xmrig | 72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa

Analysis

max time kernel
137s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
Size

2.1MB
MD5

67fc3d27f516054c52d367aef075891b
SHA1

da9697638d6c706895a975edaec798f85d46aa9c
SHA256

72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa
SHA512

c8a37f27852207337d1cd3ec650dd94f3ddf86bd19b893cb24f60ee23409bc92514196d8b0c5baf4f58d4962215275f5ec3e8eae3bbcf351bb48d1ebb2ccfa39
SSDEEP

49152:oezaTF8FcNkNdfE0pZ9ozt4wIQwNGyXGVfC:oemTLkNdfE0pZrQ0

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/4840-0-0x00007FF7F46F0000-0x00007FF7F4A44000-memory.dmp	UPX
behavioral2/files/0x00080000000233eb-5.dat	UPX
behavioral2/memory/1700-17-0x00007FF6E80E0000-0x00007FF6E8434000-memory.dmp	UPX
behavioral2/files/0x00070000000233f1-19.dat	UPX
behavioral2/files/0x00070000000233f0-18.dat	UPX
behavioral2/files/0x00070000000233ef-13.dat	UPX
behavioral2/memory/4652-29-0x00007FF722890000-0x00007FF722BE4000-memory.dmp	UPX
behavioral2/memory/4196-33-0x00007FF691300000-0x00007FF691654000-memory.dmp	UPX
behavioral2/files/0x00070000000233f3-40.dat	UPX
behavioral2/files/0x00070000000233f4-39.dat	UPX
behavioral2/files/0x00070000000233f7-55.dat	UPX
behavioral2/files/0x00070000000233f9-71.dat	UPX
behavioral2/files/0x0007000000023405-131.dat	UPX
behavioral2/memory/2276-372-0x00007FF79B010000-0x00007FF79B364000-memory.dmp	UPX
behavioral2/memory/5036-378-0x00007FF6331B0000-0x00007FF633504000-memory.dmp	UPX
behavioral2/memory/4476-380-0x00007FF68A410000-0x00007FF68A764000-memory.dmp	UPX
behavioral2/memory/4728-383-0x00007FF703A90000-0x00007FF703DE4000-memory.dmp	UPX
behavioral2/memory/4500-387-0x00007FF622400000-0x00007FF622754000-memory.dmp	UPX
behavioral2/memory/2028-390-0x00007FF7FDAB0000-0x00007FF7FDE04000-memory.dmp	UPX
behavioral2/memory/2332-393-0x00007FF7F24D0000-0x00007FF7F2824000-memory.dmp	UPX
behavioral2/memory/1524-392-0x00007FF6AB9F0000-0x00007FF6ABD44000-memory.dmp	UPX
behavioral2/memory/3608-391-0x00007FF7876B0000-0x00007FF787A04000-memory.dmp	UPX
behavioral2/memory/5088-389-0x00007FF638D30000-0x00007FF639084000-memory.dmp	UPX
behavioral2/memory/2016-388-0x00007FF73C310000-0x00007FF73C664000-memory.dmp	UPX
behavioral2/memory/3024-386-0x00007FF7236C0000-0x00007FF723A14000-memory.dmp	UPX
behavioral2/memory/1640-385-0x00007FF6C7E90000-0x00007FF6C81E4000-memory.dmp	UPX
behavioral2/memory/3760-384-0x00007FF72EA70000-0x00007FF72EDC4000-memory.dmp	UPX
behavioral2/memory/2136-382-0x00007FF7F1290000-0x00007FF7F15E4000-memory.dmp	UPX
behavioral2/memory/3388-381-0x00007FF65BD60000-0x00007FF65C0B4000-memory.dmp	UPX
behavioral2/memory/4804-379-0x00007FF625350000-0x00007FF6256A4000-memory.dmp	UPX
behavioral2/memory/5080-365-0x00007FF721DE0000-0x00007FF722134000-memory.dmp	UPX
behavioral2/memory/4456-364-0x00007FF79C080000-0x00007FF79C3D4000-memory.dmp	UPX
behavioral2/memory/3708-363-0x00007FF6C30E0000-0x00007FF6C3434000-memory.dmp	UPX
behavioral2/memory/3904-356-0x00007FF736110000-0x00007FF736464000-memory.dmp	UPX
behavioral2/memory/4280-352-0x00007FF7C7850000-0x00007FF7C7BA4000-memory.dmp	UPX
behavioral2/files/0x000700000002340e-170.dat	UPX
behavioral2/files/0x000700000002340c-166.dat	UPX
behavioral2/files/0x000700000002340d-165.dat	UPX
behavioral2/files/0x000700000002340b-161.dat	UPX
behavioral2/files/0x000700000002340a-155.dat	UPX
behavioral2/files/0x0007000000023409-151.dat	UPX
behavioral2/files/0x0007000000023408-146.dat	UPX
behavioral2/files/0x0007000000023407-141.dat	UPX
behavioral2/files/0x0007000000023406-136.dat	UPX
behavioral2/files/0x0007000000023404-126.dat	UPX
behavioral2/files/0x0007000000023403-121.dat	UPX
behavioral2/files/0x0007000000023402-116.dat	UPX
behavioral2/files/0x0007000000023401-111.dat	UPX
behavioral2/files/0x0007000000023400-106.dat	UPX
behavioral2/files/0x00070000000233ff-101.dat	UPX
behavioral2/files/0x00070000000233fe-95.dat	UPX
behavioral2/files/0x00070000000233fd-91.dat	UPX
behavioral2/files/0x00070000000233fc-86.dat	UPX
behavioral2/files/0x00070000000233fb-81.dat	UPX
behavioral2/files/0x00070000000233fa-76.dat	UPX
behavioral2/files/0x00070000000233f8-66.dat	UPX
behavioral2/files/0x00070000000233f6-56.dat	UPX
behavioral2/files/0x00070000000233f5-48.dat	UPX
behavioral2/memory/2852-46-0x00007FF7BCE80000-0x00007FF7BD1D4000-memory.dmp	UPX
behavioral2/memory/4876-38-0x00007FF7A8300000-0x00007FF7A8654000-memory.dmp	UPX
behavioral2/files/0x00070000000233f2-34.dat	UPX
behavioral2/memory/3620-32-0x00007FF663D90000-0x00007FF6640E4000-memory.dmp	UPX
behavioral2/memory/1300-24-0x00007FF79D890000-0x00007FF79DBE4000-memory.dmp	UPX
behavioral2/memory/4840-1939-0x00007FF7F46F0000-0x00007FF7F4A44000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4840-0-0x00007FF7F46F0000-0x00007FF7F4A44000-memory.dmp	xmrig
behavioral2/files/0x00080000000233eb-5.dat	xmrig
behavioral2/memory/1700-17-0x00007FF6E80E0000-0x00007FF6E8434000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f1-19.dat	xmrig
behavioral2/files/0x00070000000233f0-18.dat	xmrig
behavioral2/files/0x00070000000233ef-13.dat	xmrig
behavioral2/memory/4652-29-0x00007FF722890000-0x00007FF722BE4000-memory.dmp	xmrig
behavioral2/memory/4196-33-0x00007FF691300000-0x00007FF691654000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f3-40.dat	xmrig
behavioral2/files/0x00070000000233f4-39.dat	xmrig
behavioral2/files/0x00070000000233f7-55.dat	xmrig
behavioral2/files/0x00070000000233f9-71.dat	xmrig
behavioral2/files/0x0007000000023405-131.dat	xmrig
behavioral2/memory/2276-372-0x00007FF79B010000-0x00007FF79B364000-memory.dmp	xmrig
behavioral2/memory/5036-378-0x00007FF6331B0000-0x00007FF633504000-memory.dmp	xmrig
behavioral2/memory/4476-380-0x00007FF68A410000-0x00007FF68A764000-memory.dmp	xmrig
behavioral2/memory/4728-383-0x00007FF703A90000-0x00007FF703DE4000-memory.dmp	xmrig
behavioral2/memory/4500-387-0x00007FF622400000-0x00007FF622754000-memory.dmp	xmrig
behavioral2/memory/2028-390-0x00007FF7FDAB0000-0x00007FF7FDE04000-memory.dmp	xmrig
behavioral2/memory/2332-393-0x00007FF7F24D0000-0x00007FF7F2824000-memory.dmp	xmrig
behavioral2/memory/1524-392-0x00007FF6AB9F0000-0x00007FF6ABD44000-memory.dmp	xmrig
behavioral2/memory/3608-391-0x00007FF7876B0000-0x00007FF787A04000-memory.dmp	xmrig
behavioral2/memory/5088-389-0x00007FF638D30000-0x00007FF639084000-memory.dmp	xmrig
behavioral2/memory/2016-388-0x00007FF73C310000-0x00007FF73C664000-memory.dmp	xmrig
behavioral2/memory/3024-386-0x00007FF7236C0000-0x00007FF723A14000-memory.dmp	xmrig
behavioral2/memory/1640-385-0x00007FF6C7E90000-0x00007FF6C81E4000-memory.dmp	xmrig
behavioral2/memory/3760-384-0x00007FF72EA70000-0x00007FF72EDC4000-memory.dmp	xmrig
behavioral2/memory/2136-382-0x00007FF7F1290000-0x00007FF7F15E4000-memory.dmp	xmrig
behavioral2/memory/3388-381-0x00007FF65BD60000-0x00007FF65C0B4000-memory.dmp	xmrig
behavioral2/memory/4804-379-0x00007FF625350000-0x00007FF6256A4000-memory.dmp	xmrig
behavioral2/memory/5080-365-0x00007FF721DE0000-0x00007FF722134000-memory.dmp	xmrig
behavioral2/memory/4456-364-0x00007FF79C080000-0x00007FF79C3D4000-memory.dmp	xmrig
behavioral2/memory/3708-363-0x00007FF6C30E0000-0x00007FF6C3434000-memory.dmp	xmrig
behavioral2/memory/3904-356-0x00007FF736110000-0x00007FF736464000-memory.dmp	xmrig
behavioral2/memory/4280-352-0x00007FF7C7850000-0x00007FF7C7BA4000-memory.dmp	xmrig
behavioral2/files/0x000700000002340e-170.dat	xmrig
behavioral2/files/0x000700000002340c-166.dat	xmrig
behavioral2/files/0x000700000002340d-165.dat	xmrig
behavioral2/files/0x000700000002340b-161.dat	xmrig
behavioral2/files/0x000700000002340a-155.dat	xmrig
behavioral2/files/0x0007000000023409-151.dat	xmrig
behavioral2/files/0x0007000000023408-146.dat	xmrig
behavioral2/files/0x0007000000023407-141.dat	xmrig
behavioral2/files/0x0007000000023406-136.dat	xmrig
behavioral2/files/0x0007000000023404-126.dat	xmrig
behavioral2/files/0x0007000000023403-121.dat	xmrig
behavioral2/files/0x0007000000023402-116.dat	xmrig
behavioral2/files/0x0007000000023401-111.dat	xmrig
behavioral2/files/0x0007000000023400-106.dat	xmrig
behavioral2/files/0x00070000000233ff-101.dat	xmrig
behavioral2/files/0x00070000000233fe-95.dat	xmrig
behavioral2/files/0x00070000000233fd-91.dat	xmrig
behavioral2/files/0x00070000000233fc-86.dat	xmrig
behavioral2/files/0x00070000000233fb-81.dat	xmrig
behavioral2/files/0x00070000000233fa-76.dat	xmrig
behavioral2/files/0x00070000000233f8-66.dat	xmrig
behavioral2/files/0x00070000000233f6-56.dat	xmrig
behavioral2/files/0x00070000000233f5-48.dat	xmrig
behavioral2/memory/2852-46-0x00007FF7BCE80000-0x00007FF7BD1D4000-memory.dmp	xmrig
behavioral2/memory/4876-38-0x00007FF7A8300000-0x00007FF7A8654000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f2-34.dat	xmrig
behavioral2/memory/3620-32-0x00007FF663D90000-0x00007FF6640E4000-memory.dmp	xmrig
behavioral2/memory/1300-24-0x00007FF79D890000-0x00007FF79DBE4000-memory.dmp	xmrig
behavioral2/memory/4840-1939-0x00007FF7F46F0000-0x00007FF7F4A44000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1700	UedYIgt.exe
3620	IfspapM.exe
1300	ZUYafyg.exe
4652	QQhKwvo.exe
4876	OLoAyfz.exe
4196	SgzNAxM.exe
2852	MPRvJbs.exe
4280	ePsVJlw.exe
2332	taHkyYS.exe
3904	yaaAeqI.exe
3708	QdxmwXG.exe
4456	ouqXxGX.exe
5080	ArDfXVZ.exe
2276	ABudSwt.exe
5036	wlCxGjm.exe
4804	GhGYzpb.exe
4476	EGothvR.exe
3388	CfOYhfc.exe
2136	MhOBgYI.exe
4728	gxuiglR.exe
3760	BQapWNQ.exe
1640	yPxexvY.exe
3024	jazrxIR.exe
4500	rzfdKrV.exe
2016	lErtNfl.exe
5088	epDuUYG.exe
2028	wrGPRGd.exe
3608	rGCUOyn.exe
1524	HyPHuNx.exe
2352	CyaUbaR.exe
5108	rDorMIA.exe
524	ouwHVwE.exe
1468	nOEdtqs.exe
5072	UPUykVj.exe
2272	lYiLpwU.exe
3556	zMXcOlX.exe
4680	XxFROVB.exe
2156	jkINRzj.exe
4232	PUZAnUe.exe
2176	uMEnHEt.exe
4696	RabirLN.exe
4388	NXiQEWJ.exe
4572	nXBkFjR.exe
4252	pvPgOKQ.exe
3116	lyGnCPv.exe
2392	MHeMMbq.exe
4888	bHKkNPm.exe
3452	CwhFVmk.exe
2952	nKJpiko.exe
4396	uyydfhe.exe
4084	RMiLLci.exe
4676	lyjroTJ.exe
1164	wZFhLlV.exe
3976	vBQMPQI.exe
380	JSQXGta.exe
2968	viHXUgt.exe
1696	SeqkaCZ.exe
4956	irsEfly.exe
4748	bSQnfef.exe
4460	dhqOUft.exe
4336	McOjqlE.exe
2280	VgCjYpk.exe
5052	OsJVDrQ.exe
732	WcxGlvJ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4840-0-0x00007FF7F46F0000-0x00007FF7F4A44000-memory.dmp	upx
behavioral2/files/0x00080000000233eb-5.dat	upx
behavioral2/memory/1700-17-0x00007FF6E80E0000-0x00007FF6E8434000-memory.dmp	upx
behavioral2/files/0x00070000000233f1-19.dat	upx
behavioral2/files/0x00070000000233f0-18.dat	upx
behavioral2/files/0x00070000000233ef-13.dat	upx
behavioral2/memory/4652-29-0x00007FF722890000-0x00007FF722BE4000-memory.dmp	upx
behavioral2/memory/4196-33-0x00007FF691300000-0x00007FF691654000-memory.dmp	upx
behavioral2/files/0x00070000000233f3-40.dat	upx
behavioral2/files/0x00070000000233f4-39.dat	upx
behavioral2/files/0x00070000000233f7-55.dat	upx
behavioral2/files/0x00070000000233f9-71.dat	upx
behavioral2/files/0x0007000000023405-131.dat	upx
behavioral2/memory/2276-372-0x00007FF79B010000-0x00007FF79B364000-memory.dmp	upx
behavioral2/memory/5036-378-0x00007FF6331B0000-0x00007FF633504000-memory.dmp	upx
behavioral2/memory/4476-380-0x00007FF68A410000-0x00007FF68A764000-memory.dmp	upx
behavioral2/memory/4728-383-0x00007FF703A90000-0x00007FF703DE4000-memory.dmp	upx
behavioral2/memory/4500-387-0x00007FF622400000-0x00007FF622754000-memory.dmp	upx
behavioral2/memory/2028-390-0x00007FF7FDAB0000-0x00007FF7FDE04000-memory.dmp	upx
behavioral2/memory/2332-393-0x00007FF7F24D0000-0x00007FF7F2824000-memory.dmp	upx
behavioral2/memory/1524-392-0x00007FF6AB9F0000-0x00007FF6ABD44000-memory.dmp	upx
behavioral2/memory/3608-391-0x00007FF7876B0000-0x00007FF787A04000-memory.dmp	upx
behavioral2/memory/5088-389-0x00007FF638D30000-0x00007FF639084000-memory.dmp	upx
behavioral2/memory/2016-388-0x00007FF73C310000-0x00007FF73C664000-memory.dmp	upx
behavioral2/memory/3024-386-0x00007FF7236C0000-0x00007FF723A14000-memory.dmp	upx
behavioral2/memory/1640-385-0x00007FF6C7E90000-0x00007FF6C81E4000-memory.dmp	upx
behavioral2/memory/3760-384-0x00007FF72EA70000-0x00007FF72EDC4000-memory.dmp	upx
behavioral2/memory/2136-382-0x00007FF7F1290000-0x00007FF7F15E4000-memory.dmp	upx
behavioral2/memory/3388-381-0x00007FF65BD60000-0x00007FF65C0B4000-memory.dmp	upx
behavioral2/memory/4804-379-0x00007FF625350000-0x00007FF6256A4000-memory.dmp	upx
behavioral2/memory/5080-365-0x00007FF721DE0000-0x00007FF722134000-memory.dmp	upx
behavioral2/memory/4456-364-0x00007FF79C080000-0x00007FF79C3D4000-memory.dmp	upx
behavioral2/memory/3708-363-0x00007FF6C30E0000-0x00007FF6C3434000-memory.dmp	upx
behavioral2/memory/3904-356-0x00007FF736110000-0x00007FF736464000-memory.dmp	upx
behavioral2/memory/4280-352-0x00007FF7C7850000-0x00007FF7C7BA4000-memory.dmp	upx
behavioral2/files/0x000700000002340e-170.dat	upx
behavioral2/files/0x000700000002340c-166.dat	upx
behavioral2/files/0x000700000002340d-165.dat	upx
behavioral2/files/0x000700000002340b-161.dat	upx
behavioral2/files/0x000700000002340a-155.dat	upx
behavioral2/files/0x0007000000023409-151.dat	upx
behavioral2/files/0x0007000000023408-146.dat	upx
behavioral2/files/0x0007000000023407-141.dat	upx
behavioral2/files/0x0007000000023406-136.dat	upx
behavioral2/files/0x0007000000023404-126.dat	upx
behavioral2/files/0x0007000000023403-121.dat	upx
behavioral2/files/0x0007000000023402-116.dat	upx
behavioral2/files/0x0007000000023401-111.dat	upx
behavioral2/files/0x0007000000023400-106.dat	upx
behavioral2/files/0x00070000000233ff-101.dat	upx
behavioral2/files/0x00070000000233fe-95.dat	upx
behavioral2/files/0x00070000000233fd-91.dat	upx
behavioral2/files/0x00070000000233fc-86.dat	upx
behavioral2/files/0x00070000000233fb-81.dat	upx
behavioral2/files/0x00070000000233fa-76.dat	upx
behavioral2/files/0x00070000000233f8-66.dat	upx
behavioral2/files/0x00070000000233f6-56.dat	upx
behavioral2/files/0x00070000000233f5-48.dat	upx
behavioral2/memory/2852-46-0x00007FF7BCE80000-0x00007FF7BD1D4000-memory.dmp	upx
behavioral2/memory/4876-38-0x00007FF7A8300000-0x00007FF7A8654000-memory.dmp	upx
behavioral2/files/0x00070000000233f2-34.dat	upx
behavioral2/memory/3620-32-0x00007FF663D90000-0x00007FF6640E4000-memory.dmp	upx
behavioral2/memory/1300-24-0x00007FF79D890000-0x00007FF79DBE4000-memory.dmp	upx
behavioral2/memory/4840-1939-0x00007FF7F46F0000-0x00007FF7F4A44000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\EKWVfUi.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\PcUCbIb.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\cfaCXrF.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\XRfGxox.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\WZwxyAg.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\GGGuVdr.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\JVYMmPp.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\oiHtOAa.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\leaXWJN.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\MabZOPl.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\pkkHDbQ.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\reqjwue.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\NXdeAzx.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\Efgujxd.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\ZEJMWOD.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\aTfyEPX.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\MLhIOFb.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\uNSIUEP.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\BAMNJAg.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\IEiSRbH.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\eMypCJN.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\xHVasMn.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\JPHRpqo.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\phZNqMh.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\xQynFUa.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\skQocMv.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\Ebskfpm.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\mBWUOqS.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\qjEfDka.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\WlWXgUv.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\iDDqLUk.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\LIOZtVD.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\HfHFYFm.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\ZNHCkSQ.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\zjjVAPI.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\VsbdDOg.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\epDuUYG.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\HLgAJAx.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\lfHjwoX.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\acQTdDa.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\MPpauCv.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\rogNaAO.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\mzTobAQ.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\iFiAVou.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\AxjDvgV.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\LdfbFCw.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\wZNLOgy.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\tNTNaxi.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\aFHiHvl.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\yjBUxMH.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\rfKqyjM.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\IOMeDGg.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\UNWhjXL.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\WmQDXdy.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\RBlUXoJ.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\khckvrW.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\MwlqKEF.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\DrZbGGh.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\LhLbqVM.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\HUogSHJ.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\HChzvAS.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\ZKyqsRJ.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\gFtnBHo.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
File created	C:\Windows\System\YNqRyLQ.exe	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	14944	dwm.exe
Token: SeChangeNotifyPrivilege	14944	dwm.exe
Token: 33	14944	dwm.exe
Token: SeIncBasePriorityPrivilege	14944	dwm.exe
Token: SeShutdownPrivilege	14944	dwm.exe
Token: SeCreatePagefilePrivilege	14944	dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
15304	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 1700	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	83
PID 4840 wrote to memory of 1700	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	83
PID 4840 wrote to memory of 3620	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	84
PID 4840 wrote to memory of 3620	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	84
PID 4840 wrote to memory of 1300	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	85
PID 4840 wrote to memory of 1300	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	85
PID 4840 wrote to memory of 4652	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	86
PID 4840 wrote to memory of 4652	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	86
PID 4840 wrote to memory of 4876	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	87
PID 4840 wrote to memory of 4876	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	87
PID 4840 wrote to memory of 4196	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	88
PID 4840 wrote to memory of 4196	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	88
PID 4840 wrote to memory of 2852	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	89
PID 4840 wrote to memory of 2852	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	89
PID 4840 wrote to memory of 4280	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	90
PID 4840 wrote to memory of 4280	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	90
PID 4840 wrote to memory of 2332	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	91
PID 4840 wrote to memory of 2332	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	91
PID 4840 wrote to memory of 3904	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	92
PID 4840 wrote to memory of 3904	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	92
PID 4840 wrote to memory of 3708	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	93
PID 4840 wrote to memory of 3708	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	93
PID 4840 wrote to memory of 4456	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	94
PID 4840 wrote to memory of 4456	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	94
PID 4840 wrote to memory of 5080	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	95
PID 4840 wrote to memory of 5080	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	95
PID 4840 wrote to memory of 2276	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	96
PID 4840 wrote to memory of 2276	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	96
PID 4840 wrote to memory of 5036	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	97
PID 4840 wrote to memory of 5036	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	97
PID 4840 wrote to memory of 4804	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	98
PID 4840 wrote to memory of 4804	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	98
PID 4840 wrote to memory of 4476	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	99
PID 4840 wrote to memory of 4476	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	99
PID 4840 wrote to memory of 3388	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	100
PID 4840 wrote to memory of 3388	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	100
PID 4840 wrote to memory of 2136	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	101
PID 4840 wrote to memory of 2136	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	101
PID 4840 wrote to memory of 4728	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	102
PID 4840 wrote to memory of 4728	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	102
PID 4840 wrote to memory of 3760	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	103
PID 4840 wrote to memory of 3760	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	103
PID 4840 wrote to memory of 1640	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	104
PID 4840 wrote to memory of 1640	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	104
PID 4840 wrote to memory of 3024	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	105
PID 4840 wrote to memory of 3024	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	105
PID 4840 wrote to memory of 4500	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	106
PID 4840 wrote to memory of 4500	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	106
PID 4840 wrote to memory of 2016	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	107
PID 4840 wrote to memory of 2016	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	107
PID 4840 wrote to memory of 5088	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	108
PID 4840 wrote to memory of 5088	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	108
PID 4840 wrote to memory of 2028	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	109
PID 4840 wrote to memory of 2028	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	109
PID 4840 wrote to memory of 3608	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	110
PID 4840 wrote to memory of 3608	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	110
PID 4840 wrote to memory of 1524	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	111
PID 4840 wrote to memory of 1524	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	111
PID 4840 wrote to memory of 2352	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	112
PID 4840 wrote to memory of 2352	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	112
PID 4840 wrote to memory of 5108	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	113
PID 4840 wrote to memory of 5108	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	113
PID 4840 wrote to memory of 524	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	114
PID 4840 wrote to memory of 524	4840	72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe	114

C:\Users\Admin\AppData\Local\Temp\72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe
"C:\Users\Admin\AppData\Local\Temp\72f88101f92d30e1fb9b6b69d78f767ea3ffb790d48746e0c0faa497bcaf68fa.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\System\UedYIgt.exe
  C:\Windows\System\UedYIgt.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\System\IfspapM.exe
  C:\Windows\System\IfspapM.exe
  2⤵
  - Executes dropped EXE
  PID:3620
- C:\Windows\System\ZUYafyg.exe
  C:\Windows\System\ZUYafyg.exe
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Windows\System\QQhKwvo.exe
  C:\Windows\System\QQhKwvo.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System\OLoAyfz.exe
  C:\Windows\System\OLoAyfz.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Windows\System\SgzNAxM.exe
  C:\Windows\System\SgzNAxM.exe
  2⤵
  - Executes dropped EXE
  PID:4196
- C:\Windows\System\MPRvJbs.exe
  C:\Windows\System\MPRvJbs.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\ePsVJlw.exe
  C:\Windows\System\ePsVJlw.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System\taHkyYS.exe
  C:\Windows\System\taHkyYS.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System\yaaAeqI.exe
  C:\Windows\System\yaaAeqI.exe
  2⤵
  - Executes dropped EXE
  PID:3904
- C:\Windows\System\QdxmwXG.exe
  C:\Windows\System\QdxmwXG.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System\ouqXxGX.exe
  C:\Windows\System\ouqXxGX.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System\ArDfXVZ.exe
  C:\Windows\System\ArDfXVZ.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System\ABudSwt.exe
  C:\Windows\System\ABudSwt.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System\wlCxGjm.exe
  C:\Windows\System\wlCxGjm.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\GhGYzpb.exe
  C:\Windows\System\GhGYzpb.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System\EGothvR.exe
  C:\Windows\System\EGothvR.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System\CfOYhfc.exe
  C:\Windows\System\CfOYhfc.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System\MhOBgYI.exe
  C:\Windows\System\MhOBgYI.exe
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\System\gxuiglR.exe
  C:\Windows\System\gxuiglR.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System\BQapWNQ.exe
  C:\Windows\System\BQapWNQ.exe
  2⤵
  - Executes dropped EXE
  PID:3760
- C:\Windows\System\yPxexvY.exe
  C:\Windows\System\yPxexvY.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System\jazrxIR.exe
  C:\Windows\System\jazrxIR.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System\rzfdKrV.exe
  C:\Windows\System\rzfdKrV.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Windows\System\lErtNfl.exe
  C:\Windows\System\lErtNfl.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System\epDuUYG.exe
  C:\Windows\System\epDuUYG.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System\wrGPRGd.exe
  C:\Windows\System\wrGPRGd.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System\rGCUOyn.exe
  C:\Windows\System\rGCUOyn.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System\HyPHuNx.exe
  C:\Windows\System\HyPHuNx.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\CyaUbaR.exe
  C:\Windows\System\CyaUbaR.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\rDorMIA.exe
  C:\Windows\System\rDorMIA.exe
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\System\ouwHVwE.exe
  C:\Windows\System\ouwHVwE.exe
  2⤵
  - Executes dropped EXE
  PID:524
- C:\Windows\System\nOEdtqs.exe
  C:\Windows\System\nOEdtqs.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\System\UPUykVj.exe
  C:\Windows\System\UPUykVj.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\lYiLpwU.exe
  C:\Windows\System\lYiLpwU.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\zMXcOlX.exe
  C:\Windows\System\zMXcOlX.exe
  2⤵
  - Executes dropped EXE
  PID:3556
- C:\Windows\System\XxFROVB.exe
  C:\Windows\System\XxFROVB.exe
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Windows\System\jkINRzj.exe
  C:\Windows\System\jkINRzj.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\PUZAnUe.exe
  C:\Windows\System\PUZAnUe.exe
  2⤵
  - Executes dropped EXE
  PID:4232
- C:\Windows\System\uMEnHEt.exe
  C:\Windows\System\uMEnHEt.exe
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\System\RabirLN.exe
  C:\Windows\System\RabirLN.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System\NXiQEWJ.exe
  C:\Windows\System\NXiQEWJ.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System\nXBkFjR.exe
  C:\Windows\System\nXBkFjR.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\pvPgOKQ.exe
  C:\Windows\System\pvPgOKQ.exe
  2⤵
  - Executes dropped EXE
  PID:4252
- C:\Windows\System\lyGnCPv.exe
  C:\Windows\System\lyGnCPv.exe
  2⤵
  - Executes dropped EXE
  PID:3116
- C:\Windows\System\MHeMMbq.exe
  C:\Windows\System\MHeMMbq.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\bHKkNPm.exe
  C:\Windows\System\bHKkNPm.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System\CwhFVmk.exe
  C:\Windows\System\CwhFVmk.exe
  2⤵
  - Executes dropped EXE
  PID:3452
- C:\Windows\System\nKJpiko.exe
  C:\Windows\System\nKJpiko.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System\uyydfhe.exe
  C:\Windows\System\uyydfhe.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System\RMiLLci.exe
  C:\Windows\System\RMiLLci.exe
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Windows\System\lyjroTJ.exe
  C:\Windows\System\lyjroTJ.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System\wZFhLlV.exe
  C:\Windows\System\wZFhLlV.exe
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\System\vBQMPQI.exe
  C:\Windows\System\vBQMPQI.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System\JSQXGta.exe
  C:\Windows\System\JSQXGta.exe
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\System\viHXUgt.exe
  C:\Windows\System\viHXUgt.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\SeqkaCZ.exe
  C:\Windows\System\SeqkaCZ.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\System\irsEfly.exe
  C:\Windows\System\irsEfly.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System\bSQnfef.exe
  C:\Windows\System\bSQnfef.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System\dhqOUft.exe
  C:\Windows\System\dhqOUft.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System\McOjqlE.exe
  C:\Windows\System\McOjqlE.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System\VgCjYpk.exe
  C:\Windows\System\VgCjYpk.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\System\OsJVDrQ.exe
  C:\Windows\System\OsJVDrQ.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System\WcxGlvJ.exe
  C:\Windows\System\WcxGlvJ.exe
  2⤵
  - Executes dropped EXE
  PID:732
- C:\Windows\System\bmIRAJI.exe
  C:\Windows\System\bmIRAJI.exe
  2⤵
  PID:1708
- C:\Windows\System\dNEsRGY.exe
  C:\Windows\System\dNEsRGY.exe
  2⤵
  PID:4816
- C:\Windows\System\WuWYIXJ.exe
  C:\Windows\System\WuWYIXJ.exe
  2⤵
  PID:4156
- C:\Windows\System\kRfIGdA.exe
  C:\Windows\System\kRfIGdA.exe
  2⤵
  PID:1324
- C:\Windows\System\UNWhjXL.exe
  C:\Windows\System\UNWhjXL.exe
  2⤵
  PID:2784
- C:\Windows\System\xSWzMMj.exe
  C:\Windows\System\xSWzMMj.exe
  2⤵
  PID:116
- C:\Windows\System\PzgNlDQ.exe
  C:\Windows\System\PzgNlDQ.exe
  2⤵
  PID:4052
- C:\Windows\System\akLThRZ.exe
  C:\Windows\System\akLThRZ.exe
  2⤵
  PID:760
- C:\Windows\System\TaBKydj.exe
  C:\Windows\System\TaBKydj.exe
  2⤵
  PID:4576
- C:\Windows\System\bLwZltg.exe
  C:\Windows\System\bLwZltg.exe
  2⤵
  PID:2668
- C:\Windows\System\PxqRTKw.exe
  C:\Windows\System\PxqRTKw.exe
  2⤵
  PID:2824
- C:\Windows\System\fDBlYnS.exe
  C:\Windows\System\fDBlYnS.exe
  2⤵
  PID:4976
- C:\Windows\System\HfHFYFm.exe
  C:\Windows\System\HfHFYFm.exe
  2⤵
  PID:908
- C:\Windows\System\aebDFmZ.exe
  C:\Windows\System\aebDFmZ.exe
  2⤵
  PID:1500
- C:\Windows\System\tDvvNIl.exe
  C:\Windows\System\tDvvNIl.exe
  2⤵
  PID:3328
- C:\Windows\System\WKPWrlk.exe
  C:\Windows\System\WKPWrlk.exe
  2⤵
  PID:712
- C:\Windows\System\RfwFssi.exe
  C:\Windows\System\RfwFssi.exe
  2⤵
  PID:988
- C:\Windows\System\KkhgaZn.exe
  C:\Windows\System\KkhgaZn.exe
  2⤵
  PID:5132
- C:\Windows\System\icBbKUh.exe
  C:\Windows\System\icBbKUh.exe
  2⤵
  PID:5160
- C:\Windows\System\qhTELcl.exe
  C:\Windows\System\qhTELcl.exe
  2⤵
  PID:5184
- C:\Windows\System\xQdjImh.exe
  C:\Windows\System\xQdjImh.exe
  2⤵
  PID:5212
- C:\Windows\System\reqjwue.exe
  C:\Windows\System\reqjwue.exe
  2⤵
  PID:5244
- C:\Windows\System\BHaRVgI.exe
  C:\Windows\System\BHaRVgI.exe
  2⤵
  PID:5272
- C:\Windows\System\FTwtlpp.exe
  C:\Windows\System\FTwtlpp.exe
  2⤵
  PID:5296
- C:\Windows\System\PmkLVUx.exe
  C:\Windows\System\PmkLVUx.exe
  2⤵
  PID:5328
- C:\Windows\System\LnxBLqu.exe
  C:\Windows\System\LnxBLqu.exe
  2⤵
  PID:5352
- C:\Windows\System\aITVxHr.exe
  C:\Windows\System\aITVxHr.exe
  2⤵
  PID:5384
- C:\Windows\System\ldMWVTt.exe
  C:\Windows\System\ldMWVTt.exe
  2⤵
  PID:5412
- C:\Windows\System\QpBaCTH.exe
  C:\Windows\System\QpBaCTH.exe
  2⤵
  PID:5440
- C:\Windows\System\URCySVg.exe
  C:\Windows\System\URCySVg.exe
  2⤵
  PID:5468
- C:\Windows\System\bxbsRsB.exe
  C:\Windows\System\bxbsRsB.exe
  2⤵
  PID:5496
- C:\Windows\System\lmKVPJL.exe
  C:\Windows\System\lmKVPJL.exe
  2⤵
  PID:5560
- C:\Windows\System\AqYyNIp.exe
  C:\Windows\System\AqYyNIp.exe
  2⤵
  PID:5584
- C:\Windows\System\EdyqrzX.exe
  C:\Windows\System\EdyqrzX.exe
  2⤵
  PID:5628
- C:\Windows\System\pqjyTPv.exe
  C:\Windows\System\pqjyTPv.exe
  2⤵
  PID:5664
- C:\Windows\System\jdzdobN.exe
  C:\Windows\System\jdzdobN.exe
  2⤵
  PID:5684
- C:\Windows\System\DiXFJAG.exe
  C:\Windows\System\DiXFJAG.exe
  2⤵
  PID:5704
- C:\Windows\System\VdIrxfZ.exe
  C:\Windows\System\VdIrxfZ.exe
  2⤵
  PID:5736
- C:\Windows\System\nhnsdKO.exe
  C:\Windows\System\nhnsdKO.exe
  2⤵
  PID:5928
- C:\Windows\System\RBReoOF.exe
  C:\Windows\System\RBReoOF.exe
  2⤵
  PID:5944
- C:\Windows\System\YDFqEOu.exe
  C:\Windows\System\YDFqEOu.exe
  2⤵
  PID:5972
- C:\Windows\System\cKosJVv.exe
  C:\Windows\System\cKosJVv.exe
  2⤵
  PID:6004
- C:\Windows\System\HRHGrBc.exe
  C:\Windows\System\HRHGrBc.exe
  2⤵
  PID:6032
- C:\Windows\System\ouOAztc.exe
  C:\Windows\System\ouOAztc.exe
  2⤵
  PID:6060
- C:\Windows\System\cmEqgxq.exe
  C:\Windows\System\cmEqgxq.exe
  2⤵
  PID:6088
- C:\Windows\System\PqnMFwC.exe
  C:\Windows\System\PqnMFwC.exe
  2⤵
  PID:6104
- C:\Windows\System\jBIRolo.exe
  C:\Windows\System\jBIRolo.exe
  2⤵
  PID:6120
- C:\Windows\System\MYOyQiK.exe
  C:\Windows\System\MYOyQiK.exe
  2⤵
  PID:2744
- C:\Windows\System\HmONVVv.exe
  C:\Windows\System\HmONVVv.exe
  2⤵
  PID:4620
- C:\Windows\System\qPDeuEo.exe
  C:\Windows\System\qPDeuEo.exe
  2⤵
  PID:1472
- C:\Windows\System\bTOFmnm.exe
  C:\Windows\System\bTOFmnm.exe
  2⤵
  PID:4408
- C:\Windows\System\BleymGE.exe
  C:\Windows\System\BleymGE.exe
  2⤵
  PID:5172
- C:\Windows\System\evvJdRg.exe
  C:\Windows\System\evvJdRg.exe
  2⤵
  PID:5232
- C:\Windows\System\voaxunb.exe
  C:\Windows\System\voaxunb.exe
  2⤵
  PID:5368
- C:\Windows\System\sBNHwDZ.exe
  C:\Windows\System\sBNHwDZ.exe
  2⤵
  PID:5432
- C:\Windows\System\RjjbMTs.exe
  C:\Windows\System\RjjbMTs.exe
  2⤵
  PID:3880
- C:\Windows\System\Flaosml.exe
  C:\Windows\System\Flaosml.exe
  2⤵
  PID:5592
- C:\Windows\System\onqiJWz.exe
  C:\Windows\System\onqiJWz.exe
  2⤵
  PID:5672
- C:\Windows\System\gFFNWXS.exe
  C:\Windows\System\gFFNWXS.exe
  2⤵
  PID:5700
- C:\Windows\System\TNsKxqc.exe
  C:\Windows\System\TNsKxqc.exe
  2⤵
  PID:5816
- C:\Windows\System\pDiXTRq.exe
  C:\Windows\System\pDiXTRq.exe
  2⤵
  PID:4448
- C:\Windows\System\TlqLBlU.exe
  C:\Windows\System\TlqLBlU.exe
  2⤵
  PID:1356
- C:\Windows\System\cmFBNYc.exe
  C:\Windows\System\cmFBNYc.exe
  2⤵
  PID:2340
- C:\Windows\System\pyzsurt.exe
  C:\Windows\System\pyzsurt.exe
  2⤵
  PID:3284
- C:\Windows\System\DldmLoP.exe
  C:\Windows\System\DldmLoP.exe
  2⤵
  PID:4612
- C:\Windows\System\BPlIFlz.exe
  C:\Windows\System\BPlIFlz.exe
  2⤵
  PID:5940
- C:\Windows\System\TcJsbro.exe
  C:\Windows\System\TcJsbro.exe
  2⤵
  PID:5984
- C:\Windows\System\fpTxgQM.exe
  C:\Windows\System\fpTxgQM.exe
  2⤵
  PID:1960
- C:\Windows\System\OccsdhR.exe
  C:\Windows\System\OccsdhR.exe
  2⤵
  PID:1724
- C:\Windows\System\iEoVYdT.exe
  C:\Windows\System\iEoVYdT.exe
  2⤵
  PID:6052
- C:\Windows\System\MaqslnQ.exe
  C:\Windows\System\MaqslnQ.exe
  2⤵
  PID:4760
- C:\Windows\System\xSPDvZB.exe
  C:\Windows\System\xSPDvZB.exe
  2⤵
  PID:6112
- C:\Windows\System\YNqRyLQ.exe
  C:\Windows\System\YNqRyLQ.exe
  2⤵
  PID:3664
- C:\Windows\System\bVTIVLD.exe
  C:\Windows\System\bVTIVLD.exe
  2⤵
  PID:5208
- C:\Windows\System\VvVLYwd.exe
  C:\Windows\System\VvVLYwd.exe
  2⤵
  PID:5292
- C:\Windows\System\eHXPUxi.exe
  C:\Windows\System\eHXPUxi.exe
  2⤵
  PID:5424
- C:\Windows\System\KrHYTxY.exe
  C:\Windows\System\KrHYTxY.exe
  2⤵
  PID:5580
- C:\Windows\System\qukpcdK.exe
  C:\Windows\System\qukpcdK.exe
  2⤵
  PID:708
- C:\Windows\System\sgrojuF.exe
  C:\Windows\System\sgrojuF.exe
  2⤵
  PID:3064
- C:\Windows\System\EpUSgAH.exe
  C:\Windows\System\EpUSgAH.exe
  2⤵
  PID:408
- C:\Windows\System\IrrpSuT.exe
  C:\Windows\System\IrrpSuT.exe
  2⤵
  PID:1956
- C:\Windows\System\pmIiWad.exe
  C:\Windows\System\pmIiWad.exe
  2⤵
  PID:2444
- C:\Windows\System\HgwCvYg.exe
  C:\Windows\System\HgwCvYg.exe
  2⤵
  PID:6000
- C:\Windows\System\hoQbiZl.exe
  C:\Windows\System\hoQbiZl.exe
  2⤵
  PID:6100
- C:\Windows\System\lesCtFV.exe
  C:\Windows\System\lesCtFV.exe
  2⤵
  PID:5256
- C:\Windows\System\OENobSk.exe
  C:\Windows\System\OENobSk.exe
  2⤵
  PID:5728
- C:\Windows\System\BQGQphc.exe
  C:\Windows\System\BQGQphc.exe
  2⤵
  PID:3384
- C:\Windows\System\DsWOGWw.exe
  C:\Windows\System\DsWOGWw.exe
  2⤵
  PID:5908
- C:\Windows\System\bzXdAOl.exe
  C:\Windows\System\bzXdAOl.exe
  2⤵
  PID:6084
- C:\Windows\System\TdnPsTt.exe
  C:\Windows\System\TdnPsTt.exe
  2⤵
  PID:5840
- C:\Windows\System\hiYOeYH.exe
  C:\Windows\System\hiYOeYH.exe
  2⤵
  PID:5576
- C:\Windows\System\EHNsgtc.exe
  C:\Windows\System\EHNsgtc.exe
  2⤵
  PID:5996
- C:\Windows\System\WNDzFhB.exe
  C:\Windows\System\WNDzFhB.exe
  2⤵
  PID:6172
- C:\Windows\System\jEhtZIQ.exe
  C:\Windows\System\jEhtZIQ.exe
  2⤵
  PID:6200
- C:\Windows\System\QHIwayn.exe
  C:\Windows\System\QHIwayn.exe
  2⤵
  PID:6228
- C:\Windows\System\KXUKbdM.exe
  C:\Windows\System\KXUKbdM.exe
  2⤵
  PID:6256
- C:\Windows\System\AQLrQaC.exe
  C:\Windows\System\AQLrQaC.exe
  2⤵
  PID:6292
- C:\Windows\System\AsaPMkB.exe
  C:\Windows\System\AsaPMkB.exe
  2⤵
  PID:6312
- C:\Windows\System\ypgvuca.exe
  C:\Windows\System\ypgvuca.exe
  2⤵
  PID:6340
- C:\Windows\System\gFtnBHo.exe
  C:\Windows\System\gFtnBHo.exe
  2⤵
  PID:6380
- C:\Windows\System\DrZbGGh.exe
  C:\Windows\System\DrZbGGh.exe
  2⤵
  PID:6416
- C:\Windows\System\QyLlIsH.exe
  C:\Windows\System\QyLlIsH.exe
  2⤵
  PID:6444
- C:\Windows\System\EFFsGyz.exe
  C:\Windows\System\EFFsGyz.exe
  2⤵
  PID:6484
- C:\Windows\System\krYDySs.exe
  C:\Windows\System\krYDySs.exe
  2⤵
  PID:6524
- C:\Windows\System\KcBGSrg.exe
  C:\Windows\System\KcBGSrg.exe
  2⤵
  PID:6556
- C:\Windows\System\aTfyEPX.exe
  C:\Windows\System\aTfyEPX.exe
  2⤵
  PID:6588
- C:\Windows\System\IRSnWDG.exe
  C:\Windows\System\IRSnWDG.exe
  2⤵
  PID:6624
- C:\Windows\System\JjnsAWc.exe
  C:\Windows\System\JjnsAWc.exe
  2⤵
  PID:6656
- C:\Windows\System\OTDrEOg.exe
  C:\Windows\System\OTDrEOg.exe
  2⤵
  PID:6684
- C:\Windows\System\LIOZtVD.exe
  C:\Windows\System\LIOZtVD.exe
  2⤵
  PID:6728
- C:\Windows\System\wZNLOgy.exe
  C:\Windows\System\wZNLOgy.exe
  2⤵
  PID:6752
- C:\Windows\System\QqXxANG.exe
  C:\Windows\System\QqXxANG.exe
  2⤵
  PID:6788
- C:\Windows\System\FyelHDr.exe
  C:\Windows\System\FyelHDr.exe
  2⤵
  PID:6844
- C:\Windows\System\cuYdqDt.exe
  C:\Windows\System\cuYdqDt.exe
  2⤵
  PID:6864
- C:\Windows\System\UIsqIUJ.exe
  C:\Windows\System\UIsqIUJ.exe
  2⤵
  PID:6888
- C:\Windows\System\HsEsFvm.exe
  C:\Windows\System\HsEsFvm.exe
  2⤵
  PID:6920
- C:\Windows\System\PPHkkoF.exe
  C:\Windows\System\PPHkkoF.exe
  2⤵
  PID:6952
- C:\Windows\System\NxrOQss.exe
  C:\Windows\System\NxrOQss.exe
  2⤵
  PID:6984
- C:\Windows\System\tjBfNTh.exe
  C:\Windows\System\tjBfNTh.exe
  2⤵
  PID:7016
- C:\Windows\System\HwHKeuV.exe
  C:\Windows\System\HwHKeuV.exe
  2⤵
  PID:7044
- C:\Windows\System\KQZUBvm.exe
  C:\Windows\System\KQZUBvm.exe
  2⤵
  PID:7080
- C:\Windows\System\SAsbZfH.exe
  C:\Windows\System\SAsbZfH.exe
  2⤵
  PID:7108
- C:\Windows\System\MpesqTT.exe
  C:\Windows\System\MpesqTT.exe
  2⤵
  PID:7136
- C:\Windows\System\fhnCenf.exe
  C:\Windows\System\fhnCenf.exe
  2⤵
  PID:7164
- C:\Windows\System\PcTWiIn.exe
  C:\Windows\System\PcTWiIn.exe
  2⤵
  PID:6196
- C:\Windows\System\TBsHuDY.exe
  C:\Windows\System\TBsHuDY.exe
  2⤵
  PID:6268
- C:\Windows\System\AswtZGE.exe
  C:\Windows\System\AswtZGE.exe
  2⤵
  PID:6324
- C:\Windows\System\kaxodPL.exe
  C:\Windows\System\kaxodPL.exe
  2⤵
  PID:6400
- C:\Windows\System\evFfuff.exe
  C:\Windows\System\evFfuff.exe
  2⤵
  PID:6504
- C:\Windows\System\FrTvCIY.exe
  C:\Windows\System\FrTvCIY.exe
  2⤵
  PID:5776
- C:\Windows\System\TYgWgWB.exe
  C:\Windows\System\TYgWgWB.exe
  2⤵
  PID:6632
- C:\Windows\System\XRfGxox.exe
  C:\Windows\System\XRfGxox.exe
  2⤵
  PID:6652
- C:\Windows\System\wcqpAvK.exe
  C:\Windows\System\wcqpAvK.exe
  2⤵
  PID:6364
- C:\Windows\System\IcELzKA.exe
  C:\Windows\System\IcELzKA.exe
  2⤵
  PID:6608
- C:\Windows\System\izzapph.exe
  C:\Windows\System\izzapph.exe
  2⤵
  PID:6780
- C:\Windows\System\wlDhyvr.exe
  C:\Windows\System\wlDhyvr.exe
  2⤵
  PID:6856
- C:\Windows\System\mApvhee.exe
  C:\Windows\System\mApvhee.exe
  2⤵
  PID:6944
- C:\Windows\System\zBCZvMF.exe
  C:\Windows\System\zBCZvMF.exe
  2⤵
  PID:7004
- C:\Windows\System\LhLbqVM.exe
  C:\Windows\System\LhLbqVM.exe
  2⤵
  PID:7060
- C:\Windows\System\oiHtOAa.exe
  C:\Windows\System\oiHtOAa.exe
  2⤵
  PID:7132
- C:\Windows\System\QtQWcwq.exe
  C:\Windows\System\QtQWcwq.exe
  2⤵
  PID:6224
- C:\Windows\System\TGPTqNP.exe
  C:\Windows\System\TGPTqNP.exe
  2⤵
  PID:5696
- C:\Windows\System\owxmEhy.exe
  C:\Windows\System\owxmEhy.exe
  2⤵
  PID:6548
- C:\Windows\System\nlNprvJ.exe
  C:\Windows\System\nlNprvJ.exe
  2⤵
  PID:6616
- C:\Windows\System\VGsZwAO.exe
  C:\Windows\System\VGsZwAO.exe
  2⤵
  PID:4660
- C:\Windows\System\ElIeHjF.exe
  C:\Windows\System\ElIeHjF.exe
  2⤵
  PID:6360
- C:\Windows\System\NYDIFau.exe
  C:\Windows\System\NYDIFau.exe
  2⤵
  PID:6852
- C:\Windows\System\xynZMSz.exe
  C:\Windows\System\xynZMSz.exe
  2⤵
  PID:6192
- C:\Windows\System\ZcIffIY.exe
  C:\Windows\System\ZcIffIY.exe
  2⤵
  PID:6612
- C:\Windows\System\XlTRBuv.exe
  C:\Windows\System\XlTRBuv.exe
  2⤵
  PID:6744
- C:\Windows\System\DvqGcjw.exe
  C:\Windows\System\DvqGcjw.exe
  2⤵
  PID:6964
- C:\Windows\System\NXdeAzx.exe
  C:\Windows\System\NXdeAzx.exe
  2⤵
  PID:5620
- C:\Windows\System\JjBUfFK.exe
  C:\Windows\System\JjBUfFK.exe
  2⤵
  PID:7176
- C:\Windows\System\jtVOfHC.exe
  C:\Windows\System\jtVOfHC.exe
  2⤵
  PID:7204
- C:\Windows\System\iFiAVou.exe
  C:\Windows\System\iFiAVou.exe
  2⤵
  PID:7232
- C:\Windows\System\xHYKngM.exe
  C:\Windows\System\xHYKngM.exe
  2⤵
  PID:7260
- C:\Windows\System\rmGDQaJ.exe
  C:\Windows\System\rmGDQaJ.exe
  2⤵
  PID:7284
- C:\Windows\System\AxjDvgV.exe
  C:\Windows\System\AxjDvgV.exe
  2⤵
  PID:7316
- C:\Windows\System\OIElroa.exe
  C:\Windows\System\OIElroa.exe
  2⤵
  PID:7344
- C:\Windows\System\qZflENf.exe
  C:\Windows\System\qZflENf.exe
  2⤵
  PID:7368
- C:\Windows\System\xqcVvzN.exe
  C:\Windows\System\xqcVvzN.exe
  2⤵
  PID:7400
- C:\Windows\System\IdCLjom.exe
  C:\Windows\System\IdCLjom.exe
  2⤵
  PID:7440
- C:\Windows\System\exGOAJi.exe
  C:\Windows\System\exGOAJi.exe
  2⤵
  PID:7464
- C:\Windows\System\HEFwCIw.exe
  C:\Windows\System\HEFwCIw.exe
  2⤵
  PID:7492
- C:\Windows\System\aWknYcb.exe
  C:\Windows\System\aWknYcb.exe
  2⤵
  PID:7520
- C:\Windows\System\CCtjXbu.exe
  C:\Windows\System\CCtjXbu.exe
  2⤵
  PID:7556
- C:\Windows\System\XVhdkSo.exe
  C:\Windows\System\XVhdkSo.exe
  2⤵
  PID:7580
- C:\Windows\System\rzyyiOu.exe
  C:\Windows\System\rzyyiOu.exe
  2⤵
  PID:7608
- C:\Windows\System\QQnzPga.exe
  C:\Windows\System\QQnzPga.exe
  2⤵
  PID:7636
- C:\Windows\System\klfSBoO.exe
  C:\Windows\System\klfSBoO.exe
  2⤵
  PID:7664
- C:\Windows\System\brNacXe.exe
  C:\Windows\System\brNacXe.exe
  2⤵
  PID:7708
- C:\Windows\System\nszERbt.exe
  C:\Windows\System\nszERbt.exe
  2⤵
  PID:7748
- C:\Windows\System\wOWOlPl.exe
  C:\Windows\System\wOWOlPl.exe
  2⤵
  PID:7788
- C:\Windows\System\phZNqMh.exe
  C:\Windows\System\phZNqMh.exe
  2⤵
  PID:7820
- C:\Windows\System\XRpUfcp.exe
  C:\Windows\System\XRpUfcp.exe
  2⤵
  PID:7848
- C:\Windows\System\tcGKiHK.exe
  C:\Windows\System\tcGKiHK.exe
  2⤵
  PID:7876
- C:\Windows\System\QwdhNan.exe
  C:\Windows\System\QwdhNan.exe
  2⤵
  PID:7904
- C:\Windows\System\HKLKUNF.exe
  C:\Windows\System\HKLKUNF.exe
  2⤵
  PID:7932
- C:\Windows\System\NVWASQv.exe
  C:\Windows\System\NVWASQv.exe
  2⤵
  PID:7964
- C:\Windows\System\WmQDXdy.exe
  C:\Windows\System\WmQDXdy.exe
  2⤵
  PID:7988
- C:\Windows\System\RcPVBad.exe
  C:\Windows\System\RcPVBad.exe
  2⤵
  PID:8016
- C:\Windows\System\leaXWJN.exe
  C:\Windows\System\leaXWJN.exe
  2⤵
  PID:8048
- C:\Windows\System\HUogSHJ.exe
  C:\Windows\System\HUogSHJ.exe
  2⤵
  PID:8076
- C:\Windows\System\tjUnNkS.exe
  C:\Windows\System\tjUnNkS.exe
  2⤵
  PID:8104
- C:\Windows\System\AKaxyQv.exe
  C:\Windows\System\AKaxyQv.exe
  2⤵
  PID:8140
- C:\Windows\System\cOPtCzW.exe
  C:\Windows\System\cOPtCzW.exe
  2⤵
  PID:8168
- C:\Windows\System\QTFaMjf.exe
  C:\Windows\System\QTFaMjf.exe
  2⤵
  PID:6536
- C:\Windows\System\lDWKrNn.exe
  C:\Windows\System\lDWKrNn.exe
  2⤵
  PID:7224
- C:\Windows\System\jlwzTGH.exe
  C:\Windows\System\jlwzTGH.exe
  2⤵
  PID:7292
- C:\Windows\System\ZgxAiCN.exe
  C:\Windows\System\ZgxAiCN.exe
  2⤵
  PID:7352
- C:\Windows\System\BwxaClx.exe
  C:\Windows\System\BwxaClx.exe
  2⤵
  PID:7428
- C:\Windows\System\ymNFVyE.exe
  C:\Windows\System\ymNFVyE.exe
  2⤵
  PID:7484
- C:\Windows\System\FVbwRYk.exe
  C:\Windows\System\FVbwRYk.exe
  2⤵
  PID:7548
- C:\Windows\System\UQRkpad.exe
  C:\Windows\System\UQRkpad.exe
  2⤵
  PID:5808
- C:\Windows\System\PFcmmMF.exe
  C:\Windows\System\PFcmmMF.exe
  2⤵
  PID:7680
- C:\Windows\System\MLhIOFb.exe
  C:\Windows\System\MLhIOFb.exe
  2⤵
  PID:7740
- C:\Windows\System\JxpgJkF.exe
  C:\Windows\System\JxpgJkF.exe
  2⤵
  PID:7816
- C:\Windows\System\AHzpOVh.exe
  C:\Windows\System\AHzpOVh.exe
  2⤵
  PID:7872
- C:\Windows\System\uNSIUEP.exe
  C:\Windows\System\uNSIUEP.exe
  2⤵
  PID:7928
- C:\Windows\System\WZwxyAg.exe
  C:\Windows\System\WZwxyAg.exe
  2⤵
  PID:8000
- C:\Windows\System\ZNHCkSQ.exe
  C:\Windows\System\ZNHCkSQ.exe
  2⤵
  PID:8068
- C:\Windows\System\XJCxDNB.exe
  C:\Windows\System\XJCxDNB.exe
  2⤵
  PID:8128
- C:\Windows\System\tNTNaxi.exe
  C:\Windows\System\tNTNaxi.exe
  2⤵
  PID:6300
- C:\Windows\System\jguMtcz.exe
  C:\Windows\System\jguMtcz.exe
  2⤵
  PID:7324
- C:\Windows\System\iolLqae.exe
  C:\Windows\System\iolLqae.exe
  2⤵
  PID:7460
- C:\Windows\System\qshygGR.exe
  C:\Windows\System\qshygGR.exe
  2⤵
  PID:7632
- C:\Windows\System\dbCPuGP.exe
  C:\Windows\System\dbCPuGP.exe
  2⤵
  PID:7780
- C:\Windows\System\BiYtwUt.exe
  C:\Windows\System\BiYtwUt.exe
  2⤵
  PID:7916
- C:\Windows\System\fQsydYk.exe
  C:\Windows\System\fQsydYk.exe
  2⤵
  PID:8044
- C:\Windows\System\KuYcBKM.exe
  C:\Windows\System\KuYcBKM.exe
  2⤵
  PID:8164
- C:\Windows\System\lfHjwoX.exe
  C:\Windows\System\lfHjwoX.exe
  2⤵
  PID:7600
- C:\Windows\System\HLgAJAx.exe
  C:\Windows\System\HLgAJAx.exe
  2⤵
  PID:5784
- C:\Windows\System\MfgvmWl.exe
  C:\Windows\System\MfgvmWl.exe
  2⤵
  PID:7392
- C:\Windows\System\VtIarJK.exe
  C:\Windows\System\VtIarJK.exe
  2⤵
  PID:8180
- C:\Windows\System\eSUMHjQ.exe
  C:\Windows\System\eSUMHjQ.exe
  2⤵
  PID:8200
- C:\Windows\System\SukAwWE.exe
  C:\Windows\System\SukAwWE.exe
  2⤵
  PID:8228
- C:\Windows\System\EbKnqtU.exe
  C:\Windows\System\EbKnqtU.exe
  2⤵
  PID:8256
- C:\Windows\System\itQYXSO.exe
  C:\Windows\System\itQYXSO.exe
  2⤵
  PID:8284
- C:\Windows\System\UwRhhHb.exe
  C:\Windows\System\UwRhhHb.exe
  2⤵
  PID:8312
- C:\Windows\System\jnVtBVc.exe
  C:\Windows\System\jnVtBVc.exe
  2⤵
  PID:8356
- C:\Windows\System\UVdJqKQ.exe
  C:\Windows\System\UVdJqKQ.exe
  2⤵
  PID:8396
- C:\Windows\System\ORHpZNy.exe
  C:\Windows\System\ORHpZNy.exe
  2⤵
  PID:8420
- C:\Windows\System\KkDqTUS.exe
  C:\Windows\System\KkDqTUS.exe
  2⤵
  PID:8456
- C:\Windows\System\aFHiHvl.exe
  C:\Windows\System\aFHiHvl.exe
  2⤵
  PID:8516
- C:\Windows\System\nHfOxoQ.exe
  C:\Windows\System\nHfOxoQ.exe
  2⤵
  PID:8552
- C:\Windows\System\fKetHIV.exe
  C:\Windows\System\fKetHIV.exe
  2⤵
  PID:8600
- C:\Windows\System\qjEfDka.exe
  C:\Windows\System\qjEfDka.exe
  2⤵
  PID:8624
- C:\Windows\System\vmBCDmw.exe
  C:\Windows\System\vmBCDmw.exe
  2⤵
  PID:8660
- C:\Windows\System\hVTpcMU.exe
  C:\Windows\System\hVTpcMU.exe
  2⤵
  PID:8704
- C:\Windows\System\ANuVqyB.exe
  C:\Windows\System\ANuVqyB.exe
  2⤵
  PID:8744
- C:\Windows\System\YnXlpEO.exe
  C:\Windows\System\YnXlpEO.exe
  2⤵
  PID:8796
- C:\Windows\System\ZMyTLti.exe
  C:\Windows\System\ZMyTLti.exe
  2⤵
  PID:8844
- C:\Windows\System\ZXpArnx.exe
  C:\Windows\System\ZXpArnx.exe
  2⤵
  PID:8876
- C:\Windows\System\BwglIDs.exe
  C:\Windows\System\BwglIDs.exe
  2⤵
  PID:8908
- C:\Windows\System\HNtoyrR.exe
  C:\Windows\System\HNtoyrR.exe
  2⤵
  PID:8924
- C:\Windows\System\zEBJhWa.exe
  C:\Windows\System\zEBJhWa.exe
  2⤵
  PID:8960
- C:\Windows\System\OJiXoDk.exe
  C:\Windows\System\OJiXoDk.exe
  2⤵
  PID:8992
- C:\Windows\System\RJuOanP.exe
  C:\Windows\System\RJuOanP.exe
  2⤵
  PID:9020
- C:\Windows\System\nIHuAkZ.exe
  C:\Windows\System\nIHuAkZ.exe
  2⤵
  PID:9052
- C:\Windows\System\BAMNJAg.exe
  C:\Windows\System\BAMNJAg.exe
  2⤵
  PID:9080
- C:\Windows\System\tmOqiHM.exe
  C:\Windows\System\tmOqiHM.exe
  2⤵
  PID:9112
- C:\Windows\System\BiNFjuD.exe
  C:\Windows\System\BiNFjuD.exe
  2⤵
  PID:9156
- C:\Windows\System\CoclvHf.exe
  C:\Windows\System\CoclvHf.exe
  2⤵
  PID:9184
- C:\Windows\System\znfZwoK.exe
  C:\Windows\System\znfZwoK.exe
  2⤵
  PID:9212
- C:\Windows\System\tKHHLPn.exe
  C:\Windows\System\tKHHLPn.exe
  2⤵
  PID:8296
- C:\Windows\System\eWINokW.exe
  C:\Windows\System\eWINokW.exe
  2⤵
  PID:8388
- C:\Windows\System\ftBQnlG.exe
  C:\Windows\System\ftBQnlG.exe
  2⤵
  PID:8452
- C:\Windows\System\iLxmCVp.exe
  C:\Windows\System\iLxmCVp.exe
  2⤵
  PID:8548
- C:\Windows\System\IDqJHnR.exe
  C:\Windows\System\IDqJHnR.exe
  2⤵
  PID:8620
- C:\Windows\System\GGGuVdr.exe
  C:\Windows\System\GGGuVdr.exe
  2⤵
  PID:8728
- C:\Windows\System\rholLtq.exe
  C:\Windows\System\rholLtq.exe
  2⤵
  PID:8836
- C:\Windows\System\scLHfcz.exe
  C:\Windows\System\scLHfcz.exe
  2⤵
  PID:8916
- C:\Windows\System\sQGZZwd.exe
  C:\Windows\System\sQGZZwd.exe
  2⤵
  PID:8984
- C:\Windows\System\YupAOKP.exe
  C:\Windows\System\YupAOKP.exe
  2⤵
  PID:9040
- C:\Windows\System\YoxHiJP.exe
  C:\Windows\System\YoxHiJP.exe
  2⤵
  PID:9108
- C:\Windows\System\gUxVnwH.exe
  C:\Windows\System\gUxVnwH.exe
  2⤵
  PID:9208
- C:\Windows\System\rFEKLex.exe
  C:\Windows\System\rFEKLex.exe
  2⤵
  PID:8352
- C:\Windows\System\HvMXODg.exe
  C:\Windows\System\HvMXODg.exe
  2⤵
  PID:8540
- C:\Windows\System\uzBQiZI.exe
  C:\Windows\System\uzBQiZI.exe
  2⤵
  PID:8900
- C:\Windows\System\MhBWmgK.exe
  C:\Windows\System\MhBWmgK.exe
  2⤵
  PID:9032
- C:\Windows\System\yLFBwMb.exe
  C:\Windows\System\yLFBwMb.exe
  2⤵
  PID:8276
- C:\Windows\System\eOVnQlj.exe
  C:\Windows\System\eOVnQlj.exe
  2⤵
  PID:8812
- C:\Windows\System\TZknzcB.exe
  C:\Windows\System\TZknzcB.exe
  2⤵
  PID:9012
- C:\Windows\System\wqasVFI.exe
  C:\Windows\System\wqasVFI.exe
  2⤵
  PID:3784
- C:\Windows\System\XqoUebH.exe
  C:\Windows\System\XqoUebH.exe
  2⤵
  PID:8616
- C:\Windows\System\unPCQMQ.exe
  C:\Windows\System\unPCQMQ.exe
  2⤵
  PID:9240
- C:\Windows\System\uuDKkFu.exe
  C:\Windows\System\uuDKkFu.exe
  2⤵
  PID:9268
- C:\Windows\System\MOUuTtB.exe
  C:\Windows\System\MOUuTtB.exe
  2⤵
  PID:9296
- C:\Windows\System\rMbJREJ.exe
  C:\Windows\System\rMbJREJ.exe
  2⤵
  PID:9324
- C:\Windows\System\OSZwGwA.exe
  C:\Windows\System\OSZwGwA.exe
  2⤵
  PID:9352
- C:\Windows\System\dmqVfrd.exe
  C:\Windows\System\dmqVfrd.exe
  2⤵
  PID:9380
- C:\Windows\System\PEfHytR.exe
  C:\Windows\System\PEfHytR.exe
  2⤵
  PID:9416
- C:\Windows\System\Tmzezpk.exe
  C:\Windows\System\Tmzezpk.exe
  2⤵
  PID:9436
- C:\Windows\System\UzxtulO.exe
  C:\Windows\System\UzxtulO.exe
  2⤵
  PID:9464
- C:\Windows\System\yKMxhlX.exe
  C:\Windows\System\yKMxhlX.exe
  2⤵
  PID:9492
- C:\Windows\System\rsxPPAr.exe
  C:\Windows\System\rsxPPAr.exe
  2⤵
  PID:9520
- C:\Windows\System\mopJPbx.exe
  C:\Windows\System\mopJPbx.exe
  2⤵
  PID:9548
- C:\Windows\System\CMTjoES.exe
  C:\Windows\System\CMTjoES.exe
  2⤵
  PID:9576
- C:\Windows\System\bYQTubu.exe
  C:\Windows\System\bYQTubu.exe
  2⤵
  PID:9596
- C:\Windows\System\bfEAeAW.exe
  C:\Windows\System\bfEAeAW.exe
  2⤵
  PID:9632
- C:\Windows\System\wtJZgWS.exe
  C:\Windows\System\wtJZgWS.exe
  2⤵
  PID:9660
- C:\Windows\System\irUMUwN.exe
  C:\Windows\System\irUMUwN.exe
  2⤵
  PID:9688
- C:\Windows\System\JmUMktz.exe
  C:\Windows\System\JmUMktz.exe
  2⤵
  PID:9716
- C:\Windows\System\vqebDCB.exe
  C:\Windows\System\vqebDCB.exe
  2⤵
  PID:9752
- C:\Windows\System\cYuYZJp.exe
  C:\Windows\System\cYuYZJp.exe
  2⤵
  PID:9772
- C:\Windows\System\WhOsDks.exe
  C:\Windows\System\WhOsDks.exe
  2⤵
  PID:9800
- C:\Windows\System\cvQuDRy.exe
  C:\Windows\System\cvQuDRy.exe
  2⤵
  PID:9828
- C:\Windows\System\aVLpAlG.exe
  C:\Windows\System\aVLpAlG.exe
  2⤵
  PID:9856
- C:\Windows\System\HfeTnin.exe
  C:\Windows\System\HfeTnin.exe
  2⤵
  PID:9884
- C:\Windows\System\CFfpEiD.exe
  C:\Windows\System\CFfpEiD.exe
  2⤵
  PID:9912
- C:\Windows\System\BxPebDM.exe
  C:\Windows\System\BxPebDM.exe
  2⤵
  PID:9940
- C:\Windows\System\mzTobAQ.exe
  C:\Windows\System\mzTobAQ.exe
  2⤵
  PID:9976
- C:\Windows\System\PufZisw.exe
  C:\Windows\System\PufZisw.exe
  2⤵
  PID:10004
- C:\Windows\System\tTxPkmR.exe
  C:\Windows\System\tTxPkmR.exe
  2⤵
  PID:10032
- C:\Windows\System\yNVqZWU.exe
  C:\Windows\System\yNVqZWU.exe
  2⤵
  PID:10060
- C:\Windows\System\zWCvSwB.exe
  C:\Windows\System\zWCvSwB.exe
  2⤵
  PID:10088
- C:\Windows\System\HtBEYio.exe
  C:\Windows\System\HtBEYio.exe
  2⤵
  PID:10116
- C:\Windows\System\CkZZkrI.exe
  C:\Windows\System\CkZZkrI.exe
  2⤵
  PID:10144
- C:\Windows\System\moJTTif.exe
  C:\Windows\System\moJTTif.exe
  2⤵
  PID:10176
- C:\Windows\System\FmetBSg.exe
  C:\Windows\System\FmetBSg.exe
  2⤵
  PID:10204
- C:\Windows\System\vSmjhVu.exe
  C:\Windows\System\vSmjhVu.exe
  2⤵
  PID:10232
- C:\Windows\System\yApmlki.exe
  C:\Windows\System\yApmlki.exe
  2⤵
  PID:9264
- C:\Windows\System\eZQUBHJ.exe
  C:\Windows\System\eZQUBHJ.exe
  2⤵
  PID:9340
- C:\Windows\System\EwEjqQs.exe
  C:\Windows\System\EwEjqQs.exe
  2⤵
  PID:9400
- C:\Windows\System\vPGKbQG.exe
  C:\Windows\System\vPGKbQG.exe
  2⤵
  PID:9460
- C:\Windows\System\nNRvdPA.exe
  C:\Windows\System\nNRvdPA.exe
  2⤵
  PID:9532
- C:\Windows\System\ekIcdau.exe
  C:\Windows\System\ekIcdau.exe
  2⤵
  PID:9572
- C:\Windows\System\yjBUxMH.exe
  C:\Windows\System\yjBUxMH.exe
  2⤵
  PID:9656
- C:\Windows\System\qBAIPIl.exe
  C:\Windows\System\qBAIPIl.exe
  2⤵
  PID:9728
- C:\Windows\System\RFJytgV.exe
  C:\Windows\System\RFJytgV.exe
  2⤵
  PID:9792
- C:\Windows\System\dwZdcEU.exe
  C:\Windows\System\dwZdcEU.exe
  2⤵
  PID:9868
- C:\Windows\System\bgfHldW.exe
  C:\Windows\System\bgfHldW.exe
  2⤵
  PID:9932
- C:\Windows\System\FHoaTzI.exe
  C:\Windows\System\FHoaTzI.exe
  2⤵
  PID:10000
- C:\Windows\System\vGKBhvn.exe
  C:\Windows\System\vGKBhvn.exe
  2⤵
  PID:10056
- C:\Windows\System\mtfbwTf.exe
  C:\Windows\System\mtfbwTf.exe
  2⤵
  PID:10136
- C:\Windows\System\NpmvLch.exe
  C:\Windows\System\NpmvLch.exe
  2⤵
  PID:10196
- C:\Windows\System\UENChYJ.exe
  C:\Windows\System\UENChYJ.exe
  2⤵
  PID:9260
- C:\Windows\System\EjzZZbt.exe
  C:\Windows\System\EjzZZbt.exe
  2⤵
  PID:9428
- C:\Windows\System\BmoEOCq.exe
  C:\Windows\System\BmoEOCq.exe
  2⤵
  PID:9568
- C:\Windows\System\NLJXilK.exe
  C:\Windows\System\NLJXilK.exe
  2⤵
  PID:9708
- C:\Windows\System\mpsTpdv.exe
  C:\Windows\System\mpsTpdv.exe
  2⤵
  PID:9904
- C:\Windows\System\qaMUpbF.exe
  C:\Windows\System\qaMUpbF.exe
  2⤵
  PID:10044
- C:\Windows\System\uabJDqZ.exe
  C:\Windows\System\uabJDqZ.exe
  2⤵
  PID:10188
- C:\Windows\System\JVYMmPp.exe
  C:\Windows\System\JVYMmPp.exe
  2⤵
  PID:9516
- C:\Windows\System\mftIRkk.exe
  C:\Windows\System\mftIRkk.exe
  2⤵
  PID:9852
- C:\Windows\System\NMZGGqd.exe
  C:\Windows\System\NMZGGqd.exe
  2⤵
  PID:9392
- C:\Windows\System\yUNyVmU.exe
  C:\Windows\System\yUNyVmU.exe
  2⤵
  PID:9320
- C:\Windows\System\aVEIIVC.exe
  C:\Windows\System\aVEIIVC.exe
  2⤵
  PID:404
- C:\Windows\System\amnXgpP.exe
  C:\Windows\System\amnXgpP.exe
  2⤵
  PID:10248
- C:\Windows\System\FpctTXG.exe
  C:\Windows\System\FpctTXG.exe
  2⤵
  PID:10276
- C:\Windows\System\HMMMXnJ.exe
  C:\Windows\System\HMMMXnJ.exe
  2⤵
  PID:10304
- C:\Windows\System\WyQZdIP.exe
  C:\Windows\System\WyQZdIP.exe
  2⤵
  PID:10336
- C:\Windows\System\EKWVfUi.exe
  C:\Windows\System\EKWVfUi.exe
  2⤵
  PID:10364
- C:\Windows\System\xrcDjYb.exe
  C:\Windows\System\xrcDjYb.exe
  2⤵
  PID:10392
- C:\Windows\System\irsLXyo.exe
  C:\Windows\System\irsLXyo.exe
  2⤵
  PID:10420
- C:\Windows\System\EMrASBi.exe
  C:\Windows\System\EMrASBi.exe
  2⤵
  PID:10448
- C:\Windows\System\kukrDLU.exe
  C:\Windows\System\kukrDLU.exe
  2⤵
  PID:10480
- C:\Windows\System\iKPfobe.exe
  C:\Windows\System\iKPfobe.exe
  2⤵
  PID:10508
- C:\Windows\System\WSetMaJ.exe
  C:\Windows\System\WSetMaJ.exe
  2⤵
  PID:10536
- C:\Windows\System\AjTJstu.exe
  C:\Windows\System\AjTJstu.exe
  2⤵
  PID:10564
- C:\Windows\System\wNWpGjr.exe
  C:\Windows\System\wNWpGjr.exe
  2⤵
  PID:10592
- C:\Windows\System\TrlxNAL.exe
  C:\Windows\System\TrlxNAL.exe
  2⤵
  PID:10620
- C:\Windows\System\hVYCpxA.exe
  C:\Windows\System\hVYCpxA.exe
  2⤵
  PID:10648
- C:\Windows\System\EQISheH.exe
  C:\Windows\System\EQISheH.exe
  2⤵
  PID:10676
- C:\Windows\System\bXrceRt.exe
  C:\Windows\System\bXrceRt.exe
  2⤵
  PID:10704
- C:\Windows\System\lKFGAuy.exe
  C:\Windows\System\lKFGAuy.exe
  2⤵
  PID:10732
- C:\Windows\System\aUolnrC.exe
  C:\Windows\System\aUolnrC.exe
  2⤵
  PID:10760
- C:\Windows\System\ZJxqtBC.exe
  C:\Windows\System\ZJxqtBC.exe
  2⤵
  PID:10788
- C:\Windows\System\opvOSTV.exe
  C:\Windows\System\opvOSTV.exe
  2⤵
  PID:10816
- C:\Windows\System\wHEbIIa.exe
  C:\Windows\System\wHEbIIa.exe
  2⤵
  PID:10844
- C:\Windows\System\odQnizf.exe
  C:\Windows\System\odQnizf.exe
  2⤵
  PID:10872
- C:\Windows\System\ZTMKutG.exe
  C:\Windows\System\ZTMKutG.exe
  2⤵
  PID:10908
- C:\Windows\System\peDtJNP.exe
  C:\Windows\System\peDtJNP.exe
  2⤵
  PID:10928
- C:\Windows\System\UNNDMkU.exe
  C:\Windows\System\UNNDMkU.exe
  2⤵
  PID:10956
- C:\Windows\System\MxTkZdp.exe
  C:\Windows\System\MxTkZdp.exe
  2⤵
  PID:10984
- C:\Windows\System\tDTBntW.exe
  C:\Windows\System\tDTBntW.exe
  2⤵
  PID:11012
- C:\Windows\System\acQTdDa.exe
  C:\Windows\System\acQTdDa.exe
  2⤵
  PID:11040
- C:\Windows\System\fYSyyAq.exe
  C:\Windows\System\fYSyyAq.exe
  2⤵
  PID:11068
- C:\Windows\System\WmNLCKX.exe
  C:\Windows\System\WmNLCKX.exe
  2⤵
  PID:11096
- C:\Windows\System\dZeYTFm.exe
  C:\Windows\System\dZeYTFm.exe
  2⤵
  PID:11124
- C:\Windows\System\zjjVAPI.exe
  C:\Windows\System\zjjVAPI.exe
  2⤵
  PID:11152
- C:\Windows\System\vqCIitj.exe
  C:\Windows\System\vqCIitj.exe
  2⤵
  PID:11180
- C:\Windows\System\lZKYFYf.exe
  C:\Windows\System\lZKYFYf.exe
  2⤵
  PID:11208
- C:\Windows\System\IEiSRbH.exe
  C:\Windows\System\IEiSRbH.exe
  2⤵
  PID:11236
- C:\Windows\System\Uwvwrfr.exe
  C:\Windows\System\Uwvwrfr.exe
  2⤵
  PID:9848
- C:\Windows\System\BqYrMay.exe
  C:\Windows\System\BqYrMay.exe
  2⤵
  PID:10300
- C:\Windows\System\FuTquOy.exe
  C:\Windows\System\FuTquOy.exe
  2⤵
  PID:10380
- C:\Windows\System\rCsGFQn.exe
  C:\Windows\System\rCsGFQn.exe
  2⤵
  PID:10440
- C:\Windows\System\gLpncHl.exe
  C:\Windows\System\gLpncHl.exe
  2⤵
  PID:10504
- C:\Windows\System\pIFinyb.exe
  C:\Windows\System\pIFinyb.exe
  2⤵
  PID:10576
- C:\Windows\System\qlfNcoz.exe
  C:\Windows\System\qlfNcoz.exe
  2⤵
  PID:10644
- C:\Windows\System\KeZLeKB.exe
  C:\Windows\System\KeZLeKB.exe
  2⤵
  PID:10700
- C:\Windows\System\OVeTdzE.exe
  C:\Windows\System\OVeTdzE.exe
  2⤵
  PID:10772
- C:\Windows\System\NzUAWZU.exe
  C:\Windows\System\NzUAWZU.exe
  2⤵
  PID:10836
- C:\Windows\System\wvkGoQq.exe
  C:\Windows\System\wvkGoQq.exe
  2⤵
  PID:10896
- C:\Windows\System\TnSSJgu.exe
  C:\Windows\System\TnSSJgu.exe
  2⤵
  PID:10968
- C:\Windows\System\MGeDfob.exe
  C:\Windows\System\MGeDfob.exe
  2⤵
  PID:11032
- C:\Windows\System\bYLuQgK.exe
  C:\Windows\System\bYLuQgK.exe
  2⤵
  PID:11092
- C:\Windows\System\tynDmYf.exe
  C:\Windows\System\tynDmYf.exe
  2⤵
  PID:11164
- C:\Windows\System\sxZkChm.exe
  C:\Windows\System\sxZkChm.exe
  2⤵
  PID:11228
- C:\Windows\System\ENslXIE.exe
  C:\Windows\System\ENslXIE.exe
  2⤵
  PID:10296
- C:\Windows\System\zHoWoKv.exe
  C:\Windows\System\zHoWoKv.exe
  2⤵
  PID:10476
- C:\Windows\System\nsRBhRh.exe
  C:\Windows\System\nsRBhRh.exe
  2⤵
  PID:10608
- C:\Windows\System\iXiPDxa.exe
  C:\Windows\System\iXiPDxa.exe
  2⤵
  PID:10752
- C:\Windows\System\eMypCJN.exe
  C:\Windows\System\eMypCJN.exe
  2⤵
  PID:10892
- C:\Windows\System\RuYLVGx.exe
  C:\Windows\System\RuYLVGx.exe
  2⤵
  PID:11204
- C:\Windows\System\kyZvuRq.exe
  C:\Windows\System\kyZvuRq.exe
  2⤵
  PID:10500
- C:\Windows\System\DdWhmIY.exe
  C:\Windows\System\DdWhmIY.exe
  2⤵
  PID:11008
- C:\Windows\System\KLSOzyA.exe
  C:\Windows\System\KLSOzyA.exe
  2⤵
  PID:10952
- C:\Windows\System\WRswsAk.exe
  C:\Windows\System\WRswsAk.exe
  2⤵
  PID:11276
- C:\Windows\System\zqIIzYH.exe
  C:\Windows\System\zqIIzYH.exe
  2⤵
  PID:11312
- C:\Windows\System\LEvHiwH.exe
  C:\Windows\System\LEvHiwH.exe
  2⤵
  PID:11332
- C:\Windows\System\GoZuKlr.exe
  C:\Windows\System\GoZuKlr.exe
  2⤵
  PID:11360
- C:\Windows\System\MZefkZW.exe
  C:\Windows\System\MZefkZW.exe
  2⤵
  PID:11388
- C:\Windows\System\rTxoYNn.exe
  C:\Windows\System\rTxoYNn.exe
  2⤵
  PID:11416
- C:\Windows\System\yFzMWLS.exe
  C:\Windows\System\yFzMWLS.exe
  2⤵
  PID:11444
- C:\Windows\System\hYRAaUC.exe
  C:\Windows\System\hYRAaUC.exe
  2⤵
  PID:11472
- C:\Windows\System\xHVasMn.exe
  C:\Windows\System\xHVasMn.exe
  2⤵
  PID:11500
- C:\Windows\System\tolVkyD.exe
  C:\Windows\System\tolVkyD.exe
  2⤵
  PID:11528
- C:\Windows\System\VMjGooP.exe
  C:\Windows\System\VMjGooP.exe
  2⤵
  PID:11556
- C:\Windows\System\zawnAzw.exe
  C:\Windows\System\zawnAzw.exe
  2⤵
  PID:11584
- C:\Windows\System\fuBArsA.exe
  C:\Windows\System\fuBArsA.exe
  2⤵
  PID:11612
- C:\Windows\System\CkwDhZJ.exe
  C:\Windows\System\CkwDhZJ.exe
  2⤵
  PID:11640
- C:\Windows\System\vmlgMHq.exe
  C:\Windows\System\vmlgMHq.exe
  2⤵
  PID:11668
- C:\Windows\System\CwIrHKo.exe
  C:\Windows\System\CwIrHKo.exe
  2⤵
  PID:11696
- C:\Windows\System\iMyOqFE.exe
  C:\Windows\System\iMyOqFE.exe
  2⤵
  PID:11712
- C:\Windows\System\NaNtyvG.exe
  C:\Windows\System\NaNtyvG.exe
  2⤵
  PID:11728
- C:\Windows\System\MPpauCv.exe
  C:\Windows\System\MPpauCv.exe
  2⤵
  PID:11780
- C:\Windows\System\HPQngNZ.exe
  C:\Windows\System\HPQngNZ.exe
  2⤵
  PID:11808
- C:\Windows\System\raayVea.exe
  C:\Windows\System\raayVea.exe
  2⤵
  PID:11840
- C:\Windows\System\WTdYFLz.exe
  C:\Windows\System\WTdYFLz.exe
  2⤵
  PID:11868
- C:\Windows\System\FieNaRg.exe
  C:\Windows\System\FieNaRg.exe
  2⤵
  PID:11896
- C:\Windows\System\YeQWMoA.exe
  C:\Windows\System\YeQWMoA.exe
  2⤵
  PID:11924
- C:\Windows\System\TJICZBh.exe
  C:\Windows\System\TJICZBh.exe
  2⤵
  PID:11956
- C:\Windows\System\JPHRpqo.exe
  C:\Windows\System\JPHRpqo.exe
  2⤵
  PID:11984
- C:\Windows\System\opRxCVs.exe
  C:\Windows\System\opRxCVs.exe
  2⤵
  PID:12020
- C:\Windows\System\QxGrOSw.exe
  C:\Windows\System\QxGrOSw.exe
  2⤵
  PID:12048
- C:\Windows\System\vCkrtAE.exe
  C:\Windows\System\vCkrtAE.exe
  2⤵
  PID:12084
- C:\Windows\System\LdfbFCw.exe
  C:\Windows\System\LdfbFCw.exe
  2⤵
  PID:12112
- C:\Windows\System\TfOLyOU.exe
  C:\Windows\System\TfOLyOU.exe
  2⤵
  PID:12144
- C:\Windows\System\jrhYiRe.exe
  C:\Windows\System\jrhYiRe.exe
  2⤵
  PID:12184
- C:\Windows\System\bNjdQDT.exe
  C:\Windows\System\bNjdQDT.exe
  2⤵
  PID:12224
- C:\Windows\System\kKrzSHL.exe
  C:\Windows\System\kKrzSHL.exe
  2⤵
  PID:12252
- C:\Windows\System\mpIEdBf.exe
  C:\Windows\System\mpIEdBf.exe
  2⤵
  PID:12280
- C:\Windows\System\Efgujxd.exe
  C:\Windows\System\Efgujxd.exe
  2⤵
  PID:11320
- C:\Windows\System\HEBwpeE.exe
  C:\Windows\System\HEBwpeE.exe
  2⤵
  PID:10728
- C:\Windows\System\bWokhJy.exe
  C:\Windows\System\bWokhJy.exe
  2⤵
  PID:11436
- C:\Windows\System\JZsDklq.exe
  C:\Windows\System\JZsDklq.exe
  2⤵
  PID:11516
- C:\Windows\System\wzpUjtW.exe
  C:\Windows\System\wzpUjtW.exe
  2⤵
  PID:11576
- C:\Windows\System\SglkTZq.exe
  C:\Windows\System\SglkTZq.exe
  2⤵
  PID:11636
- C:\Windows\System\vTJIimr.exe
  C:\Windows\System\vTJIimr.exe
  2⤵
  PID:11692
- C:\Windows\System\axcAtWl.exe
  C:\Windows\System\axcAtWl.exe
  2⤵
  PID:11792
- C:\Windows\System\dOOAgrv.exe
  C:\Windows\System\dOOAgrv.exe
  2⤵
  PID:11828
- C:\Windows\System\SMxwsQF.exe
  C:\Windows\System\SMxwsQF.exe
  2⤵
  PID:11912
- C:\Windows\System\NncMRRj.exe
  C:\Windows\System\NncMRRj.exe
  2⤵
  PID:11952
- C:\Windows\System\oUsSiQz.exe
  C:\Windows\System\oUsSiQz.exe
  2⤵
  PID:12040
- C:\Windows\System\mjhQoSr.exe
  C:\Windows\System\mjhQoSr.exe
  2⤵
  PID:12156
- C:\Windows\System\TwKFaXT.exe
  C:\Windows\System\TwKFaXT.exe
  2⤵
  PID:12176
- C:\Windows\System\JdBXcJB.exe
  C:\Windows\System\JdBXcJB.exe
  2⤵
  PID:12236
- C:\Windows\System\HauDWap.exe
  C:\Windows\System\HauDWap.exe
  2⤵
  PID:11300
- C:\Windows\System\ZEJMWOD.exe
  C:\Windows\System\ZEJMWOD.exe
  2⤵
  PID:11432
- C:\Windows\System\USlmPsL.exe
  C:\Windows\System\USlmPsL.exe
  2⤵
  PID:11684
- C:\Windows\System\rogNaAO.exe
  C:\Windows\System\rogNaAO.exe
  2⤵
  PID:11764
- C:\Windows\System\YUidZoN.exe
  C:\Windows\System\YUidZoN.exe
  2⤵
  PID:11996
- C:\Windows\System\HIIeGXC.exe
  C:\Windows\System\HIIeGXC.exe
  2⤵
  PID:12124
- C:\Windows\System\XCYnfFX.exe
  C:\Windows\System\XCYnfFX.exe
  2⤵
  PID:12208
- C:\Windows\System\TFRKMZA.exe
  C:\Windows\System\TFRKMZA.exe
  2⤵
  PID:12276
- C:\Windows\System\vdYuiJa.exe
  C:\Windows\System\vdYuiJa.exe
  2⤵
  PID:11412
- C:\Windows\System\AKfrIKg.exe
  C:\Windows\System\AKfrIKg.exe
  2⤵
  PID:11944
- C:\Windows\System\jEpEjIg.exe
  C:\Windows\System\jEpEjIg.exe
  2⤵
  PID:12076
- C:\Windows\System\nLTQTQw.exe
  C:\Windows\System\nLTQTQw.exe
  2⤵
  PID:11272
- C:\Windows\System\HwbcBuA.exe
  C:\Windows\System\HwbcBuA.exe
  2⤵
  PID:12060
- C:\Windows\System\eRYKWMO.exe
  C:\Windows\System\eRYKWMO.exe
  2⤵
  PID:12304
- C:\Windows\System\BBiXKDM.exe
  C:\Windows\System\BBiXKDM.exe
  2⤵
  PID:12344
- C:\Windows\System\FwizdwT.exe
  C:\Windows\System\FwizdwT.exe
  2⤵
  PID:12372
- C:\Windows\System\wFvYVmS.exe
  C:\Windows\System\wFvYVmS.exe
  2⤵
  PID:12400
- C:\Windows\System\IupJLZg.exe
  C:\Windows\System\IupJLZg.exe
  2⤵
  PID:12428
- C:\Windows\System\uyJDaRN.exe
  C:\Windows\System\uyJDaRN.exe
  2⤵
  PID:12444
- C:\Windows\System\bnjjrOD.exe
  C:\Windows\System\bnjjrOD.exe
  2⤵
  PID:12484
- C:\Windows\System\wotOLEq.exe
  C:\Windows\System\wotOLEq.exe
  2⤵
  PID:12512
- C:\Windows\System\hMdsWaA.exe
  C:\Windows\System\hMdsWaA.exe
  2⤵
  PID:12528
- C:\Windows\System\OehpJGH.exe
  C:\Windows\System\OehpJGH.exe
  2⤵
  PID:12564
- C:\Windows\System\hncvUvz.exe
  C:\Windows\System\hncvUvz.exe
  2⤵
  PID:12592
- C:\Windows\System\WCMfLyO.exe
  C:\Windows\System\WCMfLyO.exe
  2⤵
  PID:12620
- C:\Windows\System\HMLkYHm.exe
  C:\Windows\System\HMLkYHm.exe
  2⤵
  PID:12660
- C:\Windows\System\EzknQYG.exe
  C:\Windows\System\EzknQYG.exe
  2⤵
  PID:12684
- C:\Windows\System\NWTLTPR.exe
  C:\Windows\System\NWTLTPR.exe
  2⤵
  PID:12704
- C:\Windows\System\QkVIUCK.exe
  C:\Windows\System\QkVIUCK.exe
  2⤵
  PID:12732
- C:\Windows\System\EUTTNQM.exe
  C:\Windows\System\EUTTNQM.exe
  2⤵
  PID:12784
- C:\Windows\System\zVZMiMi.exe
  C:\Windows\System\zVZMiMi.exe
  2⤵
  PID:12820
- C:\Windows\System\jpqsQfB.exe
  C:\Windows\System\jpqsQfB.exe
  2⤵
  PID:12840
- C:\Windows\System\ozLEpyZ.exe
  C:\Windows\System\ozLEpyZ.exe
  2⤵
  PID:12872
- C:\Windows\System\QjDedVt.exe
  C:\Windows\System\QjDedVt.exe
  2⤵
  PID:12896
- C:\Windows\System\VIwVbGk.exe
  C:\Windows\System\VIwVbGk.exe
  2⤵
  PID:12924
- C:\Windows\System\ycSRQbP.exe
  C:\Windows\System\ycSRQbP.exe
  2⤵
  PID:12940
- C:\Windows\System\aifQviL.exe
  C:\Windows\System\aifQviL.exe
  2⤵
  PID:12956
- C:\Windows\System\jNWxYRN.exe
  C:\Windows\System\jNWxYRN.exe
  2⤵
  PID:12980
- C:\Windows\System\MabZOPl.exe
  C:\Windows\System\MabZOPl.exe
  2⤵
  PID:13044
- C:\Windows\System\Lnwyoyy.exe
  C:\Windows\System\Lnwyoyy.exe
  2⤵
  PID:13076
- C:\Windows\System\ThLizMM.exe
  C:\Windows\System\ThLizMM.exe
  2⤵
  PID:13108
- C:\Windows\System\CSJxTUO.exe
  C:\Windows\System\CSJxTUO.exe
  2⤵
  PID:13140
- C:\Windows\System\AMfFLwi.exe
  C:\Windows\System\AMfFLwi.exe
  2⤵
  PID:13168
- C:\Windows\System\FfYBPee.exe
  C:\Windows\System\FfYBPee.exe
  2⤵
  PID:13196
- C:\Windows\System\GaEqxEy.exe
  C:\Windows\System\GaEqxEy.exe
  2⤵
  PID:13224
- C:\Windows\System\hPzzIuK.exe
  C:\Windows\System\hPzzIuK.exe
  2⤵
  PID:13252
- C:\Windows\System\gkmXlrd.exe
  C:\Windows\System\gkmXlrd.exe
  2⤵
  PID:13272
- C:\Windows\System\XVYoRxj.exe
  C:\Windows\System\XVYoRxj.exe
  2⤵
  PID:13304
- C:\Windows\System\LGCitxF.exe
  C:\Windows\System\LGCitxF.exe
  2⤵
  PID:12316
- C:\Windows\System\vHsTqEC.exe
  C:\Windows\System\vHsTqEC.exe
  2⤵
  PID:12364
- C:\Windows\System\vEDLGvU.exe
  C:\Windows\System\vEDLGvU.exe
  2⤵
  PID:12416
- C:\Windows\System\lZequew.exe
  C:\Windows\System\lZequew.exe
  2⤵
  PID:12504
- C:\Windows\System\HChzvAS.exe
  C:\Windows\System\HChzvAS.exe
  2⤵
  PID:12588
- C:\Windows\System\AjjdQFk.exe
  C:\Windows\System\AjjdQFk.exe
  2⤵
  PID:12608
- C:\Windows\System\wdgVWuz.exe
  C:\Windows\System\wdgVWuz.exe
  2⤵
  PID:12720
- C:\Windows\System\CSiXFge.exe
  C:\Windows\System\CSiXFge.exe
  2⤵
  PID:12760
- C:\Windows\System\RBlUXoJ.exe
  C:\Windows\System\RBlUXoJ.exe
  2⤵
  PID:12868
- C:\Windows\System\lwSlEYj.exe
  C:\Windows\System\lwSlEYj.exe
  2⤵
  PID:12948
- C:\Windows\System\mBWUOqS.exe
  C:\Windows\System\mBWUOqS.exe
  2⤵
  PID:13020
- C:\Windows\System\cWttIRe.exe
  C:\Windows\System\cWttIRe.exe
  2⤵
  PID:13016
- C:\Windows\System\zlxpKcZ.exe
  C:\Windows\System\zlxpKcZ.exe
  2⤵
  PID:13152
- C:\Windows\System\VBgXJsU.exe
  C:\Windows\System\VBgXJsU.exe
  2⤵
  PID:13180
- C:\Windows\System\roXviiP.exe
  C:\Windows\System\roXviiP.exe
  2⤵
  PID:13248
- C:\Windows\System\QGlEncc.exe
  C:\Windows\System\QGlEncc.exe
  2⤵
  PID:12296
- C:\Windows\System\TfySKjb.exe
  C:\Windows\System\TfySKjb.exe
  2⤵
  PID:12496
- C:\Windows\System\IxUttGj.exe
  C:\Windows\System\IxUttGj.exe
  2⤵
  PID:12604
- C:\Windows\System\DCTDtYT.exe
  C:\Windows\System\DCTDtYT.exe
  2⤵
  PID:12696
- C:\Windows\System\BjJuQTD.exe
  C:\Windows\System\BjJuQTD.exe
  2⤵
  PID:12952
- C:\Windows\System\qiJSkbk.exe
  C:\Windows\System\qiJSkbk.exe
  2⤵
  PID:13128
- C:\Windows\System\OHgNTdT.exe
  C:\Windows\System\OHgNTdT.exe
  2⤵
  PID:13280
- C:\Windows\System\xJWMNtb.exe
  C:\Windows\System\xJWMNtb.exe
  2⤵
  PID:12468
- C:\Windows\System\hxvvjpp.exe
  C:\Windows\System\hxvvjpp.exe
  2⤵
  PID:12700
- C:\Windows\System\rfKqyjM.exe
  C:\Windows\System\rfKqyjM.exe
  2⤵
  PID:13220
- C:\Windows\System\szLxQoQ.exe
  C:\Windows\System\szLxQoQ.exe
  2⤵
  PID:12888
- C:\Windows\System\oXCXSZd.exe
  C:\Windows\System\oXCXSZd.exe
  2⤵
  PID:13320
- C:\Windows\System\JiSXFaV.exe
  C:\Windows\System\JiSXFaV.exe
  2⤵
  PID:13348
- C:\Windows\System\ZKyqsRJ.exe
  C:\Windows\System\ZKyqsRJ.exe
  2⤵
  PID:13376
- C:\Windows\System\RfaPMES.exe
  C:\Windows\System\RfaPMES.exe
  2⤵
  PID:13400
- C:\Windows\System\xsCKrgU.exe
  C:\Windows\System\xsCKrgU.exe
  2⤵
  PID:13432
- C:\Windows\System\JZmfykU.exe
  C:\Windows\System\JZmfykU.exe
  2⤵
  PID:13460
- C:\Windows\System\ZHbTmbI.exe
  C:\Windows\System\ZHbTmbI.exe
  2⤵
  PID:13480
- C:\Windows\System\cUJUsji.exe
  C:\Windows\System\cUJUsji.exe
  2⤵
  PID:13512
- C:\Windows\System\oIgRGeW.exe
  C:\Windows\System\oIgRGeW.exe
  2⤵
  PID:13544
- C:\Windows\System\PMBoDuS.exe
  C:\Windows\System\PMBoDuS.exe
  2⤵
  PID:13564
- C:\Windows\System\PCJljmG.exe
  C:\Windows\System\PCJljmG.exe
  2⤵
  PID:13600
- C:\Windows\System\xQynFUa.exe
  C:\Windows\System\xQynFUa.exe
  2⤵
  PID:13628
- C:\Windows\System\pYcstxV.exe
  C:\Windows\System\pYcstxV.exe
  2⤵
  PID:13656
- C:\Windows\System\HSmCXtj.exe
  C:\Windows\System\HSmCXtj.exe
  2⤵
  PID:13684
- C:\Windows\System\CohqPov.exe
  C:\Windows\System\CohqPov.exe
  2⤵
  PID:13712
- C:\Windows\System\Sawlbhc.exe
  C:\Windows\System\Sawlbhc.exe
  2⤵
  PID:13732
- C:\Windows\System\khckvrW.exe
  C:\Windows\System\khckvrW.exe
  2⤵
  PID:13768
- C:\Windows\System\sGiJSFX.exe
  C:\Windows\System\sGiJSFX.exe
  2⤵
  PID:13796
- C:\Windows\System\aFkbgiL.exe
  C:\Windows\System\aFkbgiL.exe
  2⤵
  PID:13824
- C:\Windows\System\tZPRctS.exe
  C:\Windows\System\tZPRctS.exe
  2⤵
  PID:13852
- C:\Windows\System\GNnuuAE.exe
  C:\Windows\System\GNnuuAE.exe
  2⤵
  PID:13880
- C:\Windows\System\KbdLhoB.exe
  C:\Windows\System\KbdLhoB.exe
  2⤵
  PID:13908
- C:\Windows\System\kYtNlpa.exe
  C:\Windows\System\kYtNlpa.exe
  2⤵
  PID:13936
- C:\Windows\System\HqtVWDZ.exe
  C:\Windows\System\HqtVWDZ.exe
  2⤵
  PID:13964
- C:\Windows\System\rWqtUha.exe
  C:\Windows\System\rWqtUha.exe
  2⤵
  PID:13992
- C:\Windows\System\SxnoolO.exe
  C:\Windows\System\SxnoolO.exe
  2⤵
  PID:14020
- C:\Windows\System\kuZLDsP.exe
  C:\Windows\System\kuZLDsP.exe
  2⤵
  PID:14048
- C:\Windows\System\OldRysp.exe
  C:\Windows\System\OldRysp.exe
  2⤵
  PID:14064
- C:\Windows\System\iCgImyx.exe
  C:\Windows\System\iCgImyx.exe
  2⤵
  PID:14092
- C:\Windows\System\wbfLLbt.exe
  C:\Windows\System\wbfLLbt.exe
  2⤵
  PID:14120
- C:\Windows\System\JOOGCCE.exe
  C:\Windows\System\JOOGCCE.exe
  2⤵
  PID:14152
- C:\Windows\System\IvtzorE.exe
  C:\Windows\System\IvtzorE.exe
  2⤵
  PID:14176
- C:\Windows\System\WjyqXzS.exe
  C:\Windows\System\WjyqXzS.exe
  2⤵
  PID:14204
- C:\Windows\System\LuGdCaT.exe
  C:\Windows\System\LuGdCaT.exe
  2⤵
  PID:14240
- C:\Windows\System\mDEAkjV.exe
  C:\Windows\System\mDEAkjV.exe
  2⤵
  PID:14264
- C:\Windows\System\mdOPMCr.exe
  C:\Windows\System\mdOPMCr.exe
  2⤵
  PID:14308
- C:\Windows\System\vrnWeTA.exe
  C:\Windows\System\vrnWeTA.exe
  2⤵
  PID:12644
- C:\Windows\System\czkyoIY.exe
  C:\Windows\System\czkyoIY.exe
  2⤵
  PID:13416
- C:\Windows\System\PcUCbIb.exe
  C:\Windows\System\PcUCbIb.exe
  2⤵
  PID:13488
- C:\Windows\System\QtrZdsk.exe
  C:\Windows\System\QtrZdsk.exe
  2⤵
  PID:4036
- C:\Windows\System\HsPsNaX.exe
  C:\Windows\System\HsPsNaX.exe
  2⤵
  PID:13520
- C:\Windows\System\GRBaRtw.exe
  C:\Windows\System\GRBaRtw.exe
  2⤵
  PID:13584
- C:\Windows\System\rZUYVJX.exe
  C:\Windows\System\rZUYVJX.exe
  2⤵
  PID:13640
- C:\Windows\System\gwiZzch.exe
  C:\Windows\System\gwiZzch.exe
  2⤵
  PID:13708
- C:\Windows\System\YUCekno.exe
  C:\Windows\System\YUCekno.exe
  2⤵
  PID:13816
- C:\Windows\System\foRlZOA.exe
  C:\Windows\System\foRlZOA.exe
  2⤵
  PID:13928
- C:\Windows\System\XmXSXRI.exe
  C:\Windows\System\XmXSXRI.exe
  2⤵
  PID:14004
- C:\Windows\System\mZhGfiT.exe
  C:\Windows\System\mZhGfiT.exe
  2⤵
  PID:14188
- C:\Windows\System\nogKdHl.exe
  C:\Windows\System\nogKdHl.exe
  2⤵
  PID:14220
- C:\Windows\System\DWTQtgX.exe
  C:\Windows\System\DWTQtgX.exe
  2⤵
  PID:14300
- C:\Windows\System\kuFgyFB.exe
  C:\Windows\System\kuFgyFB.exe
  2⤵
  PID:4744
- C:\Windows\System\UhMBPBP.exe
  C:\Windows\System\UhMBPBP.exe
  2⤵
  PID:13672
- C:\Windows\System\QsmpiCs.exe
  C:\Windows\System\QsmpiCs.exe
  2⤵
  PID:13616
- C:\Windows\System\gizNmDs.exe
  C:\Windows\System\gizNmDs.exe
  2⤵
  PID:13792
- C:\Windows\System\mgugvEP.exe
  C:\Windows\System\mgugvEP.exe
  2⤵
  PID:14288
- C:\Windows\System\wGNvAOw.exe
  C:\Windows\System\wGNvAOw.exe
  2⤵
  PID:14076
- C:\Windows\System\jTdmYCt.exe
  C:\Windows\System\jTdmYCt.exe
  2⤵
  PID:2240
- C:\Windows\System\CnkQstz.exe
  C:\Windows\System\CnkQstz.exe
  2⤵
  PID:13920
- C:\Windows\System\hXLrasD.exe
  C:\Windows\System\hXLrasD.exe
  2⤵
  PID:13976
- C:\Windows\System\RLhjBie.exe
  C:\Windows\System\RLhjBie.exe
  2⤵
  PID:14356
- C:\Windows\System\oCKdDTj.exe
  C:\Windows\System\oCKdDTj.exe
  2⤵
  PID:14384
- C:\Windows\System\wIoZFbC.exe
  C:\Windows\System\wIoZFbC.exe
  2⤵
  PID:14412
- C:\Windows\System\PnVdglI.exe
  C:\Windows\System\PnVdglI.exe
  2⤵
  PID:14452
- C:\Windows\System\SDtLtLl.exe
  C:\Windows\System\SDtLtLl.exe
  2⤵
  PID:14476
- C:\Windows\System\ZfExPaF.exe
  C:\Windows\System\ZfExPaF.exe
  2⤵
  PID:14500
- C:\Windows\System\TtuIJSF.exe
  C:\Windows\System\TtuIJSF.exe
  2⤵
  PID:14524
- C:\Windows\System\xgsQGlb.exe
  C:\Windows\System\xgsQGlb.exe
  2⤵
  PID:14540
- C:\Windows\System\YHBrqER.exe
  C:\Windows\System\YHBrqER.exe
  2⤵
  PID:14568
- C:\Windows\System\zCBJHJJ.exe
  C:\Windows\System\zCBJHJJ.exe
  2⤵
  PID:14600
- C:\Windows\System\vkCavmV.exe
  C:\Windows\System\vkCavmV.exe
  2⤵
  PID:14636
- C:\Windows\System\ZWAEwLl.exe
  C:\Windows\System\ZWAEwLl.exe
  2⤵
  PID:14676
- C:\Windows\System\CsKkpRc.exe
  C:\Windows\System\CsKkpRc.exe
  2⤵
  PID:14692
- C:\Windows\System\eeHVxuX.exe
  C:\Windows\System\eeHVxuX.exe
  2⤵
  PID:14800
- C:\Windows\System\tzHdCgm.exe
  C:\Windows\System\tzHdCgm.exe
  2⤵
  PID:14816

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:14944

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:15304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ABudSwt.exe

Filesize
2.1MB

MD5
15568e1036752bd7a88cbc62cacfdea3

SHA1
efbf4f6481e1cc1fdc03c2ba29e7d334106c8ac3

SHA256
624905dc017980c935390cadd7f57d890a9afe8034f9449a3b87105e00f22c3c

SHA512
47dd2c9f76e7aad99b456cc25f0243e0407425e33dc05ecee80543b74f3c0a35ff0440793ee94cfa766e61f860bf41583c6d0396c569674ad2030f65956fb370

Download Submit
C:\Windows\System\ArDfXVZ.exe

Filesize
2.1MB

MD5
19df36684d5838c1061c8ad60622e153

SHA1
ead7491f471963df208176064d2aacae6d7bdf6b

SHA256
7888d7ea5330e04ff451020120c807a123552b5b0d162646e5cb46a77048cd62

SHA512
0f24b606ebfcbadaeb3accc9840abe5d04b5fd9ef79af0d5dd2dd146778cf10e3df591b40b5b679ddb99cb1d565441f4392c79ad4b29095d29191c0036640330

Download Submit
C:\Windows\System\BQapWNQ.exe

Filesize
2.1MB

MD5
3837c82c94ba44a08b606e155a0cc030

SHA1
be1a6c8fdbf450ca5b31b93abf893f0cb4e81411

SHA256
abdf29ca8fef9c991a7d99d36c276d06a113d36914240e52dac9eecfcbabbdcd

SHA512
101b610fd525c9309e62e979b9f858e4b6b68adbf91b13fd0551797ca038ee668fb240434a176f45e0f71dedb640a69d6e78ece8a0601c0769e313f952ab6a51

Download Submit
C:\Windows\System\CfOYhfc.exe

Filesize
2.1MB

MD5
82d17f297eb58bc869feaa748225f146

SHA1
8768a4bb1ae3f70dd665d2dc483c938930d5de6d

SHA256
f3d739cbbb6475200e4fc1c189801c6c38cf038086f90b25e5bc37d5cfe22732

SHA512
8bb6f9f1a0d2a0e2fe7b2d333a2be48e54c1bead361789e45b6a35291ece429d0eaa9130f51c9fbde31ee206e8ca0fbad7baa6eb0be18864d2706b11e95cfe48

Download Submit
C:\Windows\System\CyaUbaR.exe

Filesize
2.1MB

MD5
5bf23437dd6f36d51b27a7e0f242a253

SHA1
8eaedc8d7da5b7298df52e0c6a240d3abc6546c4

SHA256
aa037dcd214cee97237d1d283b6af5f4cf0728f3c16cf0c257e7aa5759020d11

SHA512
f45daf75591bc6d1dd3ae6665b15df2ef6f231b6ba57f614ac39ece58b5d5376ca63a436f8c6919d4e2f9d2445d524a3dec47983411df1740a70918ee5a9ac49

Download Submit
C:\Windows\System\EGothvR.exe

Filesize
2.1MB

MD5
af109c40c654b8095a98d0031e90cb5e

SHA1
3b2220c82cbc951953756ac11ccccdcecc655f64

SHA256
c39f7cd3049b1fca75eb8bcef27b60636b53762302cc897f7f4a03eee30cd467

SHA512
0b283c91d249cdd6c42e893a52e28fee704a4d158cce87dffa34ad22a5ec9f4086614e6a018ed2c8219934c9d3135dc95690e80a27bb8834c6232f9daa67ed53

Download Submit
C:\Windows\System\GhGYzpb.exe

Filesize
2.1MB

MD5
c3a265f5ea3e4555d2fba178940c0081

SHA1
94f8b256cb33a18817a2c4f2fb251a6af506d75c

SHA256
a11ff0129b9f513d452d5c6a717ce8c769fefc25b82b9ec340cf6191023da25a

SHA512
ca818594f97b1d03fbb78dab00e2e7542f400505ca22af8d9a804901ac2be854e3748f2290ad8f553ba17e28a0cb8b8ea4ab2b074a8b11ec7828d5fd06dcd1ba

Download Submit
C:\Windows\System\HyPHuNx.exe

Filesize
2.1MB

MD5
7bbf7985d92f71679c5146be4a054030

SHA1
c4ac49576f22ee7e76c8cf8c9c9e9f26222eaa20

SHA256
c5c4f388bd3434a999d414c4a28fbf3a5eae1c2fd91745eb1ea3dbf677b56e0b

SHA512
f16dba2c47963d50c1326c8b300b3d18746daf0b30e376d248cb468c42c78211e2dce087425f8a72d9dad8e6d6f6f66bf85daa9854e5a1d71015b9c152affa7a

Download Submit
C:\Windows\System\IfspapM.exe

Filesize
2.1MB

MD5
fde21930a42b105af37fee0c97df670a

SHA1
9cc361ebf8e622d48604cbc3c84b1b80591fdfa8

SHA256
59f96d8359089e0e621f9eeea78e6691cf49d92790a495fccdfb391b123d61a5

SHA512
d3a9bf1815bec47ac9c3d99ab18ce62ce5b4146b686978ccec9ed5b342c603d00e2791fd3cd731fb7b06a2ffb76ee7d60b815aeb1bdc0549173f73b8533dfb30

Download Submit
C:\Windows\System\MPRvJbs.exe

Filesize
2.1MB

MD5
ebe5c5a736b3589fe98078cfbda50bb7

SHA1
2340190d581008ec5fd9706ad1389d05af3d13ee

SHA256
69159f84fdcc13c74b59ac40f4f6378986d81ef4b57e7158b7295d3ea3d0417d

SHA512
6eeffaf11e5b41986708fb601e355a3d86b59898d8f18cc51e85e54e375f4a11704135c71c2894a72a4a464b6b0d64642601a1e6f1824cfe325108837673bb9f

Download Submit
C:\Windows\System\MhOBgYI.exe

Filesize
2.1MB

MD5
489f2bb4a0b680b02a7b676cd80cd493

SHA1
8b265729e4d073733e3dca070d75c8565d52a909

SHA256
8ea7571014eec8598116647d0b563849b5699f2b7b79185249c0807497e91ccb

SHA512
c7c534340ba2d1bbb1dd918f76702407b607296b92e7e2ca202ca3c098269b03b57ac7ba3f8c54385f8b38be2074becf2fbe2d2a1b3b49e5a7638125822e6337

Download Submit
C:\Windows\System\OLoAyfz.exe

Filesize
2.1MB

MD5
47a92485aa1f54e7ebad8af39e733e66

SHA1
489eeca7ce08e47a4233c2cff694a99f0026f8d7

SHA256
157780db972d93cc767a53669905948843ccb1adce208baac6cdf1dd8695f8a9

SHA512
78ccf609e38e27514e94d22e41db95caef9a86abc6a33e2c2d5a4d24362416d9fedbbd6be7c7f843c66b3058effb284778236cc601acc7db062e9c795e850982

Download Submit
C:\Windows\System\QQhKwvo.exe

Filesize
2.1MB

MD5
75b6d04e3192fa2be2da5b05f52c25f6

SHA1
678c0ec06a4fcf86064277612eb682c8550bd05f

SHA256
c805fa4dc608db2abccb5b0a7d6888f725abce58902a75b0254efe91ac06d092

SHA512
100ae8afeb597c91e78c6ea5782f99eac7b6737411ccc49592310ec23dff3caa0d8b45b28f7daf8d4af9ebfea6e2aca81fbf081a2adb43d83f164df3d75bf623

Download Submit
C:\Windows\System\QdxmwXG.exe

Filesize
2.1MB

MD5
ab47be18c5d2c8966a0ec608dc86f4bd

SHA1
a809b4fd2b167d600843d78fc8d34d7a1a68277d

SHA256
1df200d9a5a9e90caa5367c61ee5818d56546344e049a93a15145ad6828ab5f0

SHA512
942505d7dd37e7e5bb09799dd6b467a08262dbca1283e4bef403d0187777740eced6f5e4265023d4816acb76f90ec565efc9ab40df3a0c8dc4a637df0cdb0099

Download Submit
C:\Windows\System\SgzNAxM.exe

Filesize
2.1MB

MD5
ca86f1c7c75bcf1cd2846ce6e0f8b194

SHA1
cf144496ed824a5f3280f3d358204171596a3bc7

SHA256
d16c746dd22147f642b184c304682b344c6b3ea494d7454e64641444ffea772e

SHA512
b73a8d6ce1582d18ebe2265ea3f2b4116bdf96eded3e83868ee9bdc5afbdebd46e5b67caab03b36ae9d48d8d1633aacab8221cdd16eef5ec8ba024258387c11e

Download Submit
C:\Windows\System\UedYIgt.exe

Filesize
2.1MB

MD5
7707f1269da23427a6e03f4f63687621

SHA1
4be242d0da7916c782ddd2173c3652b37ba04ff5

SHA256
9f6a9db3936ee5bc05080009c5a225984eebb669a916e0d778693b5bc538396e

SHA512
d334c70a0ce43c11eda4f45fe277f331f0d4c2383a6124e3d7d73a25f43878c28c19476f70c37e34e4aa6365663433261a04a0239df624a56316581163e96544

Download Submit
C:\Windows\System\ZUYafyg.exe

Filesize
2.1MB

MD5
417651a31b15e264590d39d65aa91382

SHA1
5b17d57634e9cb5718692ec3497b3db675febefc

SHA256
d2fed50dd780469e4deb57331f9bd4bc30d1ca90e19d77727f9e0ec9ddc19317

SHA512
906b7fbd514d657f42e2bd727bd5149d51e000ab91cdfe39aa34f2357e7775ad7e6e2bc51c22e26a835ea774e19eff17271e809badcc1e1bdbb3829f88a8bf1e

Download Submit
C:\Windows\System\ePsVJlw.exe

Filesize
2.1MB

MD5
70735740aacbe06f17fc4fd4baa75a75

SHA1
8b1a61eeeca80c9615dc8d963608e7629b760b5f

SHA256
dd40d2e851bb033400cc2d764d385dc338d033e09aef6902b8e941e37ffdf50c

SHA512
4bc901380db1c7a47220c9d1735a79a7dd4c4df4963b04da511da2b7e5bd93c15b9c6d538770f686af2a64c8bf4cac9dbd7c38d916ad79cf7adda1dc64badb68

Download Submit
C:\Windows\System\epDuUYG.exe

Filesize
2.1MB

MD5
d3f1a202b23ed136306969d0f13f92e5

SHA1
c48d4f15e558f6b7bcc598af019cc1d2d1efaffc

SHA256
8fc34a9e14aba7e773d20a0f168a6bc6f1cdf66eb794d71909906fe9e582e46f

SHA512
6b38a2a9aa1f05137fc0ba998f7807c267778d0b9fcf8ea21fe7578e31ac34feacf1b0de7b384e17de375328d82532a5b866ae7bcd3185400dec5237b456fc9b

Download Submit
C:\Windows\System\gxuiglR.exe

Filesize
2.1MB

MD5
fbf65e04f1fa092f7d682018c1d52996

SHA1
640c3463037983b2e5cf37c504931df1d15dc89b

SHA256
b32386b1155c47dc95c01a0f7375505832e197e8f55b769d84a084e4208cbf6d

SHA512
95a4f5d4a7fca8ab78ff495f048b82759523a5b34f51c8d6f1ead8063b717b3c9313d9736673fe0e04647b0b075d19420cf06cc246e2c1dc3e5a60d3dafd6857

Download Submit
C:\Windows\System\jazrxIR.exe

Filesize
2.1MB

MD5
96196940839a799cd21f1094dd2c5e80

SHA1
ba13532a754f08bed05ec979de31a0b1412d49cf

SHA256
b9aa00d101ec48ca960b3a70bf58b5163453f24d315395c47468e6efeb28900a

SHA512
b3f986fb270c68592abe4417e1152da845ef317806abe75b189780bcbf9b3f2e089f39861d8b674fe999f15358088de4729aa6dd7cb18a75bcf36454471bfdb3

Download Submit
C:\Windows\System\lErtNfl.exe

Filesize
2.1MB

MD5
721c71f7226492a73da283773df4f798

SHA1
0b7eeed63c9283c57ca0a21b169e0aacd29ad435

SHA256
eb1a08636c2bd4d4225f658b768ac760a60bf8d71ba819924dc66862d6467d8b

SHA512
bae36f1662edc5271c6d63ab257735715755e7d090df17c580c24997408489305e95ab95ba00796e11b2ffe3a84fac0ea337f05e8f67c977cb5ff3d0c0ce138c

Download Submit
C:\Windows\System\nOEdtqs.exe

Filesize
2.1MB

MD5
640a4370bfea3eacc07a7c1d0f3958e8

SHA1
b14d17a464a8878f2488827906a0310226c0627b

SHA256
a41a8bc21e7c32ae7b87c0803e5653e42d48707acde0c1d1c123cfa0c5703c21

SHA512
de495cb634d704424ede6d2fdaa08848a5d8a384ab74471b5e2ba61cf1a189a18c44879633ee86c3956ecdad360bc61089696c709e3881a299d608c48dc4a9e8

Download Submit
C:\Windows\System\ouqXxGX.exe

Filesize
2.1MB

MD5
68a2f634506114677061b13a51e779a3

SHA1
2ebc489b51f1fb0a62f9d3c2658f3ba6396d3ac0

SHA256
f49843e3b420df205d537dd5835374fb67e45bb16c61aae2b45d6ab4e2b7ff08

SHA512
fc566dff2bade94f84cb828dee29e9e233f327f8d6d0961b488089a5adfcbff8adc5585a18eb1df62f7444dd9f89d44279bd1cbc8cf89fa2776bf0e2da0f2b21

Download Submit
C:\Windows\System\ouwHVwE.exe

Filesize
2.1MB

MD5
209b47b42d31e3204545b131cb2f9a39

SHA1
a257602ce295c58c66f7e3d6e5e1328674c1ef6a

SHA256
c95a82336e100177ce1fa9291814aaaa151f34e83a1b9216599f02579de0ed9c

SHA512
4cdfd1ae665c8f69f2cff08bd05fc29ba204dc3f66661f338548024d51a5651dfd80d841b1430007987e38e22668534bb7e660f48e1abee2b452e615308d993a

Download Submit
C:\Windows\System\rDorMIA.exe

Filesize
2.1MB

MD5
2e6765bc988058ec3fd15744640e76c1

SHA1
4b218d539c4f26868c7f80baf430b1c17457c3dc

SHA256
d9e0822a24a1399ba460ab85a2270287f1382516272ffa59a77142ce844b45ab

SHA512
860ab96a76006fee38e717bd7c6eae06a3d7fd316f64d3196980fcb83884254484252c754ea3d5617056b9460dd5cbad72904de1680c063649be21930f6b3ced

Download Submit
C:\Windows\System\rGCUOyn.exe

Filesize
2.1MB

MD5
85ef0f05c5fc0f5a15257f84705f56a6

SHA1
8e137c8e3c275ae1bb11c4237191464c0372a1b2

SHA256
65ddb7e988e38b7151718c9bc699816e4c62c09700c860ecec21e61ab3de27dd

SHA512
b8a3185356b96e9801fcdd386bf503c6207305afc83eff531ddb60169553773eebd6ee4b82ac966cafeef117f95a01bdaa8df3a9354316c7af2031634eadd9cc

Download Submit
C:\Windows\System\rzfdKrV.exe

Filesize
2.1MB

MD5
75011932a4079959fabccaf1ebfcef9c

SHA1
917e3b69bc968f4195a8559a670efcdb0f06527e

SHA256
bbce1bc5a07e73b3acc2e74e28fd7cd57a4a5583ed7c7c3034a1c91d75ded680

SHA512
b9117d8382a5e9515d0f4ba9130fe50a05873460b40fec6c961b76f2a4d5fda7f5ba8beebfe7acc401294afef563de247e19f951a9aa72f923d63575db6b2b15

Download Submit
C:\Windows\System\taHkyYS.exe

Filesize
2.1MB

MD5
4632b8f541ec3049b60e59ebfc2da418

SHA1
18350d583a2572c7b9ba49dd6a30203101491af9

SHA256
25bf03e9b18a3d244881ac3026a5e301b08fc91319d6d34537f57825ff123773

SHA512
592ec09d1f609e3dba2de247ef9b549cba8a434d70188af1f42de7db78e9b7fa4da827bc2b2d22eaaab079481b66511349703e38ff1e4289a06b67740ae63c31

Download Submit
C:\Windows\System\wlCxGjm.exe

Filesize
2.1MB

MD5
d0146d08e35f54c3863c90b5ec20ebf3

SHA1
d4068814e7ba61d028edd2b54ebeef46e8d770be

SHA256
dfd5c9e9f2fa03834aa8e343d0552bf758990eb1738f7fcf4b881002f68e62cf

SHA512
38fa8f8b5cd29db6b4874bf0a4de795ee90eb36fab937da54631117932fc9b2703fc575f8706b779c1a122d7b757727a8f0d64c021169bc868d7c774160042a2

Download Submit
C:\Windows\System\wrGPRGd.exe

Filesize
2.1MB

MD5
2f989a21476e82931c27dc1ef23aa644

SHA1
2c7ffdfca6b696509f004d04a05646b2fc81418f

SHA256
c614856e7b286f220ab374724979317f63664254d89726910e2d5f752c46ec12

SHA512
0e90e923949d435afe1f6352a4c6b361c5976f8bba91a4467c7224df0d9cf4866a8c3d61cb208d04b03dfb89523f894b229aee8e7f5f53f2cb1e3fc333423bbc

Download Submit
C:\Windows\System\yPxexvY.exe

Filesize
2.1MB

MD5
6d7f6d0b42cac84b1285a47b2971d487

SHA1
7fd17798edb4564c667b158f5fe0bbb54b3ab9d3

SHA256
638ef8cff35776ba9e58cf6f1545cce8a022ec998c02931ab13e89165c24e79a

SHA512
26fc94a6a6727ed8d078a98cf27a3754a9bd10d401401ef9aa4abd40cdf98b5cc15435edff8d6bf737f803d0b999df1c20d9e9b68cc213710a6f450a889bd1f0

Download Submit
C:\Windows\System\yaaAeqI.exe

Filesize
2.1MB

MD5
0dcbc129a814142958c5d0602805e094

SHA1
62ea103af67c571921211f129f43da7b7c3c2006

SHA256
1abd62cecb6a02527eba615e1679b06ab02d3139eb12cbd56a838ee535066361

SHA512
c7849c521d5f45343944b69aac52b64f7a049629be5fb9d696a0964446c6ac216316d68438c45dc785ac271b7459ba7be64f1f839644a031b5f3c384f911ddf6

Download Submit
memory/1300-24-0x00007FF79D890000-0x00007FF79DBE4000-memory.dmp

Filesize
3.3MB

Download
memory/1300-2116-0x00007FF79D890000-0x00007FF79DBE4000-memory.dmp

Filesize
3.3MB

Download
memory/1524-2133-0x00007FF6AB9F0000-0x00007FF6ABD44000-memory.dmp

Filesize
3.3MB

Download
memory/1524-392-0x00007FF6AB9F0000-0x00007FF6ABD44000-memory.dmp

Filesize
3.3MB

Download
memory/1640-385-0x00007FF6C7E90000-0x00007FF6C81E4000-memory.dmp

Filesize
3.3MB

Download
memory/1640-2136-0x00007FF6C7E90000-0x00007FF6C81E4000-memory.dmp

Filesize
3.3MB

Download
memory/1700-2114-0x00007FF6E80E0000-0x00007FF6E8434000-memory.dmp

Filesize
3.3MB

Download
memory/1700-1941-0x00007FF6E80E0000-0x00007FF6E8434000-memory.dmp

Filesize
3.3MB

Download
memory/1700-17-0x00007FF6E80E0000-0x00007FF6E8434000-memory.dmp

Filesize
3.3MB

Download
memory/2016-388-0x00007FF73C310000-0x00007FF73C664000-memory.dmp

Filesize
3.3MB

Download
memory/2016-2139-0x00007FF73C310000-0x00007FF73C664000-memory.dmp

Filesize
3.3MB

Download
memory/2028-390-0x00007FF7FDAB0000-0x00007FF7FDE04000-memory.dmp

Filesize
3.3MB

Download
memory/2028-2141-0x00007FF7FDAB0000-0x00007FF7FDE04000-memory.dmp

Filesize
3.3MB

Download
memory/2136-382-0x00007FF7F1290000-0x00007FF7F15E4000-memory.dmp

Filesize
3.3MB

Download
memory/2136-2127-0x00007FF7F1290000-0x00007FF7F15E4000-memory.dmp

Filesize
3.3MB

Download
memory/2276-372-0x00007FF79B010000-0x00007FF79B364000-memory.dmp

Filesize
3.3MB

Download
memory/2276-2126-0x00007FF79B010000-0x00007FF79B364000-memory.dmp

Filesize
3.3MB

Download
memory/2332-2125-0x00007FF7F24D0000-0x00007FF7F2824000-memory.dmp

Filesize
3.3MB

Download
memory/2332-393-0x00007FF7F24D0000-0x00007FF7F2824000-memory.dmp

Filesize
3.3MB

Download
memory/2852-2123-0x00007FF7BCE80000-0x00007FF7BD1D4000-memory.dmp

Filesize
3.3MB

Download
memory/2852-46-0x00007FF7BCE80000-0x00007FF7BD1D4000-memory.dmp

Filesize
3.3MB

Download
memory/2852-2112-0x00007FF7BCE80000-0x00007FF7BD1D4000-memory.dmp

Filesize
3.3MB

Download
memory/3024-386-0x00007FF7236C0000-0x00007FF723A14000-memory.dmp

Filesize
3.3MB

Download
memory/3024-2134-0x00007FF7236C0000-0x00007FF723A14000-memory.dmp

Filesize
3.3MB

Download
memory/3388-381-0x00007FF65BD60000-0x00007FF65C0B4000-memory.dmp

Filesize
3.3MB

Download
memory/3388-2132-0x00007FF65BD60000-0x00007FF65C0B4000-memory.dmp

Filesize
3.3MB

Download
memory/3608-2138-0x00007FF7876B0000-0x00007FF787A04000-memory.dmp

Filesize
3.3MB

Download
memory/3608-391-0x00007FF7876B0000-0x00007FF787A04000-memory.dmp

Filesize
3.3MB

Download
memory/3620-32-0x00007FF663D90000-0x00007FF6640E4000-memory.dmp

Filesize
3.3MB

Download
memory/3620-2115-0x00007FF663D90000-0x00007FF6640E4000-memory.dmp

Filesize
3.3MB

Download
memory/3708-363-0x00007FF6C30E0000-0x00007FF6C3434000-memory.dmp

Filesize
3.3MB

Download
memory/3708-2121-0x00007FF6C30E0000-0x00007FF6C3434000-memory.dmp

Filesize
3.3MB

Download
memory/3760-2135-0x00007FF72EA70000-0x00007FF72EDC4000-memory.dmp

Filesize
3.3MB

Download
memory/3760-384-0x00007FF72EA70000-0x00007FF72EDC4000-memory.dmp

Filesize
3.3MB

Download
memory/3904-2124-0x00007FF736110000-0x00007FF736464000-memory.dmp

Filesize
3.3MB

Download
memory/3904-356-0x00007FF736110000-0x00007FF736464000-memory.dmp

Filesize
3.3MB

Download
memory/4196-2110-0x00007FF691300000-0x00007FF691654000-memory.dmp

Filesize
3.3MB

Download
memory/4196-33-0x00007FF691300000-0x00007FF691654000-memory.dmp

Filesize
3.3MB

Download
memory/4196-2119-0x00007FF691300000-0x00007FF691654000-memory.dmp

Filesize
3.3MB

Download
memory/4280-2113-0x00007FF7C7850000-0x00007FF7C7BA4000-memory.dmp

Filesize
3.3MB

Download
memory/4280-352-0x00007FF7C7850000-0x00007FF7C7BA4000-memory.dmp

Filesize
3.3MB

Download
memory/4280-2120-0x00007FF7C7850000-0x00007FF7C7BA4000-memory.dmp

Filesize
3.3MB

Download
memory/4456-364-0x00007FF79C080000-0x00007FF79C3D4000-memory.dmp

Filesize
3.3MB

Download
memory/4456-2122-0x00007FF79C080000-0x00007FF79C3D4000-memory.dmp

Filesize
3.3MB

Download
memory/4476-380-0x00007FF68A410000-0x00007FF68A764000-memory.dmp

Filesize
3.3MB

Download
memory/4476-2131-0x00007FF68A410000-0x00007FF68A764000-memory.dmp

Filesize
3.3MB

Download
memory/4500-2140-0x00007FF622400000-0x00007FF622754000-memory.dmp

Filesize
3.3MB

Download
memory/4500-387-0x00007FF622400000-0x00007FF622754000-memory.dmp

Filesize
3.3MB

Download
memory/4652-2117-0x00007FF722890000-0x00007FF722BE4000-memory.dmp

Filesize
3.3MB

Download
memory/4652-29-0x00007FF722890000-0x00007FF722BE4000-memory.dmp

Filesize
3.3MB

Download
memory/4728-383-0x00007FF703A90000-0x00007FF703DE4000-memory.dmp

Filesize
3.3MB

Download
memory/4728-2137-0x00007FF703A90000-0x00007FF703DE4000-memory.dmp

Filesize
3.3MB

Download
memory/4804-379-0x00007FF625350000-0x00007FF6256A4000-memory.dmp

Filesize
3.3MB

Download
memory/4804-2130-0x00007FF625350000-0x00007FF6256A4000-memory.dmp

Filesize
3.3MB

Download
memory/4840-0-0x00007FF7F46F0000-0x00007FF7F4A44000-memory.dmp

Filesize
3.3MB

Download
memory/4840-1939-0x00007FF7F46F0000-0x00007FF7F4A44000-memory.dmp

Filesize
3.3MB

Download
memory/4840-1-0x000001BEC4130000-0x000001BEC4140000-memory.dmp

Filesize
64KB

Download
memory/4876-38-0x00007FF7A8300000-0x00007FF7A8654000-memory.dmp

Filesize
3.3MB

Download
memory/4876-2111-0x00007FF7A8300000-0x00007FF7A8654000-memory.dmp

Filesize
3.3MB

Download
memory/4876-2118-0x00007FF7A8300000-0x00007FF7A8654000-memory.dmp

Filesize
3.3MB

Download
memory/5036-378-0x00007FF6331B0000-0x00007FF633504000-memory.dmp

Filesize
3.3MB

Download
memory/5036-2129-0x00007FF6331B0000-0x00007FF633504000-memory.dmp

Filesize
3.3MB

Download
memory/5080-365-0x00007FF721DE0000-0x00007FF722134000-memory.dmp

Filesize
3.3MB

Download
memory/5080-2128-0x00007FF721DE0000-0x00007FF722134000-memory.dmp

Filesize
3.3MB

Download
memory/5088-2142-0x00007FF638D30000-0x00007FF639084000-memory.dmp

Filesize
3.3MB

Download
memory/5088-389-0x00007FF638D30000-0x00007FF639084000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads