWx.exe
  2⤵
  PID:11480
- C:\Windows\System\TCkKkwd.exe
  C:\Windows\System\TCkKkwd.exe
  2⤵
  PID:11500
- C:\Windows\System\wEJvvuv.exe
  C:\Windows\System\wEJvvuv.exe
  2⤵
  PID:11524
- C:\Windows\System\MyOTxnm.exe
  C:\Windows\System\MyOTxnm.exe
  2⤵
  PID:11556
- C:\Windows\System\efEHOMY.exe
  C:\Windows\System\efEHOMY.exe
  2⤵
  PID:11580
- C:\Windows\System\YXweXbw.exe
  C:\Windows\System\YXweXbw.exe
  2⤵
  PID:11608
- C:\Windows\System\gQUqNVw.exe
  C:\Windows\System\gQUqNVw.exe
  2⤵
  PID:11636
- C:\Windows\System\dWxDkhW.exe
  C:\Windows\System\dWxDkhW.exe
  2⤵
  PID:11664
- C:\Windows\System\ggfTdIZ.exe
  C:\Windows\System\ggfTdIZ.exe
  2⤵
  PID:11692
- C:\Windows\System\UxWmuQM.exe
  C:\Windows\System\UxWmuQM.exe
  2⤵
  PID:11720
- C:\Windows\System\IDBeYrE.exe
  C:\Windows\System\IDBeYrE.exe
  2⤵
  PID:11748
- C:\Windows\System\QcLJoiJ.exe
  C:\Windows\System\QcLJoiJ.exe
  2⤵
  PID:11776
- C:\Windows\System\TZqCuSU.exe
  C:\Windows\System\TZqCuSU.exe
  2⤵
  PID:11804
- C:\Windows\System\rmqSOxU.exe
  C:\Windows\System\rmqSOxU.exe
  2⤵
  PID:11832
- C:\Windows\System\mxrMQOp.exe
  C:\Windows\System\mxrMQOp.exe
  2⤵
  PID:11860
- C:\Windows\System\WKywSzN.exe
  C:\Windows\System\WKywSzN.exe
  2⤵
  PID:11888
- C:\Windows\System\fNpApVG.exe
  C:\Windows\System\fNpApVG.exe
  2⤵
  PID:11916
- C:\Windows\System\KdTLYlE.exe
  C:\Windows\System\KdTLYlE.exe
  2⤵
  PID:11944
- C:\Windows\System\qXdupAN.exe
  C:\Windows\System\qXdupAN.exe
  2⤵
  PID:11972
- C:\Windows\System\jrvLoit.exe
  C:\Windows\System\jrvLoit.exe
  2⤵
  PID:11988
- C:\Windows\System\yztCSYQ.exe
  C:\Windows\System\yztCSYQ.exe
  2⤵
  PID:12028
- C:\Windows\System\ZULtOQd.exe
  C:\Windows\System\ZULtOQd.exe
  2⤵
  PID:12056
- C:\Windows\System\MEZBAaw.exe
  C:\Windows\System\MEZBAaw.exe
  2⤵
  PID:12092
- C:\Windows\System\KfBZVMd.exe
  C:\Windows\System\KfBZVMd.exe
  2⤵
  PID:12144
- C:\Windows\System\Yreuyft.exe
  C:\Windows\System\Yreuyft.exe
  2⤵
  PID:12180
- C:\Windows\System\BESyIrP.exe
  C:\Windows\System\BESyIrP.exe
  2⤵
  PID:12208
- C:\Windows\System\OcJLfze.exe
  C:\Windows\System\OcJLfze.exe
  2⤵
  PID:12236
- C:\Windows\System\wKIoChV.exe
  C:\Windows\System\wKIoChV.exe
  2⤵
  PID:12264
- C:\Windows\System\mBrPrJS.exe
  C:\Windows\System\mBrPrJS.exe
  2⤵
  PID:11284
- C:\Windows\System\eTFiQHt.exe
  C:\Windows\System\eTFiQHt.exe
  2⤵
  PID:11348
- C:\Windows\System\CQtvNrN.exe
  C:\Windows\System\CQtvNrN.exe
  2⤵
  PID:11428
- C:\Windows\System\yelxIZC.exe
  C:\Windows\System\yelxIZC.exe
  2⤵
  PID:1108
- C:\Windows\System\HZhuIjj.exe
  C:\Windows\System\HZhuIjj.exe
  2⤵
  PID:11492
- C:\Windows\System\JYKMJoC.exe
  C:\Windows\System\JYKMJoC.exe
  2⤵
  PID:11544
- C:\Windows\System\aOAIDzK.exe
  C:\Windows\System\aOAIDzK.exe
  2⤵
  PID:11600
- C:\Windows\System\wOOMnTd.exe
  C:\Windows\System\wOOMnTd.exe
  2⤵
  PID:11660
- C:\Windows\System\uUmGKlR.exe
  C:\Windows\System\uUmGKlR.exe
  2⤵
  PID:11740
- C:\Windows\System\LdgtxGm.exe
  C:\Windows\System\LdgtxGm.exe
  2⤵
  PID:11796
- C:\Windows\System\pmubnvb.exe
  C:\Windows\System\pmubnvb.exe
  2⤵
  PID:11856
- C:\Windows\System\GzvpCxd.exe
  C:\Windows\System\GzvpCxd.exe
  2⤵
  PID:11928
- C:\Windows\System\RxxHtoI.exe
  C:\Windows\System\RxxHtoI.exe
  2⤵
  PID:11980
- C:\Windows\System\oRNPKvD.exe
  C:\Windows\System\oRNPKvD.exe
  2⤵
  PID:12048
- C:\Windows\System\UlQsjQJ.exe
  C:\Windows\System\UlQsjQJ.exe
  2⤵
  PID:12156
- C:\Windows\System\LeokcxV.exe
  C:\Windows\System\LeokcxV.exe
  2⤵
  PID:10516
- C:\Windows\System\OVtqaWE.exe
  C:\Windows\System\OVtqaWE.exe
  2⤵
  PID:12192
- C:\Windows\System\shVBEYH.exe
  C:\Windows\System\shVBEYH.exe
  2⤵
  PID:12256
- C:\Windows\System\SPCMsKH.exe
  C:\Windows\System\SPCMsKH.exe
  2⤵
  PID:11340
- C:\Windows\System\MwWpuvo.exe
  C:\Windows\System\MwWpuvo.exe
  2⤵
  PID:11436
- C:\Windows\System\WBimORR.exe
  C:\Windows\System\WBimORR.exe
  2⤵
  PID:11564
- C:\Windows\System\FRKUmes.exe
  C:\Windows\System\FRKUmes.exe
  2⤵
  PID:11712
- C:\Windows\System\TXLLgVb.exe
  C:\Windows\System\TXLLgVb.exe
  2⤵
  PID:11852
- C:\Windows\System\gNZDBGH.exe
  C:\Windows\System\gNZDBGH.exe
  2⤵
  PID:12020
- C:\Windows\System\rwNNhvg.exe
  C:\Windows\System\rwNNhvg.exe
  2⤵
  PID:11216
- C:\Windows\System\NHQptHp.exe
  C:\Windows\System\NHQptHp.exe
  2⤵
  PID:12248
- C:\Windows\System\UuzHYPg.exe
  C:\Windows\System\UuzHYPg.exe
  2⤵
  PID:11464
- C:\Windows\System\IRDCjBa.exe
  C:\Windows\System\IRDCjBa.exe
  2⤵
  PID:11824
- C:\Windows\System\AIIiPNd.exe
  C:\Windows\System\AIIiPNd.exe
  2⤵
  PID:12220
- C:\Windows\System\pMXPaIR.exe
  C:\Windows\System\pMXPaIR.exe
  2⤵
  PID:11964
- C:\Windows\System\dGWTEpv.exe
  C:\Windows\System\dGWTEpv.exe
  2⤵
  PID:5108
- C:\Windows\System\ObtyQVq.exe
  C:\Windows\System\ObtyQVq.exe
  2⤵
  PID:12296
- C:\Windows\System\oGUqBMN.exe
  C:\Windows\System\oGUqBMN.exe
  2⤵
  PID:12332
- C:\Windows\System\fIORJOM.exe
  C:\Windows\System\fIORJOM.exe
  2⤵
  PID:12352
- C:\Windows\System\eSqjcQm.exe
  C:\Windows\System\eSqjcQm.exe
  2⤵
  PID:12380
- C:\Windows\System\CeOQphc.exe
  C:\Windows\System\CeOQphc.exe
  2⤵
  PID:12420
- C:\Windows\System\pjCrDAc.exe
  C:\Windows\System\pjCrDAc.exe
  2⤵
  PID:12436
- C:\Windows\System\QRmaCbn.exe
  C:\Windows\System\QRmaCbn.exe
  2⤵
  PID:12464
- C:\Windows\System\iTLuXLr.exe
  C:\Windows\System\iTLuXLr.exe
  2⤵
  PID:12496
- C:\Windows\System\OWfnwwr.exe
  C:\Windows\System\OWfnwwr.exe
  2⤵
  PID:12520
- C:\Windows\System\UqHxQlL.exe
  C:\Windows\System\UqHxQlL.exe
  2⤵
  PID:12556
- C:\Windows\System\YWZwhon.exe
  C:\Windows\System\YWZwhon.exe
  2⤵
  PID:12576
- C:\Windows\System\uCqWMVD.exe
  C:\Windows\System\uCqWMVD.exe
  2⤵
  PID:12604
- C:\Windows\System\elomBGE.exe
  C:\Windows\System\elomBGE.exe
  2⤵
  PID:12632
- C:\Windows\System\YbgMVGa.exe
  C:\Windows\System\YbgMVGa.exe
  2⤵
  PID:12660
- C:\Windows\System\YEWcDFC.exe
  C:\Windows\System\YEWcDFC.exe
  2⤵
  PID:12688
- C:\Windows\System\wpWENuk.exe
  C:\Windows\System\wpWENuk.exe
  2⤵
  PID:12716
- C:\Windows\System\aWyqWLB.exe
  C:\Windows\System\aWyqWLB.exe
  2⤵
  PID:12744
- C:\Windows\System\gwkxVdv.exe
  C:\Windows\System\gwkxVdv.exe
  2⤵
  PID:12772
- C:\Windows\System\urUUmeV.exe
  C:\Windows\System\urUUmeV.exe
  2⤵
  PID:12800
- C:\Windows\System\xvMoeUF.exe
  C:\Windows\System\xvMoeUF.exe
  2⤵
  PID:12828
- C:\Windows\System\ekFeJwt.exe
  C:\Windows\System\ekFeJwt.exe
  2⤵
  PID:12856
- C:\Windows\System\DbILJYI.exe
  C:\Windows\System\DbILJYI.exe
  2⤵
  PID:12884
- C:\Windows\System\qmSCQPy.exe
  C:\Windows\System\qmSCQPy.exe
  2⤵
  PID:12912
- C:\Windows\System\dsmDZrD.exe
  C:\Windows\System\dsmDZrD.exe
  2⤵
  PID:12940
- C:\Windows\System\tJpHlSC.exe
  C:\Windows\System\tJpHlSC.exe
  2⤵
  PID:12968
- C:\Windows\System\mRXkkXt.exe
  C:\Windows\System\mRXkkXt.exe
  2⤵
  PID:12996
- C:\Windows\System\zFkIUjb.exe
  C:\Windows\System\zFkIUjb.exe
  2⤵
  PID:13024
- C:\Windows\System\KMtANNQ.exe
  C:\Windows\System\KMtANNQ.exe
  2⤵
  PID:13052
- C:\Windows\System\UsuKBGB.exe
  C:\Windows\System\UsuKBGB.exe
  2⤵
  PID:13080
- C:\Windows\System\fvwuEvG.exe
  C:\Windows\System\fvwuEvG.exe
  2⤵
  PID:13108
- C:\Windows\System\fkvRxJQ.exe
  C:\Windows\System\fkvRxJQ.exe
  2⤵
  PID:13136
- C:\Windows\System\CnArmvT.exe
  C:\Windows\System\CnArmvT.exe
  2⤵
  PID:13164
- C:\Windows\System\eDGtGWS.exe
  C:\Windows\System\eDGtGWS.exe
  2⤵
  PID:13192
- C:\Windows\System\qfWqMAt.exe
  C:\Windows\System\qfWqMAt.exe
  2⤵
  PID:13220
- C:\Windows\System\KxiiwGD.exe
  C:\Windows\System\KxiiwGD.exe
  2⤵
  PID:13248
- C:\Windows\System\fYyQkjU.exe
  C:\Windows\System\fYyQkjU.exe
  2⤵
  PID:13276
- C:\Windows\System\AesnXVR.exe
  C:\Windows\System\AesnXVR.exe
  2⤵
  PID:13304
- C:\Windows\System\AtDZyNb.exe
  C:\Windows\System\AtDZyNb.exe
  2⤵
  PID:12340
- C:\Windows\System\fWNkliC.exe
  C:\Windows\System\fWNkliC.exe
  2⤵
  PID:12400
- C:\Windows\System\EeOPfOz.exe
  C:\Windows\System\EeOPfOz.exe
  2⤵
  PID:12460
- C:\Windows\System\HUQhLjQ.exe
  C:\Windows\System\HUQhLjQ.exe
  2⤵
  PID:12532
- C:\Windows\System\KKbayma.exe
  C:\Windows\System\KKbayma.exe
  2⤵
  PID:12596
- C:\Windows\System\Ymgpuuo.exe
  C:\Windows\System\Ymgpuuo.exe
  2⤵
  PID:12656
- C:\Windows\System\sKlgIrZ.exe
  C:\Windows\System\sKlgIrZ.exe
  2⤵
  PID:12728
- C:\Windows\System\vkmozUk.exe
  C:\Windows\System\vkmozUk.exe
  2⤵
  PID:12792
- C:\Windows\System\xGudyho.exe
  C:\Windows\System\xGudyho.exe
  2⤵
  PID:12876
- C:\Windows\System\nwkIeNd.exe
  C:\Windows\System\nwkIeNd.exe
  2⤵
  PID:12924
- C:\Windows\System\RbXIDSc.exe
  C:\Windows\System\RbXIDSc.exe
  2⤵
  PID:12988
- C:\Windows\System\nQaEpEm.exe
  C:\Windows\System\nQaEpEm.exe
  2⤵
  PID:13048
- C:\Windows\System\jmDMavF.exe
  C:\Windows\System\jmDMavF.exe
  2⤵
  PID:13100
- C:\Windows\System\rAzixDh.exe
  C:\Windows\System\rAzixDh.exe
  2⤵
  PID:13176
- C:\Windows\System\zReiuKT.exe
  C:\Windows\System\zReiuKT.exe
  2⤵
  PID:13240
- C:\Windows\System\OOnFYwH.exe
  C:\Windows\System\OOnFYwH.exe
  2⤵
  PID:4792
- C:\Windows\System\AngvJpT.exe
  C:\Windows\System\AngvJpT.exe
  2⤵
  PID:12376
- C:\Windows\System\KhjffTs.exe
  C:\Windows\System\KhjffTs.exe
  2⤵
  PID:12484
- C:\Windows\System\ehAIcLO.exe
  C:\Windows\System\ehAIcLO.exe
  2⤵
  PID:12624
- C:\Windows\System\mVQwkqO.exe
  C:\Windows\System\mVQwkqO.exe
  2⤵
  PID:12712
- C:\Windows\System\ERuRlLQ.exe
  C:\Windows\System\ERuRlLQ.exe
  2⤵
  PID:12848
- C:\Windows\System\RQoFiDy.exe
  C:\Windows\System\RQoFiDy.exe
  2⤵
  PID:13016
- C:\Windows\System\PcPwaBm.exe
  C:\Windows\System\PcPwaBm.exe
  2⤵
  PID:13156
- C:\Windows\System\NLtHYrf.exe
  C:\Windows\System\NLtHYrf.exe
  2⤵
  PID:13288
- C:\Windows\System\zGKPDhN.exe
  C:\Windows\System\zGKPDhN.exe
  2⤵
  PID:12456
- C:\Windows\System\eUDVnwl.exe
  C:\Windows\System\eUDVnwl.exe
  2⤵
  PID:12708
- C:\Windows\System\KADBSNK.exe
  C:\Windows\System\KADBSNK.exe
  2⤵
  PID:12964
- C:\Windows\System\vYiSMzU.exe
  C:\Windows\System\vYiSMzU.exe
  2⤵
  PID:13216
- C:\Windows\System\verdCJd.exe
  C:\Windows\System\verdCJd.exe
  2⤵
  PID:5952
- C:\Windows\System\KsvNNMv.exe
  C:\Windows\System\KsvNNMv.exe
  2⤵
  PID:5384
- C:\Windows\System\NeSHDqI.exe
  C:\Windows\System\NeSHDqI.exe
  2⤵
  PID:4956
- C:\Windows\System\hejjSWx.exe
  C:\Windows\System\hejjSWx.exe
  2⤵
  PID:13332
- C:\Windows\System\QsvlFoU.exe
  C:\Windows\System\QsvlFoU.exe
  2⤵
  PID:13360
- C:\Windows\System\ahTrnpa.exe
  C:\Windows\System\ahTrnpa.exe
  2⤵
  PID:13400
- C:\Windows\System\sYBQYVK.exe
  C:\Windows\System\sYBQYVK.exe
  2⤵
  PID:13416
- C:\Windows\System\CHGNTcI.exe
  C:\Windows\System\CHGNTcI.exe
  2⤵
  PID:13444
- C:\Windows\System\BoOOLyX.exe
  C:\Windows\System\BoOOLyX.exe
  2⤵
  PID:13472
- C:\Windows\System\HzTacFY.exe
  C:\Windows\System\HzTacFY.exe
  2⤵
  PID:13500
- C:\Windows\System\qpOzDMH.exe
  C:\Windows\System\qpOzDMH.exe
  2⤵
  PID:13528
- C:\Windows\System\LPOYfvk.exe
  C:\Windows\System\LPOYfvk.exe
  2⤵
  PID:13556
- C:\Windows\System\JmCHMvg.exe
  C:\Windows\System\JmCHMvg.exe
  2⤵
  PID:13592
- C:\Windows\System\FztjSwM.exe
  C:\Windows\System\FztjSwM.exe
  2⤵
  PID:13612
- C:\Windows\System\vGMekdC.exe
  C:\Windows\System\vGMekdC.exe
  2⤵
  PID:13640
- C:\Windows\System\YZLJXXS.exe
  C:\Windows\System\YZLJXXS.exe
  2⤵
  PID:13668
- C:\Windows\System\wmefKcB.exe
  C:\Windows\System\wmefKcB.exe
  2⤵
  PID:13696
- C:\Windows\System\lHSFUED.exe
  C:\Windows\System\lHSFUED.exe
  2⤵
  PID:13728
- C:\Windows\System\AaPsHSt.exe
  C:\Windows\System\AaPsHSt.exe
  2⤵
  PID:13752
- C:\Windows\System\uZEjpDi.exe
  C:\Windows\System\uZEjpDi.exe
  2⤵
  PID:13780
- C:\Windows\System\hpmPUdf.exe
  C:\Windows\System\hpmPUdf.exe
  2⤵
  PID:13808
- C:\Windows\System\scInvkx.exe
  C:\Windows\System\scInvkx.exe
  2⤵
  PID:13836
- C:\Windows\System\XfYgRPO.exe
  C:\Windows\System\XfYgRPO.exe
  2⤵
  PID:13864
- C:\Windows\System\XEKBhBa.exe
  C:\Windows\System\XEKBhBa.exe
  2⤵
  PID:13892
- C:\Windows\System\hlWuzbA.exe
  C:\Windows\System\hlWuzbA.exe
  2⤵
  PID:13920
- C:\Windows\System\rsqpLAO.exe
  C:\Windows\System\rsqpLAO.exe
  2⤵
  PID:13948
- C:\Windows\System\BJWxdCb.exe
  C:\Windows\System\BJWxdCb.exe
  2⤵
  PID:13988
- C:\Windows\System\BEUoOmT.exe
  C:\Windows\System\BEUoOmT.exe
  2⤵
  PID:14004
- C:\Windows\System\sZXVcCI.exe
  C:\Windows\System\sZXVcCI.exe
  2⤵
  PID:14032
- C:\Windows\System\CwuLtfJ.exe
  C:\Windows\System\CwuLtfJ.exe
  2⤵
  PID:14060
- C:\Windows\System\BsHfaTO.exe
  C:\Windows\System\BsHfaTO.exe
  2⤵
  PID:14088
- C:\Windows\System\NhSwmxw.exe
  C:\Windows\System\NhSwmxw.exe
  2⤵
  PID:14116
- C:\Windows\System\lxiCuLy.exe
  C:\Windows\System\lxiCuLy.exe
  2⤵
  PID:14144
- C:\Windows\System\amyGEiH.exe
  C:\Windows\System\amyGEiH.exe
  2⤵
  PID:14172
- C:\Windows\System\AUureKv.exe
  C:\Windows\System\AUureKv.exe
  2⤵
  PID:14200
- C:\Windows\System\BmHhLTd.exe
  C:\Windows\System\BmHhLTd.exe
  2⤵
  PID:14228
- C:\Windows\System\ByHGkzf.exe
  C:\Windows\System\ByHGkzf.exe
  2⤵
  PID:14256
- C:\Windows\System\hQbuwsL.exe
  C:\Windows\System\hQbuwsL.exe
  2⤵
  PID:14284
- C:\Windows\System\xVRdxGL.exe
  C:\Windows\System\xVRdxGL.exe
  2⤵
  PID:14312
- C:\Windows\System\fXkQnOz.exe
  C:\Windows\System\fXkQnOz.exe
  2⤵
  PID:13316
- C:\Windows\System\tvsFfnu.exe
  C:\Windows\System\tvsFfnu.exe
  2⤵
  PID:13380
- C:\Windows\System\xPPcEso.exe
  C:\Windows\System\xPPcEso.exe
  2⤵
  PID:13440
- C:\Windows\System\oLWnkta.exe
  C:\Windows\System\oLWnkta.exe
  2⤵
  PID:13512
- C:\Windows\System\GndqFsZ.exe
  C:\Windows\System\GndqFsZ.exe
  2⤵
  PID:5028
- C:\Windows\System\eHuwLdk.exe
  C:\Windows\System\eHuwLdk.exe
  2⤵
  PID:13624
- C:\Windows\System\bMiltaq.exe
  C:\Windows\System\bMiltaq.exe
  2⤵
  PID:13688
- C:\Windows\System\ZHDnoGS.exe
  C:\Windows\System\ZHDnoGS.exe
  2⤵
  PID:13748
- C:\Windows\System\ZzCRutm.exe
  C:\Windows\System\ZzCRutm.exe
  2⤵
  PID:13820
- C:\Windows\System\mBCCjRo.exe
  C:\Windows\System\mBCCjRo.exe
  2⤵
  PID:13860
- C:\Windows\System\UMFvHQN.exe
  C:\Windows\System\UMFvHQN.exe
  2⤵
  PID:13912
- C:\Windows\System\xkkyTYb.exe
  C:\Windows\System\xkkyTYb.exe
  2⤵
  PID:13972
- C:\Windows\System\WJcMOTs.exe
  C:\Windows\System\WJcMOTs.exe
  2⤵
  PID:14000
- C:\Windows\System\QxtCwIK.exe
  C:\Windows\System\QxtCwIK.exe
  2⤵
  PID:14072
- C:\Windows\System\YdGcgnN.exe
  C:\Windows\System\YdGcgnN.exe
  2⤵
  PID:14136
- C:\Windows\System\fKqttRH.exe
  C:\Windows\System\fKqttRH.exe
  2⤵
  PID:14196
- C:\Windows\System\ZSSupbc.exe
  C:\Windows\System\ZSSupbc.exe
  2⤵
  PID:2408
- C:\Windows\System\FBbsbkP.exe
  C:\Windows\System\FBbsbkP.exe
  2⤵
  PID:3948
- C:\Windows\System\zrfUkLM.exe
  C:\Windows\System\zrfUkLM.exe
  2⤵
  PID:14324
- C:\Windows\System\mHGSIVD.exe
  C:\Windows\System\mHGSIVD.exe
  2⤵
  PID:13428
- C:\Windows\System\eUHsZEu.exe
  C:\Windows\System\eUHsZEu.exe
  2⤵
  PID:13568
- C:\Windows\System\cezmRYV.exe
  C:\Windows\System\cezmRYV.exe
  2⤵
  PID:13744
- C:\Windows\System\wlFeTWq.exe
  C:\Windows\System\wlFeTWq.exe
  2⤵
  PID:4904
- C:\Windows\System\GwoGppo.exe
  C:\Windows\System\GwoGppo.exe
  2⤵
  PID:13968
- C:\Windows\System\wWJcLUm.exe
  C:\Windows\System\wWJcLUm.exe
  2⤵
  PID:14100
- C:\Windows\System\iwbIdrn.exe
  C:\Windows\System\iwbIdrn.exe
  2⤵
  PID:5128
- C:\Windows\System\NWQdSOw.exe
  C:\Windows\System\NWQdSOw.exe
  2⤵
  PID:14308
- C:\Windows\System\FuZFZSD.exe
  C:\Windows\System\FuZFZSD.exe
  2⤵
  PID:13608
- C:\Windows\System\EpQHZwd.exe
  C:\Windows\System\EpQHZwd.exe
  2⤵
  PID:13940
- C:\Windows\System\oxqNOCI.exe
  C:\Windows\System\oxqNOCI.exe
  2⤵
  PID:14280
- C:\Windows\System\RyJVAqw.exe
  C:\Windows\System\RyJVAqw.exe
  2⤵
  PID:13800
- C:\Windows\System\IRYVXXq.exe
  C:\Windows\System\IRYVXXq.exe
  2⤵
  PID:3108
- C:\Windows\System\aEfdYGE.exe
  C:\Windows\System\aEfdYGE.exe
  2⤵
  PID:13552
- C:\Windows\System\KkYHbnC.exe
  C:\Windows\System\KkYHbnC.exe
  2⤵
  PID:1848
- C:\Windows\System\yShvgLn.exe
  C:\Windows\System\yShvgLn.exe
  2⤵
  PID:14340
- C:\Windows\System\LYIHcdC.exe
  C:\Windows\System\LYIHcdC.exe
  2⤵
  PID:14360
- C:\Windows\System\SfBaJxP.exe
  C:\Windows\System\SfBaJxP.exe
  2⤵
  PID:14388
- C:\Windows\System\XWWAOCq.exe
  C:\Windows\System\XWWAOCq.exe
  2⤵
  PID:14416
- C:\Windows\System\DvxfRnl.exe
  C:\Windows\System\DvxfRnl.exe
  2⤵
  PID:14444
- C:\Windows\System\tRBHvML.exe
  C:\Windows\System\tRBHvML.exe
  2⤵
  PID:14472
- C:\Windows\System\skPZHmq.exe
  C:\Windows\System\skPZHmq.exe
  2⤵
  PID:14500
- C:\Windows\System\XiVZMMp.exe
  C:\Windows\System\XiVZMMp.exe
  2⤵
  PID:14528
- C:\Windows\System\ulcdaDM.exe
  C:\Windows\System\ulcdaDM.exe
  2⤵
  PID:14556
- C:\Windows\System\txUnMJU.exe
  C:\Windows\System\txUnMJU.exe
  2⤵
  PID:14584
- C:\Windows\System\UcfonuO.exe
  C:\Windows\System\UcfonuO.exe
  2⤵
  PID:14612
- C:\Windows\System\Hjuppih.exe
  C:\Windows\System\Hjuppih.exe
  2⤵
  PID:14640
- C:\Windows\System\abdhOUv.exe
  C:\Windows\System\abdhOUv.exe
  2⤵
  PID:14668
- C:\Windows\System\wBlNPop.exe
  C:\Windows\System\wBlNPop.exe
  2⤵
  PID:14696
- C:\Windows\System\Xjsosmn.exe
  C:\Windows\System\Xjsosmn.exe
  2⤵
  PID:14724
- C:\Windows\System\PwhzUUh.exe
  C:\Windows\System\PwhzUUh.exe
  2⤵
  PID:14752
- C:\Windows\System\IjsjAJg.exe
  C:\Windows\System\IjsjAJg.exe
  2⤵
  PID:14780
- C:\Windows\System\VqOoAyL.exe
  C:\Windows\System\VqOoAyL.exe
  2⤵
  PID:14812
- C:\Windows\System\xGaswif.exe
  C:\Windows\System\xGaswif.exe
  2⤵
  PID:14840
- C:\Windows\System\dbhJAgG.exe
  C:\Windows\System\dbhJAgG.exe
  2⤵
  PID:14872
- C:\Windows\System\jZAqteO.exe
  C:\Windows\System\jZAqteO.exe
  2⤵
  PID:14900
- C:\Windows\System\DwqqUoj.exe
  C:\Windows\System\DwqqUoj.exe
  2⤵
  PID:14928
- C:\Windows\System\FfcRMsV.exe
  C:\Windows\System\FfcRMsV.exe
  2⤵
  PID:14960
- C:\Windows\System\qFBUJHF.exe
  C:\Windows\System\qFBUJHF.exe
  2⤵
  PID:14988
- C:\Windows\System\cWrKGjt.exe
  C:\Windows\System\cWrKGjt.exe
  2⤵
  PID:15020
- C:\Windows\System\rooEPXq.exe
  C:\Windows\System\rooEPXq.exe
  2⤵
  PID:15052
- C:\Windows\System\VLWGBRY.exe
  C:\Windows\System\VLWGBRY.exe
  2⤵
  PID:15084
- C:\Windows\System\kshYMfa.exe
  C:\Windows\System\kshYMfa.exe
  2⤵
  PID:15112
- C:\Windows\System\FXmByEj.exe
  C:\Windows\System\FXmByEj.exe
  2⤵
  PID:15140
- C:\Windows\System\FXjCMDw.exe
  C:\Windows\System\FXjCMDw.exe
  2⤵
  PID:15172
- C:\Windows\System\saykGsR.exe
  C:\Windows\System\saykGsR.exe
  2⤵
  PID:15204
- C:\Windows\System\bfkISRk.exe
  C:\Windows\System\bfkISRk.exe
  2⤵
  PID:15232
- C:\Windows\System\ZxoQsMt.exe
  C:\Windows\System\ZxoQsMt.exe
  2⤵
  PID:15280
- C:\Windows\System\efJBMXH.exe
  C:\Windows\System\efJBMXH.exe
  2⤵
  PID:2464
- C:\Windows\System\OimfmVB.exe
  C:\Windows\System\OimfmVB.exe
  2⤵
  PID:14356
- C:\Windows\System\eUuTpeR.exe
  C:\Windows\System\eUuTpeR.exe
  2⤵
  PID:14436
- C:\Windows\System\AEkHxlA.exe
  C:\Windows\System\AEkHxlA.exe
  2⤵
  PID:14492
- C:\Windows\System\voWRqMn.exe
  C:\Windows\System\voWRqMn.exe
  2⤵
  PID:844
- C:\Windows\System\GzBZebo.exe
  C:\Windows\System\GzBZebo.exe
  2⤵
  PID:14716
- C:\Windows\System\MSfphmf.exe
  C:\Windows\System\MSfphmf.exe
  2⤵
  PID:2736
- C:\Windows\System\UebVtkj.exe
  C:\Windows\System\UebVtkj.exe
  2⤵
  PID:14796
- C:\Windows\System\IYOQYjf.exe
  C:\Windows\System\IYOQYjf.exe
  2⤵
  PID:1548
- C:\Windows\System\EYJwEzO.exe
  C:\Windows\System\EYJwEzO.exe
  2⤵
  PID:14956
- C:\Windows\System\uvOlIsG.exe
  C:\Windows\System\uvOlIsG.exe
  2⤵
  PID:3224
- C:\Windows\System\mAmoFxQ.exe
  C:\Windows\System\mAmoFxQ.exe
  2⤵
  PID:3416
- C:\Windows\System\EUuAUft.exe
  C:\Windows\System\EUuAUft.exe
  2⤵
  PID:4540

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EPPBaMb.exe

Filesize
6.1MB

MD5
101d0d675b4b6f4d7867c908da7f1a68

SHA1
c3c5ae521a78c7479e70cf90ab0b2c976d5dbedf

SHA256
dd56aca5cb2aedd55185af4c00be1de5cbab5caf299d3ffae63c86a0474c447b

SHA512
37c355b8064c611a8719739a6e0ea44486852f18dbf0bb8fb6ae8466a098f6426cdcfe6b5396d782d58add408a8c8e574963c846d71e05c2fda3a6c720cd4107

Download Submit
C:\Windows\System\FYXyzGo.exe

Filesize
6.1MB

MD5
ff0029b8c696553cd3854bd0ef5783bc

SHA1
04162f162856f652740b6428da75f36503762c93

SHA256
8124359f85d850181c508a9e6428ee5c89b08d92f003d150fe06deb225b6d7d8

SHA512
9bed77982d7f60e793e5f23c6a892f8bde5ebaee030a68a70c4fd3a94ab570bceb9e2c31347ecb8ff672c6b11d5d340d9ab7d8703ce19f607c904bcc87d832af

Download Submit
C:\Windows\System\GoCTKIq.exe

Filesize
6.1MB

MD5
4b9ab76b4efc38b00247e0852d9ee406

SHA1
eafd633165337bc7a93475f3e71c50b5bc628708

SHA256
ca52093c80864bc053aa1618c2dbeda1f257731c7e32f9d3e5a95122504f98c0

SHA512
aca65120a1b4108ca317d6c9175393ddd1c93b592a7a911c175a4c259e8255fcd5a399c7d5a4737d0004550398ceb223160fda4dd12371dae1403309cd469932

Download Submit
C:\Windows\System\IywgVTZ.exe

Filesize
6.0MB

MD5
a9254076ede8b139705d11761044f745

SHA1
912b234a3c366230664401b53bdc030ae9f701dc

SHA256
20ef73d785d365b729a6c06293da857dbcf1f9bdca4d31888a085797979b26d6

SHA512
8e1fb8b2a5a78d0322bf90b2ae57a2f39340e9e0ebeab719fd1ea976025b64387f0d70415ca7c4a4909b08ec63c398fd007f3ffa9d5dd27c028ab74d130c864f

Download Submit
C:\Windows\System\JNVgJYJ.exe

Filesize
6.1MB

MD5
7a063df23c0f81a4190f895991700b9f

SHA1
857b5dc96afeca67da40c7ee540444b685797307

SHA256
3f6c5096227084aab5113d19b52ec1306f055c05fb8afebf85b0591050bf02cc

SHA512
ecc2e2493a126f35b4e2745577ea72aa9771e6dad5e413a1d70a9bfb79e1c88f1c9afd4cd20db5ec47cdbca9e6f10847b8247a54aabc6adb15e0e7fc53b1b332

Download Submit
C:\Windows\System\OhGYWYk.exe

Filesize
6.1MB

MD5
0d601ea91bdd789ff04224fc1a9e16b3

SHA1
5d64b9e544a3ce629cafe74d435ee2cc646efe22

SHA256
e245bd3763d5e65fac43b09224f3683a3a4c62e06bd1fdef7a6741ebabf778ce

SHA512
d3f4061f52d914a3ee3a28c947ddcb4fa54ce0e4adad609874c351aec79bfabd4b894251d4bfa263828f3af7928861993be6ed512ac273256595b9dfa377ad83

Download Submit
C:\Windows\System\OyHqdtg.exe

Filesize
6.0MB

MD5
e17f89c545ffe205d4e07ce3f31448b9

SHA1
b89a543a4d55f1ddd0eab958cb60589135594961

SHA256
e9fbc363b1796857649f69a2c41b4d27fd17ada7acffb310decff8917590a21d

SHA512
21a81194eed9370d30d05cfb708598cc6143faad4e78dea1f483c6e03cfb9b9f33ae56bbd5e4928a7a3f5265ca9ca2ba4f5f4dc4d56892022977b8e80518da09

Download Submit
C:\Windows\System\PsBsMVn.exe

Filesize
6.1MB

MD5
b10a878a495106389aaa2531b9978ac8

SHA1
30ed166909dcbc9e73f8513f97b46e674a1c1457

SHA256
022a10b9d4a184e0253fdc33e3761b33911c0b3b35eaa2e3758cf8b3d808a63c

SHA512
03f4faebd5ffdff0cdb6f288bdcc9b866737fc4dedddb89e55d01a83ed70ca4bf2d60f4eb3accb1b1b4479bf2f6fabc54231b2e2508b00222b3fd79e3bd141e7

Download Submit
C:\Windows\System\RPFcqhh.exe

Filesize
6.0MB

MD5
f5b43dbdadf962e41bad08e275f74a20

SHA1
5f964d1b74cb17dfc280684713e6dd9c4d22e157

SHA256
4baccb53ccea1dcb31c8a2d796c7a4ca9032a13dc3f4c9e164c8e7ca5b5b8756

SHA512
edc7d0cb08397f4a55897a7d11caace04972f76cbf3f7a1d88d315f7ca7775755e2228be292508e4eb411fdfae68a746ef42a1da13e9492657179cc72f9f233e

Download Submit
C:\Windows\System\TbhydIg.exe

Filesize
6.1MB

MD5
b728073b2a2e2a9cb54827588e51fb3c

SHA1
72fb87e9cdb00e5124067574ba6d21ab9fc4c4c3

SHA256
0334d350cfde17fe94d6c742c4d6eeae8be92d98c7d1f4a7f48728af82c485ba

SHA512
619a2acf4ea6ca9272ad38c66f07f6c7e85bbc23652873eb2851728beacafc9bf1c9add7899dc19f4c98bd98e9c83b71e59bf4ea06f772e684f03ca59dc70c20

Download Submit
C:\Windows\System\UbIvUZL.exe

Filesize
6.1MB

MD5
377321aef87357a0926e3f26b20f661c

SHA1
91ee4742b3082fc8899ab39da903be5d8a13a612

SHA256
e4eb9d563ad84fd2477277cd11cea657dbc735754e25662920bf69605745b91a

SHA512
69424fd9228d6c9f753522e9ec7068ec0c26ec03b39e130dac4366721ae38d0aa6de506ba54ddb189f95c3a88034d34a83a9f5c42976e6222b567d8f099de034

Download Submit
C:\Windows\System\WeGmPHC.exe

Filesize
6.1MB

MD5
a1c1e1067abdd5694f302c7fabab2e6c

SHA1
2962eb63693bf7cbed6047744d069d5b2d0360b6

SHA256
6fbdd2bcd1dc4a7b09c2e6033ddb6768f0c3bfa5ec91aba640cf1ddca7ca5635

SHA512
ddd9b6113acbaf64dd4baf6953e7d16a848afbee5196e6ca50110774843e24bdeabe10110b500c78a509d8126a37186bac412f46e06a863980f7097256b2ea1b

Download Submit
C:\Windows\System\XgLMHJJ.exe

Filesize
6.1MB

MD5
865eed95b7bd65934a87f96acdb51e90

SHA1
3061e1000e502cdafae377e8aa262681d3bdff95

SHA256
40f06e51afd816bf3956881d16537f0f97835ade8c23c0fe78e00f83ea9c7193

SHA512
2fd9ce44fd35daf71df4becd1eee6a80e8f18ba2927ab41a08aa0645af807c4d2571ab6176e9a6dcc7532ed00ef81bbf332feb6f3fd8253c2388e724d86a1a2b

Download Submit
C:\Windows\System\YpmVltQ.exe

Filesize
6.0MB

MD5
33e78e9410f9f7e8a61bab067ccee783

SHA1
ed48e5d7f91874c45ec450017ff47d800f492f0a

SHA256
c09db04000c94e421d85d8e36838a82c0286cebd3cba002367767b27b1cc2da2

SHA512
71ea30e91e6584a0ea2e8d738716dad24cdf16334b97b8b64619a6c4ca788d8c58d9042fe0911803d39736a4d3403f08a82f1a67fdcdb531b2d91a324569be1a

Download Submit
C:\Windows\System\bpgxMSQ.exe

Filesize
6.1MB

MD5
448176da334646732b5619154b14979e

SHA1
a1efd550965ee8e2051eb48977cfbcd43a8b9758

SHA256
4ea59e862f3509b70d1d94d5aed7195c2369475178aa6735e83d84e367d35b60

SHA512
e80b7e553440c81aa28133139e2737dbd30d04bb3ff1c7e56bdd24c60b55257507211892bfc33e87c0c3f9ebcea06d1b7c44b4ce9e9805708df9c0b208e266c1

Download Submit
C:\Windows\System\cXyfiOR.exe

Filesize
6.1MB

MD5
32cbe87422c39138437f6f89c11a6fb8

SHA1
6e5df7d453756045364fb3e8c57c6abc1b5f20c8

SHA256
bc9c13dc2054614e1aa35f6d37b341056afd35407bd19a58fb1d8e71c364b0cf

SHA512
df80a39e925566cfddfa0b74fe5d403ac3ba91c3b3d954829f9f99a1325709742009e5499bc3161d798944bf781fd3f2bff4144700c3d19b8449ee0391876d3a

Download Submit
C:\Windows\System\eMXhMJV.exe

Filesize
6.0MB

MD5
5255cdf6e2f7ec5647b4d277a4022ef9

SHA1
2fc029a3095beecaa9a37b13e8b4a83c39dcca36

SHA256
530590a0a4b7a4131491d25dc160e3c5b74a051b6b2621b3bd9dfc160dd6c0a0

SHA512
3caf46718477deb16f6067da1f5e691e3ca2f984288b9bc23dd730534d1281d0c3ed03c674afb29deab7df2626aabd603fe866b1780796d8b93e02e46a4a6ed6

Download Submit
C:\Windows\System\exYYtJK.exe

Filesize
6.0MB

MD5
5b6e3a250cb9e66463b7fbcc66c6f80d

SHA1
9ca309a64ce1492fce087c8c4b7986316e488f33

SHA256
5bb740a07d7f077d94528c320c936bfc3bfe59beed538aa8ca731dea7a4409a0

SHA512
dbcb88065649e0bdfe89bd6967c1f03de8d4bed1eb51db5bbdcf4cfa5310a385aba10a73c92b35abb39cdf10e5a4406a9bb9c24dba8470c8f3c3cec248b7848e

Download Submit
C:\Windows\System\gbXrMeF.exe

Filesize
6.1MB

MD5
dbfd79f09cf47b73bc1d23ae5c2548a5

SHA1
225eb2a6e349db08ec699418d98b62a3bda0ccdd

SHA256
4a9bce2a2015187b7c2d26baaf15e4b20545ebe33b5bd393d4389d5ee8fc24e2

SHA512
e18d534b7f476c8aa68ed317bd544a4a4be98accce56ea3d655a334e3e4dede19f708d0b34f554c0c0015ecd59a39ed7b67036626fd40e6c3c4a73a6eaf3d5f2

Download Submit
C:\Windows\System\hwGmAty.exe

Filesize
6.1MB

MD5
97df3f24aa3c66cae7897bac4ed55bc4

SHA1
b29e7c6fb96ceaabfb7702357a256118f46dbbf0

SHA256
13b95740f54cb840d237a27a55441f99654fb0003f166111f0ea2e722182639f

SHA512
e1fb586bbb4c0947410d3c7a5a80f154dd989b073e755548d228874ca6e34a3519fc839343fc6498bc9517988132c2ced74d5dc7c029b506325ff4ab6f8daea5

Download Submit
C:\Windows\System\iVnHOCC.exe

Filesize
6.0MB

MD5
26ef1d3355098e0ee7003c406a3097e7

SHA1
c4a357912295153a80e14d1cbac8c7d404942e61

SHA256
b5be2a282b97007a0a045ae87f69bf5d15ca52737cdc451974879578746428c9

SHA512
9954c662e7cdb44617928fe0da7d9d44d79b2042441f9a6b821fdf179d6bf6a9f8786cc561ebee40ac26ffecd04f180891f24c45600a37d347a17eb539b4cbcf

Download Submit
C:\Windows\System\ilYHgNd.exe

Filesize
6.1MB

MD5
ef89408a8fb4fb7352f7b47fb651d4c3

SHA1
254a85d76a64da0f3356759027d9730bdbb158d7

SHA256
e25b853bf1e019fa434d24c3a1e2faf060269b6f4b4b68c7368780e795faa7e9

SHA512
ba98cd91cf09de2cf066bb2492ece600b1d2fd262620a90fec1e2326d334433ce3e4c3c6579c507ee67b6d8e3b2580b81853c4cd77726aec7ce8db89a64a9085

Download Submit
C:\Windows\System\koNxbLx.exe

Filesize
6.1MB

MD5
18b0794151200240f55d55f5ec3ee374

SHA1
e955814fbebc2ac0675387c8f49ac0a5c0fb4ad7

SHA256
0df992538f3970901a96762718e24c411946d6c39eabf6df5015e580e99f4c2a

SHA512
b9a9f915ddacc655897ea1170cadd36b4217f164c65724b44d1e0897e1ce177b41c6f66e701d5733b9524abe1736ee9edc44eb71761fc5214f34de8c690148ed

Download Submit
C:\Windows\System\koPgaXi.exe

Filesize
6.0MB

MD5
4abdfe260c8a95f9dfc4a64a6d083175

SHA1
7d8158c7f0eb0412752d633cb5c0f05ddd839124

SHA256
c954cf0574b4e8233e0204367de144722926b7165680102a27f9faae8ca2e60d

SHA512
eaaf439a1afc14577cc620982a98d57590b3e56a47e485e304c9e0258222e30f117ecc0e2f6264cefda34f1a8eec51b38966fa89bb7bfdc5e3bc5b1142af14c9

Download Submit
C:\Windows\System\mTBfBKc.exe

Filesize
6.1MB

MD5
bdbb30771ad642979048385d1f5b74b3

SHA1
ec1c35475290951cd878bfcac7752f5d79150775

SHA256
5075419b2d7601c066a25f0ad17a4d6c1294ff4e90fb56e0ad53c7a6732bb52c

SHA512
381fc3cc3672eb99e1050cc8d90cefafdacb257e5680c3327ebfa3dbde57fe7e57e4daa2ef802f61f63d3ada23ed0684811c4623e11f25d68e07db3efd32463b

Download Submit
C:\Windows\System\psEElAw.exe

Filesize
6.1MB

MD5
eed8f4f66627fee80928b68a33b0ca38

SHA1
917953d39127955a1331e3d33a7b8eb42ee982b6

SHA256
d045b2ba5689fc291a1b5f8d3681550c9cebe1f24575c92fb1b869456711eb16

SHA512
c5c9881c0b883655291f4c50841aeb833835a4143c87c733987136c32d95f492c8dcb0825ced04890a937bf2559aa425e8347084d00e66e709719b7c2b34210e

Download Submit
C:\Windows\System\rIhxCBQ.exe

Filesize
6.1MB

MD5
6fbb3eff43f6182692791caade8aa84b

SHA1
edd07bb5d88650b486296afc079ab02914a1edce

SHA256
3c27baa3d84f52ca170f5fa577045eb9cfcdce3242c25c971de1c766b316b5ef

SHA512
8c6885dd58544714f7f6a04d1b565a4aa8cf859980dd35683d62884cf959a01dd332904f242f640a6a105f4760ae53dd313e14940c273ccce02a07f6967c7aa8

Download Submit
C:\Windows\System\svhOlIk.exe

Filesize
6.1MB

MD5
b512dbdc86ab79c9d49f3c837bc25c99

SHA1
cf5810790805a77d39f79a5e9a75d659e7984799

SHA256
3bc5eb18c4d168406adf4f69476a206de03b9c10cc1f5505c8ce6844ead239aa

SHA512
b4bd1a12e3ee340340592e7440a33e42f23825c77057088198ed10379810b41d39581fd37c317ecb6b8c5b58c2a8e53622bf67125a1df9dafe1209583847956e

Download Submit
C:\Windows\System\vLMoLhx.exe

Filesize
6.1MB

MD5
20370511363254a8659af87bd0731222

SHA1
4751820b967dfa9b593bd4b75ed81023f83af1c6

SHA256
f4cf8e50785eb795a2af028e1367f97b1157f1fcd44c390327cdbc1f4b495954

SHA512
f86ce0c7c8c5adc89b577688f770c20d920dc0925091a7d0cfd8a0b68d44b158f96ffcb4cf6bff4acce8d2226c0c8799ae58a2fc73d53e2e337067293163642b

Download Submit
C:\Windows\System\vTgbryk.exe

Filesize
6.1MB

MD5
5b1e22dc8c68e1d231d48964e5d1c26e

SHA1
4f4954c2104ff3621c9339dfb3d5621cbd2e93f3

SHA256
437ace7e4f4b53042bafde4f62eb86cccb784cb938aa4e6189357d7d7d4b9560

SHA512
80eb06fefe3975df808f6e76a18805319db95d65ccd1183ef356679a7028b0d2bf6528614340363e008be1483d57eb3fa101feec6f4f4d3bac4078bed566aa3f

Download Submit
C:\Windows\System\vUqZmSm.exe

Filesize
6.0MB

MD5
9cbe18d8fde4134b2e493b144af2e256

SHA1
23d012866a936bd9d6b5be104b2d3d4660117999

SHA256
e00b55df4ead5e77553ca19c5881c7459e7927c10bd6b1498f308e42ae01f117

SHA512
8099f470228c5682e46401ccada0fe4beb04f2434f141ed7a4a737eb29f08d1ca25cbd69c3dec313c1b15ec20e62aeb4329b08e879655e15b7390d921c67a676

Download Submit
C:\Windows\System\xBmFAqc.exe

Filesize
6.1MB

MD5
070f90e732288bfdd9842d3f20570dce

SHA1
b96e717a45987ab6467c9cb31d21eb6cd18fe603

SHA256
931e201deeb8a8ee1621bf90aee8da1a7a9e3a790e6b4bdbea7f3d7db426ebe8

SHA512
08ad5009d4e3b0dc66d958796535542e975968a720793860a3a86723f8115a5233aefe09c475380c1aede1af616679f5e6256f7f2851684aec80839420e3c6c8

Download Submit
memory/216-81-0x00007FF732A90000-0x00007FF732DE4000-memory.dmp

Filesize
3.3MB

Download
memory/216-19-0x00007FF732A90000-0x00007FF732DE4000-memory.dmp

Filesize
3.3MB

Download
memory/216-2183-0x00007FF732A90000-0x00007FF732DE4000-memory.dmp

Filesize
3.3MB

Download
memory/1356-73-0x00007FF684980000-0x00007FF684CD4000-memory.dmp

Filesize
3.3MB

Download
memory/1356-8-0x00007FF684980000-0x00007FF684CD4000-memory.dmp

Filesize
3.3MB

Download
memory/1356-2165-0x00007FF684980000-0x00007FF684CD4000-memory.dmp

Filesize
3.3MB

Download
memory/1564-2190-0x00007FF74AEA0000-0x00007FF74B1F4000-memory.dmp

Filesize
3.3MB

Download
memory/1564-24-0x00007FF74AEA0000-0x00007FF74B1F4000-memory.dmp

Filesize
3.3MB

Download
memory/1564-86-0x00007FF74AEA0000-0x00007FF74B1F4000-memory.dmp

Filesize
3.3MB

Download
memory/1588-143-0x00007FF74E390000-0x00007FF74E6E4000-memory.dmp

Filesize
3.3MB

Download
memory/1588-377-0x00007FF74E390000-0x00007FF74E6E4000-memory.dmp

Filesize
3.3MB

Download
memory/1588-2390-0x00007FF74E390000-0x00007FF74E6E4000-memory.dmp

Filesize
3.3MB

Download
memory/1688-2250-0x00007FF757610000-0x00007FF757964000-memory.dmp

Filesize
3.3MB

Download
memory/1688-72-0x00007FF757610000-0x00007FF757964000-memory.dmp

Filesize
3.3MB

Download
memory/1692-2198-0x00007FF6293C0000-0x00007FF629714000-memory.dmp

Filesize
3.3MB

Download
memory/1692-35-0x00007FF6293C0000-0x00007FF629714000-memory.dmp

Filesize
3.3MB

Download
memory/1692-104-0x00007FF6293C0000-0x00007FF629714000-memory.dmp

Filesize
3.3MB

Download
memory/1800-2172-0x00007FF6C8450000-0x00007FF6C87A4000-memory.dmp

Filesize
3.3MB

Download
memory/1800-77-0x00007FF6C8450000-0x00007FF6C87A4000-memory.dmp

Filesize
3.3MB

Download
memory/1800-13-0x00007FF6C8450000-0x00007FF6C87A4000-memory.dmp

Filesize
3.3MB

Download
memory/2804-2395-0x00007FF64E2A0000-0x00007FF64E5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2804-178-0x00007FF64E2A0000-0x00007FF64E5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2804-566-0x00007FF64E2A0000-0x00007FF64E5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2964-48-0x00007FF709C80000-0x00007FF709FD4000-memory.dmp

Filesize
3.3MB

Download
memory/2964-118-0x00007FF709C80000-0x00007FF709FD4000-memory.dmp

Filesize
3.3MB

Download
memory/2964-2208-0x00007FF709C80000-0x00007FF709FD4000-memory.dmp

Filesize
3.3MB

Download
memory/3732-149-0x00007FF674750000-0x00007FF674AA4000-memory.dmp

Filesize
3.3MB

Download
memory/3732-85-0x00007FF674750000-0x00007FF674AA4000-memory.dmp

Filesize
3.3MB

Download
memory/4220-112-0x00007FF710EC0000-0x00007FF711214000-memory.dmp

Filesize
3.3MB

Download
memory/4220-2207-0x00007FF710EC0000-0x00007FF711214000-memory.dmp

Filesize
3.3MB

Download
memory/4220-44-0x00007FF710EC0000-0x00007FF711214000-memory.dmp

Filesize
3.3MB

Download
memory/4416-75-0x00007FF6CF360000-0x00007FF6CF6B4000-memory.dmp

Filesize
3.3MB

Download
memory/4416-142-0x00007FF6CF360000-0x00007FF6CF6B4000-memory.dmp

Filesize
3.3MB

Download
memory/4424-2194-0x00007FF758490000-0x00007FF7587E4000-memory.dmp

Filesize
3.3MB

Download
memory/4424-93-0x00007FF758490000-0x00007FF7587E4000-memory.dmp

Filesize
3.3MB

Download
memory/4424-30-0x00007FF758490000-0x00007FF7587E4000-memory.dmp

Filesize
3.3MB

Download
memory/4460-89-0x00007FF60BAB0000-0x00007FF60BE04000-memory.dmp

Filesize
3.3MB

Download
memory/4460-160-0x00007FF60BAB0000-0x00007FF60BE04000-memory.dmp

Filesize
3.3MB

Download
memory/4548-161-0x00007FF6829D0000-0x00007FF682D24000-memory.dmp

Filesize
3.3MB

Download
memory/4548-103-0x00007FF6829D0000-0x00007FF682D24000-memory.dmp

Filesize
3.3MB

Download
memory/4608-172-0x00007FF7A6FD0000-0x00007FF7A7324000-memory.dmp

Filesize
3.3MB

Download
memory/4608-101-0x00007FF7A6FD0000-0x00007FF7A7324000-memory.dmp

Filesize
3.3MB

Download
memory/4644-177-0x00007FF73E3F0000-0x00007FF73E744000-memory.dmp

Filesize
3.3MB

Download
memory/4644-105-0x00007FF73E3F0000-0x00007FF73E744000-memory.dmp

Filesize
3.3MB

Download
memory/4644-2299-0x00007FF73E3F0000-0x00007FF73E744000-memory.dmp

Filesize
3.3MB

Download
memory/4708-119-0x00007FF74F750000-0x00007FF74FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/4796-132-0x00007FF6040F0000-0x00007FF604444000-memory.dmp

Filesize
3.3MB

Download
memory/4796-255-0x00007FF6040F0000-0x00007FF604444000-memory.dmp

Filesize
3.3MB

Download
memory/4796-2388-0x00007FF6040F0000-0x00007FF604444000-memory.dmp

Filesize
3.3MB

Download
memory/5076-637-0x00007FF6C0240000-0x00007FF6C0594000-memory.dmp

Filesize
3.3MB

Download
memory/5076-184-0x00007FF6C0240000-0x00007FF6C0594000-memory.dmp

Filesize
3.3MB

Download
memory/5076-2396-0x00007FF6C0240000-0x00007FF6C0594000-memory.dmp

Filesize
3.3MB

Download
memory/5112-313-0x00007FF65FFA0000-0x00007FF6602F4000-memory.dmp

Filesize
3.3MB

Download
memory/5112-2389-0x00007FF65FFA0000-0x00007FF6602F4000-memory.dmp

Filesize
3.3MB

Download
memory/5112-136-0x00007FF65FFA0000-0x00007FF6602F4000-memory.dmp

Filesize
3.3MB

Download
memory/5180-2393-0x00007FF799BE0000-0x00007FF799F34000-memory.dmp

Filesize
3.3MB

Download
memory/5180-173-0x00007FF799BE0000-0x00007FF799F34000-memory.dmp

Filesize
3.3MB

Download
memory/5192-698-0x00007FF702CE0000-0x00007FF703034000-memory.dmp

Filesize
3.3MB

Download
memory/5192-190-0x00007FF702CE0000-0x00007FF703034000-memory.dmp

Filesize
3.3MB

Download
memory/5192-2397-0x00007FF702CE0000-0x00007FF703034000-memory.dmp

Filesize
3.3MB

Download
memory/5332-55-0x00007FF65E4F0000-0x00007FF65E844000-memory.dmp

Filesize
3.3MB

Download
memory/5332-125-0x00007FF65E4F0000-0x00007FF65E844000-memory.dmp

Filesize
3.3MB

Download
memory/5544-150-0x00007FF7F0650000-0x00007FF7F09A4000-memory.dmp

Filesize
3.3MB

Download
memory/5544-432-0x00007FF7F0650000-0x00007FF7F09A4000-memory.dmp

Filesize
3.3MB

Download
memory/5544-2391-0x00007FF7F0650000-0x00007FF7F09A4000-memory.dmp

Filesize
3.3MB

Download
memory/5616-126-0x00007FF7751E0000-0x00007FF775534000-memory.dmp

Filesize
3.3MB

Download
memory/5784-70-0x00007FF7ACA30000-0x00007FF7ACD84000-memory.dmp

Filesize
3.3MB

Download
memory/6004-166-0x00007FF67FA40000-0x00007FF67FD94000-memory.dmp

Filesize
3.3MB

Download
memory/6004-2392-0x00007FF67FA40000-0x00007FF67FD94000-memory.dmp

Filesize
3.3MB

Download
memory/6080-503-0x00007FF7C6760000-0x00007FF7C6AB4000-memory.dmp

Filesize
3.3MB

Download
memory/6080-171-0x00007FF7C6760000-0x00007FF7C6AB4000-memory.dmp

Filesize
3.3MB

Download
memory/6080-2394-0x00007FF7C6760000-0x00007FF7C6AB4000-memory.dmp

Filesize
3.3MB

Download
memory/6116-1-0x000001AD03A40000-0x000001AD03A50000-memory.dmp

Filesize
64KB

Download
memory/6116-69-0x00007FF7ABBA0000-0x00007FF7ABEF4000-memory.dmp

Filesize
3.3MB

Download
memory/6116-0-0x00007FF7ABBA0000-0x00007FF7ABEF4000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads