xmrig | 96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 00:08 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
Size

1.5MB
MD5

41450cbd14921c345ee9d32c5500d32d
SHA1

eae74a50ff0202aa0fa93f683139bd7acd6f291a
SHA256

96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0
SHA512

7038f9ac2aafe3bca6fe8976007aaa51f298b916211c9a4a0e2a0f7c31f449da173ffedc5b06aafc7b4e66377541172cdc05062cebfb3db89ad6bbd1f288323c
SSDEEP

24576:RVIl/WDGCi7/qkatXBF6727ZvhwoVzBhgOX1cysFOP0qdrOZtpwfMwKvd+khDeYG:ROdWCCi7/rahFxxXgA5Bc+QvdL5KrN

Score

10^/10

xmrig miner upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 10928 created 13472	10928	WerFaultSecure.exe	692

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/4836-0-0x00007FF76E1A0000-0x00007FF76E4F1000-memory.dmp	UPX
behavioral2/files/0x000b000000023214-5.dat	UPX
behavioral2/memory/4816-8-0x00007FF7FF7E0000-0x00007FF7FFB31000-memory.dmp	UPX
behavioral2/files/0x000700000002323e-11.dat	UPX
behavioral2/files/0x000700000002323f-16.dat	UPX
behavioral2/memory/3836-15-0x00007FF73B8B0000-0x00007FF73BC01000-memory.dmp	UPX
behavioral2/files/0x0007000000023240-23.dat	UPX
behavioral2/memory/1796-20-0x00007FF652C40000-0x00007FF652F91000-memory.dmp	UPX
behavioral2/files/0x000800000002323b-29.dat	UPX
behavioral2/memory/1548-32-0x00007FF761A20000-0x00007FF761D71000-memory.dmp	UPX
behavioral2/memory/2408-26-0x00007FF738B30000-0x00007FF738E81000-memory.dmp	UPX
behavioral2/files/0x0007000000023241-35.dat	UPX
behavioral2/files/0x0007000000023242-42.dat	UPX
behavioral2/files/0x0007000000023244-48.dat	UPX
behavioral2/files/0x0007000000023243-52.dat	UPX
behavioral2/memory/1256-56-0x00007FF61D7D0000-0x00007FF61DB21000-memory.dmp	UPX
behavioral2/files/0x0007000000023246-60.dat	UPX
behavioral2/memory/4056-62-0x00007FF6C4710000-0x00007FF6C4A61000-memory.dmp	UPX
behavioral2/memory/3816-66-0x00007FF6B49F0000-0x00007FF6B4D41000-memory.dmp	UPX
behavioral2/files/0x0007000000023245-68.dat	UPX
behavioral2/files/0x0007000000023247-72.dat	UPX
behavioral2/memory/4132-57-0x00007FF680AE0000-0x00007FF680E31000-memory.dmp	UPX
behavioral2/memory/1724-49-0x00007FF74F080000-0x00007FF74F3D1000-memory.dmp	UPX
behavioral2/files/0x0007000000023248-80.dat	UPX
behavioral2/files/0x000700000002324a-86.dat	UPX
behavioral2/files/0x0007000000023249-82.dat	UPX
behavioral2/memory/3468-47-0x00007FF6CCCE0000-0x00007FF6CD031000-memory.dmp	UPX
behavioral2/files/0x000700000002324b-91.dat	UPX
behavioral2/files/0x000700000002324c-96.dat	UPX
behavioral2/files/0x000700000002324d-102.dat	UPX
behavioral2/files/0x000700000002324f-111.dat	UPX
behavioral2/files/0x0007000000023251-122.dat	UPX
behavioral2/files/0x0007000000023252-127.dat	UPX
behavioral2/files/0x0007000000023253-132.dat	UPX
behavioral2/files/0x0007000000023257-152.dat	UPX
behavioral2/files/0x0007000000023258-160.dat	UPX
behavioral2/memory/4836-247-0x00007FF76E1A0000-0x00007FF76E4F1000-memory.dmp	UPX
behavioral2/memory/3852-249-0x00007FF69E400000-0x00007FF69E751000-memory.dmp	UPX
behavioral2/memory/1248-259-0x00007FF67C420000-0x00007FF67C771000-memory.dmp	UPX
behavioral2/memory/1928-260-0x00007FF63BA40000-0x00007FF63BD91000-memory.dmp	UPX
behavioral2/memory/1408-263-0x00007FF68D420000-0x00007FF68D771000-memory.dmp	UPX
behavioral2/memory/2440-265-0x00007FF6184A0000-0x00007FF6187F1000-memory.dmp	UPX
behavioral2/memory/4180-270-0x00007FF6BAFE0000-0x00007FF6BB331000-memory.dmp	UPX
behavioral2/memory/4396-272-0x00007FF69AEA0000-0x00007FF69B1F1000-memory.dmp	UPX
behavioral2/memory/1244-274-0x00007FF7D91C0000-0x00007FF7D9511000-memory.dmp	UPX
behavioral2/memory/3668-273-0x00007FF6BD650000-0x00007FF6BD9A1000-memory.dmp	UPX
behavioral2/memory/3644-277-0x00007FF68C260000-0x00007FF68C5B1000-memory.dmp	UPX
behavioral2/memory/3356-271-0x00007FF739120000-0x00007FF739471000-memory.dmp	UPX
behavioral2/memory/1768-279-0x00007FF754560000-0x00007FF7548B1000-memory.dmp	UPX
behavioral2/memory/2900-269-0x00007FF61EC60000-0x00007FF61EFB1000-memory.dmp	UPX
behavioral2/memory/2044-262-0x00007FF6C4290000-0x00007FF6C45E1000-memory.dmp	UPX
behavioral2/memory/2016-261-0x00007FF609270000-0x00007FF6095C1000-memory.dmp	UPX
behavioral2/memory/5068-254-0x00007FF7E0D20000-0x00007FF7E1071000-memory.dmp	UPX
behavioral2/files/0x000700000002325b-172.dat	UPX
behavioral2/files/0x000700000002325a-167.dat	UPX
behavioral2/files/0x0007000000023259-162.dat	UPX
behavioral2/files/0x0007000000023256-147.dat	UPX
behavioral2/files/0x0007000000023255-144.dat	UPX
behavioral2/files/0x0007000000023254-140.dat	UPX
behavioral2/files/0x0007000000023250-120.dat	UPX
behavioral2/memory/740-287-0x00007FF7C2D80000-0x00007FF7C30D1000-memory.dmp	UPX
behavioral2/files/0x000700000002324e-107.dat	UPX
behavioral2/memory/3684-309-0x00007FF600180000-0x00007FF6004D1000-memory.dmp	UPX
behavioral2/memory/4816-802-0x00007FF7FF7E0000-0x00007FF7FFB31000-memory.dmp	UPX

XMRig Miner payload 53 IoCs

miner

resource	yara_rule
behavioral2/memory/4816-8-0x00007FF7FF7E0000-0x00007FF7FFB31000-memory.dmp	xmrig
behavioral2/memory/1548-32-0x00007FF761A20000-0x00007FF761D71000-memory.dmp	xmrig
behavioral2/memory/2408-26-0x00007FF738B30000-0x00007FF738E81000-memory.dmp	xmrig
behavioral2/memory/4132-57-0x00007FF680AE0000-0x00007FF680E31000-memory.dmp	xmrig
behavioral2/memory/4836-247-0x00007FF76E1A0000-0x00007FF76E4F1000-memory.dmp	xmrig
behavioral2/memory/3852-249-0x00007FF69E400000-0x00007FF69E751000-memory.dmp	xmrig
behavioral2/memory/1248-259-0x00007FF67C420000-0x00007FF67C771000-memory.dmp	xmrig
behavioral2/memory/1928-260-0x00007FF63BA40000-0x00007FF63BD91000-memory.dmp	xmrig
behavioral2/memory/1408-263-0x00007FF68D420000-0x00007FF68D771000-memory.dmp	xmrig
behavioral2/memory/2440-265-0x00007FF6184A0000-0x00007FF6187F1000-memory.dmp	xmrig
behavioral2/memory/4180-270-0x00007FF6BAFE0000-0x00007FF6BB331000-memory.dmp	xmrig
behavioral2/memory/4396-272-0x00007FF69AEA0000-0x00007FF69B1F1000-memory.dmp	xmrig
behavioral2/memory/1244-274-0x00007FF7D91C0000-0x00007FF7D9511000-memory.dmp	xmrig
behavioral2/memory/3668-273-0x00007FF6BD650000-0x00007FF6BD9A1000-memory.dmp	xmrig
behavioral2/memory/3644-277-0x00007FF68C260000-0x00007FF68C5B1000-memory.dmp	xmrig
behavioral2/memory/3356-271-0x00007FF739120000-0x00007FF739471000-memory.dmp	xmrig
behavioral2/memory/1768-279-0x00007FF754560000-0x00007FF7548B1000-memory.dmp	xmrig
behavioral2/memory/2900-269-0x00007FF61EC60000-0x00007FF61EFB1000-memory.dmp	xmrig
behavioral2/memory/2044-262-0x00007FF6C4290000-0x00007FF6C45E1000-memory.dmp	xmrig
behavioral2/memory/2016-261-0x00007FF609270000-0x00007FF6095C1000-memory.dmp	xmrig
behavioral2/memory/5068-254-0x00007FF7E0D20000-0x00007FF7E1071000-memory.dmp	xmrig
behavioral2/memory/740-287-0x00007FF7C2D80000-0x00007FF7C30D1000-memory.dmp	xmrig
behavioral2/memory/3684-309-0x00007FF600180000-0x00007FF6004D1000-memory.dmp	xmrig
behavioral2/memory/4816-802-0x00007FF7FF7E0000-0x00007FF7FFB31000-memory.dmp	xmrig
behavioral2/memory/4816-2088-0x00007FF7FF7E0000-0x00007FF7FFB31000-memory.dmp	xmrig
behavioral2/memory/3836-2090-0x00007FF73B8B0000-0x00007FF73BC01000-memory.dmp	xmrig
behavioral2/memory/1796-2092-0x00007FF652C40000-0x00007FF652F91000-memory.dmp	xmrig
behavioral2/memory/2408-2094-0x00007FF738B30000-0x00007FF738E81000-memory.dmp	xmrig
behavioral2/memory/1548-2097-0x00007FF761A20000-0x00007FF761D71000-memory.dmp	xmrig
behavioral2/memory/3468-2101-0x00007FF6CCCE0000-0x00007FF6CD031000-memory.dmp	xmrig
behavioral2/memory/4132-2117-0x00007FF680AE0000-0x00007FF680E31000-memory.dmp	xmrig
behavioral2/memory/4056-2131-0x00007FF6C4710000-0x00007FF6C4A61000-memory.dmp	xmrig
behavioral2/memory/3852-2141-0x00007FF69E400000-0x00007FF69E751000-memory.dmp	xmrig
behavioral2/memory/3816-2139-0x00007FF6B49F0000-0x00007FF6B4D41000-memory.dmp	xmrig
behavioral2/memory/1256-2123-0x00007FF61D7D0000-0x00007FF61DB21000-memory.dmp	xmrig
behavioral2/memory/1724-2113-0x00007FF74F080000-0x00007FF74F3D1000-memory.dmp	xmrig
behavioral2/memory/1248-2178-0x00007FF67C420000-0x00007FF67C771000-memory.dmp	xmrig
behavioral2/memory/5068-2179-0x00007FF7E0D20000-0x00007FF7E1071000-memory.dmp	xmrig
behavioral2/memory/1928-2190-0x00007FF63BA40000-0x00007FF63BD91000-memory.dmp	xmrig
behavioral2/memory/2016-2210-0x00007FF609270000-0x00007FF6095C1000-memory.dmp	xmrig
behavioral2/memory/2044-2226-0x00007FF6C4290000-0x00007FF6C45E1000-memory.dmp	xmrig
behavioral2/memory/2900-2228-0x00007FF61EC60000-0x00007FF61EFB1000-memory.dmp	xmrig
behavioral2/memory/3356-2247-0x00007FF739120000-0x00007FF739471000-memory.dmp	xmrig
behavioral2/memory/4180-2246-0x00007FF6BAFE0000-0x00007FF6BB331000-memory.dmp	xmrig
behavioral2/memory/4396-2256-0x00007FF69AEA0000-0x00007FF69B1F1000-memory.dmp	xmrig
behavioral2/memory/1408-2236-0x00007FF68D420000-0x00007FF68D771000-memory.dmp	xmrig
behavioral2/memory/2440-2243-0x00007FF6184A0000-0x00007FF6187F1000-memory.dmp	xmrig
behavioral2/memory/3668-2258-0x00007FF6BD650000-0x00007FF6BD9A1000-memory.dmp	xmrig
behavioral2/memory/1244-2291-0x00007FF7D91C0000-0x00007FF7D9511000-memory.dmp	xmrig
behavioral2/memory/740-2292-0x00007FF7C2D80000-0x00007FF7C30D1000-memory.dmp	xmrig
behavioral2/memory/3644-2290-0x00007FF68C260000-0x00007FF68C5B1000-memory.dmp	xmrig
behavioral2/memory/1768-2288-0x00007FF754560000-0x00007FF7548B1000-memory.dmp	xmrig
behavioral2/memory/3684-2287-0x00007FF600180000-0x00007FF6004D1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4816	CJoWZec.exe
3836	bBtOEUB.exe
1796	miQLgHN.exe
2408	cmpFeBd.exe
1548	LUnfioM.exe
3468	YtQJycj.exe
1724	bfXrNGH.exe
1256	udnuhkn.exe
4132	NcDMFfP.exe
4056	CvvBirN.exe
3816	zVMalGf.exe
3852	rTIRGvg.exe
5068	xMvssRa.exe
1248	UUUBVUI.exe
1928	BpOZokO.exe
2016	ztcWpIi.exe
2044	IUhOQzd.exe
1408	WduttEo.exe
2440	BAXfJmS.exe
2900	IbiOCLk.exe
4180	tbTNuFQ.exe
3356	PECeAJp.exe
4396	nvVTQir.exe
3668	xTtOEvG.exe
1244	frDjzhs.exe
3644	KzJipCh.exe
1768	BciORpT.exe
740	BcJserb.exe
3684	iEncKcz.exe
2088	nlxixJG.exe
4920	gkOpalG.exe
3012	ZpNyVTa.exe
388	PJYchYZ.exe
2412	jOJlVxu.exe
2792	BbvRiMz.exe
4296	ojGfSgY.exe
4268	WCBylWe.exe
4020	xkwlaRf.exe
5116	xIHmyhg.exe
2356	SpmvYTC.exe
944	LLKOsBD.exe
864	flDdSTA.exe
2100	sjCyAVo.exe
4212	nDMNZlG.exe
2832	VVmWIpO.exe
2180	TMKnIry.exe
3516	zXWFwgT.exe
1676	LdOHMFi.exe
3628	qvHrrVD.exe
4216	pZHhlMF.exe
3792	gGYkEUI.exe
836	nVhgSzF.exe
1484	dOUbIpl.exe
4676	KrcxPeq.exe
3696	nCrfRHB.exe
4144	XjkAamy.exe
1212	hemdwnf.exe
2632	gDTPlEE.exe
872	ajFYCxQ.exe
3660	QcURFgA.exe
2604	ktLjaUD.exe
3932	kTNpMGa.exe
2644	DpUxUdw.exe
4988	bbUBEZL.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4836-0-0x00007FF76E1A0000-0x00007FF76E4F1000-memory.dmp	upx
behavioral2/files/0x000b000000023214-5.dat	upx
behavioral2/memory/4816-8-0x00007FF7FF7E0000-0x00007FF7FFB31000-memory.dmp	upx
behavioral2/files/0x000700000002323e-11.dat	upx
behavioral2/files/0x000700000002323f-16.dat	upx
behavioral2/memory/3836-15-0x00007FF73B8B0000-0x00007FF73BC01000-memory.dmp	upx
behavioral2/files/0x0007000000023240-23.dat	upx
behavioral2/memory/1796-20-0x00007FF652C40000-0x00007FF652F91000-memory.dmp	upx
behavioral2/files/0x000800000002323b-29.dat	upx
behavioral2/memory/1548-32-0x00007FF761A20000-0x00007FF761D71000-memory.dmp	upx
behavioral2/memory/2408-26-0x00007FF738B30000-0x00007FF738E81000-memory.dmp	upx
behavioral2/files/0x0007000000023241-35.dat	upx
behavioral2/files/0x0007000000023242-42.dat	upx
behavioral2/files/0x0007000000023244-48.dat	upx
behavioral2/files/0x0007000000023243-52.dat	upx
behavioral2/memory/1256-56-0x00007FF61D7D0000-0x00007FF61DB21000-memory.dmp	upx
behavioral2/files/0x0007000000023246-60.dat	upx
behavioral2/memory/4056-62-0x00007FF6C4710000-0x00007FF6C4A61000-memory.dmp	upx
behavioral2/memory/3816-66-0x00007FF6B49F0000-0x00007FF6B4D41000-memory.dmp	upx
behavioral2/files/0x0007000000023245-68.dat	upx
behavioral2/files/0x0007000000023247-72.dat	upx
behavioral2/memory/4132-57-0x00007FF680AE0000-0x00007FF680E31000-memory.dmp	upx
behavioral2/memory/1724-49-0x00007FF74F080000-0x00007FF74F3D1000-memory.dmp	upx
behavioral2/files/0x0007000000023248-80.dat	upx
behavioral2/files/0x000700000002324a-86.dat	upx
behavioral2/files/0x0007000000023249-82.dat	upx
behavioral2/memory/3468-47-0x00007FF6CCCE0000-0x00007FF6CD031000-memory.dmp	upx
behavioral2/files/0x000700000002324b-91.dat	upx
behavioral2/files/0x000700000002324c-96.dat	upx
behavioral2/files/0x000700000002324d-102.dat	upx
behavioral2/files/0x000700000002324f-111.dat	upx
behavioral2/files/0x0007000000023251-122.dat	upx
behavioral2/files/0x0007000000023252-127.dat	upx
behavioral2/files/0x0007000000023253-132.dat	upx
behavioral2/files/0x0007000000023257-152.dat	upx
behavioral2/files/0x0007000000023258-160.dat	upx
behavioral2/memory/4836-247-0x00007FF76E1A0000-0x00007FF76E4F1000-memory.dmp	upx
behavioral2/memory/3852-249-0x00007FF69E400000-0x00007FF69E751000-memory.dmp	upx
behavioral2/memory/1248-259-0x00007FF67C420000-0x00007FF67C771000-memory.dmp	upx
behavioral2/memory/1928-260-0x00007FF63BA40000-0x00007FF63BD91000-memory.dmp	upx
behavioral2/memory/1408-263-0x00007FF68D420000-0x00007FF68D771000-memory.dmp	upx
behavioral2/memory/2440-265-0x00007FF6184A0000-0x00007FF6187F1000-memory.dmp	upx
behavioral2/memory/4180-270-0x00007FF6BAFE0000-0x00007FF6BB331000-memory.dmp	upx
behavioral2/memory/4396-272-0x00007FF69AEA0000-0x00007FF69B1F1000-memory.dmp	upx
behavioral2/memory/1244-274-0x00007FF7D91C0000-0x00007FF7D9511000-memory.dmp	upx
behavioral2/memory/3668-273-0x00007FF6BD650000-0x00007FF6BD9A1000-memory.dmp	upx
behavioral2/memory/3644-277-0x00007FF68C260000-0x00007FF68C5B1000-memory.dmp	upx
behavioral2/memory/3356-271-0x00007FF739120000-0x00007FF739471000-memory.dmp	upx
behavioral2/memory/1768-279-0x00007FF754560000-0x00007FF7548B1000-memory.dmp	upx
behavioral2/memory/2900-269-0x00007FF61EC60000-0x00007FF61EFB1000-memory.dmp	upx
behavioral2/memory/2044-262-0x00007FF6C4290000-0x00007FF6C45E1000-memory.dmp	upx
behavioral2/memory/2016-261-0x00007FF609270000-0x00007FF6095C1000-memory.dmp	upx
behavioral2/memory/5068-254-0x00007FF7E0D20000-0x00007FF7E1071000-memory.dmp	upx
behavioral2/files/0x000700000002325b-172.dat	upx
behavioral2/files/0x000700000002325a-167.dat	upx
behavioral2/files/0x0007000000023259-162.dat	upx
behavioral2/files/0x0007000000023256-147.dat	upx
behavioral2/files/0x0007000000023255-144.dat	upx
behavioral2/files/0x0007000000023254-140.dat	upx
behavioral2/files/0x0007000000023250-120.dat	upx
behavioral2/memory/740-287-0x00007FF7C2D80000-0x00007FF7C30D1000-memory.dmp	upx
behavioral2/files/0x000700000002324e-107.dat	upx
behavioral2/memory/3684-309-0x00007FF600180000-0x00007FF6004D1000-memory.dmp	upx
behavioral2/memory/4816-802-0x00007FF7FF7E0000-0x00007FF7FFB31000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\OkiArhg.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\AkzWDTf.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\KEAnPsM.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\RIVbtiP.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\veOivKo.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\sCnuGta.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\urxletf.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\IdDSttm.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\IzxOBdH.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\hLLZlir.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\UBqTMiy.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\dqOEosC.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\TtwKGPo.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\xTtOEvG.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\rFhnpeF.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\XiYpepY.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\ZTCybNf.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\JiVKjUO.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\sNavSCB.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\okFxMYn.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\LvNhxTH.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\vuZdFfD.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\dUjSAfE.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\KzfssRm.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\YdBJJck.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\ieKZCHn.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\rENYqdd.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\XjkAamy.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\OPFcXpj.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\Dajjnmu.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\BvUBVEb.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\AgruCSB.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\XmwQYVp.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\dQpMPfN.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\BsGCYdt.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\BQhkovb.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\AjRCssW.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\sCDxFbV.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\KzJipCh.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\pOVTlEu.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\JAiHNek.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\LLKOsBD.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\YeKYHFj.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\tRHBpMW.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\UIPACfV.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\awSOnHA.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\LGMFpwH.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\WQEczoF.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\rYHZYMc.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\ROayHmu.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\XjLhvOG.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\OQWGjcr.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\USYGauS.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\JzmVMac.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\CNGEmOh.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\uIJhYhG.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\TEfbGoP.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\NrHoxIA.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\siRwnOB.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\crfMEyW.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\AqEJRVf.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\fFTVfld.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\UPlMhSS.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
File created	C:\Windows\System\RKcaOpo.exe	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFaultSecure.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFaultSecure.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5176	WerFaultSecure.exe
5176	WerFaultSecure.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 4816	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	91
PID 4836 wrote to memory of 4816	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	91
PID 4836 wrote to memory of 3836	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	92
PID 4836 wrote to memory of 3836	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	92
PID 4836 wrote to memory of 1796	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	93
PID 4836 wrote to memory of 1796	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	93
PID 4836 wrote to memory of 2408	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	94
PID 4836 wrote to memory of 2408	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	94
PID 4836 wrote to memory of 1548	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	95
PID 4836 wrote to memory of 1548	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	95
PID 4836 wrote to memory of 3468	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	96
PID 4836 wrote to memory of 3468	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	96
PID 4836 wrote to memory of 1724	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	97
PID 4836 wrote to memory of 1724	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	97
PID 4836 wrote to memory of 1256	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	98
PID 4836 wrote to memory of 1256	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	98
PID 4836 wrote to memory of 4132	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	99
PID 4836 wrote to memory of 4132	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	99
PID 4836 wrote to memory of 3816	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	100
PID 4836 wrote to memory of 3816	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	100
PID 4836 wrote to memory of 4056	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	101
PID 4836 wrote to memory of 4056	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	101
PID 4836 wrote to memory of 3852	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	102
PID 4836 wrote to memory of 3852	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	102
PID 4836 wrote to memory of 5068	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	103
PID 4836 wrote to memory of 5068	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	103
PID 4836 wrote to memory of 1248	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	104
PID 4836 wrote to memory of 1248	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	104
PID 4836 wrote to memory of 1928	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	105
PID 4836 wrote to memory of 1928	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	105
PID 4836 wrote to memory of 2016	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	106
PID 4836 wrote to memory of 2016	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	106
PID 4836 wrote to memory of 2044	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	107
PID 4836 wrote to memory of 2044	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	107
PID 4836 wrote to memory of 1408	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	108
PID 4836 wrote to memory of 1408	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	108
PID 4836 wrote to memory of 2440	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	109
PID 4836 wrote to memory of 2440	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	109
PID 4836 wrote to memory of 2900	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	110
PID 4836 wrote to memory of 2900	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	110
PID 4836 wrote to memory of 4180	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	111
PID 4836 wrote to memory of 4180	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	111
PID 4836 wrote to memory of 3356	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	112
PID 4836 wrote to memory of 3356	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	112
PID 4836 wrote to memory of 4396	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	113
PID 4836 wrote to memory of 4396	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	113
PID 4836 wrote to memory of 3668	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	114
PID 4836 wrote to memory of 3668	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	114
PID 4836 wrote to memory of 1244	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	115
PID 4836 wrote to memory of 1244	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	115
PID 4836 wrote to memory of 3644	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	116
PID 4836 wrote to memory of 3644	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	116
PID 4836 wrote to memory of 1768	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	117
PID 4836 wrote to memory of 1768	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	117
PID 4836 wrote to memory of 740	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	118
PID 4836 wrote to memory of 740	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	118
PID 4836 wrote to memory of 3684	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	119
PID 4836 wrote to memory of 3684	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	119
PID 4836 wrote to memory of 2088	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	120
PID 4836 wrote to memory of 2088	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	120
PID 4836 wrote to memory of 4920	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	121
PID 4836 wrote to memory of 4920	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	121
PID 4836 wrote to memory of 3012	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	122
PID 4836 wrote to memory of 3012	4836	96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe	122

C:\Users\Admin\AppData\Local\Temp\96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe
"C:\Users\Admin\AppData\Local\Temp\96841da7858ce7d46e12f4bcaa655b21d6997dbd1242d7dc493f2b13465ccaf0.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\System\CJoWZec.exe
  C:\Windows\System\CJoWZec.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System\bBtOEUB.exe
  C:\Windows\System\bBtOEUB.exe
  2⤵
  - Executes dropped EXE
  PID:3836
- C:\Windows\System\miQLgHN.exe
  C:\Windows\System\miQLgHN.exe
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\System\cmpFeBd.exe
  C:\Windows\System\cmpFeBd.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System\LUnfioM.exe
  C:\Windows\System\LUnfioM.exe
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\System\YtQJycj.exe
  C:\Windows\System\YtQJycj.exe
  2⤵
  - Executes dropped EXE
  PID:3468
- C:\Windows\System\bfXrNGH.exe
  C:\Windows\System\bfXrNGH.exe
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\System\udnuhkn.exe
  C:\Windows\System\udnuhkn.exe
  2⤵
  - Executes dropped EXE
  PID:1256
- C:\Windows\System\NcDMFfP.exe
  C:\Windows\System\NcDMFfP.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System\zVMalGf.exe
  C:\Windows\System\zVMalGf.exe
  2⤵
  - Executes dropped EXE
  PID:3816
- C:\Windows\System\CvvBirN.exe
  C:\Windows\System\CvvBirN.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System\rTIRGvg.exe
  C:\Windows\System\rTIRGvg.exe
  2⤵
  - Executes dropped EXE
  PID:3852
- C:\Windows\System\xMvssRa.exe
  C:\Windows\System\xMvssRa.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\UUUBVUI.exe
  C:\Windows\System\UUUBVUI.exe
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\System\BpOZokO.exe
  C:\Windows\System\BpOZokO.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System\ztcWpIi.exe
  C:\Windows\System\ztcWpIi.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System\IUhOQzd.exe
  C:\Windows\System\IUhOQzd.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System\WduttEo.exe
  C:\Windows\System\WduttEo.exe
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\System\BAXfJmS.exe
  C:\Windows\System\BAXfJmS.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System\IbiOCLk.exe
  C:\Windows\System\IbiOCLk.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System\tbTNuFQ.exe
  C:\Windows\System\tbTNuFQ.exe
  2⤵
  - Executes dropped EXE
  PID:4180
- C:\Windows\System\PECeAJp.exe
  C:\Windows\System\PECeAJp.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System\nvVTQir.exe
  C:\Windows\System\nvVTQir.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System\xTtOEvG.exe
  C:\Windows\System\xTtOEvG.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System\frDjzhs.exe
  C:\Windows\System\frDjzhs.exe
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\System\KzJipCh.exe
  C:\Windows\System\KzJipCh.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System\BciORpT.exe
  C:\Windows\System\BciORpT.exe
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\System\BcJserb.exe
  C:\Windows\System\BcJserb.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System\iEncKcz.exe
  C:\Windows\System\iEncKcz.exe
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Windows\System\nlxixJG.exe
  C:\Windows\System\nlxixJG.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\gkOpalG.exe
  C:\Windows\System\gkOpalG.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System\ZpNyVTa.exe
  C:\Windows\System\ZpNyVTa.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\System\PJYchYZ.exe
  C:\Windows\System\PJYchYZ.exe
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Windows\System\jOJlVxu.exe
  C:\Windows\System\jOJlVxu.exe
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\System\BbvRiMz.exe
  C:\Windows\System\BbvRiMz.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\ojGfSgY.exe
  C:\Windows\System\ojGfSgY.exe
  2⤵
  - Executes dropped EXE
  PID:4296
- C:\Windows\System\WCBylWe.exe
  C:\Windows\System\WCBylWe.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System\xkwlaRf.exe
  C:\Windows\System\xkwlaRf.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\System\xIHmyhg.exe
  C:\Windows\System\xIHmyhg.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System\SpmvYTC.exe
  C:\Windows\System\SpmvYTC.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\LLKOsBD.exe
  C:\Windows\System\LLKOsBD.exe
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\System\flDdSTA.exe
  C:\Windows\System\flDdSTA.exe
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Windows\System\sjCyAVo.exe
  C:\Windows\System\sjCyAVo.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System\nDMNZlG.exe
  C:\Windows\System\nDMNZlG.exe
  2⤵
  - Executes dropped EXE
  PID:4212
- C:\Windows\System\VVmWIpO.exe
  C:\Windows\System\VVmWIpO.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\TMKnIry.exe
  C:\Windows\System\TMKnIry.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\zXWFwgT.exe
  C:\Windows\System\zXWFwgT.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Windows\System\LdOHMFi.exe
  C:\Windows\System\LdOHMFi.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System\qvHrrVD.exe
  C:\Windows\System\qvHrrVD.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System\pZHhlMF.exe
  C:\Windows\System\pZHhlMF.exe
  2⤵
  - Executes dropped EXE
  PID:4216
- C:\Windows\System\gGYkEUI.exe
  C:\Windows\System\gGYkEUI.exe
  2⤵
  - Executes dropped EXE
  PID:3792
- C:\Windows\System\nVhgSzF.exe
  C:\Windows\System\nVhgSzF.exe
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\System\dOUbIpl.exe
  C:\Windows\System\dOUbIpl.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\System\KrcxPeq.exe
  C:\Windows\System\KrcxPeq.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System\nCrfRHB.exe
  C:\Windows\System\nCrfRHB.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System\XjkAamy.exe
  C:\Windows\System\XjkAamy.exe
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Windows\System\hemdwnf.exe
  C:\Windows\System\hemdwnf.exe
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\System\gDTPlEE.exe
  C:\Windows\System\gDTPlEE.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\QcURFgA.exe
  C:\Windows\System\QcURFgA.exe
  2⤵
  - Executes dropped EXE
  PID:3660
- C:\Windows\System\ajFYCxQ.exe
  C:\Windows\System\ajFYCxQ.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System\ktLjaUD.exe
  C:\Windows\System\ktLjaUD.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\kTNpMGa.exe
  C:\Windows\System\kTNpMGa.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System\DpUxUdw.exe
  C:\Windows\System\DpUxUdw.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System\bbUBEZL.exe
  C:\Windows\System\bbUBEZL.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\TZlprbU.exe
  C:\Windows\System\TZlprbU.exe
  2⤵
  PID:1132
- C:\Windows\System\CHkjyyT.exe
  C:\Windows\System\CHkjyyT.exe
  2⤵
  PID:1656
- C:\Windows\System\bweWsHe.exe
  C:\Windows\System\bweWsHe.exe
  2⤵
  PID:916
- C:\Windows\System\BUnENwu.exe
  C:\Windows\System\BUnENwu.exe
  2⤵
  PID:2916
- C:\Windows\System\KcsTnsH.exe
  C:\Windows\System\KcsTnsH.exe
  2⤵
  PID:3560
- C:\Windows\System\PQwAUgH.exe
  C:\Windows\System\PQwAUgH.exe
  2⤵
  PID:2164
- C:\Windows\System\XEOCVjz.exe
  C:\Windows\System\XEOCVjz.exe
  2⤵
  PID:3256
- C:\Windows\System\GwlKVQs.exe
  C:\Windows\System\GwlKVQs.exe
  2⤵
  PID:4432
- C:\Windows\System\CPnoEAR.exe
  C:\Windows\System\CPnoEAR.exe
  2⤵
  PID:3676
- C:\Windows\System\vuZdFfD.exe
  C:\Windows\System\vuZdFfD.exe
  2⤵
  PID:2636
- C:\Windows\System\UuqmFMm.exe
  C:\Windows\System\UuqmFMm.exe
  2⤵
  PID:5044
- C:\Windows\System\USYGauS.exe
  C:\Windows\System\USYGauS.exe
  2⤵
  PID:4300
- C:\Windows\System\TLgsutA.exe
  C:\Windows\System\TLgsutA.exe
  2⤵
  PID:1424
- C:\Windows\System\DpJhrDM.exe
  C:\Windows\System\DpJhrDM.exe
  2⤵
  PID:4516
- C:\Windows\System\vDRvETh.exe
  C:\Windows\System\vDRvETh.exe
  2⤵
  PID:1568
- C:\Windows\System\mbhQhkV.exe
  C:\Windows\System\mbhQhkV.exe
  2⤵
  PID:4924
- C:\Windows\System\CYkNhFy.exe
  C:\Windows\System\CYkNhFy.exe
  2⤵
  PID:3988
- C:\Windows\System\tshekUd.exe
  C:\Windows\System\tshekUd.exe
  2⤵
  PID:2652
- C:\Windows\System\omnqKyv.exe
  C:\Windows\System\omnqKyv.exe
  2⤵
  PID:5148
- C:\Windows\System\MoHHuNW.exe
  C:\Windows\System\MoHHuNW.exe
  2⤵
  PID:5180
- C:\Windows\System\JzmVMac.exe
  C:\Windows\System\JzmVMac.exe
  2⤵
  PID:5220
- C:\Windows\System\nfDKKig.exe
  C:\Windows\System\nfDKKig.exe
  2⤵
  PID:5244
- C:\Windows\System\JVyfJmj.exe
  C:\Windows\System\JVyfJmj.exe
  2⤵
  PID:5268
- C:\Windows\System\UHriWui.exe
  C:\Windows\System\UHriWui.exe
  2⤵
  PID:5292
- C:\Windows\System\OPFcXpj.exe
  C:\Windows\System\OPFcXpj.exe
  2⤵
  PID:5320
- C:\Windows\System\DiKnYOo.exe
  C:\Windows\System\DiKnYOo.exe
  2⤵
  PID:5340
- C:\Windows\System\YeKYHFj.exe
  C:\Windows\System\YeKYHFj.exe
  2⤵
  PID:5360
- C:\Windows\System\oczLhFt.exe
  C:\Windows\System\oczLhFt.exe
  2⤵
  PID:5400
- C:\Windows\System\LtncSWn.exe
  C:\Windows\System\LtncSWn.exe
  2⤵
  PID:5416
- C:\Windows\System\grMuUun.exe
  C:\Windows\System\grMuUun.exe
  2⤵
  PID:5440
- C:\Windows\System\efOPhJV.exe
  C:\Windows\System\efOPhJV.exe
  2⤵
  PID:5456
- C:\Windows\System\yoBsKob.exe
  C:\Windows\System\yoBsKob.exe
  2⤵
  PID:5484
- C:\Windows\System\AZJevOT.exe
  C:\Windows\System\AZJevOT.exe
  2⤵
  PID:5504
- C:\Windows\System\jgmVUYf.exe
  C:\Windows\System\jgmVUYf.exe
  2⤵
  PID:5580
- C:\Windows\System\oZDEMCK.exe
  C:\Windows\System\oZDEMCK.exe
  2⤵
  PID:5600
- C:\Windows\System\NINlqbW.exe
  C:\Windows\System\NINlqbW.exe
  2⤵
  PID:5624
- C:\Windows\System\rFhnpeF.exe
  C:\Windows\System\rFhnpeF.exe
  2⤵
  PID:5664
- C:\Windows\System\tjknNeJ.exe
  C:\Windows\System\tjknNeJ.exe
  2⤵
  PID:5708
- C:\Windows\System\XiYpepY.exe
  C:\Windows\System\XiYpepY.exe
  2⤵
  PID:5728
- C:\Windows\System\KZauCFx.exe
  C:\Windows\System\KZauCFx.exe
  2⤵
  PID:5744
- C:\Windows\System\KEAnPsM.exe
  C:\Windows\System\KEAnPsM.exe
  2⤵
  PID:5764
- C:\Windows\System\vdfCylU.exe
  C:\Windows\System\vdfCylU.exe
  2⤵
  PID:5800
- C:\Windows\System\ORgsLKF.exe
  C:\Windows\System\ORgsLKF.exe
  2⤵
  PID:5828
- C:\Windows\System\nYXyszr.exe
  C:\Windows\System\nYXyszr.exe
  2⤵
  PID:5844
- C:\Windows\System\QqMtwbb.exe
  C:\Windows\System\QqMtwbb.exe
  2⤵
  PID:5864
- C:\Windows\System\YnpuCou.exe
  C:\Windows\System\YnpuCou.exe
  2⤵
  PID:5888
- C:\Windows\System\MYahlsY.exe
  C:\Windows\System\MYahlsY.exe
  2⤵
  PID:5904
- C:\Windows\System\IuDXURi.exe
  C:\Windows\System\IuDXURi.exe
  2⤵
  PID:5928
- C:\Windows\System\QsWVREF.exe
  C:\Windows\System\QsWVREF.exe
  2⤵
  PID:5972
- C:\Windows\System\dNfdGeU.exe
  C:\Windows\System\dNfdGeU.exe
  2⤵
  PID:6016
- C:\Windows\System\IEKaHWE.exe
  C:\Windows\System\IEKaHWE.exe
  2⤵
  PID:6040
- C:\Windows\System\slbvLNN.exe
  C:\Windows\System\slbvLNN.exe
  2⤵
  PID:6060
- C:\Windows\System\ttMDmWt.exe
  C:\Windows\System\ttMDmWt.exe
  2⤵
  PID:6076
- C:\Windows\System\TelDhUj.exe
  C:\Windows\System\TelDhUj.exe
  2⤵
  PID:6116
- C:\Windows\System\bmijBSB.exe
  C:\Windows\System\bmijBSB.exe
  2⤵
  PID:4820
- C:\Windows\System\jYgkbOM.exe
  C:\Windows\System\jYgkbOM.exe
  2⤵
  PID:5128
- C:\Windows\System\rAuiXxZ.exe
  C:\Windows\System\rAuiXxZ.exe
  2⤵
  PID:5208
- C:\Windows\System\zVwuggX.exe
  C:\Windows\System\zVwuggX.exe
  2⤵
  PID:5308
- C:\Windows\System\WQEczoF.exe
  C:\Windows\System\WQEczoF.exe
  2⤵
  PID:5332
- C:\Windows\System\bOSKJGi.exe
  C:\Windows\System\bOSKJGi.exe
  2⤵
  PID:5372
- C:\Windows\System\DDhPAEi.exe
  C:\Windows\System\DDhPAEi.exe
  2⤵
  PID:5452
- C:\Windows\System\bPaFOaX.exe
  C:\Windows\System\bPaFOaX.exe
  2⤵
  PID:5428
- C:\Windows\System\KslRNSB.exe
  C:\Windows\System\KslRNSB.exe
  2⤵
  PID:5592
- C:\Windows\System\DMAZtWY.exe
  C:\Windows\System\DMAZtWY.exe
  2⤵
  PID:5612
- C:\Windows\System\EwzOqmw.exe
  C:\Windows\System\EwzOqmw.exe
  2⤵
  PID:5640
- C:\Windows\System\mWWinDj.exe
  C:\Windows\System\mWWinDj.exe
  2⤵
  PID:5736
- C:\Windows\System\bzTRlyo.exe
  C:\Windows\System\bzTRlyo.exe
  2⤵
  PID:5840
- C:\Windows\System\ulqEpca.exe
  C:\Windows\System\ulqEpca.exe
  2⤵
  PID:5924
- C:\Windows\System\elIWgpf.exe
  C:\Windows\System\elIWgpf.exe
  2⤵
  PID:6032
- C:\Windows\System\XmwQYVp.exe
  C:\Windows\System\XmwQYVp.exe
  2⤵
  PID:6128
- C:\Windows\System\uMaWkfq.exe
  C:\Windows\System\uMaWkfq.exe
  2⤵
  PID:6056
- C:\Windows\System\nxmIGtu.exe
  C:\Windows\System\nxmIGtu.exe
  2⤵
  PID:6140
- C:\Windows\System\oebWZCP.exe
  C:\Windows\System\oebWZCP.exe
  2⤵
  PID:4364
- C:\Windows\System\SJpoVYb.exe
  C:\Windows\System\SJpoVYb.exe
  2⤵
  PID:5264
- C:\Windows\System\pHZVUFZ.exe
  C:\Windows\System\pHZVUFZ.exe
  2⤵
  PID:5328
- C:\Windows\System\xQFYbHH.exe
  C:\Windows\System\xQFYbHH.exe
  2⤵
  PID:5644
- C:\Windows\System\rVsOMWr.exe
  C:\Windows\System\rVsOMWr.exe
  2⤵
  PID:5608
- C:\Windows\System\qpyEUzQ.exe
  C:\Windows\System\qpyEUzQ.exe
  2⤵
  PID:5760
- C:\Windows\System\UYlZKvo.exe
  C:\Windows\System\UYlZKvo.exe
  2⤵
  PID:5988
- C:\Windows\System\eTZpKoq.exe
  C:\Windows\System\eTZpKoq.exe
  2⤵
  PID:5896
- C:\Windows\System\YhrONaB.exe
  C:\Windows\System\YhrONaB.exe
  2⤵
  PID:6052
- C:\Windows\System\NJXeHTT.exe
  C:\Windows\System\NJXeHTT.exe
  2⤵
  PID:5656
- C:\Windows\System\FNWDDVp.exe
  C:\Windows\System\FNWDDVp.exe
  2⤵
  PID:5716
- C:\Windows\System\NAqBwoY.exe
  C:\Windows\System\NAqBwoY.exe
  2⤵
  PID:6148
- C:\Windows\System\IdVPijp.exe
  C:\Windows\System\IdVPijp.exe
  2⤵
  PID:6172
- C:\Windows\System\IzxOBdH.exe
  C:\Windows\System\IzxOBdH.exe
  2⤵
  PID:6204
- C:\Windows\System\qkUfIzf.exe
  C:\Windows\System\qkUfIzf.exe
  2⤵
  PID:6232
- C:\Windows\System\tRHBpMW.exe
  C:\Windows\System\tRHBpMW.exe
  2⤵
  PID:6284
- C:\Windows\System\CUTPdOx.exe
  C:\Windows\System\CUTPdOx.exe
  2⤵
  PID:6328
- C:\Windows\System\SDjHbeD.exe
  C:\Windows\System\SDjHbeD.exe
  2⤵
  PID:6356
- C:\Windows\System\JJeBNFB.exe
  C:\Windows\System\JJeBNFB.exe
  2⤵
  PID:6384
- C:\Windows\System\LsjasoH.exe
  C:\Windows\System\LsjasoH.exe
  2⤵
  PID:6400
- C:\Windows\System\XwDDqJt.exe
  C:\Windows\System\XwDDqJt.exe
  2⤵
  PID:6424
- C:\Windows\System\VKUXxlM.exe
  C:\Windows\System\VKUXxlM.exe
  2⤵
  PID:6444
- C:\Windows\System\hVIFfPv.exe
  C:\Windows\System\hVIFfPv.exe
  2⤵
  PID:6472
- C:\Windows\System\BYcEEgZ.exe
  C:\Windows\System\BYcEEgZ.exe
  2⤵
  PID:6488
- C:\Windows\System\NAwcECg.exe
  C:\Windows\System\NAwcECg.exe
  2⤵
  PID:6532
- C:\Windows\System\dQpMPfN.exe
  C:\Windows\System\dQpMPfN.exe
  2⤵
  PID:6552
- C:\Windows\System\YmWSXoW.exe
  C:\Windows\System\YmWSXoW.exe
  2⤵
  PID:6568
- C:\Windows\System\TKFXjgM.exe
  C:\Windows\System\TKFXjgM.exe
  2⤵
  PID:6596
- C:\Windows\System\ylRrSKV.exe
  C:\Windows\System\ylRrSKV.exe
  2⤵
  PID:6664
- C:\Windows\System\NdhZStl.exe
  C:\Windows\System\NdhZStl.exe
  2⤵
  PID:6688
- C:\Windows\System\oRmIPDW.exe
  C:\Windows\System\oRmIPDW.exe
  2⤵
  PID:6708
- C:\Windows\System\ZfgwZDu.exe
  C:\Windows\System\ZfgwZDu.exe
  2⤵
  PID:6728
- C:\Windows\System\KtbgrCF.exe
  C:\Windows\System\KtbgrCF.exe
  2⤵
  PID:6788
- C:\Windows\System\kmuGWxN.exe
  C:\Windows\System\kmuGWxN.exe
  2⤵
  PID:6808
- C:\Windows\System\hEqcSPk.exe
  C:\Windows\System\hEqcSPk.exe
  2⤵
  PID:6840
- C:\Windows\System\WPTtNms.exe
  C:\Windows\System\WPTtNms.exe
  2⤵
  PID:6892
- C:\Windows\System\BsGCYdt.exe
  C:\Windows\System\BsGCYdt.exe
  2⤵
  PID:6948
- C:\Windows\System\RlhaFbF.exe
  C:\Windows\System\RlhaFbF.exe
  2⤵
  PID:6964
- C:\Windows\System\OOaeIpg.exe
  C:\Windows\System\OOaeIpg.exe
  2⤵
  PID:7008
- C:\Windows\System\cBzNpIg.exe
  C:\Windows\System\cBzNpIg.exe
  2⤵
  PID:7028
- C:\Windows\System\CMWkhuC.exe
  C:\Windows\System\CMWkhuC.exe
  2⤵
  PID:7056
- C:\Windows\System\OPDhIjt.exe
  C:\Windows\System\OPDhIjt.exe
  2⤵
  PID:7080
- C:\Windows\System\HsvSaDd.exe
  C:\Windows\System\HsvSaDd.exe
  2⤵
  PID:7100
- C:\Windows\System\YWuDGJQ.exe
  C:\Windows\System\YWuDGJQ.exe
  2⤵
  PID:7132
- C:\Windows\System\PqKnATL.exe
  C:\Windows\System\PqKnATL.exe
  2⤵
  PID:7148
- C:\Windows\System\kJjxGgz.exe
  C:\Windows\System\kJjxGgz.exe
  2⤵
  PID:6180
- C:\Windows\System\qSfEryQ.exe
  C:\Windows\System\qSfEryQ.exe
  2⤵
  PID:5912
- C:\Windows\System\traGHfj.exe
  C:\Windows\System\traGHfj.exe
  2⤵
  PID:6280
- C:\Windows\System\gnYhsZT.exe
  C:\Windows\System\gnYhsZT.exe
  2⤵
  PID:6420
- C:\Windows\System\ZFQrTwI.exe
  C:\Windows\System\ZFQrTwI.exe
  2⤵
  PID:6460
- C:\Windows\System\XCPOign.exe
  C:\Windows\System\XCPOign.exe
  2⤵
  PID:6516
- C:\Windows\System\UocCmwY.exe
  C:\Windows\System\UocCmwY.exe
  2⤵
  PID:6628
- C:\Windows\System\EDiFicm.exe
  C:\Windows\System\EDiFicm.exe
  2⤵
  PID:6588
- C:\Windows\System\yjNnazm.exe
  C:\Windows\System\yjNnazm.exe
  2⤵
  PID:6696
- C:\Windows\System\ZGzJLhR.exe
  C:\Windows\System\ZGzJLhR.exe
  2⤵
  PID:6800
- C:\Windows\System\hbuPDjv.exe
  C:\Windows\System\hbuPDjv.exe
  2⤵
  PID:6848
- C:\Windows\System\NPuuUnr.exe
  C:\Windows\System\NPuuUnr.exe
  2⤵
  PID:6936
- C:\Windows\System\NrHoxIA.exe
  C:\Windows\System\NrHoxIA.exe
  2⤵
  PID:6972
- C:\Windows\System\YNoCHyT.exe
  C:\Windows\System\YNoCHyT.exe
  2⤵
  PID:7076
- C:\Windows\System\smjUwZF.exe
  C:\Windows\System\smjUwZF.exe
  2⤵
  PID:7108
- C:\Windows\System\sAvLlQY.exe
  C:\Windows\System\sAvLlQY.exe
  2⤵
  PID:7128
- C:\Windows\System\jEiQecb.exe
  C:\Windows\System\jEiQecb.exe
  2⤵
  PID:6348
- C:\Windows\System\JQqeYbo.exe
  C:\Windows\System\JQqeYbo.exe
  2⤵
  PID:6560
- C:\Windows\System\HDzpOVC.exe
  C:\Windows\System\HDzpOVC.exe
  2⤵
  PID:6612
- C:\Windows\System\RIVbtiP.exe
  C:\Windows\System\RIVbtiP.exe
  2⤵
  PID:6900
- C:\Windows\System\yNkNmlp.exe
  C:\Windows\System\yNkNmlp.exe
  2⤵
  PID:6772
- C:\Windows\System\AZinspE.exe
  C:\Windows\System\AZinspE.exe
  2⤵
  PID:7096
- C:\Windows\System\WOTzDVj.exe
  C:\Windows\System\WOTzDVj.exe
  2⤵
  PID:6636
- C:\Windows\System\ecDmWiA.exe
  C:\Windows\System\ecDmWiA.exe
  2⤵
  PID:6704
- C:\Windows\System\FZOsiZm.exe
  C:\Windows\System\FZOsiZm.exe
  2⤵
  PID:3168
- C:\Windows\System\CNGEmOh.exe
  C:\Windows\System\CNGEmOh.exe
  2⤵
  PID:6680
- C:\Windows\System\FUYNjzo.exe
  C:\Windows\System\FUYNjzo.exe
  2⤵
  PID:7188
- C:\Windows\System\XRsHKYn.exe
  C:\Windows\System\XRsHKYn.exe
  2⤵
  PID:7228
- C:\Windows\System\XjLhvOG.exe
  C:\Windows\System\XjLhvOG.exe
  2⤵
  PID:7252
- C:\Windows\System\dWoDMEg.exe
  C:\Windows\System\dWoDMEg.exe
  2⤵
  PID:7272
- C:\Windows\System\dMVfdBN.exe
  C:\Windows\System\dMVfdBN.exe
  2⤵
  PID:7332
- C:\Windows\System\xorkUgj.exe
  C:\Windows\System\xorkUgj.exe
  2⤵
  PID:7352
- C:\Windows\System\BKsGDWc.exe
  C:\Windows\System\BKsGDWc.exe
  2⤵
  PID:7372
- C:\Windows\System\cVjJlay.exe
  C:\Windows\System\cVjJlay.exe
  2⤵
  PID:7416
- C:\Windows\System\ohPbfqM.exe
  C:\Windows\System\ohPbfqM.exe
  2⤵
  PID:7476
- C:\Windows\System\FMvNlEi.exe
  C:\Windows\System\FMvNlEi.exe
  2⤵
  PID:7508
- C:\Windows\System\veOivKo.exe
  C:\Windows\System\veOivKo.exe
  2⤵
  PID:7524
- C:\Windows\System\MBQIcUP.exe
  C:\Windows\System\MBQIcUP.exe
  2⤵
  PID:7552
- C:\Windows\System\OcraEVc.exe
  C:\Windows\System\OcraEVc.exe
  2⤵
  PID:7584
- C:\Windows\System\pomkenX.exe
  C:\Windows\System\pomkenX.exe
  2⤵
  PID:7604
- C:\Windows\System\isdYJRD.exe
  C:\Windows\System\isdYJRD.exe
  2⤵
  PID:7652
- C:\Windows\System\MTqYODF.exe
  C:\Windows\System\MTqYODF.exe
  2⤵
  PID:7676
- C:\Windows\System\WWegCRw.exe
  C:\Windows\System\WWegCRw.exe
  2⤵
  PID:7700
- C:\Windows\System\OPssPAs.exe
  C:\Windows\System\OPssPAs.exe
  2⤵
  PID:7872
- C:\Windows\System\xiAxjGE.exe
  C:\Windows\System\xiAxjGE.exe
  2⤵
  PID:7888
- C:\Windows\System\LswCPBs.exe
  C:\Windows\System\LswCPBs.exe
  2⤵
  PID:7908
- C:\Windows\System\wuexDSw.exe
  C:\Windows\System\wuexDSw.exe
  2⤵
  PID:7936
- C:\Windows\System\YnbCXGb.exe
  C:\Windows\System\YnbCXGb.exe
  2⤵
  PID:7956
- C:\Windows\System\JzLblVs.exe
  C:\Windows\System\JzLblVs.exe
  2⤵
  PID:7980
- C:\Windows\System\qWCNzXr.exe
  C:\Windows\System\qWCNzXr.exe
  2⤵
  PID:8000
- C:\Windows\System\WOGwHps.exe
  C:\Windows\System\WOGwHps.exe
  2⤵
  PID:8020
- C:\Windows\System\ptsiaVV.exe
  C:\Windows\System\ptsiaVV.exe
  2⤵
  PID:8044
- C:\Windows\System\nxpFXSb.exe
  C:\Windows\System\nxpFXSb.exe
  2⤵
  PID:8064
- C:\Windows\System\HxkwJPc.exe
  C:\Windows\System\HxkwJPc.exe
  2⤵
  PID:8080
- C:\Windows\System\xPTgrMs.exe
  C:\Windows\System\xPTgrMs.exe
  2⤵
  PID:8100
- C:\Windows\System\dUjSAfE.exe
  C:\Windows\System\dUjSAfE.exe
  2⤵
  PID:8120
- C:\Windows\System\HHnTvcH.exe
  C:\Windows\System\HHnTvcH.exe
  2⤵
  PID:8140
- C:\Windows\System\wTIrVAP.exe
  C:\Windows\System\wTIrVAP.exe
  2⤵
  PID:8156
- C:\Windows\System\exGCWHm.exe
  C:\Windows\System\exGCWHm.exe
  2⤵
  PID:8184
- C:\Windows\System\ZYfjUFi.exe
  C:\Windows\System\ZYfjUFi.exe
  2⤵
  PID:7220
- C:\Windows\System\pOVTlEu.exe
  C:\Windows\System\pOVTlEu.exe
  2⤵
  PID:7180
- C:\Windows\System\nyLJJoK.exe
  C:\Windows\System\nyLJJoK.exe
  2⤵
  PID:7200
- C:\Windows\System\Rdjobjq.exe
  C:\Windows\System\Rdjobjq.exe
  2⤵
  PID:7328
- C:\Windows\System\HQHJqzS.exe
  C:\Windows\System\HQHJqzS.exe
  2⤵
  PID:7292
- C:\Windows\System\tgnQouu.exe
  C:\Windows\System\tgnQouu.exe
  2⤵
  PID:7364
- C:\Windows\System\KKcBrMf.exe
  C:\Windows\System\KKcBrMf.exe
  2⤵
  PID:7448
- C:\Windows\System\ZcgDkqX.exe
  C:\Windows\System\ZcgDkqX.exe
  2⤵
  PID:7504
- C:\Windows\System\FRiEbyv.exe
  C:\Windows\System\FRiEbyv.exe
  2⤵
  PID:7564
- C:\Windows\System\lizbCXV.exe
  C:\Windows\System\lizbCXV.exe
  2⤵
  PID:7580
- C:\Windows\System\ZeBvErW.exe
  C:\Windows\System\ZeBvErW.exe
  2⤵
  PID:7632
- C:\Windows\System\OFvylbE.exe
  C:\Windows\System\OFvylbE.exe
  2⤵
  PID:7692
- C:\Windows\System\rYHZYMc.exe
  C:\Windows\System\rYHZYMc.exe
  2⤵
  PID:7736
- C:\Windows\System\VbZQwyF.exe
  C:\Windows\System\VbZQwyF.exe
  2⤵
  PID:7756
- C:\Windows\System\rMOHEBb.exe
  C:\Windows\System\rMOHEBb.exe
  2⤵
  PID:7796
- C:\Windows\System\twUblyK.exe
  C:\Windows\System\twUblyK.exe
  2⤵
  PID:7800
- C:\Windows\System\DOmENBo.exe
  C:\Windows\System\DOmENBo.exe
  2⤵
  PID:7836
- C:\Windows\System\CZrBOZS.exe
  C:\Windows\System\CZrBOZS.exe
  2⤵
  PID:7844
- C:\Windows\System\gIrykIH.exe
  C:\Windows\System\gIrykIH.exe
  2⤵
  PID:7860
- C:\Windows\System\BvUBVEb.exe
  C:\Windows\System\BvUBVEb.exe
  2⤵
  PID:7884
- C:\Windows\System\xtNfScm.exe
  C:\Windows\System\xtNfScm.exe
  2⤵
  PID:7900
- C:\Windows\System\TZtCDxQ.exe
  C:\Windows\System\TZtCDxQ.exe
  2⤵
  PID:7944
- C:\Windows\System\BjUSTaR.exe
  C:\Windows\System\BjUSTaR.exe
  2⤵
  PID:7972
- C:\Windows\System\lTSpXhi.exe
  C:\Windows\System\lTSpXhi.exe
  2⤵
  PID:8076
- C:\Windows\System\uuUxyYi.exe
  C:\Windows\System\uuUxyYi.exe
  2⤵
  PID:8112
- C:\Windows\System\hHhBKZf.exe
  C:\Windows\System\hHhBKZf.exe
  2⤵
  PID:8164
- C:\Windows\System\MdTnLJc.exe
  C:\Windows\System\MdTnLJc.exe
  2⤵
  PID:7576
- C:\Windows\System\bHnullS.exe
  C:\Windows\System\bHnullS.exe
  2⤵
  PID:7760
- C:\Windows\System\SNRmsNZ.exe
  C:\Windows\System\SNRmsNZ.exe
  2⤵
  PID:7672
- C:\Windows\System\ZxyJrUk.exe
  C:\Windows\System\ZxyJrUk.exe
  2⤵
  PID:7444
- C:\Windows\System\gGxXUCq.exe
  C:\Windows\System\gGxXUCq.exe
  2⤵
  PID:7824
- C:\Windows\System\KLbbHyz.exe
  C:\Windows\System\KLbbHyz.exe
  2⤵
  PID:8208
- C:\Windows\System\dUhcSYl.exe
  C:\Windows\System\dUhcSYl.exe
  2⤵
  PID:8240
- C:\Windows\System\ofYirwa.exe
  C:\Windows\System\ofYirwa.exe
  2⤵
  PID:8260
- C:\Windows\System\qAOhxno.exe
  C:\Windows\System\qAOhxno.exe
  2⤵
  PID:8292
- C:\Windows\System\KgeuPPl.exe
  C:\Windows\System\KgeuPPl.exe
  2⤵
  PID:8308
- C:\Windows\System\kBMviYz.exe
  C:\Windows\System\kBMviYz.exe
  2⤵
  PID:8344
- C:\Windows\System\qEwsLEh.exe
  C:\Windows\System\qEwsLEh.exe
  2⤵
  PID:8364
- C:\Windows\System\xjzSUzv.exe
  C:\Windows\System\xjzSUzv.exe
  2⤵
  PID:8380
- C:\Windows\System\JTyLevf.exe
  C:\Windows\System\JTyLevf.exe
  2⤵
  PID:8404
- C:\Windows\System\hEkpDwS.exe
  C:\Windows\System\hEkpDwS.exe
  2⤵
  PID:8428
- C:\Windows\System\eStjGpq.exe
  C:\Windows\System\eStjGpq.exe
  2⤵
  PID:8452
- C:\Windows\System\lgJGWLj.exe
  C:\Windows\System\lgJGWLj.exe
  2⤵
  PID:8468
- C:\Windows\System\aTZeGDI.exe
  C:\Windows\System\aTZeGDI.exe
  2⤵
  PID:8496
- C:\Windows\System\xWooKwr.exe
  C:\Windows\System\xWooKwr.exe
  2⤵
  PID:8512
- C:\Windows\System\PuIKiGh.exe
  C:\Windows\System\PuIKiGh.exe
  2⤵
  PID:8540
- C:\Windows\System\nNiMUsB.exe
  C:\Windows\System\nNiMUsB.exe
  2⤵
  PID:8560
- C:\Windows\System\ypzRMcR.exe
  C:\Windows\System\ypzRMcR.exe
  2⤵
  PID:8580
- C:\Windows\System\jhNzgfj.exe
  C:\Windows\System\jhNzgfj.exe
  2⤵
  PID:8596
- C:\Windows\System\nRuRjAs.exe
  C:\Windows\System\nRuRjAs.exe
  2⤵
  PID:8624
- C:\Windows\System\UAJZmRq.exe
  C:\Windows\System\UAJZmRq.exe
  2⤵
  PID:8676
- C:\Windows\System\uzosxOk.exe
  C:\Windows\System\uzosxOk.exe
  2⤵
  PID:8696
- C:\Windows\System\wKpLQxC.exe
  C:\Windows\System\wKpLQxC.exe
  2⤵
  PID:8716
- C:\Windows\System\VMLHbSH.exe
  C:\Windows\System\VMLHbSH.exe
  2⤵
  PID:8740
- C:\Windows\System\oQOKRgI.exe
  C:\Windows\System\oQOKRgI.exe
  2⤵
  PID:8760
- C:\Windows\System\UbbvWHX.exe
  C:\Windows\System\UbbvWHX.exe
  2⤵
  PID:8780
- C:\Windows\System\NxJxaZH.exe
  C:\Windows\System\NxJxaZH.exe
  2⤵
  PID:8804
- C:\Windows\System\ROayHmu.exe
  C:\Windows\System\ROayHmu.exe
  2⤵
  PID:8828
- C:\Windows\System\DQIhJfZ.exe
  C:\Windows\System\DQIhJfZ.exe
  2⤵
  PID:8844
- C:\Windows\System\VKdrkba.exe
  C:\Windows\System\VKdrkba.exe
  2⤵
  PID:8868
- C:\Windows\System\DeDdphs.exe
  C:\Windows\System\DeDdphs.exe
  2⤵
  PID:8888
- C:\Windows\System\EJGYDSI.exe
  C:\Windows\System\EJGYDSI.exe
  2⤵
  PID:8908
- C:\Windows\System\KzfssRm.exe
  C:\Windows\System\KzfssRm.exe
  2⤵
  PID:8932
- C:\Windows\System\afYhPGS.exe
  C:\Windows\System\afYhPGS.exe
  2⤵
  PID:8948
- C:\Windows\System\rrlbwVV.exe
  C:\Windows\System\rrlbwVV.exe
  2⤵
  PID:8968
- C:\Windows\System\nyrXvEN.exe
  C:\Windows\System\nyrXvEN.exe
  2⤵
  PID:8988
- C:\Windows\System\RFxXJhp.exe
  C:\Windows\System\RFxXJhp.exe
  2⤵
  PID:9008
- C:\Windows\System\lhQZbeg.exe
  C:\Windows\System\lhQZbeg.exe
  2⤵
  PID:9028
- C:\Windows\System\VUkSgbG.exe
  C:\Windows\System\VUkSgbG.exe
  2⤵
  PID:9048
- C:\Windows\System\emTYFxV.exe
  C:\Windows\System\emTYFxV.exe
  2⤵
  PID:9100
- C:\Windows\System\GVvcBcQ.exe
  C:\Windows\System\GVvcBcQ.exe
  2⤵
  PID:9120
- C:\Windows\System\UyojtGY.exe
  C:\Windows\System\UyojtGY.exe
  2⤵
  PID:9140
- C:\Windows\System\rqWUcVr.exe
  C:\Windows\System\rqWUcVr.exe
  2⤵
  PID:9168
- C:\Windows\System\DBNiaWU.exe
  C:\Windows\System\DBNiaWU.exe
  2⤵
  PID:9188
- C:\Windows\System\BjySfSG.exe
  C:\Windows\System\BjySfSG.exe
  2⤵
  PID:9212
- C:\Windows\System\TekPvZI.exe
  C:\Windows\System\TekPvZI.exe
  2⤵
  PID:7468
- C:\Windows\System\MjTFPnK.exe
  C:\Windows\System\MjTFPnK.exe
  2⤵
  PID:7600
- C:\Windows\System\ZHSTNqD.exe
  C:\Windows\System\ZHSTNqD.exe
  2⤵
  PID:8072
- C:\Windows\System\mNycTAp.exe
  C:\Windows\System\mNycTAp.exe
  2⤵
  PID:7804
- C:\Windows\System\UCdanGf.exe
  C:\Windows\System\UCdanGf.exe
  2⤵
  PID:7812
- C:\Windows\System\MUUaztR.exe
  C:\Windows\System\MUUaztR.exe
  2⤵
  PID:8036
- C:\Windows\System\SBDoQJF.exe
  C:\Windows\System\SBDoQJF.exe
  2⤵
  PID:8352
- C:\Windows\System\awWoxXM.exe
  C:\Windows\System\awWoxXM.exe
  2⤵
  PID:8396
- C:\Windows\System\rznLYdI.exe
  C:\Windows\System\rznLYdI.exe
  2⤵
  PID:8440
- C:\Windows\System\IXzxbPq.exe
  C:\Windows\System\IXzxbPq.exe
  2⤵
  PID:7720
- C:\Windows\System\LPpndog.exe
  C:\Windows\System\LPpndog.exe
  2⤵
  PID:8464
- C:\Windows\System\BnbbcKV.exe
  C:\Windows\System\BnbbcKV.exe
  2⤵
  PID:8484
- C:\Windows\System\ZdcvAUo.exe
  C:\Windows\System\ZdcvAUo.exe
  2⤵
  PID:4264
- C:\Windows\System\UIPACfV.exe
  C:\Windows\System\UIPACfV.exe
  2⤵
  PID:8276
- C:\Windows\System\ZajDzZT.exe
  C:\Windows\System\ZajDzZT.exe
  2⤵
  PID:8612
- C:\Windows\System\nuzyXJq.exe
  C:\Windows\System\nuzyXJq.exe
  2⤵
  PID:8688
- C:\Windows\System\dsDmBns.exe
  C:\Windows\System\dsDmBns.exe
  2⤵
  PID:8812
- C:\Windows\System\FLzYfdk.exe
  C:\Windows\System\FLzYfdk.exe
  2⤵
  PID:8304
- C:\Windows\System\ANPTOtR.exe
  C:\Windows\System\ANPTOtR.exe
  2⤵
  PID:8904
- C:\Windows\System\OOYPNzm.exe
  C:\Windows\System\OOYPNzm.exe
  2⤵
  PID:8956
- C:\Windows\System\NokYcgD.exe
  C:\Windows\System\NokYcgD.exe
  2⤵
  PID:8372
- C:\Windows\System\boUPgtN.exe
  C:\Windows\System\boUPgtN.exe
  2⤵
  PID:9244
- C:\Windows\System\jEHGSOv.exe
  C:\Windows\System\jEHGSOv.exe
  2⤵
  PID:9264
- C:\Windows\System\BUGunxK.exe
  C:\Windows\System\BUGunxK.exe
  2⤵
  PID:9280
- C:\Windows\System\DvwSvgQ.exe
  C:\Windows\System\DvwSvgQ.exe
  2⤵
  PID:9312
- C:\Windows\System\WIghkAk.exe
  C:\Windows\System\WIghkAk.exe
  2⤵
  PID:9332
- C:\Windows\System\jaFNYwF.exe
  C:\Windows\System\jaFNYwF.exe
  2⤵
  PID:9360
- C:\Windows\System\bkpxyaM.exe
  C:\Windows\System\bkpxyaM.exe
  2⤵
  PID:9380
- C:\Windows\System\ZqhKcBb.exe
  C:\Windows\System\ZqhKcBb.exe
  2⤵
  PID:9400
- C:\Windows\System\scmtjOd.exe
  C:\Windows\System\scmtjOd.exe
  2⤵
  PID:9420
- C:\Windows\System\bYDnCsB.exe
  C:\Windows\System\bYDnCsB.exe
  2⤵
  PID:9440
- C:\Windows\System\JAiHNek.exe
  C:\Windows\System\JAiHNek.exe
  2⤵
  PID:9468
- C:\Windows\System\xKwPDDn.exe
  C:\Windows\System\xKwPDDn.exe
  2⤵
  PID:9620
- C:\Windows\System\ESyTjZc.exe
  C:\Windows\System\ESyTjZc.exe
  2⤵
  PID:9640
- C:\Windows\System\hLLZlir.exe
  C:\Windows\System\hLLZlir.exe
  2⤵
  PID:9660
- C:\Windows\System\mqbIobN.exe
  C:\Windows\System\mqbIobN.exe
  2⤵
  PID:9680
- C:\Windows\System\vDUGiwu.exe
  C:\Windows\System\vDUGiwu.exe
  2⤵
  PID:9708
- C:\Windows\System\tTrIMbe.exe
  C:\Windows\System\tTrIMbe.exe
  2⤵
  PID:9728
- C:\Windows\System\Dajjnmu.exe
  C:\Windows\System\Dajjnmu.exe
  2⤵
  PID:9744
- C:\Windows\System\jhtPVCO.exe
  C:\Windows\System\jhtPVCO.exe
  2⤵
  PID:9764
- C:\Windows\System\obDUdwX.exe
  C:\Windows\System\obDUdwX.exe
  2⤵
  PID:9780
- C:\Windows\System\pkePJQq.exe
  C:\Windows\System\pkePJQq.exe
  2⤵
  PID:9800
- C:\Windows\System\hZzXGix.exe
  C:\Windows\System\hZzXGix.exe
  2⤵
  PID:9820
- C:\Windows\System\NwQLxXg.exe
  C:\Windows\System\NwQLxXg.exe
  2⤵
  PID:9836
- C:\Windows\System\ZFjUlED.exe
  C:\Windows\System\ZFjUlED.exe
  2⤵
  PID:9860
- C:\Windows\System\QsHkVna.exe
  C:\Windows\System\QsHkVna.exe
  2⤵
  PID:9880
- C:\Windows\System\ZUzVsKD.exe
  C:\Windows\System\ZUzVsKD.exe
  2⤵
  PID:9900
- C:\Windows\System\BsTVliH.exe
  C:\Windows\System\BsTVliH.exe
  2⤵
  PID:9916
- C:\Windows\System\gRRrrfw.exe
  C:\Windows\System\gRRrrfw.exe
  2⤵
  PID:9936
- C:\Windows\System\KleyJyN.exe
  C:\Windows\System\KleyJyN.exe
  2⤵
  PID:9960
- C:\Windows\System\xaCOdFx.exe
  C:\Windows\System\xaCOdFx.exe
  2⤵
  PID:9984
- C:\Windows\System\kbrnWIX.exe
  C:\Windows\System\kbrnWIX.exe
  2⤵
  PID:10036
- C:\Windows\System\EuFXUUS.exe
  C:\Windows\System\EuFXUUS.exe
  2⤵
  PID:10056
- C:\Windows\System\OKFsfLv.exe
  C:\Windows\System\OKFsfLv.exe
  2⤵
  PID:10076
- C:\Windows\System\ngseVEh.exe
  C:\Windows\System\ngseVEh.exe
  2⤵
  PID:10096
- C:\Windows\System\CSDXUhd.exe
  C:\Windows\System\CSDXUhd.exe
  2⤵
  PID:10112
- C:\Windows\System\KQHjcfx.exe
  C:\Windows\System\KQHjcfx.exe
  2⤵
  PID:10140
- C:\Windows\System\NKUZWzb.exe
  C:\Windows\System\NKUZWzb.exe
  2⤵
  PID:10156
- C:\Windows\System\PMREwFW.exe
  C:\Windows\System\PMREwFW.exe
  2⤵
  PID:10184
- C:\Windows\System\dIbKWhF.exe
  C:\Windows\System\dIbKWhF.exe
  2⤵
  PID:10212
- C:\Windows\System\AqEJRVf.exe
  C:\Windows\System\AqEJRVf.exe
  2⤵
  PID:10232
- C:\Windows\System\NcagAai.exe
  C:\Windows\System\NcagAai.exe
  2⤵
  PID:9056
- C:\Windows\System\geqPWtD.exe
  C:\Windows\System\geqPWtD.exe
  2⤵
  PID:9112
- C:\Windows\System\kKKsNcw.exe
  C:\Windows\System\kKKsNcw.exe
  2⤵
  PID:9136
- C:\Windows\System\BnxwqIv.exe
  C:\Windows\System\BnxwqIv.exe
  2⤵
  PID:9176
- C:\Windows\System\MMVLhKS.exe
  C:\Windows\System\MMVLhKS.exe
  2⤵
  PID:8788
- C:\Windows\System\QCQKTEw.exe
  C:\Windows\System\QCQKTEw.exe
  2⤵
  PID:8940
- C:\Windows\System\uqLnQPv.exe
  C:\Windows\System\uqLnQPv.exe
  2⤵
  PID:9020
- C:\Windows\System\galoFpp.exe
  C:\Windows\System\galoFpp.exe
  2⤵
  PID:9132
- C:\Windows\System\iGqhzyB.exe
  C:\Windows\System\iGqhzyB.exe
  2⤵
  PID:9432
- C:\Windows\System\TPVeWZB.exe
  C:\Windows\System\TPVeWZB.exe
  2⤵
  PID:8736
- C:\Windows\System\GnMBXdS.exe
  C:\Windows\System\GnMBXdS.exe
  2⤵
  PID:7852
- C:\Windows\System\NTHBlzs.exe
  C:\Windows\System\NTHBlzs.exe
  2⤵
  PID:7820
- C:\Windows\System\ETnCcVq.exe
  C:\Windows\System\ETnCcVq.exe
  2⤵
  PID:8056
- C:\Windows\System\bviahoM.exe
  C:\Windows\System\bviahoM.exe
  2⤵
  PID:8204
- C:\Windows\System\pNIZTIM.exe
  C:\Windows\System\pNIZTIM.exe
  2⤵
  PID:8524
- C:\Windows\System\vIuYBzW.exe
  C:\Windows\System\vIuYBzW.exe
  2⤵
  PID:7308
- C:\Windows\System\SlIQEIq.exe
  C:\Windows\System\SlIQEIq.exe
  2⤵
  PID:8576
- C:\Windows\System\ITPEbsQ.exe
  C:\Windows\System\ITPEbsQ.exe
  2⤵
  PID:9256
- C:\Windows\System\dpWwDoh.exe
  C:\Windows\System\dpWwDoh.exe
  2⤵
  PID:9352
- C:\Windows\System\mNhLPOW.exe
  C:\Windows\System\mNhLPOW.exe
  2⤵
  PID:9460
- C:\Windows\System\ujDRJAg.exe
  C:\Windows\System\ujDRJAg.exe
  2⤵
  PID:9672
- C:\Windows\System\AsyZXfk.exe
  C:\Windows\System\AsyZXfk.exe
  2⤵
  PID:7772
- C:\Windows\System\siRwnOB.exe
  C:\Windows\System\siRwnOB.exe
  2⤵
  PID:8356
- C:\Windows\System\uyhQyyU.exe
  C:\Windows\System\uyhQyyU.exe
  2⤵
  PID:7664
- C:\Windows\System\iLsijYp.exe
  C:\Windows\System\iLsijYp.exe
  2⤵
  PID:7788
- C:\Windows\System\bvJROQy.exe
  C:\Windows\System\bvJROQy.exe
  2⤵
  PID:9908
- C:\Windows\System\jmWiQXY.exe
  C:\Windows\System\jmWiQXY.exe
  2⤵
  PID:9968
- C:\Windows\System\sCnuGta.exe
  C:\Windows\System\sCnuGta.exe
  2⤵
  PID:10016
- C:\Windows\System\xpDieQt.exe
  C:\Windows\System\xpDieQt.exe
  2⤵
  PID:2224
- C:\Windows\System\JIHQUJo.exe
  C:\Windows\System\JIHQUJo.exe
  2⤵
  PID:10048
- C:\Windows\System\xVzstyU.exe
  C:\Windows\System\xVzstyU.exe
  2⤵
  PID:9236
- C:\Windows\System\evaQLtc.exe
  C:\Windows\System\evaQLtc.exe
  2⤵
  PID:10088
- C:\Windows\System\gvmOWdI.exe
  C:\Windows\System\gvmOWdI.exe
  2⤵
  PID:10256
- C:\Windows\System\anQGZCy.exe
  C:\Windows\System\anQGZCy.exe
  2⤵
  PID:10276
- C:\Windows\System\mZWGMcO.exe
  C:\Windows\System\mZWGMcO.exe
  2⤵
  PID:10300
- C:\Windows\System\tMAZBFW.exe
  C:\Windows\System\tMAZBFW.exe
  2⤵
  PID:10316
- C:\Windows\System\kHOcbav.exe
  C:\Windows\System\kHOcbav.exe
  2⤵
  PID:10340
- C:\Windows\System\aQgwDHL.exe
  C:\Windows\System\aQgwDHL.exe
  2⤵
  PID:10368
- C:\Windows\System\JjUFKQP.exe
  C:\Windows\System\JjUFKQP.exe
  2⤵
  PID:10388
- C:\Windows\System\nxPZAfw.exe
  C:\Windows\System\nxPZAfw.exe
  2⤵
  PID:10408
- C:\Windows\System\qduZBCz.exe
  C:\Windows\System\qduZBCz.exe
  2⤵
  PID:10424
- C:\Windows\System\dMzYjsd.exe
  C:\Windows\System\dMzYjsd.exe
  2⤵
  PID:10440
- C:\Windows\System\cgVvNZb.exe
  C:\Windows\System\cgVvNZb.exe
  2⤵
  PID:10456
- C:\Windows\System\KrvhXXZ.exe
  C:\Windows\System\KrvhXXZ.exe
  2⤵
  PID:10476
- C:\Windows\System\dOylrXX.exe
  C:\Windows\System\dOylrXX.exe
  2⤵
  PID:10500
- C:\Windows\System\NCNUXyN.exe
  C:\Windows\System\NCNUXyN.exe
  2⤵
  PID:10520
- C:\Windows\System\XZHByIX.exe
  C:\Windows\System\XZHByIX.exe
  2⤵
  PID:10548
- C:\Windows\System\hFyhDNZ.exe
  C:\Windows\System\hFyhDNZ.exe
  2⤵
  PID:10564
- C:\Windows\System\oTboqDP.exe
  C:\Windows\System\oTboqDP.exe
  2⤵
  PID:10580
- C:\Windows\System\DwKPJFo.exe
  C:\Windows\System\DwKPJFo.exe
  2⤵
  PID:10596
- C:\Windows\System\FiugYdq.exe
  C:\Windows\System\FiugYdq.exe
  2⤵
  PID:10616
- C:\Windows\System\MTdAsRh.exe
  C:\Windows\System\MTdAsRh.exe
  2⤵
  PID:10632
- C:\Windows\System\kmoOOqU.exe
  C:\Windows\System\kmoOOqU.exe
  2⤵
  PID:10656
- C:\Windows\System\vzfYxTU.exe
  C:\Windows\System\vzfYxTU.exe
  2⤵
  PID:10672
- C:\Windows\System\mDgSNsQ.exe
  C:\Windows\System\mDgSNsQ.exe
  2⤵
  PID:10696
- C:\Windows\System\MTVcVmo.exe
  C:\Windows\System\MTVcVmo.exe
  2⤵
  PID:10712
- C:\Windows\System\UxJdYzI.exe
  C:\Windows\System\UxJdYzI.exe
  2⤵
  PID:10732
- C:\Windows\System\RADsvTe.exe
  C:\Windows\System\RADsvTe.exe
  2⤵
  PID:10752
- C:\Windows\System\hcRqgBC.exe
  C:\Windows\System\hcRqgBC.exe
  2⤵
  PID:10772
- C:\Windows\System\vymWMaQ.exe
  C:\Windows\System\vymWMaQ.exe
  2⤵
  PID:10788
- C:\Windows\System\UBqTMiy.exe
  C:\Windows\System\UBqTMiy.exe
  2⤵
  PID:10808
- C:\Windows\System\YiAJZcL.exe
  C:\Windows\System\YiAJZcL.exe
  2⤵
  PID:10836
- C:\Windows\System\pWUmgws.exe
  C:\Windows\System\pWUmgws.exe
  2⤵
  PID:10856
- C:\Windows\System\LUvSqnO.exe
  C:\Windows\System\LUvSqnO.exe
  2⤵
  PID:10872
- C:\Windows\System\vQkFhAw.exe
  C:\Windows\System\vQkFhAw.exe
  2⤵
  PID:10892
- C:\Windows\System\igXrVjU.exe
  C:\Windows\System\igXrVjU.exe
  2⤵
  PID:10916
- C:\Windows\System\tWtQICe.exe
  C:\Windows\System\tWtQICe.exe
  2⤵
  PID:10936
- C:\Windows\System\GjoGEkh.exe
  C:\Windows\System\GjoGEkh.exe
  2⤵
  PID:10956
- C:\Windows\System\NynLwxr.exe
  C:\Windows\System\NynLwxr.exe
  2⤵
  PID:10980
- C:\Windows\System\QxXBYkI.exe
  C:\Windows\System\QxXBYkI.exe
  2⤵
  PID:11000
- C:\Windows\System\ZTCybNf.exe
  C:\Windows\System\ZTCybNf.exe
  2⤵
  PID:11020
- C:\Windows\System\DEolbkM.exe
  C:\Windows\System\DEolbkM.exe
  2⤵
  PID:11044
- C:\Windows\System\vgugmyw.exe
  C:\Windows\System\vgugmyw.exe
  2⤵
  PID:11064
- C:\Windows\System\GmTroMO.exe
  C:\Windows\System\GmTroMO.exe
  2⤵
  PID:11080
- C:\Windows\System\oaJpgTV.exe
  C:\Windows\System\oaJpgTV.exe
  2⤵
  PID:11104
- C:\Windows\System\LGAsMTc.exe
  C:\Windows\System\LGAsMTc.exe
  2⤵
  PID:11124
- C:\Windows\System\vBbmxEk.exe
  C:\Windows\System\vBbmxEk.exe
  2⤵
  PID:11140
- C:\Windows\System\QEYVgyK.exe
  C:\Windows\System\QEYVgyK.exe
  2⤵
  PID:11156
- C:\Windows\System\BQhkovb.exe
  C:\Windows\System\BQhkovb.exe
  2⤵
  PID:11180
- C:\Windows\System\bZCztJa.exe
  C:\Windows\System\bZCztJa.exe
  2⤵
  PID:11200
- C:\Windows\System\kmjgYDn.exe
  C:\Windows\System\kmjgYDn.exe
  2⤵
  PID:11224
- C:\Windows\System\dqOEosC.exe
  C:\Windows\System\dqOEosC.exe
  2⤵
  PID:11244
- C:\Windows\System\EasAeXs.exe
  C:\Windows\System\EasAeXs.exe
  2⤵
  PID:10108
- C:\Windows\System\cdQgnXP.exe
  C:\Windows\System\cdQgnXP.exe
  2⤵
  PID:9372
- C:\Windows\System\BwPQMyR.exe
  C:\Windows\System\BwPQMyR.exe
  2⤵
  PID:10148
- C:\Windows\System\Xqpcqzf.exe
  C:\Windows\System\Xqpcqzf.exe
  2⤵
  PID:9084
- C:\Windows\System\OiGtwbf.exe
  C:\Windows\System\OiGtwbf.exe
  2⤵
  PID:9656
- C:\Windows\System\JiVKjUO.exe
  C:\Windows\System\JiVKjUO.exe
  2⤵
  PID:9736
- C:\Windows\System\YdBJJck.exe
  C:\Windows\System\YdBJJck.exe
  2⤵
  PID:9832
- C:\Windows\System\WEbmiZh.exe
  C:\Windows\System\WEbmiZh.exe
  2⤵
  PID:9892
- C:\Windows\System\rlIAyRY.exe
  C:\Windows\System\rlIAyRY.exe
  2⤵
  PID:9948
- C:\Windows\System\hkbXLtf.exe
  C:\Windows\System\hkbXLtf.exe
  2⤵
  PID:9076
- C:\Windows\System\GbelxfE.exe
  C:\Windows\System\GbelxfE.exe
  2⤵
  PID:9996
- C:\Windows\System\CdfbDMG.exe
  C:\Windows\System\CdfbDMG.exe
  2⤵
  PID:9560
- C:\Windows\System\HtzTrYo.exe
  C:\Windows\System\HtzTrYo.exe
  2⤵
  PID:11552
- C:\Windows\System\WBmwOKa.exe
  C:\Windows\System\WBmwOKa.exe
  2⤵
  PID:11572
- C:\Windows\System\sNavSCB.exe
  C:\Windows\System\sNavSCB.exe
  2⤵
  PID:11596
- C:\Windows\System\oBIzVkj.exe
  C:\Windows\System\oBIzVkj.exe
  2⤵
  PID:11616
- C:\Windows\System\ekVAfGl.exe
  C:\Windows\System\ekVAfGl.exe
  2⤵
  PID:11644
- C:\Windows\System\lXlfqUX.exe
  C:\Windows\System\lXlfqUX.exe
  2⤵
  PID:11676
- C:\Windows\System\bCCQIaG.exe
  C:\Windows\System\bCCQIaG.exe
  2⤵
  PID:11692
- C:\Windows\System\IMaceZH.exe
  C:\Windows\System\IMaceZH.exe
  2⤵
  PID:11712
- C:\Windows\System\NXniyeR.exe
  C:\Windows\System\NXniyeR.exe
  2⤵
  PID:11736
- C:\Windows\System\ouKLqxU.exe
  C:\Windows\System\ouKLqxU.exe
  2⤵
  PID:11760
- C:\Windows\System\wzqmtuE.exe
  C:\Windows\System\wzqmtuE.exe
  2⤵
  PID:11784
- C:\Windows\System\OkiArhg.exe
  C:\Windows\System\OkiArhg.exe
  2⤵
  PID:11800
- C:\Windows\System\zNDSZdN.exe
  C:\Windows\System\zNDSZdN.exe
  2⤵
  PID:11820
- C:\Windows\System\ceNWbAy.exe
  C:\Windows\System\ceNWbAy.exe
  2⤵
  PID:11840
- C:\Windows\System\TDFuQlR.exe
  C:\Windows\System\TDFuQlR.exe
  2⤵
  PID:11864
- C:\Windows\System\CmzxrVd.exe
  C:\Windows\System\CmzxrVd.exe
  2⤵
  PID:11884
- C:\Windows\System\dhLcHWh.exe
  C:\Windows\System\dhLcHWh.exe
  2⤵
  PID:11916
- C:\Windows\System\ufwfndf.exe
  C:\Windows\System\ufwfndf.exe
  2⤵
  PID:11936
- C:\Windows\System\wCDYVET.exe
  C:\Windows\System\wCDYVET.exe
  2⤵
  PID:11956
- C:\Windows\System\TedQRUL.exe
  C:\Windows\System\TedQRUL.exe
  2⤵
  PID:11972
- C:\Windows\System\kOYiIgT.exe
  C:\Windows\System\kOYiIgT.exe
  2⤵
  PID:11992
- C:\Windows\System\MdClYRe.exe
  C:\Windows\System\MdClYRe.exe
  2⤵
  PID:12016
- C:\Windows\System\UAxdrzr.exe
  C:\Windows\System\UAxdrzr.exe
  2⤵
  PID:12044
- C:\Windows\System\IHlMrif.exe
  C:\Windows\System\IHlMrif.exe
  2⤵
  PID:12064
- C:\Windows\System\JaDenpX.exe
  C:\Windows\System\JaDenpX.exe
  2⤵
  PID:12084
- C:\Windows\System\ueQguMT.exe
  C:\Windows\System\ueQguMT.exe
  2⤵
  PID:12108
- C:\Windows\System\LbPDjkh.exe
  C:\Windows\System\LbPDjkh.exe
  2⤵
  PID:12124
- C:\Windows\System\tuyZluk.exe
  C:\Windows\System\tuyZluk.exe
  2⤵
  PID:12148
- C:\Windows\System\RYVkTYV.exe
  C:\Windows\System\RYVkTYV.exe
  2⤵
  PID:12168
- C:\Windows\System\EFPxCmz.exe
  C:\Windows\System\EFPxCmz.exe
  2⤵
  PID:12196
- C:\Windows\System\QyMIfBl.exe
  C:\Windows\System\QyMIfBl.exe
  2⤵
  PID:12224
- C:\Windows\System\Sbwycsy.exe
  C:\Windows\System\Sbwycsy.exe
  2⤵
  PID:12248
- C:\Windows\System\mwGlNJz.exe
  C:\Windows\System\mwGlNJz.exe
  2⤵
  PID:12264
- C:\Windows\System\krBZzeD.exe
  C:\Windows\System\krBZzeD.exe
  2⤵
  PID:10360
- C:\Windows\System\xVXrVMt.exe
  C:\Windows\System\xVXrVMt.exe
  2⤵
  PID:10400
- C:\Windows\System\LUXSFly.exe
  C:\Windows\System\LUXSFly.exe
  2⤵
  PID:10496
- C:\Windows\System\vEAUjEG.exe
  C:\Windows\System\vEAUjEG.exe
  2⤵
  PID:9040
- C:\Windows\System\crfMEyW.exe
  C:\Windows\System\crfMEyW.exe
  2⤵
  PID:8756
- C:\Windows\System\FKJvzrU.exe
  C:\Windows\System\FKJvzrU.exe
  2⤵
  PID:8980
- C:\Windows\System\TbAKKmc.exe
  C:\Windows\System\TbAKKmc.exe
  2⤵
  PID:8656
- C:\Windows\System\AjRCssW.exe
  C:\Windows\System\AjRCssW.exe
  2⤵
  PID:7392
- C:\Windows\System\kPeYZzY.exe
  C:\Windows\System\kPeYZzY.exe
  2⤵
  PID:8884
- C:\Windows\System\VVXkeOW.exe
  C:\Windows\System\VVXkeOW.exe
  2⤵
  PID:9004
- C:\Windows\System\gDQeqLc.exe
  C:\Windows\System\gDQeqLc.exe
  2⤵
  PID:11192
- C:\Windows\System\NcdPiYe.exe
  C:\Windows\System\NcdPiYe.exe
  2⤵
  PID:8216
- C:\Windows\System\luOzRdf.exe
  C:\Windows\System\luOzRdf.exe
  2⤵
  PID:10072
- C:\Windows\System\xoacnSP.exe
  C:\Windows\System\xoacnSP.exe
  2⤵
  PID:8960
- C:\Windows\System\EwTIhhT.exe
  C:\Windows\System\EwTIhhT.exe
  2⤵
  PID:7992
- C:\Windows\System\ZqLLDkw.exe
  C:\Windows\System\ZqLLDkw.exe
  2⤵
  PID:9928
- C:\Windows\System\RASdLLf.exe
  C:\Windows\System\RASdLLf.exe
  2⤵
  PID:10312
- C:\Windows\System\ieKZCHn.exe
  C:\Windows\System\ieKZCHn.exe
  2⤵
  PID:10200
- C:\Windows\System\ErgOFeO.exe
  C:\Windows\System\ErgOFeO.exe
  2⤵
  PID:9108
- C:\Windows\System\ZRpfStJ.exe
  C:\Windows\System\ZRpfStJ.exe
  2⤵
  PID:8712
- C:\Windows\System\ClwldOS.exe
  C:\Windows\System\ClwldOS.exe
  2⤵
  PID:10692
- C:\Windows\System\OQWGjcr.exe
  C:\Windows\System\OQWGjcr.exe
  2⤵
  PID:10768
- C:\Windows\System\PRWHftm.exe
  C:\Windows\System\PRWHftm.exe
  2⤵
  PID:10888
- C:\Windows\System\lJVPymI.exe
  C:\Windows\System\lJVPymI.exe
  2⤵
  PID:11440
- C:\Windows\System\XrAGgZy.exe
  C:\Windows\System\XrAGgZy.exe
  2⤵
  PID:11036
- C:\Windows\System\HDLNarC.exe
  C:\Windows\System\HDLNarC.exe
  2⤵
  PID:11476
- C:\Windows\System\LKrRDKa.exe
  C:\Windows\System\LKrRDKa.exe
  2⤵
  PID:10828
- C:\Windows\System\lKSBIKF.exe
  C:\Windows\System\lKSBIKF.exe
  2⤵
  PID:10884
- C:\Windows\System\aGFltWw.exe
  C:\Windows\System\aGFltWw.exe
  2⤵
  PID:10948
- C:\Windows\System\iOfLbCo.exe
  C:\Windows\System\iOfLbCo.exe
  2⤵
  PID:2856
- C:\Windows\System\XyQjfRf.exe
  C:\Windows\System\XyQjfRf.exe
  2⤵
  PID:11072
- C:\Windows\System\VlPYmnu.exe
  C:\Windows\System\VlPYmnu.exe
  2⤵
  PID:12652
- C:\Windows\System\otePySZ.exe
  C:\Windows\System\otePySZ.exe
  2⤵
  PID:12672
- C:\Windows\System\MsQhtxu.exe
  C:\Windows\System\MsQhtxu.exe
  2⤵
  PID:12688
- C:\Windows\System\bvbHVCC.exe
  C:\Windows\System\bvbHVCC.exe
  2⤵
  PID:12708
- C:\Windows\System\YxDUCvt.exe
  C:\Windows\System\YxDUCvt.exe
  2⤵
  PID:12724
- C:\Windows\System\BgvWNNg.exe
  C:\Windows\System\BgvWNNg.exe
  2⤵
  PID:12740
- C:\Windows\System\DfETxrK.exe
  C:\Windows\System\DfETxrK.exe
  2⤵
  PID:12756
- C:\Windows\System\uIJhYhG.exe
  C:\Windows\System\uIJhYhG.exe
  2⤵
  PID:12776
- C:\Windows\System\AXUNYWy.exe
  C:\Windows\System\AXUNYWy.exe
  2⤵
  PID:13132
- C:\Windows\System\QDQPxEN.exe
  C:\Windows\System\QDQPxEN.exe
  2⤵
  PID:13148
- C:\Windows\System\CwYJSvA.exe
  C:\Windows\System\CwYJSvA.exe
  2⤵
  PID:13172
- C:\Windows\System\giEffal.exe
  C:\Windows\System\giEffal.exe
  2⤵
  PID:13196
- C:\Windows\System\NvJwogE.exe
  C:\Windows\System\NvJwogE.exe
  2⤵
  PID:13236
- C:\Windows\System\GBjDKiK.exe
  C:\Windows\System\GBjDKiK.exe
  2⤵
  PID:13260
- C:\Windows\System\TtwKGPo.exe
  C:\Windows\System\TtwKGPo.exe
  2⤵
  PID:11428
- C:\Windows\System\qWbvpJo.exe
  C:\Windows\System\qWbvpJo.exe
  2⤵
  PID:12056
- C:\Windows\System\UFIgJSS.exe
  C:\Windows\System\UFIgJSS.exe
  2⤵
  PID:12116
- C:\Windows\System\tmhJSVn.exe
  C:\Windows\System\tmhJSVn.exe
  2⤵
  PID:12240
- C:\Windows\System\cEFOaXe.exe
  C:\Windows\System\cEFOaXe.exe
  2⤵
  PID:9632
- C:\Windows\System\tZzAuXn.exe
  C:\Windows\System\tZzAuXn.exe
  2⤵
  PID:11212
- C:\Windows\System\gHUuUvk.exe
  C:\Windows\System\gHUuUvk.exe
  2⤵
  PID:9752
- C:\Windows\System\oDVjVKx.exe
  C:\Windows\System\oDVjVKx.exe
  2⤵
  PID:10208
- C:\Windows\System\awSOnHA.exe
  C:\Windows\System\awSOnHA.exe
  2⤵
  PID:4580
- C:\Windows\System\qTEvbaM.exe
  C:\Windows\System\qTEvbaM.exe
  2⤵
  PID:11636
- C:\Windows\System\vpiqPEa.exe
  C:\Windows\System\vpiqPEa.exe
  2⤵
  PID:11684
- C:\Windows\System\bqDScNj.exe
  C:\Windows\System\bqDScNj.exe
  2⤵
  PID:11748
- C:\Windows\System\SpVtAfY.exe
  C:\Windows\System\SpVtAfY.exe
  2⤵
  PID:12216
- C:\Windows\System\LtNsnxH.exe
  C:\Windows\System\LtNsnxH.exe
  2⤵
  PID:11120
- C:\Windows\System\caswbfg.exe
  C:\Windows\System\caswbfg.exe
  2⤵
  PID:10164
- C:\Windows\System\lqpFOkB.exe
  C:\Windows\System\lqpFOkB.exe
  2⤵
  PID:7928
- C:\Windows\System\vMpDRIm.exe
  C:\Windows\System\vMpDRIm.exe
  2⤵
  PID:11856
- C:\Windows\System\rENYqdd.exe
  C:\Windows\System\rENYqdd.exe
  2⤵
  PID:11704
- C:\Windows\System\KaaeszR.exe
  C:\Windows\System\KaaeszR.exe
  2⤵
  PID:9044
- C:\Windows\System\PEGQxjV.exe
  C:\Windows\System\PEGQxjV.exe
  2⤵
  PID:11932
- C:\Windows\System\fFTVfld.exe
  C:\Windows\System\fFTVfld.exe
  2⤵
  PID:11968
- C:\Windows\System\BCZndnp.exe
  C:\Windows\System\BCZndnp.exe
  2⤵
  PID:12032
- C:\Windows\System\kIRFyxu.exe
  C:\Windows\System\kIRFyxu.exe
  2⤵
  PID:12164
- C:\Windows\System\CvkIFSO.exe
  C:\Windows\System\CvkIFSO.exe
  2⤵
  PID:12256
- C:\Windows\System\urxletf.exe
  C:\Windows\System\urxletf.exe
  2⤵
  PID:11876
- C:\Windows\System\bJZXjFW.exe
  C:\Windows\System\bJZXjFW.exe
  2⤵
  PID:12412
- C:\Windows\System\YfuubVp.exe
  C:\Windows\System\YfuubVp.exe
  2⤵
  PID:12428
- C:\Windows\System\jAvBgNx.exe
  C:\Windows\System\jAvBgNx.exe
  2⤵
  PID:12456
- C:\Windows\System\vOtFVhQ.exe
  C:\Windows\System\vOtFVhQ.exe
  2⤵
  PID:12552
- C:\Windows\System\fVYvIGw.exe
  C:\Windows\System\fVYvIGw.exe
  2⤵
  PID:11468
- C:\Windows\System\XHwggFk.exe
  C:\Windows\System\XHwggFk.exe
  2⤵
  PID:12596
- C:\Windows\System\TYVXxQM.exe
  C:\Windows\System\TYVXxQM.exe
  2⤵
  PID:4112
- C:\Windows\System\IRPNZza.exe
  C:\Windows\System\IRPNZza.exe
  2⤵
  PID:1680
- C:\Windows\System\hIAgoqY.exe
  C:\Windows\System\hIAgoqY.exe
  2⤵
  PID:12704
- C:\Windows\System\xLDbgnN.exe
  C:\Windows\System\xLDbgnN.exe
  2⤵
  PID:10924
- C:\Windows\System\uoBiERW.exe
  C:\Windows\System\uoBiERW.exe
  2⤵
  PID:12768
- C:\Windows\System\kKGemxq.exe
  C:\Windows\System\kKGemxq.exe
  2⤵
  PID:10000
- C:\Windows\System\dJuLCtK.exe
  C:\Windows\System\dJuLCtK.exe
  2⤵
  PID:12504
- C:\Windows\System\JJRozcv.exe
  C:\Windows\System\JJRozcv.exe
  2⤵
  PID:12620
- C:\Windows\System\wsBYiSl.exe
  C:\Windows\System\wsBYiSl.exe
  2⤵
  PID:4288
- C:\Windows\System\pdQGVmW.exe
  C:\Windows\System\pdQGVmW.exe
  2⤵
  PID:10968
- C:\Windows\System\zqYPvRv.exe
  C:\Windows\System\zqYPvRv.exe
  2⤵
  PID:12668
- C:\Windows\System\HkdWjCM.exe
  C:\Windows\System\HkdWjCM.exe
  2⤵
  PID:10608
- C:\Windows\System\ejSKGem.exe
  C:\Windows\System\ejSKGem.exe
  2⤵
  PID:12816
- C:\Windows\System\uZemESv.exe
  C:\Windows\System\uZemESv.exe
  2⤵
  PID:12840
- C:\Windows\System\LqTQPLI.exe
  C:\Windows\System\LqTQPLI.exe
  2⤵
  PID:13224
- C:\Windows\System\tEfpqzz.exe
  C:\Windows\System\tEfpqzz.exe
  2⤵
  PID:13328
- C:\Windows\System\TEfbGoP.exe
  C:\Windows\System\TEfbGoP.exe
  2⤵
  PID:13348
- C:\Windows\System\wgIcGYp.exe
  C:\Windows\System\wgIcGYp.exe
  2⤵
  PID:13368
- C:\Windows\System\FnVzlMI.exe
  C:\Windows\System\FnVzlMI.exe
  2⤵
  PID:13392
- C:\Windows\System\okFxMYn.exe
  C:\Windows\System\okFxMYn.exe
  2⤵
  PID:13416
- C:\Windows\System\UPlMhSS.exe
  C:\Windows\System\UPlMhSS.exe
  2⤵
  PID:13440
- C:\Windows\System\caismVa.exe
  C:\Windows\System\caismVa.exe
  2⤵
  PID:13460
- C:\Windows\System\pMuptTl.exe
  C:\Windows\System\pMuptTl.exe
  2⤵
  PID:13616
- C:\Windows\System\YcMDtgi.exe
  C:\Windows\System\YcMDtgi.exe
  2⤵
  PID:13636
- C:\Windows\System\paGBOsL.exe
  C:\Windows\System\paGBOsL.exe
  2⤵
  PID:13652
- C:\Windows\System\mhOYGeM.exe
  C:\Windows\System\mhOYGeM.exe
  2⤵
  PID:13668
- C:\Windows\System\kclmkrM.exe
  C:\Windows\System\kclmkrM.exe
  2⤵
  PID:13692
- C:\Windows\System\wrhHovy.exe
  C:\Windows\System\wrhHovy.exe
  2⤵
  PID:13708
- C:\Windows\System\CrwefpW.exe
  C:\Windows\System\CrwefpW.exe
  2⤵
  PID:13724
- C:\Windows\System\owKICTX.exe
  C:\Windows\System\owKICTX.exe
  2⤵
  PID:13740
- C:\Windows\System\FxmwHPD.exe
  C:\Windows\System\FxmwHPD.exe
  2⤵
  PID:13756
- C:\Windows\System\cnqgQLo.exe
  C:\Windows\System\cnqgQLo.exe
  2⤵
  PID:13776
- C:\Windows\System\AgruCSB.exe
  C:\Windows\System\AgruCSB.exe
  2⤵
  PID:13792
- C:\Windows\System\WlNErIB.exe
  C:\Windows\System\WlNErIB.exe
  2⤵
  PID:13808
- C:\Windows\System\HxoFdvi.exe
  C:\Windows\System\HxoFdvi.exe
  2⤵
  PID:13824
- C:\Windows\System\CtKcNHC.exe
  C:\Windows\System\CtKcNHC.exe
  2⤵
  PID:13844
- C:\Windows\System\TLaVpII.exe
  C:\Windows\System\TLaVpII.exe
  2⤵
  PID:13860
- C:\Windows\System\hGMvSQR.exe
  C:\Windows\System\hGMvSQR.exe
  2⤵
  PID:13876
- C:\Windows\System\ZCgWsdg.exe
  C:\Windows\System\ZCgWsdg.exe
  2⤵
  PID:13892
- C:\Windows\System\LGMFpwH.exe
  C:\Windows\System\LGMFpwH.exe
  2⤵
  PID:13908
- C:\Windows\System\csUKEhU.exe
  C:\Windows\System\csUKEhU.exe
  2⤵
  PID:13924
- C:\Windows\System\XixykWC.exe
  C:\Windows\System\XixykWC.exe
  2⤵
  PID:13944
- C:\Windows\System\ALsseJh.exe
  C:\Windows\System\ALsseJh.exe
  2⤵
  PID:13960
- C:\Windows\System\WcHzshU.exe
  C:\Windows\System\WcHzshU.exe
  2⤵
  PID:14140
- C:\Windows\System\dkUimiQ.exe
  C:\Windows\System\dkUimiQ.exe
  2⤵
  PID:12680
- C:\Windows\System\RXdIQQL.exe
  C:\Windows\System\RXdIQQL.exe
  2⤵
  PID:13144
- C:\Windows\System\zeimyAX.exe
  C:\Windows\System\zeimyAX.exe
  2⤵
  PID:12924
- C:\Windows\System\FNPrvOw.exe
  C:\Windows\System\FNPrvOw.exe
  2⤵
  PID:4788
- C:\Windows\System\fUECwfa.exe
  C:\Windows\System\fUECwfa.exe
  2⤵
  PID:11964
- C:\Windows\System\cUWBIWr.exe
  C:\Windows\System\cUWBIWr.exe
  2⤵
  PID:2780
- C:\Windows\System\VcHXxAP.exe
  C:\Windows\System\VcHXxAP.exe
  2⤵
  PID:2724
- C:\Windows\System\CjefozC.exe
  C:\Windows\System\CjefozC.exe
  2⤵
  PID:3104
- C:\Windows\System\kaSMCdc.exe
  C:\Windows\System\kaSMCdc.exe
  2⤵
  PID:2252
- C:\Windows\System\BdoEOME.exe
  C:\Windows\System\BdoEOME.exe
  2⤵
  PID:4860
- C:\Windows\System\uZrzRIx.exe
  C:\Windows\System\uZrzRIx.exe
  2⤵
  PID:4608
- C:\Windows\System\bBiqRWc.exe
  C:\Windows\System\bBiqRWc.exe
  2⤵
  PID:3888
- C:\Windows\System\IGCXNHx.exe
  C:\Windows\System\IGCXNHx.exe
  2⤵
  PID:972
- C:\Windows\System\WiUJNif.exe
  C:\Windows\System\WiUJNif.exe
  2⤵
  PID:2168
- C:\Windows\System\XHEgKlc.exe
  C:\Windows\System\XHEgKlc.exe
  2⤵
  PID:1300
- C:\Windows\System\nnUTQvy.exe
  C:\Windows\System\nnUTQvy.exe
  2⤵
  PID:12720
- C:\Windows\System\sCHqSOw.exe
  C:\Windows\System\sCHqSOw.exe
  2⤵
  PID:13180
- C:\Windows\System\RKcaOpo.exe
  C:\Windows\System\RKcaOpo.exe
  2⤵
  PID:8692
- C:\Windows\System\lCzwDcU.exe
  C:\Windows\System\lCzwDcU.exe
  2⤵
  PID:12348
- C:\Windows\System\wQSremi.exe
  C:\Windows\System\wQSremi.exe
  2⤵
  PID:3284
- C:\Windows\System\urlICxF.exe
  C:\Windows\System\urlICxF.exe
  2⤵
  PID:13324
- C:\Windows\System\VIIBicv.exe
  C:\Windows\System\VIIBicv.exe
  2⤵
  PID:13288
- C:\Windows\System\pfVJxQo.exe
  C:\Windows\System\pfVJxQo.exe
  2⤵
  PID:13388
- C:\Windows\System\yJYTcPp.exe
  C:\Windows\System\yJYTcPp.exe
  2⤵
  PID:13608
- C:\Windows\System\sCDxFbV.exe
  C:\Windows\System\sCDxFbV.exe
  2⤵
  PID:12104
- C:\Windows\System\KuAwMUA.exe
  C:\Windows\System\KuAwMUA.exe
  2⤵
  PID:13480
- C:\Windows\System\AkzWDTf.exe
  C:\Windows\System\AkzWDTf.exe
  2⤵
  PID:4332
- C:\Windows\System\SuhgDZa.exe
  C:\Windows\System\SuhgDZa.exe
  2⤵
  PID:4912
- C:\Windows\System\OLPDAQP.exe
  C:\Windows\System\OLPDAQP.exe
  2⤵
  PID:4312

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 0ZXCLem3K0S7Wft8hdFADg.0.2
1⤵
PID:13472
- C:\Windows\system32\WerFaultSecure.exe
  C:\Windows\system32\WerFaultSecure.exe -u -p 13472 -s 596
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5176

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 13472 -i 13472 -h 500 -j 540 -s 552 -d 2876
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:10928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5380 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BAXfJmS.exe

Filesize
1.5MB

MD5
134b1e7581df3f9f8029a15a216f7a0e

SHA1
930990b51b351ae12eff7677362382e44c9b1053

SHA256
d739adad14287f850e747806709731bb04066126f788ece7b91e9728e96843da

SHA512
ffda6e8ce8900764312978df6554e49eee5ae60a3b93e4e07695d1cf4532c0267154c184b345da7cace20889a6165a5e87696ac593c089571d5d2861645b23ac

Download Submit
C:\Windows\System\BcJserb.exe

Filesize
1.5MB

MD5
e6bcb6164509a4de06f5a445c25b993c

SHA1
d8191d93b6939c9fd3c6a6411810cd44633f5076

SHA256
00655e5e4a0f60a23b1f540474708fdefaec73b2ed06716de85c7da4fecad20b

SHA512
eee3b3aa10ac7ad59fe91542bdd5a421d1c54bf6b05ace28fb71144936525670ad8ec8becbf255e38115ba0ca89d2be5a34ec63a7f481855bb7217bdd4b46b67

Download Submit
C:\Windows\System\BciORpT.exe

Filesize
1.5MB

MD5
f601e9936a962e2633e3b711131bf23e

SHA1
86c092e2302a89f85c99624e6e4382897417d898

SHA256
52ba8706614eaaabf49f2967985058d8805a151bb9a5e6ddeeeb49cc324b46b3

SHA512
2f83939255213a513ed96e0a4a0ad5b0ce7e59f0904ca07b7d1cc72cc6f468911577840a3c806ea9f17d3ffbfe76a78a2380334f729ced16a46fb8a90e7c1867

Download Submit
C:\Windows\System\BpOZokO.exe

Filesize
1.5MB

MD5
945debd44f6ddb519e756297e48268f0

SHA1
4de77c3def8c6f928db094ff8c3237038c41a2e7

SHA256
eaf32cbac3eef10d8554d232b42c7bdc0ee948ca43107e32857d0c2bd9aa6a69

SHA512
f9ac94952d97801f2c6f318be237441ed4eb5833c6a6dfe0ec2f42043aff068fbbe4fd340e0b9bae9fb0a412c6d5f8e483a8bedf95c251b37e9b3b615b6f87a4

Download Submit
C:\Windows\System\CJoWZec.exe

Filesize
1.5MB

MD5
bfaf005354f096cb343aba2bbfa96985

SHA1
07d143849c59e7a1a6db12e688508e4a810d0251

SHA256
2dc4f72e3ae181478ec48c78e4ed7ee3bb56df10f861872c93893959e682a412

SHA512
5a13ea2d86cf48935b5dcdb858b07a9fb3e97ac4bd01703d132eb1a23f2b5e8b8d95cfee176a0cc270d11f0ea8c47b47e1cb0703565eb2e054bbeefc7426e5d8

Download Submit
C:\Windows\System\CvvBirN.exe

Filesize
1.5MB

MD5
df4b56834e10e1351b4db3458eb19a97

SHA1
bc9821990bd61ebe61f2ad4f8151ed71f05ef805

SHA256
8379b2ee36065166eb3bd9716d4130992dd483df0f41f7a2fe2839a9e0eeb56e

SHA512
10b32881c069285ed76eea549934905ed3c27897748a0f30f132376a470ba3c07bc0656b922fa8797bbc6f65a44291305784c0b57e97fedfa7066fc5418fa081

Download Submit
C:\Windows\System\IUhOQzd.exe

Filesize
1.5MB

MD5
13f652b0b2c0b9ae423a27002fd9167d

SHA1
e4daa93d71535a7dbcdc06c699e52839462699ea

SHA256
f1e8918a32b873a84bfc723cc95acb3769967349c8d39362af087151293f9892

SHA512
46b0d62150b432720f8c500c45cf383501fa1787032836994e1cf47fc2b9050f285a00ffa2460ca4bd90cd904e500fa211afb657dcd672ec4d21e2dbd938afe4

Download Submit
C:\Windows\System\IbiOCLk.exe

Filesize
1.5MB

MD5
058452f15ca3b8118eda0cd5da0f19a0

SHA1
114d1e073288beab236d8acb490e9d01d6405c7f

SHA256
60df23bb8b48dead03f92809b31bdad1353bd9dc6113c73ff06eb35c2eb4e1ca

SHA512
7c3a0f63aaa05fdc6e412ef3a235336c76ace83afb02d2ba23185bfb18e94672949b3b221c396618550783a4769f0bb1ae24a2df4268123f7074e2b99a1341e1

Download Submit
C:\Windows\System\KzJipCh.exe

Filesize
1.5MB

MD5
68da2c450816c3848ba062f4d58dea75

SHA1
b2d4e23544469ff35fdcfbbd30eb25b3eb83efe8

SHA256
668c9b51989ae0638bfb71d672f2f6db51333646734342bd948b64cabe3dc911

SHA512
75c2852f8b757dee5ced0aa726885b9fd2ebf9654e06e6b0fec9f97410fe77420a1e72773ba63c6fdbc8fdad551f129034f7c5b91ff70d38f7e968170ee2e208

Download Submit
C:\Windows\System\LUnfioM.exe

Filesize
1.5MB

MD5
a500c03b215689afdcc899738411c901

SHA1
ee549af110b073494d03142546758bcc9a8e7c47

SHA256
15be2d86a157a03a669fe11da0764a4d4e77cf9ea33269bcfcd704babaf164aa

SHA512
f897d861f76d1edda46316ce67a5895e0485744ae896f45f4acb5650a9906635e7ec03ecc326183bba2d4194685cfffddc4b2ff9f382164cf648b7792b9fccb3

Download Submit
C:\Windows\System\NcDMFfP.exe

Filesize
1.5MB

MD5
0cf3e28d6705d78472c49ffc4a8d98a5

SHA1
3824b28d0e6d4544d3c8ca0b6e501abc6b3fd093

SHA256
dbc08c5f9448a48519e31c1c1e003fb04a9d1cc205feb1349e51b46e448adb54

SHA512
862339dc4f1a9b648ed925247f34bbb8b9c78701911e01a576fd02c71e7130042b0f548e779f2e9370273b3bb1fe3fa828fa79fa9fa791cf9ea7cc25d72085d6

Download Submit
C:\Windows\System\PECeAJp.exe

Filesize
1.5MB

MD5
dd5620616adc7fd38dead6cf9b679e6b

SHA1
54239d36c094af6c507ab954ed0eb5f9a1eaabba

SHA256
c46541e4f790ced969dd5ab138e73dfee9b41f067cc0bdb78261ab94a1b92370

SHA512
f03c8cba9dbd644692f553cb5785fe53c822f0a00a979f9cdb77a1bad63c4e877bbdcbb8243c9f81fc098bb9654653a61347d88204b15c758846abb4fba0f75e

Download Submit
C:\Windows\System\UUUBVUI.exe

Filesize
1.5MB

MD5
66f7f8c0d126c2d9ac68e854421f0f40

SHA1
4835ea1fe219bc0e4729346e284eb034291d20d2

SHA256
89214a3bdf05de015a04f36c2f67e101660eb19ecac592823aed3fb11c55ba99

SHA512
94679974a6a51faf753439b1c0abd122eebce84c6f0366cc6e5187221e9afd5883accaa4f87bd3391108057ec8329b40b148d31991294d5cfb78d8d37a925b4a

Download Submit
C:\Windows\System\WduttEo.exe

Filesize
1.5MB

MD5
7e22ab2c3ba5b8b12106890cb312c946

SHA1
e9ec8a4c362bb4a628adffd7eb5f00c68529d421

SHA256
800f4d594d467f6dfbb13c16e7f4811abdf7fefa21e0f6d05bf6a988232bef55

SHA512
60972ad5bed32da947de0e8751618195b4d298c3553f3acad93aeb5c8d61d5cb1775e62cfe57d2bb9189d161b1745155df5ee1550db00218d44c6b41fc516146

Download Submit
C:\Windows\System\YtQJycj.exe

Filesize
1.5MB

MD5
d6ff1f71fb62b7225334d6dbaf86f12a

SHA1
35cd65c4aa3e12e46b15a4d3d0b79924f5d85cab

SHA256
046ee3ed43fcc92c32f6f4a177fb684e382bec06367a0d7f580aa67412565ab1

SHA512
162cb83d24739ae1251a9824a0accfc0da3c2b927d12333a55b4fb56685024f36d63c693e304b770cd3702447e1e8ad0247caffd3232d438f4dd79ecf3a091b3

Download Submit
C:\Windows\System\ZpNyVTa.exe

Filesize
1.5MB

MD5
662481bc2b4e8016e68ebf984a2bdd08

SHA1
a42fd47da29d282e27632369155ea7e10ee182f7

SHA256
d5b36e31124e9bcf2e7f4d18a014a6d0624246c6a7f3199a9cd104ebc7e45948

SHA512
23f4af9cbc4cd04144cae8d138663d814e27581e5797d12177f410c48a13f283ded6d62936a86969c36d1ccd3401b8b5e2ef87bcde9dcbc0f669f6f1ce27fcf5

Download Submit
C:\Windows\System\bBtOEUB.exe

Filesize
1.5MB

MD5
d62438f22851c163f7c980a3327e1c99

SHA1
2fa3b47bb5dba8a16b4085b1f1ea2a3c47fc2ba1

SHA256
d839314b8d90c83a4bbfe42da30485c4722ec8a8f800fc75e077ef1d7ffc6383

SHA512
555f7a43d359b633ff62aeba8a4eca04a21e30a0543e10538567abdd4d50f028be8acb6e7024bfa1a3bf0a6f98a6227885c0f36520d5c5b1a66a5c5b2d8c1a49

Download Submit
C:\Windows\System\bfXrNGH.exe

Filesize
1.5MB

MD5
86bb02f421707b55670293e117389eac

SHA1
eadb2c6c4421c8fcbdbf33f095a69bbec6d256b9

SHA256
6df1323db1e77ba07b3fc48e86f7f11634bd25e7d1cb5e1f0d7f7f711949c61f

SHA512
59a055ee473607e32317b118e21de77e40143ae542eafa078870b3f9ccdd10c6e52d1654d849411fcc83946ef8bb9db2c815b23f08ce8f3aa040445e9e6532dd

Download Submit
C:\Windows\System\cmpFeBd.exe

Filesize
1.5MB

MD5
b813e0c7f8b4c3dc99b500e1cbe58840

SHA1
98bcb24e6673fa157714b34f80171f6493204693

SHA256
ebd5eca379b9f37895d3547c4242e5e00ef90ddce8e54b782744214b8598603d

SHA512
ebecbd9197b2f15ab7a447b33f741dfed8664d097815e98c3c13c8c2705f6fb19af024ce31faa8555938337cc9a22095a7a6d6c83c3df70c187bd48ef9c28b7f

Download Submit
C:\Windows\System\frDjzhs.exe

Filesize
1.5MB

MD5
83c4723ca06d2440373a0632783ed0fc

SHA1
8368cafc4ef8e29d8311ee1f06eeb2f436c3e652

SHA256
9b42ddb9b8ca0d2efcc87907e64a7828261ef5713a1f07835287fb4d224807e3

SHA512
9135b66a7ee82ae96766deaac6863077c7ab567dcf1fdcbfc8edfa93b7797e8406fb9a2863b114d752980ae5b8b422e506a2df7b7b7c50c8cdf241c3158a542f

Download Submit
C:\Windows\System\gkOpalG.exe

Filesize
1.5MB

MD5
31b59cb66b9a95e9dfac02e1ca74f79b

SHA1
2eeb42ce05c3a5eab0180714f69f78c8bee83c81

SHA256
3944e357930fcd2ef8c3a1562f551d7f5d548f3db092b53e228072ba73e470e6

SHA512
6ac283fd9acd4c83d92e11de9a23934c297e79fa8d3e50f9af0db4a8f8c0ab70e0912f44d310c1487766e855e2524bcc0d735266f247b2708d9f7f3779508207

Download Submit
C:\Windows\System\iEncKcz.exe

Filesize
1.5MB

MD5
d7e46e3a228a4d041ce5993d2bf05538

SHA1
3c6fe5d272e136fd3dbe4d9c1abfca649ec1d0ce

SHA256
ef8bbac432c459280f33fea781a47fc8faa6a105929a899cf368394cc9c22b96

SHA512
4ad8f7a996bd766a164167502a209478ea0c45914f229da6733a7344a458ea1af68b0a6a442dffc8bc551960d05c31a5c0d8484c80c8a85ea27ad8b2f63bba7b

Download Submit
C:\Windows\System\miQLgHN.exe

Filesize
1.5MB

MD5
f8d1e0e284257fac9c8d61dc243728b1

SHA1
a5bb400e78e00b76922934bfae21f087932bc6bd

SHA256
4aff48e21a090a23e7436c29a86101f48bb0caef4e8f8b62b2c7a362d6b97d78

SHA512
19a9f0c5ba4fc65063e240c6b3e88128cb58d536deba7691176f625997aa41f7c5b1104c9885cb3068422a336f7ef4bf590e6b7b19f3be73db755374eaa3f918

Download Submit
C:\Windows\System\nlxixJG.exe

Filesize
1.5MB

MD5
7c033f5e463a40731ccf527e5e874042

SHA1
5d65467984421d847a1f6be24e49b60af02bc643

SHA256
66eb0b3d68a538cc2eba48155960756d8733a4b270978699c4806e736f1b05ff

SHA512
5814fb903733d22a5bafb51aa9e239074db6aa5341f6c74fef65a4299091d94473ae241cc3ed44d16241f176eff5e6fc1062a678fe8888f1e68564918cfa9bbb

Download Submit
C:\Windows\System\nvVTQir.exe

Filesize
1.5MB

MD5
f89b5f4021bc744bee24fdbe4c827c70

SHA1
7ede31825ef84c8ae6b5b152de68b4660a78c0ba

SHA256
32115a69d3fe6e3e846ff5939eace9bfd902e02f26396112ecb9929c517e1b0b

SHA512
8cbd958c6f6ac8697197cba10181b9ffa3b4b37baf240ccbfd33adba7b83419480ac24ef59f0858c4667090eff6045e2d4871e1db6f9772dd1f86d84ab0929e7

Download Submit
C:\Windows\System\rTIRGvg.exe

Filesize
1.5MB

MD5
e65d58ac281e154082bffbe2008d5b78

SHA1
c25012c694c2f6ffeb03159400ffe51efe1f57f1

SHA256
3429077cc54d11589684b0e13d0a1a26b325820ec2788675813e4b5c521c6b26

SHA512
6a967df25313e6fed243e42e47e1bb855361f49571f8a0fe4189986acab37b6d22f121cc55e9e31299489a6f2e10c74ad528d2283f98099ea2a0d5a5302e211d

Download Submit
C:\Windows\System\tbTNuFQ.exe

Filesize
1.5MB

MD5
55279e423a8bfac73a8afbf9580651ce

SHA1
d42fea65b0c4930a95aff2555a4748bb69f0cecb

SHA256
a8699a7d121b151eb7501059e4e6b540807b0443b7a671d32268853156e71bfa

SHA512
dfca239fc63a06291baadb9411fefbebf2b92a3cde02a514ce2c34967b286af4ceec604ce89c727829ab70fccf08f0c422d6e192a992d3abe2b1d76415d9700f

Download Submit
C:\Windows\System\udnuhkn.exe

Filesize
1.5MB

MD5
22fa6a83e47b69d8c6eacc92fee4ee47

SHA1
558f880216a1a1d33c60357c2e741db7a3048672

SHA256
2bf7df68c33307d8662c5c252cc7a80e62fad043df9358c607fc87b5c9b49e02

SHA512
ebaee44dceae19784695c289f93eee7aea969759ce386e16994ddefb1fa11c68bc959ecdd4951a8369fa961efeaa82200c51588e8f48e8434e54dab00844f66d

Download Submit
C:\Windows\System\xMvssRa.exe

Filesize
1.5MB

MD5
0f907a87da494151ece6bcb29eea63c9

SHA1
378aa7e691dfba28119efc52728e0aa20e638ec2

SHA256
9a5164b25539ad3de8f4bb85a4a6753a621e7ef09424a6a3aec95c937a4c8e04

SHA512
0e31250586ca50c73b2234530db8d7f4d201800aa2eb1d5f14054276a175e9cb1c863b94fb87b860f167a7e893c8f197ecdaeb904fcd341667d808180bd781e2

Download Submit
C:\Windows\System\xTtOEvG.exe

Filesize
1.5MB

MD5
05f4357c7fbd265cdeb6db775a768f80

SHA1
301d61243684f3028b9de789f191a07c9dcdb2e7

SHA256
4b180c68e8ceb35c54f6b41eb7fd6b990a784effbbca7c404f0371a46c7944a2

SHA512
49f944fec368ed385876a597b1ce375cafca9d5edf46a7983bc0667de37fe106e48a0fd87a2deacf147dfe519c0a6747d3c5c6b9ba153fd53c9b736606f9c520

Download Submit
C:\Windows\System\zVMalGf.exe

Filesize
1.5MB

MD5
753b77462b8746a691ee0badb4ffe96a

SHA1
e4f781752e16d3830ab2a881095642c6e68f9307

SHA256
3076b7874a07d7761866392883621dca0f6f50c78be2e9b0bd927044523b00b2

SHA512
44c2e06132a5bfb378325c945aa725cd3b0babb2e418dc78cfa5637c67fbe6c4b6edb3536da178a6390668992781dda460a189b4bdde7972bf3af5ee8de047df

Download Submit
C:\Windows\System\ztcWpIi.exe

Filesize
1.5MB

MD5
05b58610847b5a6f33d45fc47b96dbf8

SHA1
db2000c6a7410b2351035eb7fdf916cbe454a1c4

SHA256
cbb49d055c68e79bdefebecb942f9e573cee3d9a3efa45e951afda2c9f3e4b9a

SHA512
6d23100befe9a4c1210e3394727fc4f8532e2dc611962048761a01e15cb69de5bed00258f5231831c37c94eb5004ec799300206bdd19c1bae24ca3bb2b93bbb5

Download Submit
memory/740-2292-0x00007FF7C2D80000-0x00007FF7C30D1000-memory.dmp

Filesize
3.3MB

Download
memory/740-287-0x00007FF7C2D80000-0x00007FF7C30D1000-memory.dmp

Filesize
3.3MB

Download
memory/1244-2291-0x00007FF7D91C0000-0x00007FF7D9511000-memory.dmp

Filesize
3.3MB

Download
memory/1244-274-0x00007FF7D91C0000-0x00007FF7D9511000-memory.dmp

Filesize
3.3MB

Download
memory/1248-259-0x00007FF67C420000-0x00007FF67C771000-memory.dmp

Filesize
3.3MB

Download
memory/1248-2178-0x00007FF67C420000-0x00007FF67C771000-memory.dmp

Filesize
3.3MB

Download
memory/1256-56-0x00007FF61D7D0000-0x00007FF61DB21000-memory.dmp

Filesize
3.3MB

Download
memory/1256-2123-0x00007FF61D7D0000-0x00007FF61DB21000-memory.dmp

Filesize
3.3MB

Download
memory/1408-263-0x00007FF68D420000-0x00007FF68D771000-memory.dmp

Filesize
3.3MB

Download
memory/1408-2236-0x00007FF68D420000-0x00007FF68D771000-memory.dmp

Filesize
3.3MB

Download
memory/1548-32-0x00007FF761A20000-0x00007FF761D71000-memory.dmp

Filesize
3.3MB

Download
memory/1548-2097-0x00007FF761A20000-0x00007FF761D71000-memory.dmp

Filesize
3.3MB

Download
memory/1724-2113-0x00007FF74F080000-0x00007FF74F3D1000-memory.dmp

Filesize
3.3MB

Download
memory/1724-49-0x00007FF74F080000-0x00007FF74F3D1000-memory.dmp

Filesize
3.3MB

Download
memory/1768-2288-0x00007FF754560000-0x00007FF7548B1000-memory.dmp

Filesize
3.3MB

Download
memory/1768-279-0x00007FF754560000-0x00007FF7548B1000-memory.dmp

Filesize
3.3MB

Download
memory/1796-2092-0x00007FF652C40000-0x00007FF652F91000-memory.dmp

Filesize
3.3MB

Download
memory/1796-20-0x00007FF652C40000-0x00007FF652F91000-memory.dmp

Filesize
3.3MB

Download
memory/1928-2190-0x00007FF63BA40000-0x00007FF63BD91000-memory.dmp

Filesize
3.3MB

Download
memory/1928-260-0x00007FF63BA40000-0x00007FF63BD91000-memory.dmp

Filesize
3.3MB

Download
memory/2016-2210-0x00007FF609270000-0x00007FF6095C1000-memory.dmp

Filesize
3.3MB

Download
memory/2016-261-0x00007FF609270000-0x00007FF6095C1000-memory.dmp

Filesize
3.3MB

Download
memory/2044-262-0x00007FF6C4290000-0x00007FF6C45E1000-memory.dmp

Filesize
3.3MB

Download
memory/2044-2226-0x00007FF6C4290000-0x00007FF6C45E1000-memory.dmp

Filesize
3.3MB

Download
memory/2408-2094-0x00007FF738B30000-0x00007FF738E81000-memory.dmp

Filesize
3.3MB

Download
memory/2408-26-0x00007FF738B30000-0x00007FF738E81000-memory.dmp

Filesize
3.3MB

Download
memory/2440-2243-0x00007FF6184A0000-0x00007FF6187F1000-memory.dmp

Filesize
3.3MB

Download
memory/2440-265-0x00007FF6184A0000-0x00007FF6187F1000-memory.dmp

Filesize
3.3MB

Download
memory/2900-269-0x00007FF61EC60000-0x00007FF61EFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2900-2228-0x00007FF61EC60000-0x00007FF61EFB1000-memory.dmp

Filesize
3.3MB

Download
memory/3356-271-0x00007FF739120000-0x00007FF739471000-memory.dmp

Filesize
3.3MB

Download
memory/3356-2247-0x00007FF739120000-0x00007FF739471000-memory.dmp

Filesize
3.3MB

Download
memory/3468-47-0x00007FF6CCCE0000-0x00007FF6CD031000-memory.dmp

Filesize
3.3MB

Download
memory/3468-2101-0x00007FF6CCCE0000-0x00007FF6CD031000-memory.dmp

Filesize
3.3MB

Download
memory/3644-277-0x00007FF68C260000-0x00007FF68C5B1000-memory.dmp

Filesize
3.3MB

Download
memory/3644-2290-0x00007FF68C260000-0x00007FF68C5B1000-memory.dmp

Filesize
3.3MB

Download
memory/3668-273-0x00007FF6BD650000-0x00007FF6BD9A1000-memory.dmp

Filesize
3.3MB

Download
memory/3668-2258-0x00007FF6BD650000-0x00007FF6BD9A1000-memory.dmp

Filesize
3.3MB

Download
memory/3684-309-0x00007FF600180000-0x00007FF6004D1000-memory.dmp

Filesize
3.3MB

Download
memory/3684-2287-0x00007FF600180000-0x00007FF6004D1000-memory.dmp

Filesize
3.3MB

Download
memory/3816-2139-0x00007FF6B49F0000-0x00007FF6B4D41000-memory.dmp

Filesize
3.3MB

Download
memory/3816-66-0x00007FF6B49F0000-0x00007FF6B4D41000-memory.dmp

Filesize
3.3MB

Download
memory/3836-2090-0x00007FF73B8B0000-0x00007FF73BC01000-memory.dmp

Filesize
3.3MB

Download
memory/3836-15-0x00007FF73B8B0000-0x00007FF73BC01000-memory.dmp

Filesize
3.3MB

Download
memory/3852-249-0x00007FF69E400000-0x00007FF69E751000-memory.dmp

Filesize
3.3MB

Download
memory/3852-2141-0x00007FF69E400000-0x00007FF69E751000-memory.dmp

Filesize
3.3MB

Download
memory/4056-62-0x00007FF6C4710000-0x00007FF6C4A61000-memory.dmp

Filesize
3.3MB

Download
memory/4056-2131-0x00007FF6C4710000-0x00007FF6C4A61000-memory.dmp

Filesize
3.3MB

Download
memory/4132-57-0x00007FF680AE0000-0x00007FF680E31000-memory.dmp

Filesize
3.3MB

Download
memory/4132-2117-0x00007FF680AE0000-0x00007FF680E31000-memory.dmp

Filesize
3.3MB

Download
memory/4180-2246-0x00007FF6BAFE0000-0x00007FF6BB331000-memory.dmp

Filesize
3.3MB

Download
memory/4180-270-0x00007FF6BAFE0000-0x00007FF6BB331000-memory.dmp

Filesize
3.3MB

Download
memory/4396-2256-0x00007FF69AEA0000-0x00007FF69B1F1000-memory.dmp

Filesize
3.3MB

Download
memory/4396-272-0x00007FF69AEA0000-0x00007FF69B1F1000-memory.dmp

Filesize
3.3MB

Download
memory/4816-2088-0x00007FF7FF7E0000-0x00007FF7FFB31000-memory.dmp

Filesize
3.3MB

Download
memory/4816-8-0x00007FF7FF7E0000-0x00007FF7FFB31000-memory.dmp

Filesize
3.3MB

Download
memory/4816-802-0x00007FF7FF7E0000-0x00007FF7FFB31000-memory.dmp

Filesize
3.3MB

Download
memory/4836-247-0x00007FF76E1A0000-0x00007FF76E4F1000-memory.dmp

Filesize
3.3MB

Download
memory/4836-0-0x00007FF76E1A0000-0x00007FF76E4F1000-memory.dmp

Filesize
3.3MB

Download
memory/4836-1-0x000001B485520000-0x000001B485530000-memory.dmp

Filesize
64KB

Download
memory/5068-254-0x00007FF7E0D20000-0x00007FF7E1071000-memory.dmp

Filesize
3.3MB

Download
memory/5068-2179-0x00007FF7E0D20000-0x00007FF7E1071000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.