xmrig | 90eb78275bc64dc36ae21287e225233f2e093a5692e35418cb41832ee1c9fdad

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1cdfc65e5d12c2e436b29c00c44ae04.exe
Size

2.7MB
MD5

c1cdfc65e5d12c2e436b29c00c44ae04
SHA1

cc5385f23449535b3ac4cd197ac57dcd68f47898
SHA256

90eb78275bc64dc36ae21287e225233f2e093a5692e35418cb41832ee1c9fdad
SHA512

8ca76ae21f1cb14bbf40775ca1cef3421fe2a59b93d542c8e84f4a7dac6ab13edc442f5c66a612d284165c7d35ed9a6ae506d9aff733b580aa0e5f5fba0e22f5
SSDEEP

49152:S1G1NtyBwTI3ySZbrkXV1etEKLlWUTOfeiRA2R76zHrWax9hMkiYv0NkZU:S1ONtyBeSFkXV1etEKLlWUTOfeiRA2R1

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3160-0-0x00007FF7D73E0000-0x00007FF7D77D6000-memory.dmp	xmrig
behavioral2/files/0x0007000000023202-9.dat	xmrig
behavioral2/files/0x0006000000023212-19.dat	xmrig
behavioral2/files/0x0007000000023202-14.dat	xmrig
behavioral2/memory/4124-13-0x00007FF7CB860000-0x00007FF7CBC56000-memory.dmp	xmrig
behavioral2/files/0x00070000000231ff-10.dat	xmrig
behavioral2/files/0x00090000000231f0-6.dat	xmrig
behavioral2/memory/4292-18-0x00007FF7C04C0000-0x00007FF7C08B6000-memory.dmp	xmrig
behavioral2/memory/1212-29-0x00007FF7538E0000-0x00007FF753CD6000-memory.dmp	xmrig
behavioral2/files/0x0006000000023213-32.dat	xmrig
behavioral2/files/0x0006000000023214-40.dat	xmrig
behavioral2/files/0x0006000000023218-54.dat	xmrig
behavioral2/files/0x000600000002321a-73.dat	xmrig
behavioral2/files/0x000600000002321b-78.dat	xmrig
behavioral2/files/0x00090000000231f1-83.dat	xmrig
behavioral2/memory/3312-86-0x00007FF7166A0000-0x00007FF716A96000-memory.dmp	xmrig
behavioral2/memory/4232-88-0x00007FF63E8A0000-0x00007FF63EC96000-memory.dmp	xmrig
behavioral2/memory/3852-87-0x00007FF775420000-0x00007FF775816000-memory.dmp	xmrig
behavioral2/memory/3764-89-0x00007FF6AA440000-0x00007FF6AA836000-memory.dmp	xmrig
behavioral2/memory/2928-90-0x00007FF7AEF30000-0x00007FF7AF326000-memory.dmp	xmrig
behavioral2/files/0x000600000002321d-95.dat	xmrig
behavioral2/files/0x000600000002321d-105.dat	xmrig
behavioral2/memory/4064-104-0x00007FF767370000-0x00007FF767766000-memory.dmp	xmrig
behavioral2/memory/1856-117-0x00007FF6B4B50000-0x00007FF6B4F46000-memory.dmp	xmrig
behavioral2/memory/4784-122-0x00007FF638400000-0x00007FF6387F6000-memory.dmp	xmrig
behavioral2/memory/3804-126-0x00007FF62C440000-0x00007FF62C836000-memory.dmp	xmrig
behavioral2/memory/1324-129-0x00007FF77EC60000-0x00007FF77F056000-memory.dmp	xmrig
behavioral2/files/0x000700000002321f-133.dat	xmrig
behavioral2/files/0x0007000000023220-131.dat	xmrig
behavioral2/memory/724-130-0x00007FF795210000-0x00007FF795606000-memory.dmp	xmrig
behavioral2/files/0x000700000002321f-128.dat	xmrig
behavioral2/files/0x0007000000023220-125.dat	xmrig
behavioral2/files/0x0006000000023221-116.dat	xmrig
behavioral2/files/0x0006000000023221-118.dat	xmrig
behavioral2/memory/1820-114-0x00007FF757570000-0x00007FF757966000-memory.dmp	xmrig
behavioral2/files/0x000600000002321e-111.dat	xmrig
behavioral2/files/0x000600000002321c-93.dat	xmrig
behavioral2/memory/3204-85-0x00007FF67C200000-0x00007FF67C5F6000-memory.dmp	xmrig
behavioral2/files/0x000600000002321c-82.dat	xmrig
behavioral2/files/0x00090000000231f1-77.dat	xmrig
behavioral2/files/0x000600000002321b-72.dat	xmrig
behavioral2/files/0x0006000000023219-67.dat	xmrig
behavioral2/files/0x0006000000023218-65.dat	xmrig
behavioral2/files/0x000600000002321a-64.dat	xmrig
behavioral2/files/0x0006000000023219-60.dat	xmrig
behavioral2/memory/1424-58-0x00007FF737740000-0x00007FF737B36000-memory.dmp	xmrig
behavioral2/files/0x0006000000023217-57.dat	xmrig
behavioral2/memory/1332-53-0x00007FF6ADB20000-0x00007FF6ADF16000-memory.dmp	xmrig
behavioral2/files/0x0006000000023215-46.dat	xmrig
behavioral2/files/0x0006000000023217-45.dat	xmrig
behavioral2/files/0x0006000000023223-154.dat	xmrig
behavioral2/files/0x0006000000023227-157.dat	xmrig
behavioral2/memory/3100-169-0x00007FF721530000-0x00007FF721926000-memory.dmp	xmrig
behavioral2/files/0x0006000000023228-182.dat	xmrig
behavioral2/files/0x0006000000023226-189.dat	xmrig
behavioral2/memory/2368-207-0x00007FF6BEAE0000-0x00007FF6BEED6000-memory.dmp	xmrig
behavioral2/memory/4804-216-0x00007FF705C20000-0x00007FF706016000-memory.dmp	xmrig
behavioral2/memory/4496-224-0x00007FF6A2620000-0x00007FF6A2A16000-memory.dmp	xmrig
behavioral2/memory/1672-229-0x00007FF7804C0000-0x00007FF7808B6000-memory.dmp	xmrig
behavioral2/memory/4844-237-0x00007FF7E14D0000-0x00007FF7E18C6000-memory.dmp	xmrig
behavioral2/memory/4344-244-0x00007FF615800000-0x00007FF615BF6000-memory.dmp	xmrig
behavioral2/memory/2324-251-0x00007FF6E6A10000-0x00007FF6E6E06000-memory.dmp	xmrig
behavioral2/memory/816-261-0x00007FF708C20000-0x00007FF709016000-memory.dmp	xmrig
behavioral2/memory/4028-287-0x00007FF696200000-0x00007FF6965F6000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	4468	powershell.exe
16	4468	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
4124	LZwoeKu.exe
4736	kzeNljL.exe
4292	fFbpCLb.exe
1212	nAlWxJp.exe
4232	qmtsdWJ.exe
3768	vOrPEcg.exe
3764	vXVCTSu.exe
1332	LgwhviC.exe
1424	FOtMJpN.exe
2928	tuHTDAz.exe
3204	xIRieYV.exe
4064	iPQKDje.exe
1820	cppAVIY.exe
3312	NFZJgaE.exe
3852	PigNCfa.exe
1856	WLOtNKZ.exe
4784	xkLiLFw.exe
3804	MCaNShZ.exe
1324	ECAwGNy.exe
724	kHvBAxn.exe
4116	HLXGiow.exe
1288	ayJVcYD.exe
964	rdKPSAG.exe
3100	WyjWsSr.exe
3144	bvrofoj.exe
4224	MvLwbGW.exe
4028	bPrTbiK.exe
2368	zCBXJGD.exe
1776	AwFdayP.exe
4804	nQpoibq.exe
2836	zQnbDmi.exe
4496	EOqzFEn.exe
4392	VEyikOr.exe
8	jIlHUPo.exe
1672	VVLiXnP.exe
3060	OsvkvQg.exe
4844	MjkUbMH.exe
4776	KpnsYPH.exe
3500	iaNrnVE.exe
4828	Ndppkxd.exe
4344	BoDUZEs.exe
1456	wRqpuNQ.exe
2324	yJzdcwQ.exe
2584	xDAPmQk.exe
2084	VbQlYHj.exe
4076	RtmvKyY.exe
2356	QmqDfpw.exe
816	PQXZLKs.exe
4836	QFpqves.exe
2248	CPKoTuC.exe
4728	mGKOqmJ.exe
3512	cimYMVZ.exe
2428	kpSCAIN.exe
3300	aKMQvmg.exe
3748	MTuyTGn.exe
1380	COBwoGP.exe
5076	ZMqNGLF.exe
2688	TvMgjVb.exe
2484	WEHCeNX.exe
3176	WekZoXw.exe
3268	PclcUzZ.exe
4404	uwaapFG.exe
4852	cSqheSQ.exe
2544	HTjpNUd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3160-0-0x00007FF7D73E0000-0x00007FF7D77D6000-memory.dmp	upx
behavioral2/files/0x0007000000023202-9.dat	upx
behavioral2/files/0x0006000000023212-19.dat	upx
behavioral2/files/0x0007000000023202-14.dat	upx
behavioral2/memory/4124-13-0x00007FF7CB860000-0x00007FF7CBC56000-memory.dmp	upx
behavioral2/files/0x00070000000231ff-10.dat	upx
behavioral2/files/0x00090000000231f0-6.dat	upx
behavioral2/memory/4292-18-0x00007FF7C04C0000-0x00007FF7C08B6000-memory.dmp	upx
behavioral2/memory/1212-29-0x00007FF7538E0000-0x00007FF753CD6000-memory.dmp	upx
behavioral2/files/0x0006000000023213-32.dat	upx
behavioral2/files/0x0006000000023214-40.dat	upx
behavioral2/files/0x0006000000023218-54.dat	upx
behavioral2/files/0x000600000002321a-73.dat	upx
behavioral2/files/0x000600000002321b-78.dat	upx
behavioral2/files/0x00090000000231f1-83.dat	upx
behavioral2/memory/3312-86-0x00007FF7166A0000-0x00007FF716A96000-memory.dmp	upx
behavioral2/memory/4232-88-0x00007FF63E8A0000-0x00007FF63EC96000-memory.dmp	upx
behavioral2/memory/3852-87-0x00007FF775420000-0x00007FF775816000-memory.dmp	upx
behavioral2/memory/3764-89-0x00007FF6AA440000-0x00007FF6AA836000-memory.dmp	upx
behavioral2/memory/2928-90-0x00007FF7AEF30000-0x00007FF7AF326000-memory.dmp	upx
behavioral2/files/0x000600000002321d-95.dat	upx
behavioral2/files/0x000600000002321d-105.dat	upx
behavioral2/memory/4064-104-0x00007FF767370000-0x00007FF767766000-memory.dmp	upx
behavioral2/memory/1856-117-0x00007FF6B4B50000-0x00007FF6B4F46000-memory.dmp	upx
behavioral2/memory/4784-122-0x00007FF638400000-0x00007FF6387F6000-memory.dmp	upx
behavioral2/memory/3804-126-0x00007FF62C440000-0x00007FF62C836000-memory.dmp	upx
behavioral2/memory/1324-129-0x00007FF77EC60000-0x00007FF77F056000-memory.dmp	upx
behavioral2/files/0x000700000002321f-133.dat	upx
behavioral2/files/0x0007000000023220-131.dat	upx
behavioral2/memory/724-130-0x00007FF795210000-0x00007FF795606000-memory.dmp	upx
behavioral2/files/0x000700000002321f-128.dat	upx
behavioral2/files/0x0007000000023220-125.dat	upx
behavioral2/files/0x0006000000023221-116.dat	upx
behavioral2/files/0x0006000000023221-118.dat	upx
behavioral2/memory/1820-114-0x00007FF757570000-0x00007FF757966000-memory.dmp	upx
behavioral2/files/0x000600000002321e-111.dat	upx
behavioral2/files/0x000600000002321c-93.dat	upx
behavioral2/memory/3204-85-0x00007FF67C200000-0x00007FF67C5F6000-memory.dmp	upx
behavioral2/files/0x000600000002321c-82.dat	upx
behavioral2/files/0x00090000000231f1-77.dat	upx
behavioral2/files/0x000600000002321b-72.dat	upx
behavioral2/files/0x0006000000023219-67.dat	upx
behavioral2/files/0x0006000000023218-65.dat	upx
behavioral2/files/0x000600000002321a-64.dat	upx
behavioral2/files/0x0006000000023219-60.dat	upx
behavioral2/memory/1424-58-0x00007FF737740000-0x00007FF737B36000-memory.dmp	upx
behavioral2/files/0x0006000000023217-57.dat	upx
behavioral2/memory/1332-53-0x00007FF6ADB20000-0x00007FF6ADF16000-memory.dmp	upx
behavioral2/files/0x0006000000023215-46.dat	upx
behavioral2/files/0x0006000000023217-45.dat	upx
behavioral2/files/0x0006000000023223-154.dat	upx
behavioral2/files/0x0006000000023227-157.dat	upx
behavioral2/memory/3100-169-0x00007FF721530000-0x00007FF721926000-memory.dmp	upx
behavioral2/files/0x0006000000023228-182.dat	upx
behavioral2/files/0x0006000000023226-189.dat	upx
behavioral2/memory/2368-207-0x00007FF6BEAE0000-0x00007FF6BEED6000-memory.dmp	upx
behavioral2/memory/4804-216-0x00007FF705C20000-0x00007FF706016000-memory.dmp	upx
behavioral2/memory/4496-224-0x00007FF6A2620000-0x00007FF6A2A16000-memory.dmp	upx
behavioral2/memory/1672-229-0x00007FF7804C0000-0x00007FF7808B6000-memory.dmp	upx
behavioral2/memory/4844-237-0x00007FF7E14D0000-0x00007FF7E18C6000-memory.dmp	upx
behavioral2/memory/4344-244-0x00007FF615800000-0x00007FF615BF6000-memory.dmp	upx
behavioral2/memory/2324-251-0x00007FF6E6A10000-0x00007FF6E6E06000-memory.dmp	upx
behavioral2/memory/816-261-0x00007FF708C20000-0x00007FF709016000-memory.dmp	upx
behavioral2/memory/4028-287-0x00007FF696200000-0x00007FF6965F6000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
3	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\qmtsdWJ.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\PQXZLKs.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\yPYesJY.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\vRziwDr.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\uVMpXBd.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\obfYgJB.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\FFXBaPW.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\ObmtvcP.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\lQOuhZb.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\zQnbDmi.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\cKWRjsd.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\EmcMHkP.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\mpMBIyZ.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\SPLGDfQ.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\WLOtNKZ.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\OsvkvQg.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\wxhhIos.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\cSqheSQ.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\nIMKZkX.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\WauajvI.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\jMVZIFW.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\QvlrEvs.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\vBXoCWN.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\AjPjgQR.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\zdLEgde.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\RcdUNWy.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\vjFtNzt.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\wJUlxng.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\CjcLYMg.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\drEIarM.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\OJTopjf.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\XicicNH.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\xaIjJol.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\XmKYOWM.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\wtYQmZb.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\wqOHyqB.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\qNqvPLm.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\xOduEYt.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\ZoWPugG.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\iGFDzDv.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\kWbQaQm.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\uwaapFG.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\qfHcofk.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\zwSZhbS.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\lbiJhog.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\VYkKqif.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\QPUzCeQ.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\PclcUzZ.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\TvMgjVb.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\AbgXswE.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\nvYSxVM.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\YcTRPDv.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\LZNPgRE.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\cbAZOHs.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\LjsqZVt.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\cBgLeKR.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\aJMoKpK.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\kzeNljL.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\nQpoibq.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\MlMEcBK.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\ZMqNGLF.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\zxCHMJd.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\iPQKDje.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe
File created	C:\Windows\System\Ndppkxd.exe	c1cdfc65e5d12c2e436b29c00c44ae04.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4468	powershell.exe
4468	powershell.exe
4468	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe
Token: SeLockMemoryPrivilege	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe
Token: SeDebugPrivilege	4468	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 4468	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	86
PID 3160 wrote to memory of 4468	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	86
PID 3160 wrote to memory of 4124	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	87
PID 3160 wrote to memory of 4124	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	87
PID 3160 wrote to memory of 4736	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	88
PID 3160 wrote to memory of 4736	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	88
PID 3160 wrote to memory of 4292	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	89
PID 3160 wrote to memory of 4292	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	89
PID 3160 wrote to memory of 1212	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	90
PID 3160 wrote to memory of 1212	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	90
PID 3160 wrote to memory of 3768	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	91
PID 3160 wrote to memory of 3768	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	91
PID 3160 wrote to memory of 4232	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	92
PID 3160 wrote to memory of 4232	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	92
PID 3160 wrote to memory of 3764	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	93
PID 3160 wrote to memory of 3764	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	93
PID 3160 wrote to memory of 1332	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	94
PID 3160 wrote to memory of 1332	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	94
PID 3160 wrote to memory of 1424	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	95
PID 3160 wrote to memory of 1424	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	95
PID 3160 wrote to memory of 2928	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	96
PID 3160 wrote to memory of 2928	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	96
PID 3160 wrote to memory of 3204	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	97
PID 3160 wrote to memory of 3204	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	97
PID 3160 wrote to memory of 4064	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	98
PID 3160 wrote to memory of 4064	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	98
PID 3160 wrote to memory of 1820	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	99
PID 3160 wrote to memory of 1820	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	99
PID 3160 wrote to memory of 3312	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	100
PID 3160 wrote to memory of 3312	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	100
PID 3160 wrote to memory of 3852	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	101
PID 3160 wrote to memory of 3852	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	101
PID 3160 wrote to memory of 1856	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	102
PID 3160 wrote to memory of 1856	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	102
PID 3160 wrote to memory of 4784	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	103
PID 3160 wrote to memory of 4784	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	103
PID 3160 wrote to memory of 3804	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	104
PID 3160 wrote to memory of 3804	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	104
PID 3160 wrote to memory of 1324	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	105
PID 3160 wrote to memory of 1324	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	105
PID 3160 wrote to memory of 724	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	106
PID 3160 wrote to memory of 724	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	106
PID 3160 wrote to memory of 4116	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	107
PID 3160 wrote to memory of 4116	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	107
PID 3160 wrote to memory of 1288	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	108
PID 3160 wrote to memory of 1288	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	108
PID 3160 wrote to memory of 3100	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	109
PID 3160 wrote to memory of 3100	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	109
PID 3160 wrote to memory of 964	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	110
PID 3160 wrote to memory of 964	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	110
PID 3160 wrote to memory of 4224	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	111
PID 3160 wrote to memory of 4224	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	111
PID 3160 wrote to memory of 3144	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	112
PID 3160 wrote to memory of 3144	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	112
PID 3160 wrote to memory of 4028	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	113
PID 3160 wrote to memory of 4028	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	113
PID 3160 wrote to memory of 2368	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	114
PID 3160 wrote to memory of 2368	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	114
PID 3160 wrote to memory of 1776	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	115
PID 3160 wrote to memory of 1776	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	115
PID 3160 wrote to memory of 4804	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	116
PID 3160 wrote to memory of 4804	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	116
PID 3160 wrote to memory of 2836	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	117
PID 3160 wrote to memory of 2836	3160	c1cdfc65e5d12c2e436b29c00c44ae04.exe	117

C:\Users\Admin\AppData\Local\Temp\c1cdfc65e5d12c2e436b29c00c44ae04.exe
"C:\Users\Admin\AppData\Local\Temp\c1cdfc65e5d12c2e436b29c00c44ae04.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4468
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4468" "2940" "2916" "2944" "0" "0" "2948" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:9544
- C:\Windows\System\LZwoeKu.exe
  C:\Windows\System\LZwoeKu.exe
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Windows\System\kzeNljL.exe
  C:\Windows\System\kzeNljL.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System\fFbpCLb.exe
  C:\Windows\System\fFbpCLb.exe
  2⤵
  - Executes dropped EXE
  PID:4292
- C:\Windows\System\nAlWxJp.exe
  C:\Windows\System\nAlWxJp.exe
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\System\vOrPEcg.exe
  C:\Windows\System\vOrPEcg.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Windows\System\qmtsdWJ.exe
  C:\Windows\System\qmtsdWJ.exe
  2⤵
  - Executes dropped EXE
  PID:4232
- C:\Windows\System\vXVCTSu.exe
  C:\Windows\System\vXVCTSu.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System\LgwhviC.exe
  C:\Windows\System\LgwhviC.exe
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Windows\System\FOtMJpN.exe
  C:\Windows\System\FOtMJpN.exe
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\System\tuHTDAz.exe
  C:\Windows\System\tuHTDAz.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System\xIRieYV.exe
  C:\Windows\System\xIRieYV.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System\iPQKDje.exe
  C:\Windows\System\iPQKDje.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System\cppAVIY.exe
  C:\Windows\System\cppAVIY.exe
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\System\NFZJgaE.exe
  C:\Windows\System\NFZJgaE.exe
  2⤵
  - Executes dropped EXE
  PID:3312
- C:\Windows\System\PigNCfa.exe
  C:\Windows\System\PigNCfa.exe
  2⤵
  - Executes dropped EXE
  PID:3852
- C:\Windows\System\WLOtNKZ.exe
  C:\Windows\System\WLOtNKZ.exe
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\System\xkLiLFw.exe
  C:\Windows\System\xkLiLFw.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System\MCaNShZ.exe
  C:\Windows\System\MCaNShZ.exe
  2⤵
  - Executes dropped EXE
  PID:3804
- C:\Windows\System\ECAwGNy.exe
  C:\Windows\System\ECAwGNy.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\System\kHvBAxn.exe
  C:\Windows\System\kHvBAxn.exe
  2⤵
  - Executes dropped EXE
  PID:724
- C:\Windows\System\HLXGiow.exe
  C:\Windows\System\HLXGiow.exe
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Windows\System\ayJVcYD.exe
  C:\Windows\System\ayJVcYD.exe
  2⤵
  - Executes dropped EXE
  PID:1288
- C:\Windows\System\WyjWsSr.exe
  C:\Windows\System\WyjWsSr.exe
  2⤵
  - Executes dropped EXE
  PID:3100
- C:\Windows\System\rdKPSAG.exe
  C:\Windows\System\rdKPSAG.exe
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Windows\System\MvLwbGW.exe
  C:\Windows\System\MvLwbGW.exe
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Windows\System\bvrofoj.exe
  C:\Windows\System\bvrofoj.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System\bPrTbiK.exe
  C:\Windows\System\bPrTbiK.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System\zCBXJGD.exe
  C:\Windows\System\zCBXJGD.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System\AwFdayP.exe
  C:\Windows\System\AwFdayP.exe
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\System\nQpoibq.exe
  C:\Windows\System\nQpoibq.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System\zQnbDmi.exe
  C:\Windows\System\zQnbDmi.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System\EOqzFEn.exe
  C:\Windows\System\EOqzFEn.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System\VEyikOr.exe
  C:\Windows\System\VEyikOr.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System\MjkUbMH.exe
  C:\Windows\System\MjkUbMH.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System\jIlHUPo.exe
  C:\Windows\System\jIlHUPo.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System\VVLiXnP.exe
  C:\Windows\System\VVLiXnP.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\System\OsvkvQg.exe
  C:\Windows\System\OsvkvQg.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System\KpnsYPH.exe
  C:\Windows\System\KpnsYPH.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System\iaNrnVE.exe
  C:\Windows\System\iaNrnVE.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System\Ndppkxd.exe
  C:\Windows\System\Ndppkxd.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System\BoDUZEs.exe
  C:\Windows\System\BoDUZEs.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System\wRqpuNQ.exe
  C:\Windows\System\wRqpuNQ.exe
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Windows\System\yJzdcwQ.exe
  C:\Windows\System\yJzdcwQ.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System\xDAPmQk.exe
  C:\Windows\System\xDAPmQk.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\VbQlYHj.exe
  C:\Windows\System\VbQlYHj.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System\QmqDfpw.exe
  C:\Windows\System\QmqDfpw.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\RtmvKyY.exe
  C:\Windows\System\RtmvKyY.exe
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Windows\System\PQXZLKs.exe
  C:\Windows\System\PQXZLKs.exe
  2⤵
  - Executes dropped EXE
  PID:816
- C:\Windows\System\QFpqves.exe
  C:\Windows\System\QFpqves.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\CPKoTuC.exe
  C:\Windows\System\CPKoTuC.exe
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\System\mGKOqmJ.exe
  C:\Windows\System\mGKOqmJ.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System\cimYMVZ.exe
  C:\Windows\System\cimYMVZ.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System\kpSCAIN.exe
  C:\Windows\System\kpSCAIN.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\aKMQvmg.exe
  C:\Windows\System\aKMQvmg.exe
  2⤵
  - Executes dropped EXE
  PID:3300
- C:\Windows\System\MTuyTGn.exe
  C:\Windows\System\MTuyTGn.exe
  2⤵
  - Executes dropped EXE
  PID:3748
- C:\Windows\System\COBwoGP.exe
  C:\Windows\System\COBwoGP.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System\ZMqNGLF.exe
  C:\Windows\System\ZMqNGLF.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System\PclcUzZ.exe
  C:\Windows\System\PclcUzZ.exe
  2⤵
  - Executes dropped EXE
  PID:3268
- C:\Windows\System\TvMgjVb.exe
  C:\Windows\System\TvMgjVb.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System\cSqheSQ.exe
  C:\Windows\System\cSqheSQ.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System\WEHCeNX.exe
  C:\Windows\System\WEHCeNX.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System\WekZoXw.exe
  C:\Windows\System\WekZoXw.exe
  2⤵
  - Executes dropped EXE
  PID:3176
- C:\Windows\System\uwaapFG.exe
  C:\Windows\System\uwaapFG.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System\HTjpNUd.exe
  C:\Windows\System\HTjpNUd.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System\JHlauRw.exe
  C:\Windows\System\JHlauRw.exe
  2⤵
  PID:2480
- C:\Windows\System\cBgLeKR.exe
  C:\Windows\System\cBgLeKR.exe
  2⤵
  PID:4696
- C:\Windows\System\eoexaow.exe
  C:\Windows\System\eoexaow.exe
  2⤵
  PID:4492
- C:\Windows\System\XCDIgLM.exe
  C:\Windows\System\XCDIgLM.exe
  2⤵
  PID:1988
- C:\Windows\System\CCDwtHV.exe
  C:\Windows\System\CCDwtHV.exe
  2⤵
  PID:2932
- C:\Windows\System\gnYLKDn.exe
  C:\Windows\System\gnYLKDn.exe
  2⤵
  PID:872
- C:\Windows\System\iTupxkI.exe
  C:\Windows\System\iTupxkI.exe
  2⤵
  PID:4924
- C:\Windows\System\ZCageWm.exe
  C:\Windows\System\ZCageWm.exe
  2⤵
  PID:2988
- C:\Windows\System\ImALiNL.exe
  C:\Windows\System\ImALiNL.exe
  2⤵
  PID:4908
- C:\Windows\System\PONUuPg.exe
  C:\Windows\System\PONUuPg.exe
  2⤵
  PID:60
- C:\Windows\System\aLCfJAu.exe
  C:\Windows\System\aLCfJAu.exe
  2⤵
  PID:220
- C:\Windows\System\jpKNoGf.exe
  C:\Windows\System\jpKNoGf.exe
  2⤵
  PID:3488
- C:\Windows\System\JAKmPGI.exe
  C:\Windows\System\JAKmPGI.exe
  2⤵
  PID:3588
- C:\Windows\System\XbNwdft.exe
  C:\Windows\System\XbNwdft.exe
  2⤵
  PID:2116
- C:\Windows\System\YWpjrsn.exe
  C:\Windows\System\YWpjrsn.exe
  2⤵
  PID:1600
- C:\Windows\System\kAwVlUE.exe
  C:\Windows\System\kAwVlUE.exe
  2⤵
  PID:4572
- C:\Windows\System\nCPmMfV.exe
  C:\Windows\System\nCPmMfV.exe
  2⤵
  PID:4724
- C:\Windows\System\psvlxVo.exe
  C:\Windows\System\psvlxVo.exe
  2⤵
  PID:3428
- C:\Windows\System\RxkfARd.exe
  C:\Windows\System\RxkfARd.exe
  2⤵
  PID:5176
- C:\Windows\System\BfCbKcE.exe
  C:\Windows\System\BfCbKcE.exe
  2⤵
  PID:5192
- C:\Windows\System\dxWCOYb.exe
  C:\Windows\System\dxWCOYb.exe
  2⤵
  PID:5224
- C:\Windows\System\EPXTJsZ.exe
  C:\Windows\System\EPXTJsZ.exe
  2⤵
  PID:5240
- C:\Windows\System\qAwUzEe.exe
  C:\Windows\System\qAwUzEe.exe
  2⤵
  PID:5256
- C:\Windows\System\dibcVtP.exe
  C:\Windows\System\dibcVtP.exe
  2⤵
  PID:5276
- C:\Windows\System\kYOSeyB.exe
  C:\Windows\System\kYOSeyB.exe
  2⤵
  PID:5332
- C:\Windows\System\yzZbLJh.exe
  C:\Windows\System\yzZbLJh.exe
  2⤵
  PID:5360
- C:\Windows\System\byhSkRA.exe
  C:\Windows\System\byhSkRA.exe
  2⤵
  PID:5388
- C:\Windows\System\tCjaUpZ.exe
  C:\Windows\System\tCjaUpZ.exe
  2⤵
  PID:5436
- C:\Windows\System\JWKgFeL.exe
  C:\Windows\System\JWKgFeL.exe
  2⤵
  PID:5468
- C:\Windows\System\uLtGgog.exe
  C:\Windows\System\uLtGgog.exe
  2⤵
  PID:5488
- C:\Windows\System\EwfTZdq.exe
  C:\Windows\System\EwfTZdq.exe
  2⤵
  PID:5504
- C:\Windows\System\hZmaMrJ.exe
  C:\Windows\System\hZmaMrJ.exe
  2⤵
  PID:5572
- C:\Windows\System\xsrDUtm.exe
  C:\Windows\System\xsrDUtm.exe
  2⤵
  PID:5588
- C:\Windows\System\zJvGVTv.exe
  C:\Windows\System\zJvGVTv.exe
  2⤵
  PID:5616
- C:\Windows\System\RSOTQJz.exe
  C:\Windows\System\RSOTQJz.exe
  2⤵
  PID:5640
- C:\Windows\System\LZNPgRE.exe
  C:\Windows\System\LZNPgRE.exe
  2⤵
  PID:5660
- C:\Windows\System\ShWzZVp.exe
  C:\Windows\System\ShWzZVp.exe
  2⤵
  PID:5700
- C:\Windows\System\uxCaMcO.exe
  C:\Windows\System\uxCaMcO.exe
  2⤵
  PID:5744
- C:\Windows\System\sLcPScl.exe
  C:\Windows\System\sLcPScl.exe
  2⤵
  PID:5832
- C:\Windows\System\ybDpOOV.exe
  C:\Windows\System\ybDpOOV.exe
  2⤵
  PID:5852
- C:\Windows\System\wgIUMlZ.exe
  C:\Windows\System\wgIUMlZ.exe
  2⤵
  PID:5876
- C:\Windows\System\CKUofmx.exe
  C:\Windows\System\CKUofmx.exe
  2⤵
  PID:5920
- C:\Windows\System\NSbIlHx.exe
  C:\Windows\System\NSbIlHx.exe
  2⤵
  PID:5956
- C:\Windows\System\zakbttd.exe
  C:\Windows\System\zakbttd.exe
  2⤵
  PID:5980
- C:\Windows\System\wqOHyqB.exe
  C:\Windows\System\wqOHyqB.exe
  2⤵
  PID:5996
- C:\Windows\System\FcADcMx.exe
  C:\Windows\System\FcADcMx.exe
  2⤵
  PID:6016
- C:\Windows\System\gkjfqaa.exe
  C:\Windows\System\gkjfqaa.exe
  2⤵
  PID:6036
- C:\Windows\System\qfACXbA.exe
  C:\Windows\System\qfACXbA.exe
  2⤵
  PID:6052
- C:\Windows\System\UJuSfHy.exe
  C:\Windows\System\UJuSfHy.exe
  2⤵
  PID:6080
- C:\Windows\System\RcdUNWy.exe
  C:\Windows\System\RcdUNWy.exe
  2⤵
  PID:6096
- C:\Windows\System\SIYxliS.exe
  C:\Windows\System\SIYxliS.exe
  2⤵
  PID:6116
- C:\Windows\System\XESSxHU.exe
  C:\Windows\System\XESSxHU.exe
  2⤵
  PID:6136
- C:\Windows\System\LwgUGCi.exe
  C:\Windows\System\LwgUGCi.exe
  2⤵
  PID:3032
- C:\Windows\System\KuStPiq.exe
  C:\Windows\System\KuStPiq.exe
  2⤵
  PID:5172
- C:\Windows\System\kmhNUth.exe
  C:\Windows\System\kmhNUth.exe
  2⤵
  PID:5212
- C:\Windows\System\jwThHxW.exe
  C:\Windows\System\jwThHxW.exe
  2⤵
  PID:5320
- C:\Windows\System\BKIgNdv.exe
  C:\Windows\System\BKIgNdv.exe
  2⤵
  PID:5316
- C:\Windows\System\uunJCjn.exe
  C:\Windows\System\uunJCjn.exe
  2⤵
  PID:5356
- C:\Windows\System\vjFtNzt.exe
  C:\Windows\System\vjFtNzt.exe
  2⤵
  PID:5520
- C:\Windows\System\OuzUGqF.exe
  C:\Windows\System\OuzUGqF.exe
  2⤵
  PID:5584
- C:\Windows\System\GRRctFF.exe
  C:\Windows\System\GRRctFF.exe
  2⤵
  PID:5500
- C:\Windows\System\ZCHEuSJ.exe
  C:\Windows\System\ZCHEuSJ.exe
  2⤵
  PID:5540
- C:\Windows\System\BoiZxMc.exe
  C:\Windows\System\BoiZxMc.exe
  2⤵
  PID:5648
- C:\Windows\System\RsSWOVk.exe
  C:\Windows\System\RsSWOVk.exe
  2⤵
  PID:5788
- C:\Windows\System\HuLCULs.exe
  C:\Windows\System\HuLCULs.exe
  2⤵
  PID:2684
- C:\Windows\System\yPYesJY.exe
  C:\Windows\System\yPYesJY.exe
  2⤵
  PID:5900
- C:\Windows\System\fVotZmx.exe
  C:\Windows\System\fVotZmx.exe
  2⤵
  PID:5968
- C:\Windows\System\icxIpwi.exe
  C:\Windows\System\icxIpwi.exe
  2⤵
  PID:6048
- C:\Windows\System\zwSZhbS.exe
  C:\Windows\System\zwSZhbS.exe
  2⤵
  PID:6088
- C:\Windows\System\OJTopjf.exe
  C:\Windows\System\OJTopjf.exe
  2⤵
  PID:6124
- C:\Windows\System\YNbZVUh.exe
  C:\Windows\System\YNbZVUh.exe
  2⤵
  PID:4092
- C:\Windows\System\gsuwwkk.exe
  C:\Windows\System\gsuwwkk.exe
  2⤵
  PID:5132
- C:\Windows\System\zDnkFUr.exe
  C:\Windows\System\zDnkFUr.exe
  2⤵
  PID:5308
- C:\Windows\System\qVSFsDa.exe
  C:\Windows\System\qVSFsDa.exe
  2⤵
  PID:5352
- C:\Windows\System\GZmUDmH.exe
  C:\Windows\System\GZmUDmH.exe
  2⤵
  PID:5460
- C:\Windows\System\wFQmAon.exe
  C:\Windows\System\wFQmAon.exe
  2⤵
  PID:5580
- C:\Windows\System\jGybceR.exe
  C:\Windows\System\jGybceR.exe
  2⤵
  PID:5656
- C:\Windows\System\cKWRjsd.exe
  C:\Windows\System\cKWRjsd.exe
  2⤵
  PID:5672
- C:\Windows\System\ZoWPugG.exe
  C:\Windows\System\ZoWPugG.exe
  2⤵
  PID:1216
- C:\Windows\System\kVswHXs.exe
  C:\Windows\System\kVswHXs.exe
  2⤵
  PID:4644
- C:\Windows\System\lWUFvYR.exe
  C:\Windows\System\lWUFvYR.exe
  2⤵
  PID:5824
- C:\Windows\System\XEbZjGH.exe
  C:\Windows\System\XEbZjGH.exe
  2⤵
  PID:5944
- C:\Windows\System\VwMxTqU.exe
  C:\Windows\System\VwMxTqU.exe
  2⤵
  PID:3616
- C:\Windows\System\uXlUlao.exe
  C:\Windows\System\uXlUlao.exe
  2⤵
  PID:5220
- C:\Windows\System\pxjXWJU.exe
  C:\Windows\System\pxjXWJU.exe
  2⤵
  PID:2560
- C:\Windows\System\WauajvI.exe
  C:\Windows\System\WauajvI.exe
  2⤵
  PID:1224
- C:\Windows\System\lbiJhog.exe
  C:\Windows\System\lbiJhog.exe
  2⤵
  PID:5780
- C:\Windows\System\lfClMwx.exe
  C:\Windows\System\lfClMwx.exe
  2⤵
  PID:6032
- C:\Windows\System\kayPjxm.exe
  C:\Windows\System\kayPjxm.exe
  2⤵
  PID:4720
- C:\Windows\System\CBzScjk.exe
  C:\Windows\System\CBzScjk.exe
  2⤵
  PID:5564
- C:\Windows\System\jMVZIFW.exe
  C:\Windows\System\jMVZIFW.exe
  2⤵
  PID:6152
- C:\Windows\System\njZigSp.exe
  C:\Windows\System\njZigSp.exe
  2⤵
  PID:6172
- C:\Windows\System\QvlrEvs.exe
  C:\Windows\System\QvlrEvs.exe
  2⤵
  PID:6220
- C:\Windows\System\FfCDPFo.exe
  C:\Windows\System\FfCDPFo.exe
  2⤵
  PID:6236
- C:\Windows\System\BybtkYd.exe
  C:\Windows\System\BybtkYd.exe
  2⤵
  PID:6260
- C:\Windows\System\Yrgqzus.exe
  C:\Windows\System\Yrgqzus.exe
  2⤵
  PID:6308
- C:\Windows\System\UKcKUHA.exe
  C:\Windows\System\UKcKUHA.exe
  2⤵
  PID:6372
- C:\Windows\System\cbAZOHs.exe
  C:\Windows\System\cbAZOHs.exe
  2⤵
  PID:6388
- C:\Windows\System\BrBuDvq.exe
  C:\Windows\System\BrBuDvq.exe
  2⤵
  PID:6408
- C:\Windows\System\XicicNH.exe
  C:\Windows\System\XicicNH.exe
  2⤵
  PID:6432
- C:\Windows\System\DlwSzgS.exe
  C:\Windows\System\DlwSzgS.exe
  2⤵
  PID:6456
- C:\Windows\System\xRuWZMj.exe
  C:\Windows\System\xRuWZMj.exe
  2⤵
  PID:6476
- C:\Windows\System\uRUZfaN.exe
  C:\Windows\System\uRUZfaN.exe
  2⤵
  PID:6532
- C:\Windows\System\wxhhIos.exe
  C:\Windows\System\wxhhIos.exe
  2⤵
  PID:6556
- C:\Windows\System\CJumQql.exe
  C:\Windows\System\CJumQql.exe
  2⤵
  PID:6588
- C:\Windows\System\KvMHjZT.exe
  C:\Windows\System\KvMHjZT.exe
  2⤵
  PID:6636
- C:\Windows\System\xWugVwr.exe
  C:\Windows\System\xWugVwr.exe
  2⤵
  PID:6664
- C:\Windows\System\IulptAs.exe
  C:\Windows\System\IulptAs.exe
  2⤵
  PID:6684
- C:\Windows\System\JITUraQ.exe
  C:\Windows\System\JITUraQ.exe
  2⤵
  PID:6708
- C:\Windows\System\vYbdfCE.exe
  C:\Windows\System\vYbdfCE.exe
  2⤵
  PID:6724
- C:\Windows\System\zlNKcNb.exe
  C:\Windows\System\zlNKcNb.exe
  2⤵
  PID:6744
- C:\Windows\System\CFXokwI.exe
  C:\Windows\System\CFXokwI.exe
  2⤵
  PID:6764
- C:\Windows\System\XrPHsAH.exe
  C:\Windows\System\XrPHsAH.exe
  2⤵
  PID:6832
- C:\Windows\System\iwqIjHc.exe
  C:\Windows\System\iwqIjHc.exe
  2⤵
  PID:6856
- C:\Windows\System\EmcMHkP.exe
  C:\Windows\System\EmcMHkP.exe
  2⤵
  PID:6872
- C:\Windows\System\GAliLRo.exe
  C:\Windows\System\GAliLRo.exe
  2⤵
  PID:6888
- C:\Windows\System\oqVnTBi.exe
  C:\Windows\System\oqVnTBi.exe
  2⤵
  PID:6912
- C:\Windows\System\mDVDlRX.exe
  C:\Windows\System\mDVDlRX.exe
  2⤵
  PID:6932
- C:\Windows\System\PRpneuG.exe
  C:\Windows\System\PRpneuG.exe
  2⤵
  PID:6964
- C:\Windows\System\ZcUGqoO.exe
  C:\Windows\System\ZcUGqoO.exe
  2⤵
  PID:6984
- C:\Windows\System\QhyaHen.exe
  C:\Windows\System\QhyaHen.exe
  2⤵
  PID:7052
- C:\Windows\System\oWsWcvC.exe
  C:\Windows\System\oWsWcvC.exe
  2⤵
  PID:7068
- C:\Windows\System\YDVrjJI.exe
  C:\Windows\System\YDVrjJI.exe
  2⤵
  PID:7084
- C:\Windows\System\sELmTZF.exe
  C:\Windows\System\sELmTZF.exe
  2⤵
  PID:7108
- C:\Windows\System\jiWfwSo.exe
  C:\Windows\System\jiWfwSo.exe
  2⤵
  PID:7124
- C:\Windows\System\TzeOXEZ.exe
  C:\Windows\System\TzeOXEZ.exe
  2⤵
  PID:5560
- C:\Windows\System\LkLvbWk.exe
  C:\Windows\System\LkLvbWk.exe
  2⤵
  PID:5044
- C:\Windows\System\prMcXLv.exe
  C:\Windows\System\prMcXLv.exe
  2⤵
  PID:4112
- C:\Windows\System\QaloIEO.exe
  C:\Windows\System\QaloIEO.exe
  2⤵
  PID:6304
- C:\Windows\System\dozhMWk.exe
  C:\Windows\System\dozhMWk.exe
  2⤵
  PID:1876
- C:\Windows\System\imYIlRK.exe
  C:\Windows\System\imYIlRK.exe
  2⤵
  PID:6384
- C:\Windows\System\QnYSzwa.exe
  C:\Windows\System\QnYSzwa.exe
  2⤵
  PID:6488
- C:\Windows\System\JuDuQJY.exe
  C:\Windows\System\JuDuQJY.exe
  2⤵
  PID:6448
- C:\Windows\System\klDfofq.exe
  C:\Windows\System\klDfofq.exe
  2⤵
  PID:6600
- C:\Windows\System\eAZsTgI.exe
  C:\Windows\System\eAZsTgI.exe
  2⤵
  PID:6676
- C:\Windows\System\FNYkpei.exe
  C:\Windows\System\FNYkpei.exe
  2⤵
  PID:6732
- C:\Windows\System\xhcXejT.exe
  C:\Windows\System\xhcXejT.exe
  2⤵
  PID:6752
- C:\Windows\System\GruCfIE.exe
  C:\Windows\System\GruCfIE.exe
  2⤵
  PID:6792
- C:\Windows\System\LjsqZVt.exe
  C:\Windows\System\LjsqZVt.exe
  2⤵
  PID:6924
- C:\Windows\System\NizsUVG.exe
  C:\Windows\System\NizsUVG.exe
  2⤵
  PID:6824
- C:\Windows\System\vfANKOG.exe
  C:\Windows\System\vfANKOG.exe
  2⤵
  PID:6868
- C:\Windows\System\BeQgPkH.exe
  C:\Windows\System\BeQgPkH.exe
  2⤵
  PID:6948
- C:\Windows\System\CHMZLvo.exe
  C:\Windows\System\CHMZLvo.exe
  2⤵
  PID:7064
- C:\Windows\System\VgSgGfE.exe
  C:\Windows\System\VgSgGfE.exe
  2⤵
  PID:7140
- C:\Windows\System\yOZSXsj.exe
  C:\Windows\System\yOZSXsj.exe
  2⤵
  PID:3856
- C:\Windows\System\jQaBRna.exe
  C:\Windows\System\jQaBRna.exe
  2⤵
  PID:6148
- C:\Windows\System\qtKIRgU.exe
  C:\Windows\System\qtKIRgU.exe
  2⤵
  PID:5464
- C:\Windows\System\vNajCXW.exe
  C:\Windows\System\vNajCXW.exe
  2⤵
  PID:6252
- C:\Windows\System\vBXoCWN.exe
  C:\Windows\System\vBXoCWN.exe
  2⤵
  PID:6472
- C:\Windows\System\DBpYAOD.exe
  C:\Windows\System\DBpYAOD.exe
  2⤵
  PID:6300
- C:\Windows\System\AbgXswE.exe
  C:\Windows\System\AbgXswE.exe
  2⤵
  PID:6400
- C:\Windows\System\WGwSDcX.exe
  C:\Windows\System\WGwSDcX.exe
  2⤵
  PID:6576
- C:\Windows\System\TRXelje.exe
  C:\Windows\System\TRXelje.exe
  2⤵
  PID:4400
- C:\Windows\System\EPjNYTf.exe
  C:\Windows\System\EPjNYTf.exe
  2⤵
  PID:1904
- C:\Windows\System\mpMBIyZ.exe
  C:\Windows\System\mpMBIyZ.exe
  2⤵
  PID:6776
- C:\Windows\System\FRAEeTs.exe
  C:\Windows\System\FRAEeTs.exe
  2⤵
  PID:4820
- C:\Windows\System\EMDlGEx.exe
  C:\Windows\System\EMDlGEx.exe
  2⤵
  PID:7032
- C:\Windows\System\nIMKZkX.exe
  C:\Windows\System\nIMKZkX.exe
  2⤵
  PID:7220
- C:\Windows\System\FpdatFW.exe
  C:\Windows\System\FpdatFW.exe
  2⤵
  PID:7248
- C:\Windows\System\ZlZmBTs.exe
  C:\Windows\System\ZlZmBTs.exe
  2⤵
  PID:7304
- C:\Windows\System\oVPITvg.exe
  C:\Windows\System\oVPITvg.exe
  2⤵
  PID:7332
- C:\Windows\System\KLwIrNu.exe
  C:\Windows\System\KLwIrNu.exe
  2⤵
  PID:7348
- C:\Windows\System\GfeeaLe.exe
  C:\Windows\System\GfeeaLe.exe
  2⤵
  PID:7396
- C:\Windows\System\ckzcNpI.exe
  C:\Windows\System\ckzcNpI.exe
  2⤵
  PID:7412
- C:\Windows\System\uEoRcEx.exe
  C:\Windows\System\uEoRcEx.exe
  2⤵
  PID:7436
- C:\Windows\System\hrHdgfD.exe
  C:\Windows\System\hrHdgfD.exe
  2⤵
  PID:7500
- C:\Windows\System\wJUlxng.exe
  C:\Windows\System\wJUlxng.exe
  2⤵
  PID:7576
- C:\Windows\System\jBgZBPt.exe
  C:\Windows\System\jBgZBPt.exe
  2⤵
  PID:7616
- C:\Windows\System\YgNilSM.exe
  C:\Windows\System\YgNilSM.exe
  2⤵
  PID:7640
- C:\Windows\System\DOzCncF.exe
  C:\Windows\System\DOzCncF.exe
  2⤵
  PID:7672
- C:\Windows\System\ftMjMlJ.exe
  C:\Windows\System\ftMjMlJ.exe
  2⤵
  PID:7696
- C:\Windows\System\JYGpubW.exe
  C:\Windows\System\JYGpubW.exe
  2⤵
  PID:7724
- C:\Windows\System\vRziwDr.exe
  C:\Windows\System\vRziwDr.exe
  2⤵
  PID:7740
- C:\Windows\System\wQHdcAe.exe
  C:\Windows\System\wQHdcAe.exe
  2⤵
  PID:7764
- C:\Windows\System\NGsvHYG.exe
  C:\Windows\System\NGsvHYG.exe
  2⤵
  PID:7780
- C:\Windows\System\YeNKkrV.exe
  C:\Windows\System\YeNKkrV.exe
  2⤵
  PID:7796
- C:\Windows\System\OSIjPDX.exe
  C:\Windows\System\OSIjPDX.exe
  2⤵
  PID:7816
- C:\Windows\System\JruglqC.exe
  C:\Windows\System\JruglqC.exe
  2⤵
  PID:7848
- C:\Windows\System\kAPDljq.exe
  C:\Windows\System\kAPDljq.exe
  2⤵
  PID:7864
- C:\Windows\System\xEeIKSE.exe
  C:\Windows\System\xEeIKSE.exe
  2⤵
  PID:7884
- C:\Windows\System\nvYSxVM.exe
  C:\Windows\System\nvYSxVM.exe
  2⤵
  PID:7900
- C:\Windows\System\NZVwkGL.exe
  C:\Windows\System\NZVwkGL.exe
  2⤵
  PID:7968
- C:\Windows\System\NyBWujV.exe
  C:\Windows\System\NyBWujV.exe
  2⤵
  PID:8040
- C:\Windows\System\BbAfYkD.exe
  C:\Windows\System\BbAfYkD.exe
  2⤵
  PID:8060
- C:\Windows\System\DRZeldq.exe
  C:\Windows\System\DRZeldq.exe
  2⤵
  PID:8088
- C:\Windows\System\aJMoKpK.exe
  C:\Windows\System\aJMoKpK.exe
  2⤵
  PID:8112
- C:\Windows\System\gqDQBlH.exe
  C:\Windows\System\gqDQBlH.exe
  2⤵
  PID:8176
- C:\Windows\System\ySJFaon.exe
  C:\Windows\System\ySJFaon.exe
  2⤵
  PID:3672
- C:\Windows\System\axVWGME.exe
  C:\Windows\System\axVWGME.exe
  2⤵
  PID:6620
- C:\Windows\System\lQOuhZb.exe
  C:\Windows\System\lQOuhZb.exe
  2⤵
  PID:6624
- C:\Windows\System\iGFDzDv.exe
  C:\Windows\System\iGFDzDv.exe
  2⤵
  PID:6468
- C:\Windows\System\PqtCjCv.exe
  C:\Windows\System\PqtCjCv.exe
  2⤵
  PID:3564
- C:\Windows\System\KXjhhkQ.exe
  C:\Windows\System\KXjhhkQ.exe
  2⤵
  PID:6848
- C:\Windows\System\uskAhMw.exe
  C:\Windows\System\uskAhMw.exe
  2⤵
  PID:7208
- C:\Windows\System\SOjEXBZ.exe
  C:\Windows\System\SOjEXBZ.exe
  2⤵
  PID:7344
- C:\Windows\System\DIAnTkl.exe
  C:\Windows\System\DIAnTkl.exe
  2⤵
  PID:7312
- C:\Windows\System\dHvHcrj.exe
  C:\Windows\System\dHvHcrj.exe
  2⤵
  PID:7364
- C:\Windows\System\dpQQiOj.exe
  C:\Windows\System\dpQQiOj.exe
  2⤵
  PID:7496
- C:\Windows\System\wckNOja.exe
  C:\Windows\System\wckNOja.exe
  2⤵
  PID:7428
- C:\Windows\System\bxBojaV.exe
  C:\Windows\System\bxBojaV.exe
  2⤵
  PID:7488
- C:\Windows\System\PEdQswh.exe
  C:\Windows\System\PEdQswh.exe
  2⤵
  PID:7560
- C:\Windows\System\kkojgqz.exe
  C:\Windows\System\kkojgqz.exe
  2⤵
  PID:1520
- C:\Windows\System\aHlTPBE.exe
  C:\Windows\System\aHlTPBE.exe
  2⤵
  PID:7836
- C:\Windows\System\uwqNLpj.exe
  C:\Windows\System\uwqNLpj.exe
  2⤵
  PID:7860
- C:\Windows\System\IkJvTQc.exe
  C:\Windows\System\IkJvTQc.exe
  2⤵
  PID:7928
- C:\Windows\System\SnyVlLU.exe
  C:\Windows\System\SnyVlLU.exe
  2⤵
  PID:8004
- C:\Windows\System\iDTtZBh.exe
  C:\Windows\System\iDTtZBh.exe
  2⤵
  PID:8028
- C:\Windows\System\obfYgJB.exe
  C:\Windows\System\obfYgJB.exe
  2⤵
  PID:8172
- C:\Windows\System\XQXYhXg.exe
  C:\Windows\System\XQXYhXg.exe
  2⤵
  PID:6756
- C:\Windows\System\ZyLpOfC.exe
  C:\Windows\System\ZyLpOfC.exe
  2⤵
  PID:1004
- C:\Windows\System\MKCLHMg.exe
  C:\Windows\System\MKCLHMg.exe
  2⤵
  PID:6952
- C:\Windows\System\bMKUskq.exe
  C:\Windows\System\bMKUskq.exe
  2⤵
  PID:7432
- C:\Windows\System\yHJJJtP.exe
  C:\Windows\System\yHJJJtP.exe
  2⤵
  PID:7212
- C:\Windows\System\AytwWTA.exe
  C:\Windows\System\AytwWTA.exe
  2⤵
  PID:7544
- C:\Windows\System\ytKQkee.exe
  C:\Windows\System\ytKQkee.exe
  2⤵
  PID:7328
- C:\Windows\System\hhlrtRu.exe
  C:\Windows\System\hhlrtRu.exe
  2⤵
  PID:7600
- C:\Windows\System\xaIjJol.exe
  C:\Windows\System\xaIjJol.exe
  2⤵
  PID:7856
- C:\Windows\System\PEiRAjb.exe
  C:\Windows\System\PEiRAjb.exe
  2⤵
  PID:7980
- C:\Windows\System\ilexzJt.exe
  C:\Windows\System\ilexzJt.exe
  2⤵
  PID:8140
- C:\Windows\System\GcodKnO.exe
  C:\Windows\System\GcodKnO.exe
  2⤵
  PID:8084
- C:\Windows\System\qfHcofk.exe
  C:\Windows\System\qfHcofk.exe
  2⤵
  PID:4052
- C:\Windows\System\EvOOwHl.exe
  C:\Windows\System\EvOOwHl.exe
  2⤵
  PID:6720
- C:\Windows\System\ZGHVkOT.exe
  C:\Windows\System\ZGHVkOT.exe
  2⤵
  PID:7228
- C:\Windows\System\nNlVTxY.exe
  C:\Windows\System\nNlVTxY.exe
  2⤵
  PID:7776
- C:\Windows\System\qNqvPLm.exe
  C:\Windows\System\qNqvPLm.exe
  2⤵
  PID:7684
- C:\Windows\System\ubPzLfo.exe
  C:\Windows\System\ubPzLfo.exe
  2⤵
  PID:6512
- C:\Windows\System\FfemlXC.exe
  C:\Windows\System\FfemlXC.exe
  2⤵
  PID:8204
- C:\Windows\System\AjPjgQR.exe
  C:\Windows\System\AjPjgQR.exe
  2⤵
  PID:8224
- C:\Windows\System\vjvISaT.exe
  C:\Windows\System\vjvISaT.exe
  2⤵
  PID:8256
- C:\Windows\System\ASUBIiC.exe
  C:\Windows\System\ASUBIiC.exe
  2⤵
  PID:8280
- C:\Windows\System\xdpzJfV.exe
  C:\Windows\System\xdpzJfV.exe
  2⤵
  PID:8296
- C:\Windows\System\FFXBaPW.exe
  C:\Windows\System\FFXBaPW.exe
  2⤵
  PID:8320
- C:\Windows\System\FYAZkZt.exe
  C:\Windows\System\FYAZkZt.exe
  2⤵
  PID:8372
- C:\Windows\System\uVMpXBd.exe
  C:\Windows\System\uVMpXBd.exe
  2⤵
  PID:8392
- C:\Windows\System\CjcLYMg.exe
  C:\Windows\System\CjcLYMg.exe
  2⤵
  PID:8416
- C:\Windows\System\puoXyIG.exe
  C:\Windows\System\puoXyIG.exe
  2⤵
  PID:8432
- C:\Windows\System\cJtwtdz.exe
  C:\Windows\System\cJtwtdz.exe
  2⤵
  PID:8448
- C:\Windows\System\kWbQaQm.exe
  C:\Windows\System\kWbQaQm.exe
  2⤵
  PID:8468
- C:\Windows\System\rIPuUZs.exe
  C:\Windows\System\rIPuUZs.exe
  2⤵
  PID:8492
- C:\Windows\System\sOyvUrm.exe
  C:\Windows\System\sOyvUrm.exe
  2⤵
  PID:8560
- C:\Windows\System\leilUGN.exe
  C:\Windows\System\leilUGN.exe
  2⤵
  PID:8584
- C:\Windows\System\GOUwKGo.exe
  C:\Windows\System\GOUwKGo.exe
  2⤵
  PID:8604
- C:\Windows\System\eYxyOjE.exe
  C:\Windows\System\eYxyOjE.exe
  2⤵
  PID:8652
- C:\Windows\System\zdLEgde.exe
  C:\Windows\System\zdLEgde.exe
  2⤵
  PID:8720
- C:\Windows\System\jXGdqHe.exe
  C:\Windows\System\jXGdqHe.exe
  2⤵
  PID:8752
- C:\Windows\System\IMNHpLO.exe
  C:\Windows\System\IMNHpLO.exe
  2⤵
  PID:8772
- C:\Windows\System\TsCILwz.exe
  C:\Windows\System\TsCILwz.exe
  2⤵
  PID:8788
- C:\Windows\System\XmKYOWM.exe
  C:\Windows\System\XmKYOWM.exe
  2⤵
  PID:8804
- C:\Windows\System\KKMEyAc.exe
  C:\Windows\System\KKMEyAc.exe
  2⤵
  PID:8824
- C:\Windows\System\rwqFcYW.exe
  C:\Windows\System\rwqFcYW.exe
  2⤵
  PID:8844
- C:\Windows\System\VYkKqif.exe
  C:\Windows\System\VYkKqif.exe
  2⤵
  PID:8864
- C:\Windows\System\zKXvTdM.exe
  C:\Windows\System\zKXvTdM.exe
  2⤵
  PID:8928
- C:\Windows\System\rgHVgws.exe
  C:\Windows\System\rgHVgws.exe
  2⤵
  PID:8944
- C:\Windows\System\iXjAxVo.exe
  C:\Windows\System\iXjAxVo.exe
  2⤵
  PID:8968
- C:\Windows\System\IJfoUjF.exe
  C:\Windows\System\IJfoUjF.exe
  2⤵
  PID:8984
- C:\Windows\System\ipIAKTn.exe
  C:\Windows\System\ipIAKTn.exe
  2⤵
  PID:9004
- C:\Windows\System\eBvrUsg.exe
  C:\Windows\System\eBvrUsg.exe
  2⤵
  PID:9036
- C:\Windows\System\NPhDxfo.exe
  C:\Windows\System\NPhDxfo.exe
  2⤵
  PID:9088
- C:\Windows\System\kxgAOiw.exe
  C:\Windows\System\kxgAOiw.exe
  2⤵
  PID:9112
- C:\Windows\System\cyUpxLL.exe
  C:\Windows\System\cyUpxLL.exe
  2⤵
  PID:9140
- C:\Windows\System\TXRUGLu.exe
  C:\Windows\System\TXRUGLu.exe
  2⤵
  PID:9156
- C:\Windows\System\pCdotnP.exe
  C:\Windows\System\pCdotnP.exe
  2⤵
  PID:9188
- C:\Windows\System\NNjBfRD.exe
  C:\Windows\System\NNjBfRD.exe
  2⤵
  PID:9204
- C:\Windows\System\rcdAseY.exe
  C:\Windows\System\rcdAseY.exe
  2⤵
  PID:6068
- C:\Windows\System\YIbEwJh.exe
  C:\Windows\System\YIbEwJh.exe
  2⤵
  PID:8328
- C:\Windows\System\wtYQmZb.exe
  C:\Windows\System\wtYQmZb.exe
  2⤵
  PID:8428
- C:\Windows\System\WbAhUyf.exe
  C:\Windows\System\WbAhUyf.exe
  2⤵
  PID:8276
- C:\Windows\System\ObmtvcP.exe
  C:\Windows\System\ObmtvcP.exe
  2⤵
  PID:8364
- C:\Windows\System\DkARbOa.exe
  C:\Windows\System\DkARbOa.exe
  2⤵
  PID:8672
- C:\Windows\System\bxcdUwI.exe
  C:\Windows\System\bxcdUwI.exe
  2⤵
  PID:8760
- C:\Windows\System\uwTnlmU.exe
  C:\Windows\System\uwTnlmU.exe
  2⤵
  PID:8820
- C:\Windows\System\strYpDv.exe
  C:\Windows\System\strYpDv.exe
  2⤵
  PID:8836
- C:\Windows\System\UauyYNf.exe
  C:\Windows\System\UauyYNf.exe
  2⤵
  PID:8780
- C:\Windows\System\YcTRPDv.exe
  C:\Windows\System\YcTRPDv.exe
  2⤵
  PID:8980
- C:\Windows\System\xOduEYt.exe
  C:\Windows\System\xOduEYt.exe
  2⤵
  PID:8936
- C:\Windows\System\PoYXkbS.exe
  C:\Windows\System\PoYXkbS.exe
  2⤵
  PID:8956
- C:\Windows\System\zxCHMJd.exe
  C:\Windows\System\zxCHMJd.exe
  2⤵
  PID:9076
- C:\Windows\System\hLNWOYo.exe
  C:\Windows\System\hLNWOYo.exe
  2⤵
  PID:9064
- C:\Windows\System\QHJDzQQ.exe
  C:\Windows\System\QHJDzQQ.exe
  2⤵
  PID:8196
- C:\Windows\System\dnZMrTN.exe
  C:\Windows\System\dnZMrTN.exe
  2⤵
  PID:9184
- C:\Windows\System\cruqCdC.exe
  C:\Windows\System\cruqCdC.exe
  2⤵
  PID:7180
- C:\Windows\System\kozgnhE.exe
  C:\Windows\System\kozgnhE.exe
  2⤵
  PID:8308
- C:\Windows\System\khKkegV.exe
  C:\Windows\System\khKkegV.exe
  2⤵
  PID:8528
- C:\Windows\System\vtoLoCS.exe
  C:\Windows\System\vtoLoCS.exe
  2⤵
  PID:8728
- C:\Windows\System\VtzrZre.exe
  C:\Windows\System\VtzrZre.exe
  2⤵
  PID:8712
- C:\Windows\System\SOxtUcd.exe
  C:\Windows\System\SOxtUcd.exe
  2⤵
  PID:9080
- C:\Windows\System\BLxxAem.exe
  C:\Windows\System\BLxxAem.exe
  2⤵
  PID:9200
- C:\Windows\System\HdElhkN.exe
  C:\Windows\System\HdElhkN.exe
  2⤵
  PID:9180
- C:\Windows\System\ZtKVluH.exe
  C:\Windows\System\ZtKVluH.exe
  2⤵
  PID:8268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5uylgjz1.oa0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AwFdayP.exe

Filesize
2.7MB

MD5
a5bcd68eb46557a15dd198f55a142bde

SHA1
c26525127862cfb2acc6423051bdcaaf044acf61

SHA256
2e514811bc22ae4aa49ff11a1596fa5903cef36ee76441f069186dc58c1bf034

SHA512
0b1da303639136112928ce0afcfeb3298d9602c4eae3d5ac4360e39cd03c8c591209c6786e2d90195c6ae50921cb96face0a7c9d12bea072211a874631ae99c2

Download Submit
C:\Windows\System\ECAwGNy.exe

Filesize
491KB

MD5
d92d448a1b006fa9d34e21240c19d3d3

SHA1
4753af75107efac8653befcf547877babc1db62d

SHA256
ef8752aaa289f418fd3a2d98c06df4597bd2409be38b26d1bfdf7926eaf678d4

SHA512
52e7f42e9cec851b187ae9a34d84885e9c407b92b8fcbf3596f7bfa1012846f3505f564d08132ad5d29d2cd3bc8fb30cb6a3b75266ebb44fe7a98b05becfc346

Download Submit
C:\Windows\System\ECAwGNy.exe

Filesize
318KB

MD5
8c65080ec14b05848ef558511fb981d2

SHA1
37fcada0d4538713ee3fd02c4158e3d087b91360

SHA256
886f1df347cd3a3642e38a490063f5e31c9dbc28c524c8b7e96a3b06242bc9be

SHA512
32f5dc0092f165a2b8914c437ca3d1c0d576638d28da20c7745452e18b9b767d9684a7d49f258c2a5ffa0175a3457576bb23d5e6a9745f32956fd574ec0613e5

Download Submit
C:\Windows\System\EOqzFEn.exe

Filesize
2.7MB

MD5
83870bb4c9ff26b200c570db655d9697

SHA1
f485fa5db81b54b1fed4304ef2886ee69784d917

SHA256
172ab8b8c8a9af850bed0aa17966f429bb48d79f4fb1353fc59efde2d2c01bfb

SHA512
973d2a9b09c217f588a529cb3e69ae1e8cdadd1923cff073e0d793b5ddd581e7a8c8b3edd4800ccf762716648f07596c3e2bff82c330117f0f307f13fc44bd53

Download Submit
C:\Windows\System\FOtMJpN.exe

Filesize
1.4MB

MD5
edf6c9527928e54d56591939e71dd0ae

SHA1
b6077c647d78b1a7b1d193d5d8f83e945c8cc063

SHA256
c04893270955975219b34801c21ba91f6123f7def76fcae5828eae6d8fb2ad2f

SHA512
16ce0535e689c714d1306801deff18e1813266e4ff1c26a0c597cb1795669356b7b2dd5adadf482fb1e30cf8aff262eca57d5d523c2b10e66af36998565d5e67

Download Submit
C:\Windows\System\FOtMJpN.exe

Filesize
1.4MB

MD5
0905409290a4c59bb6d86754ebacbce0

SHA1
b6b072b79585364139c2a6009d361728b2106404

SHA256
51c4f3c659fcb3ece8797231dd589890651b9d3e984f871e39661554fdeb3301

SHA512
6fcb1b1fae83b6d1d2f296c123b4125583c9653e8ade46946607d493ade0c797ca40d667beb33da1467106ec26e3f1ab7a5128975142ef1cbadfaf4e3126b2d3

Download Submit
C:\Windows\System\HLXGiow.exe

Filesize
2.0MB

MD5
7fba42a1cc252c8eeae3e9c22e42faec

SHA1
344cb5eda26bb7769a3e91f4c1f4e9101df1e0df

SHA256
ad8c3a4f6fd431ac49399b3335845ecb242bccb5f312c9286418e1447a946602

SHA512
086ec8f5d2e96a4cff45086e8f96082184531c3269e21d14b54b18ee5dc823c9a5e2ee72fcf5494c6a4137c61ce2d097caa067e1913a6015844969c876510b24

Download Submit
C:\Windows\System\HLXGiow.exe

Filesize
2.7MB

MD5
1e3ae0f78871ce798ef0c1453c8690b2

SHA1
105227de145cf41ae0911042d2a2f3c8a3c78789

SHA256
5a98b85dc282bad789edcef04976468c65fd4bb0ccb81bdcca11cf1b5f8c9173

SHA512
a4f9c9abe7cb11cb52ff1460b3def729c5cc423905a116b29d40be4b720a3d42212b318473fcabbf733f1dcd7e86595b4f7a491e738494b35861484c742d25dc

Download Submit
C:\Windows\System\LZwoeKu.exe

Filesize
832KB

MD5
1750a025724849321bdd8be071f18bd8

SHA1
c09cdec7be3dfd09b56d45fd1e21b72d777ab2e1

SHA256
4a764f27bcd06afeb03015fef8349c7d0837753c27d79d2fa25c8ef64b2a1d4a

SHA512
7c695a6f1d05d5b14d2ee9bdafacb5d07029aea94f1396ef87da23aed7bbab78b9a2b7c05a07e3d6f496158d828482af7004b9d63581313659920e36dbcb054c

Download Submit
C:\Windows\System\LgwhviC.exe

Filesize
2.7MB

MD5
d350f56aa55ff5374310eed3f4925346

SHA1
16200e12bc25fb9182c16e993cfb7174fdb05144

SHA256
469c7b1a87184ac243defd0fbbc79ba4c082e2b9b69cf2fbe0ce1342e120b1e5

SHA512
3c13cc69ec0233f2264c8140d7f1fd7421db2b373cbc8dd2c6a0108aa8aea8ac9bdf5001961892e0ef60507c518c4e0e4a433e8a8224f6153b437bca2b9ff2c9

Download Submit
C:\Windows\System\MCaNShZ.exe

Filesize
504KB

MD5
dd823f8a8f3b485589bcc8256c110829

SHA1
f9e8fe1a3ab496ae16e11ae0c6300d975a826c47

SHA256
5bbe9e0c99318429b2a468eb23e9ea8d90d16d38bf2cc10bc6c1bf6d80718bf6

SHA512
79091231b133f621b5c4a8638dbd5b41ee1c76ca8918eacbbad599918078ee74e053b11c894af4444a560c6b993df66789273f52e0669a2f8afd8c9400af7948

Download Submit
C:\Windows\System\MCaNShZ.exe

Filesize
797KB

MD5
7f7c3b123babfa3a427a0e24ffe3ef13

SHA1
0f51c6547e8f6b44710a59a0bcb793907ebb808f

SHA256
073232e00a282d4e46ddd5f3238f8f1273669f564d82e55e727878c4e7797a33

SHA512
7b1c95862f1de69dad5e687426e668567cdea04e9f958ae989d98c83a66f8fbcdcdb0f8a6b29553edb8077fd3f1994f20e49845bcfe9eea662c33191aae3e63c

Download Submit
C:\Windows\System\MvLwbGW.exe

Filesize
2.7MB

MD5
d469054a7535d591ab4de161065fed7e

SHA1
d8ee81def6e2ccd6352f2af55d31e0a83a3cdf3b

SHA256
8c77ffbfdead035abd303de0efe5c4a941fe69733cc4d3842774e4796e094d9f

SHA512
9ce86269497f2869af667422439e442f4ec40f62eae6b304825006f9e0193d08913658d36038ff98ba22e1bfac33fb31e3bdbd38b32c55c16a36a00f766440e3

Download Submit
C:\Windows\System\MvLwbGW.exe

Filesize
18KB

MD5
8847bdc5bff81706dc48a9913b20c9b8

SHA1
80b706962ebf7d5e8bdf147d08abb655507ced84

SHA256
49d2621655587eb0939145060530d8599949aa7bd73e2d9e4458a0a46e0ad6fa

SHA512
a656c424fe0f89274d3fc8f813d891a2db8b0db4c4d65075f4faff97beaa423f0bb12abf52b839ef9b892ebcce27639dc6c9faabf58e476ad962b6787a640128

Download Submit
C:\Windows\System\NFZJgaE.exe

Filesize
1.3MB

MD5
ced7e5d7abf662c962b7b30eca89c36a

SHA1
4b06d0b31d937a50ed21ca28d1e166e25c66d3f4

SHA256
fd9437acf7ad83a136e447cffb7b4228926c54976bb551ac602a1ee1113647e6

SHA512
17d094a49fea39241f1ca0c448b8806d21d3e4a0ca51b9a8b0662159cc23b4a9e4a901f73931c89477b698e6ff88b233c04060629d224c4bc5ebd73c6a0e42cf

Download Submit
C:\Windows\System\NFZJgaE.exe

Filesize
330KB

MD5
216ef2f03d3c749d08c37dd0955e53f0

SHA1
ef58bf6c9bf28332a03848c3abbe4eb5a64c7611

SHA256
e7506ca3a137e489b33d1d68d08cc878a6deef8a34a5a90c44d03da4e41ae838

SHA512
8e6096c77a4cea66184b09576431a6d173823ac94fb0fa80cf77b46200515c9e1203565a08abff3af93e398409790c0976b1460180dcc658f80c02e01bb10f12

Download Submit
C:\Windows\System\PigNCfa.exe

Filesize
783KB

MD5
f06a544a09cd803e7823aa4c5f09cd9a

SHA1
0db66a957c697cb871349933c9734aa592e3bf93

SHA256
4453fcc1800b6a17eb44d700b08c176cbf10ed2be9cd1813c7e79116bf2f1bdc

SHA512
5f63a9d4d030371740779cae2bf9f55204cc38bd0ad73f66a8d43fed104740c279f8b9ce4139469aa7017bceae34220968777c73fd2145387822e52a6787015e

Download Submit
C:\Windows\System\PigNCfa.exe

Filesize
734KB

MD5
58436a03c3db7585f0dcd9be71a9466e

SHA1
f7937b2cf61d3455400adc56475a34afbf2dea23

SHA256
632c2992f34809e096a783879a7258f46d96a402ecc4288644bba59ba632596c

SHA512
a3d3eec14f8eb3ffdc2221b1b818df4628ffb6c1a9880952aebf3ec4a8d4a21d914b4a713a64ffaf293f659dcedbfd12e70eb8388dee57c40d18a89b349fd718

Download Submit
C:\Windows\System\VEyikOr.exe

Filesize
2.7MB

MD5
ea2da2d591169864524b2c77f189e5bc

SHA1
3de48cb555938f7ee707095f51cd42b5da19aff6

SHA256
dab9bded3191fe6d4f0813a5b5c55c2510aba3ede7132c912aba376932f55b62

SHA512
7072c9af6dbe7d9b19cfaaf85d78015e564f58848918c4a10a803d7d13cf6795090a7c51520457955e1d2f4e30631c687d043f8c6e2d872af65dda2c0f44b710

Download Submit
C:\Windows\System\WLOtNKZ.exe

Filesize
175KB

MD5
8654b3ded79ebf561d13920917c9da7f

SHA1
417fb8318de1933e2f19fa1e6658847facd49d53

SHA256
da65a2f2a188001b3e989711791634a916db1aa57f39a562c1b506e887ec5474

SHA512
e291f073b15e3ac0b44a36f47c1df6f464dc62e2e267d3d0a8a223ed3af677e664648b7fa24df04eb21d5a9b16ec27ae5e5707cfdd9fc1f0b915f7b23f7f0a79

Download Submit
C:\Windows\System\WLOtNKZ.exe

Filesize
316KB

MD5
e2436b9a1100c1885eb65683437048d0

SHA1
f70f408f248497ddba8f3d40342d86537ae10971

SHA256
af7351bf1125c9351d407ee2974b2b3dcf54c9d43306f7d050adbe7715cf94b0

SHA512
6204372132ca7e438fc8b64214b1e8b7dc7a6ae46acbf6e53818297ae847e66bfb71542df5b0850be8bc62c95f24c6a2e638f906e916cb48294fa490f3ee4f80

Download Submit
C:\Windows\System\WyjWsSr.exe

Filesize
2.7MB

MD5
b673a0476bcb4aaff48b9ef7b0e05a90

SHA1
cd48dc1dc079b199a5487bb573bc0cd5ad225b8d

SHA256
e2ab2bd635d2b768496d648fb14f100a404e540f66bee068c5606f945adcc7d4

SHA512
416d1f12c01c7d8908c20ecafd3903944f07d42ad75abd41bc6dad38ed69686b816614df30232d22ddcae40f8c9be1c2a181437b22a5e1a5b8ae9d28b49d56cf

Download Submit
C:\Windows\System\ayJVcYD.exe

Filesize
2.7MB

MD5
9efb0a1d97e407eebc7e714075ac1548

SHA1
d65f610a3c0c2250572207a3d3b0762980673d3c

SHA256
630cc7b961e847c8eebc1a9982e01ae4959e7ee682205baffdce2c1cdf88ca72

SHA512
174aaf856a5df1f8acc7839e55958c1bb9e73781c8116c21264fb602d1cf0c931071b2aeb29752242a456532fafe5ae3a8d983a776818122a7605a4760180a62

Download Submit
C:\Windows\System\ayJVcYD.exe

Filesize
79KB

MD5
43b7034daa294e75f8005322b7b486ea

SHA1
739a941b89e33f23c4e61df326fe39e8566f454e

SHA256
40de577b13b50f80c9a9bb0538298141e760ee6a583fcc3e25991005a50624a8

SHA512
0381747c93b6be1a932ccb445bd209bde2728ebf25ddeea4c15598975ac014ac3fc0f042c9ccf5a21ecd81630b7313eb3f862cc60362e25349a121cee48e0e7e

Download Submit
C:\Windows\System\bPrTbiK.exe

Filesize
2.7MB

MD5
47746bb2d829926b3c724374e3d5ad20

SHA1
10a1db824742ebf104689a73bb6dc9d6a51590b9

SHA256
c8d604b1da9b0714a2064d2ad16d5910d2a28ff24c3aef2157524d62de7bab99

SHA512
e8b2624f299260ba0dc7b48eafcbc371e63e633f429a1d10eab7d01d56155dbe96ed465682e50cb1f9ad8fcdcf6fc375cf90c507af1fb2234d838d8f201f582a

Download Submit
C:\Windows\System\bPrTbiK.exe

Filesize
42KB

MD5
7d0b9f63922c3d670362f2540540ccd5

SHA1
cea3f9fc413bf4a683b445ed371ffd10ebe5c3df

SHA256
a537f2b74b778043ece7cab7015146f3de84a606a9efbfeb3aa698f54e47e56f

SHA512
ed0a16db5437cf81ae9d44908e34fb804e9d4f4325de1df79d9a477889e1662ef78f3615395cfa15817f6233d5488f79d792762f0d55d2507c197d076277d13d

Download Submit
C:\Windows\System\bvrofoj.exe

Filesize
2.7MB

MD5
d1a8efe9376bab8ecf40d4a342a587f3

SHA1
389b9706e7e4bf09c5ae562e771d1d1e31d8e5a1

SHA256
3035b8a8d97f60043a0887970495f5329c0f1ab65975f8449b25a29743d2f44f

SHA512
d2b56eafa112e4b0ab71b2ea21da4cf08b4df3f25bcbc3c40b6fede51f51e8b4e40d84b6edb002d820bd4071d2721385727a2e76221f439d55e1ca658b4bcfdd

Download Submit
C:\Windows\System\bvrofoj.exe

Filesize
82KB

MD5
cf9c6de49bcae50d5f4d6879b1c638b0

SHA1
4e273925cae9c5695b83a6ea9d90876fd7b13624

SHA256
123dd5997719cccd942036360a61825628f5fe488735f833265d2b13ccaf562a

SHA512
a5b27cdbdc216c44e0583c3a7b2187efb59e73bf414559a27ac7d1dd598dc05e6aa03a6fc8b702aae40bbc6b7082a5a9c9903d99a6f268f58e09b5d26639f591

Download Submit
C:\Windows\System\cppAVIY.exe

Filesize
936KB

MD5
06c10432e48961874abdd1eec378f55c

SHA1
57a30580c37c16cf042df076eb7abfbda96e34cc

SHA256
529d505fdad349ff314bf6352598cc874ee206a15fb9c48572030f065cb596e5

SHA512
b608f803adc4d1470047fd0063e20622175888c0c12cdff77101a476bda10a577de05205cfc69e2c77fe65ffdf696772e54d062d9e597f3e9f3f98c896b0f32b

Download Submit
C:\Windows\System\cppAVIY.exe

Filesize
261KB

MD5
72de8fd8d63da54cff167c88df684d89

SHA1
2b8fd4872a1080d377b99ca0b076bb16c38cefc6

SHA256
0c705d2d6b82ab4c0e9cd310cf31036e846112d139a71fa5744ace17fdcc5bf0

SHA512
1203b25ddbb42659d9b265930d50b002779787186c2e6397a8bc216e3d5f3b6e1076bfa8cafedcf63de620b502b231068bc0306a457c746ae7d9905a40b66381

Download Submit
C:\Windows\System\fFbpCLb.exe

Filesize
1.2MB

MD5
7f8e0a6822531fc1039d8a6bce159083

SHA1
47f95f1a7a9eaabad4c50ffd816906e278c8681b

SHA256
7a9b71aff99bdc53b469fe135d78fffcb8e850e481cd5dafb394f3135a4b110a

SHA512
3e01ce51d419b5de20cca0c3752b0e65c3202aa31ad07946000247de428decb271df4d7e3c87c55d789b045bebf11c9d1f77094a55f7186c779e72c45cd12ea4

Download Submit
C:\Windows\System\fFbpCLb.exe

Filesize
2.7MB

MD5
658dca9cc4b7a6514ce3dade5d6a8ccb

SHA1
57f1c79bccb322d6242ae9ff02b032061aefa6e8

SHA256
8b67cc6f2e88443d1959de19acd0818b16bbabdb495fedf16d491e2d4eab6c7b

SHA512
a8970ac274c064f35c4bdbbb703d89419961ba0fe16c21fd8f17b761726aad7191a4aeef41ea3179f4e07b943933471d20d156b299541f98d433c8ff09e481a1

Download Submit
C:\Windows\System\fFbpCLb.exe

Filesize
512KB

MD5
11919e0af7b24147ac37cca00c131c08

SHA1
51eab11b595b560c0f72211a12292f040f64ae1d

SHA256
a7af9d97db88616ccc62ccadac85874aeaa7586513a10601cac25ae399e8a745

SHA512
9fcff0829323b730f336c14aebee40a0d3e43ec1ddd2fea6e8f617259cec15b88841574db7ae5b34cf89ecab7ba6878fef9c1fabc26d29234ea49badc2dd064b

Download Submit
C:\Windows\System\iPQKDje.exe

Filesize
1.1MB

MD5
686d5cbe82ea6c2cd81ac88666e5fa53

SHA1
f1c27824402fc58f4bd3a3251f3b4c5b54173b27

SHA256
6e2df3c87bb0e92d7b772ef4b8982921dc8744483471864d8e03528f2cb5c3cf

SHA512
093532ff5f62f01dc89d85acc1860fd1a5dbf7c892d141b52cdd5872de56d528d652942c37160b19a6374adcb42bc2b779d674baaba802f4ac75d58bb904625f

Download Submit
C:\Windows\System\iPQKDje.exe

Filesize
411KB

MD5
4c86c3f6eb9e974cc46a4cd89bdeefe9

SHA1
653df8425d29b6867b6643870f3818033ed1dca2

SHA256
64471b256a4c4481219018b7d30f691ed7b498ddef6dda2aa5287d91a2bccf66

SHA512
4e01daeb89d1d9e48a1ed88c3fed3cd7c66d41f07d806f2dcafda3b04d9948fa0dcfa4bfaec02748fac9c3e55f87fbeac08ec5fa7a9f021b9d5dfd8b471de550

Download Submit
C:\Windows\System\jEkNCJa.exe

Filesize
8B

MD5
d6349613f683bded6d69a7d02ace4275

SHA1
1627fabfdfae3cac338500241f4e9e969ee50ac5

SHA256
4a54b14258d08729a6205b09d8643680d1fcbeb6eaed5e636cae813e537ac662

SHA512
d83aa606a1ca4c9ad32d8a91f5b2cf833fc395e62b938477a618ca3509fa52443c5e33121c0988fd90e65d2855a59276136a584d3f8258054273372e5fbf3292

Download Submit
C:\Windows\System\kHvBAxn.exe

Filesize
432KB

MD5
6bce0bcbe5d3930dfcafca8c1f5cdd58

SHA1
90fc4b1e9f96fa01bf3695d36cdbb22c78250f92

SHA256
14955c8e0ec9853cea2cf89536f10357c9d267e164704e599f38af108bea0600

SHA512
0e59f8804781faca493fbcf19f3978b07e74709b98cb1d9f0c5f5567f722155ce43f57fe3a61f5b03eb3e4d92438bd56b362a7d35ee5e193ee20308c482e7e65

Download Submit
C:\Windows\System\kHvBAxn.exe

Filesize
510KB

MD5
88e42f70c1fc41908ff88d77d5c54898

SHA1
e233fde840fcd1af058b0a3a3424629f07f61b6b

SHA256
eaca45686ab59541175f3478d01cbfd9b1ac6d50f973a5c6172b35f279ca2408

SHA512
f6e706c9ecbee75ba2ffef2dfe7c356e4e15e5ceb6463adee7fef6f85fe882371d537d2b202ea9cf9653577950bde8558893e88078288b7954fc22da5d97381d

Download Submit
C:\Windows\System\kzeNljL.exe

Filesize
704KB

MD5
5a859925859f724ae2b914bf73771a10

SHA1
3df34971be00c0068091dce2a8ea5796aa651c6e

SHA256
1b3eed38414adafdc420537e2d5f9bc88aa15318f9c670cb8e0551824c8cca10

SHA512
3f5d88a5b779da3350575bc72ae2f6dd7fb4666d1d0a92c7d8595a771881cc3dcef58c5dfdbcb193c58bc45a13d9e7090800030875cce71a7c5332d4c3a6b7ff

Download Submit
C:\Windows\System\kzeNljL.exe

Filesize
2.7MB

MD5
36edc58fef63eb8269d6a79648c56502

SHA1
cea0633c70b62d1ffddb545664ebc91a597752b0

SHA256
39db80b44ea99852ed13d18b92c1d3f7a79682d5d0e18e84813ea215119e3de6

SHA512
6efca801d3a904f4219081c3ba9fd251d845ad201d51bdc52a2672b27cf8365c0ea37580df5f80c24baadfb21f7e77aa2e5a4dd22776c3c6d23859cf1a12f4b1

Download Submit
C:\Windows\System\nAlWxJp.exe

Filesize
448KB

MD5
e1b0e4f1e9d27696701c4b8e6c1fb92b

SHA1
250208f24df0f6e2fcc93e3aa36248290d5d3931

SHA256
eb3827c3694890dc070aaa28840c68cfcfc203a791b424202cd641eb85c99a00

SHA512
2b738d074a6a5aecc2b0f251addf87d8ecf7d947a5d74da76a342d8cf7552a86ebc16e178b4dc3f81b74b6184ec7c8274716ff5f4a3bfd524669584da29cce48

Download Submit
C:\Windows\System\nAlWxJp.exe

Filesize
2.7MB

MD5
bf20634b66af4fb03b16587f640613ee

SHA1
5626b2727ffc55d247588d831f7a77eb72ccffb1

SHA256
8597d5b3d358c6a5a0ce4fab9d074992718c1c98d9368c404590fc2f74b90fcf

SHA512
91981910df4a004b7c5a5858150b7d3457557523cd194a198c2d89dec97140c40e62714bdcbed45bed2b8f6226f71bf9918606b1a5ae7552327f53232c66bc54

Download Submit
C:\Windows\System\nQpoibq.exe

Filesize
2.7MB

MD5
27e9a1cf6222a548755d620ed5fff2fa

SHA1
ac9c76091c36f870c36590af53a815076132a008

SHA256
cd810778367c3ab4b3551d99200dad204eb9e47fc4bfba3a6a85951d114464c5

SHA512
2b1703ef5fd24e07651ce3486375ae38c322b2d332d526ea4780102c3e0ea513c3ef3769a57411674b63df666c0b817d4df7f18778ab777c2ed530268ebf3c2e

Download Submit
C:\Windows\System\qmtsdWJ.exe

Filesize
2.7MB

MD5
b4f19dd83020e51c2a71195189bc4f33

SHA1
a2d71b5071f4e0f743ea84b45b295b1b59395c8d

SHA256
8f5c080a9cf5aea8c00feb50966ee4705f8de5102f7b81fbf003c84c001b1f99

SHA512
dd5b9c08b5cc2ad3761bf5fab59c9644fb7d1411833232b6f28372427188c10d4e2bc0a67f961daa3f8e17762edeba8c1b67bc4e1a092c6404728ce1aca6da7f

Download Submit
C:\Windows\System\qmtsdWJ.exe

Filesize
122KB

MD5
a64d51da1ebae77460e88fda2f8a7700

SHA1
13e4f7a572453292c56454bcfbb16a3ef98c79b7

SHA256
99b1bcd9aa5a5077313ba23c7ce61d80db20873700497943d38dc1421570c00c

SHA512
22a8f64ae63ebd5cd5eefb7e1a1716cd9779cefb55d79c60c75baaad6a99828e7275983c45514ef26abe8d9d6999df073c8f41a68c0a67042eb157dd60a7480b

Download Submit
C:\Windows\System\rdKPSAG.exe

Filesize
2.7MB

MD5
69b33eb3434539e20681a6c84413fcb6

SHA1
531d99b0f0ddf8afc1b14bd541e836fa761fd024

SHA256
19a588a8c0230c1fae62a58e5780869cb28ce0fe6cf91dcbdec5719dd4369ace

SHA512
c0002c79657e1fc33a002c27cda0f212c7f59f6d145e63dbea997f2a4be5b13eca55aa0fa19516606e1208b77e7f6286f0b1385a45ab65d9e94b6a72b9d9844f

Download Submit
C:\Windows\System\tuHTDAz.exe

Filesize
538KB

MD5
94d073a83fd32191fb4ecae62e109ed1

SHA1
95114d087612b6bac13333cb267caae4ad51a5b4

SHA256
49879af77abf6802c59c720a915b11a1e75578d3dbd8c3a15b46269ba3fe6f08

SHA512
6f060b0b98664441847cf5e781e9603c7a5d9be4e8df854987abc9f5003457d4572d52b471f71a2e75ac648cfbff6206f30f9b8b0364624a9aba915f7d01528b

Download Submit
C:\Windows\System\tuHTDAz.exe

Filesize
1.5MB

MD5
0a392e4ea806a9a47995ab003d3dc1ab

SHA1
4f231401c75c5fa77ed6068c52dafbd90b9177bd

SHA256
fee04b0d5fe5a2f531cfc662664d6ca363104a9ac5246d8d30a74be22840501e

SHA512
c2becc3fcb7e47c46e4ba82f6310fa1c8d7c8274ac4ea72380563f3b8c738025567b593d151d0530851b554d062ea0a53bc49a6977dbf2d4de62a6f2bd2532ae

Download Submit
C:\Windows\System\vOrPEcg.exe

Filesize
256KB

MD5
88378dfd338095457afd4118632d1638

SHA1
72d639166d2ac9e089c67c4d5d3bb9c469c4a91c

SHA256
fbf5e2889e8f26ed9fa194de059531318728f6b6119312a77d0520d7f69cc6c4

SHA512
9f8718a49cf1955035e70ee2f5bdfe60308ec4722eddfcb1d204c3a701c29fae45cde0aebe2898f85e9f0fc4d144489f9f4c7087f1985fd29f13673a09a0be55

Download Submit
C:\Windows\System\vOrPEcg.exe

Filesize
2.7MB

MD5
f99e7ad8609e028b287ce963c8e84016

SHA1
b5236ca2aa0131e959013ed0f6f3d82e9f3849c1

SHA256
c267bd8ed8de5cd3c0a00c20cc0dacc9c24ea930e3d81cbdcddb615db63671e8

SHA512
39e7147ee7c13ec647ee111625afbc3affc888def16bbf491c96f2661698306958d3f199a820e53b5e90222671748cf9d7cbe47171b1a02b93d3370a9f14cbb6

Download Submit
C:\Windows\System\vXVCTSu.exe

Filesize
2.7MB

MD5
b7593c969dc3c8f17c87527d2040aad6

SHA1
69f49efa3ff8eb691f05d4445b001ff526ebeb72

SHA256
c21a2f6c200350516148d051526a7aa4de732a13cf603ad678d4a10d5195919a

SHA512
e7c0828bc1de7c2d61f61fc890a0dc1c2303a6d67ef263d468334f248b0414d97ce37ecdcde70137cd2fcf7c9e031c9eea688501f8884d40c91815032c010779

Download Submit
C:\Windows\System\vXVCTSu.exe

Filesize
1.9MB

MD5
496d2bd61ef83dafc5ae018569c66626

SHA1
08d768ae4e449b4c13192830da69b2db86f994cd

SHA256
7d811886e790cc72f2bc49383947030b401416c0189617bb01c20dfb7ba47eb8

SHA512
127eeac7fc3182b6b2bb674f6cab06c885db9aed480252c35a02d43a1e39cfc2c76534ca135233946eb9c45b605a49ee464f8d4b1615cafaf2a0fbdb5e618c0d

Download Submit
C:\Windows\System\xIRieYV.exe

Filesize
1.5MB

MD5
9b7358e837ae24d3ab5b932735dae30a

SHA1
af94612cb7d925edca2a58c01083ffbde57ef883

SHA256
14f196243606c4034a39d5bca3cf244bcbcd3804313fab53aed131d7b460488a

SHA512
45d04a99684ad28924194126a62805d11d2c53447f17594015307fd9d129883975c3b78ae60fa713a50bad8ebd880e63d85179031a5f9ee722752a3f1c6a9b5a

Download Submit
C:\Windows\System\xIRieYV.exe

Filesize
1.1MB

MD5
474ec83c4fcf013d4a9954b3cafd7842

SHA1
9d353f9f28ea27271945d1697cf72cb9a16fe78c

SHA256
bb6a250074c2292f8c80ef4670286155dd8187dc9ff157941d753bc7018bfd2a

SHA512
f653762544a3a03b489b01f9e84ed34c2497c4c5489c48bd015dd67a1780ef99d62eb2629d54a15138f95583dd915c8a2eae92a32f093dfa2822f079f4beb0f8

Download Submit
C:\Windows\System\xkLiLFw.exe

Filesize
544KB

MD5
5970f1952dea7affd1c503214ceb34d7

SHA1
7939e31d05d552f51a6429d5708ab3e2912fbb4b

SHA256
26d5bde5989213edacb4a98abca4f5913488a513247a41204231e2dd6ea73d25

SHA512
ea2798e1fd2baf86a11eed40687deb17fe2070b0f37c5108910e9f1d61370a96bb22829655182fc8a27dd71916ae0c792efbb86c7466e46616eb0eafeb435bcd

Download Submit
C:\Windows\System\zCBXJGD.exe

Filesize
2.7MB

MD5
395f962f0b664cd119cac6a5e3d9e8d3

SHA1
b092483640dd36b1c57150cbafce9d140e6242fc

SHA256
880f09b43340cc06e78c9e42ab4b9b2ea2c5a3b17dfa667fdbe094baa259675d

SHA512
8545ea5121333636bf82000c5f56c6901648407e730453afb7a587df51a605a2c2ad794f502563ce700d4d46a3b4dda0452ed8f435ca8a2607160c1f955ab841

Download Submit
C:\Windows\System\zQnbDmi.exe

Filesize
2.7MB

MD5
1719af4df8377702d222874bcb06d9e1

SHA1
6872d002e3023aa2fe5f58a0a8433de16b464a25

SHA256
19cff1bbe1ccab04db4f6ed4fcd19dbbdc6f8739fb37878204f49e96a0415919

SHA512
3e143fed4dd00ff6f8565833d23ff1f5820d610ec44441a5d3277fdc5dd5dec3a81d16fd69d483396292b74753d3647508feea59ac949b862e4e6e93544091fd

Download Submit
memory/8-306-0x00007FF6C9BD0000-0x00007FF6C9FC6000-memory.dmp

Filesize
4.0MB

Download
memory/724-130-0x00007FF795210000-0x00007FF795606000-memory.dmp

Filesize
4.0MB

Download
memory/816-261-0x00007FF708C20000-0x00007FF709016000-memory.dmp

Filesize
4.0MB

Download
memory/964-159-0x00007FF6AAF60000-0x00007FF6AB356000-memory.dmp

Filesize
4.0MB

Download
memory/1212-29-0x00007FF7538E0000-0x00007FF753CD6000-memory.dmp

Filesize
4.0MB

Download
memory/1288-268-0x00007FF73E790000-0x00007FF73EB86000-memory.dmp

Filesize
4.0MB

Download
memory/1324-129-0x00007FF77EC60000-0x00007FF77F056000-memory.dmp

Filesize
4.0MB

Download
memory/1332-53-0x00007FF6ADB20000-0x00007FF6ADF16000-memory.dmp

Filesize
4.0MB

Download
memory/1424-58-0x00007FF737740000-0x00007FF737B36000-memory.dmp

Filesize
4.0MB

Download
memory/1456-340-0x00007FF7C4710000-0x00007FF7C4B06000-memory.dmp

Filesize
4.0MB

Download
memory/1672-229-0x00007FF7804C0000-0x00007FF7808B6000-memory.dmp

Filesize
4.0MB

Download
memory/1776-210-0x00007FF7AAAA0000-0x00007FF7AAE96000-memory.dmp

Filesize
4.0MB

Download
memory/1820-114-0x00007FF757570000-0x00007FF757966000-memory.dmp

Filesize
4.0MB

Download
memory/1856-117-0x00007FF6B4B50000-0x00007FF6B4F46000-memory.dmp

Filesize
4.0MB

Download
memory/2084-360-0x00007FF6B20A0000-0x00007FF6B2496000-memory.dmp

Filesize
4.0MB

Download
memory/2324-251-0x00007FF6E6A10000-0x00007FF6E6E06000-memory.dmp

Filesize
4.0MB

Download
memory/2356-258-0x00007FF7F1260000-0x00007FF7F1656000-memory.dmp

Filesize
4.0MB

Download
memory/2368-207-0x00007FF6BEAE0000-0x00007FF6BEED6000-memory.dmp

Filesize
4.0MB

Download
memory/2584-356-0x00007FF6E14E0000-0x00007FF6E18D6000-memory.dmp

Filesize
4.0MB

Download
memory/2688-428-0x00007FF7EBED0000-0x00007FF7EC2C6000-memory.dmp

Filesize
4.0MB

Download
memory/2836-299-0x00007FF6E1420000-0x00007FF6E1816000-memory.dmp

Filesize
4.0MB

Download
memory/2928-90-0x00007FF7AEF30000-0x00007FF7AF326000-memory.dmp

Filesize
4.0MB

Download
memory/3060-309-0x00007FF602910000-0x00007FF602D06000-memory.dmp

Filesize
4.0MB

Download
memory/3100-169-0x00007FF721530000-0x00007FF721926000-memory.dmp

Filesize
4.0MB

Download
memory/3144-193-0x00007FF6A3340000-0x00007FF6A3736000-memory.dmp

Filesize
4.0MB

Download
memory/3160-0-0x00007FF7D73E0000-0x00007FF7D77D6000-memory.dmp

Filesize
4.0MB

Download
memory/3160-1-0x000002553CD60000-0x000002553CD70000-memory.dmp

Filesize
64KB

Download
memory/3176-431-0x00007FF712CB0000-0x00007FF7130A6000-memory.dmp

Filesize
4.0MB

Download
memory/3204-85-0x00007FF67C200000-0x00007FF67C5F6000-memory.dmp

Filesize
4.0MB

Download
memory/3268-442-0x00007FF6F0F60000-0x00007FF6F1356000-memory.dmp

Filesize
4.0MB

Download
memory/3300-404-0x00007FF7A0B50000-0x00007FF7A0F46000-memory.dmp

Filesize
4.0MB

Download
memory/3312-86-0x00007FF7166A0000-0x00007FF716A96000-memory.dmp

Filesize
4.0MB

Download
memory/3500-323-0x00007FF792B70000-0x00007FF792F66000-memory.dmp

Filesize
4.0MB

Download
memory/3512-395-0x00007FF786E00000-0x00007FF7871F6000-memory.dmp

Filesize
4.0MB

Download
memory/3748-413-0x00007FF7DF9B0000-0x00007FF7DFDA6000-memory.dmp

Filesize
4.0MB

Download
memory/3764-89-0x00007FF6AA440000-0x00007FF6AA836000-memory.dmp

Filesize
4.0MB

Download
memory/3768-39-0x00007FF73E260000-0x00007FF73E656000-memory.dmp

Filesize
4.0MB

Download
memory/3804-126-0x00007FF62C440000-0x00007FF62C836000-memory.dmp

Filesize
4.0MB

Download
memory/3852-87-0x00007FF775420000-0x00007FF775816000-memory.dmp

Filesize
4.0MB

Download
memory/4028-287-0x00007FF696200000-0x00007FF6965F6000-memory.dmp

Filesize
4.0MB

Download
memory/4064-104-0x00007FF767370000-0x00007FF767766000-memory.dmp

Filesize
4.0MB

Download
memory/4076-366-0x00007FF75D0D0000-0x00007FF75D4C6000-memory.dmp

Filesize
4.0MB

Download
memory/4116-151-0x00007FF7EEB30000-0x00007FF7EEF26000-memory.dmp

Filesize
4.0MB

Download
memory/4124-13-0x00007FF7CB860000-0x00007FF7CBC56000-memory.dmp

Filesize
4.0MB

Download
memory/4224-277-0x00007FF652470000-0x00007FF652866000-memory.dmp

Filesize
4.0MB

Download
memory/4232-88-0x00007FF63E8A0000-0x00007FF63EC96000-memory.dmp

Filesize
4.0MB

Download
memory/4292-18-0x00007FF7C04C0000-0x00007FF7C08B6000-memory.dmp

Filesize
4.0MB

Download
memory/4344-244-0x00007FF615800000-0x00007FF615BF6000-memory.dmp

Filesize
4.0MB

Download
memory/4392-227-0x00007FF7599D0000-0x00007FF759DC6000-memory.dmp

Filesize
4.0MB

Download
memory/4468-101-0x00007FF851B30000-0x00007FF8525F1000-memory.dmp

Filesize
10.8MB

Download
memory/4468-63-0x000002B1F4300000-0x000002B1F4310000-memory.dmp

Filesize
64KB

Download
memory/4468-115-0x000002B1F4DF0000-0x000002B1F4E12000-memory.dmp

Filesize
136KB

Download
memory/4468-380-0x000002B1F5940000-0x000002B1F60E6000-memory.dmp

Filesize
7.6MB

Download
memory/4468-69-0x000002B1F4300000-0x000002B1F4310000-memory.dmp

Filesize
64KB

Download
memory/4496-224-0x00007FF6A2620000-0x00007FF6A2A16000-memory.dmp

Filesize
4.0MB

Download
memory/4728-392-0x00007FF7F4510000-0x00007FF7F4906000-memory.dmp

Filesize
4.0MB

Download
memory/4736-23-0x00007FF75EEE0000-0x00007FF75F2D6000-memory.dmp

Filesize
4.0MB

Download
memory/4776-319-0x00007FF617ED0000-0x00007FF6182C6000-memory.dmp

Filesize
4.0MB

Download
memory/4784-122-0x00007FF638400000-0x00007FF6387F6000-memory.dmp

Filesize
4.0MB

Download
memory/4804-216-0x00007FF705C20000-0x00007FF706016000-memory.dmp

Filesize
4.0MB

Download
memory/4828-241-0x00007FF747810000-0x00007FF747C06000-memory.dmp

Filesize
4.0MB

Download
memory/4836-383-0x00007FF669210000-0x00007FF669606000-memory.dmp

Filesize
4.0MB

Download
memory/4844-237-0x00007FF7E14D0000-0x00007FF7E18C6000-memory.dmp

Filesize
4.0MB

Download
memory/4852-443-0x00007FF60A460000-0x00007FF60A856000-memory.dmp

Filesize
4.0MB

Download
memory/5076-421-0x00007FF676090000-0x00007FF676486000-memory.dmp

Filesize
4.0MB

Download