xmrig | 894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
Size

2.3MB
MD5

f9199ea7e26c7375d019e0f0c7c158a7
SHA1

b57a381654b2aff007a9120a214e4844995593e0
SHA256

894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb
SHA512

efe849e75332e83e39adc0c8e52ecf5cfca3d1bf9deb5c2bcc9aaed02b769aca4c3b4f6cb1fd9251d4ef6e2d1dd7490cc4b7a3ae5ff6d39d8b1cb64552f41400
SSDEEP

49152:oezaTF8FcNkNdfE0pZ9ozt4wIQOY2UrwHjIvmo:oemTLkNdfE0pZrQf

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/3044-0-0x00007FF696540000-0x00007FF696894000-memory.dmp	UPX
behavioral2/files/0x00080000000233e8-5.dat	UPX
behavioral2/files/0x00070000000233ed-8.dat	UPX
behavioral2/memory/1184-13-0x00007FF79C140000-0x00007FF79C494000-memory.dmp	UPX
behavioral2/memory/2344-22-0x00007FF6B7150000-0x00007FF6B74A4000-memory.dmp	UPX
behavioral2/files/0x00070000000233ee-29.dat	UPX
behavioral2/files/0x00070000000233ef-34.dat	UPX
behavioral2/memory/1712-44-0x00007FF7B64B0000-0x00007FF7B6804000-memory.dmp	UPX
behavioral2/memory/4280-45-0x00007FF62FC60000-0x00007FF62FFB4000-memory.dmp	UPX
behavioral2/files/0x00070000000233f3-50.dat	UPX
behavioral2/memory/4136-52-0x00007FF690B40000-0x00007FF690E94000-memory.dmp	UPX
behavioral2/memory/1056-51-0x00007FF676B90000-0x00007FF676EE4000-memory.dmp	UPX
behavioral2/files/0x00070000000233f2-49.dat	UPX
behavioral2/files/0x00070000000233f1-47.dat	UPX
behavioral2/memory/3708-43-0x00007FF797D60000-0x00007FF7980B4000-memory.dmp	UPX
behavioral2/files/0x00070000000233f0-39.dat	UPX
behavioral2/memory/4540-36-0x00007FF71B600000-0x00007FF71B954000-memory.dmp	UPX
behavioral2/memory/3520-21-0x00007FF6479A0000-0x00007FF647CF4000-memory.dmp	UPX
behavioral2/files/0x00070000000233ec-12.dat	UPX
behavioral2/files/0x00070000000233f4-59.dat	UPX
behavioral2/memory/4472-62-0x00007FF79CA80000-0x00007FF79CDD4000-memory.dmp	UPX
behavioral2/files/0x00070000000233f8-72.dat	UPX
behavioral2/files/0x00070000000233f6-73.dat	UPX
behavioral2/files/0x00070000000233f9-90.dat	UPX
behavioral2/files/0x00070000000233fc-101.dat	UPX
behavioral2/files/0x00070000000233fb-112.dat	UPX
behavioral2/files/0x00070000000233fd-115.dat	UPX
behavioral2/memory/2584-117-0x00007FF6EEA60000-0x00007FF6EEDB4000-memory.dmp	UPX
behavioral2/memory/2760-114-0x00007FF61E3A0000-0x00007FF61E6F4000-memory.dmp	UPX
behavioral2/memory/1344-111-0x00007FF70F650000-0x00007FF70F9A4000-memory.dmp	UPX
behavioral2/memory/1744-110-0x00007FF75B7A0000-0x00007FF75BAF4000-memory.dmp	UPX
behavioral2/memory/1184-107-0x00007FF79C140000-0x00007FF79C494000-memory.dmp	UPX
behavioral2/memory/3044-104-0x00007FF696540000-0x00007FF696894000-memory.dmp	UPX
behavioral2/files/0x00070000000233fa-102.dat	UPX
behavioral2/memory/4888-100-0x00007FF686780000-0x00007FF686AD4000-memory.dmp	UPX
behavioral2/memory/448-94-0x00007FF79BD90000-0x00007FF79C0E4000-memory.dmp	UPX
behavioral2/memory/3132-87-0x00007FF607540000-0x00007FF607894000-memory.dmp	UPX
behavioral2/memory/3524-84-0x00007FF7BA930000-0x00007FF7BAC84000-memory.dmp	UPX
behavioral2/files/0x00080000000233e9-80.dat	UPX
behavioral2/files/0x00070000000233f7-78.dat	UPX
behavioral2/memory/2036-75-0x00007FF79E2E0000-0x00007FF79E634000-memory.dmp	UPX
behavioral2/files/0x00070000000233fe-120.dat	UPX
behavioral2/files/0x00070000000233ff-124.dat	UPX
behavioral2/memory/1056-138-0x00007FF676B90000-0x00007FF676EE4000-memory.dmp	UPX
behavioral2/files/0x0007000000023401-151.dat	UPX
behavioral2/files/0x0007000000023405-170.dat	UPX
behavioral2/memory/2252-194-0x00007FF7750F0000-0x00007FF775444000-memory.dmp	UPX
behavioral2/memory/3376-198-0x00007FF6891C0000-0x00007FF689514000-memory.dmp	UPX
behavioral2/memory/3700-200-0x00007FF65D5D0000-0x00007FF65D924000-memory.dmp	UPX
behavioral2/memory/3868-199-0x00007FF6A32B0000-0x00007FF6A3604000-memory.dmp	UPX
behavioral2/memory/4872-197-0x00007FF79B900000-0x00007FF79BC54000-memory.dmp	UPX
behavioral2/memory/2292-195-0x00007FF7602D0000-0x00007FF760624000-memory.dmp	UPX
behavioral2/files/0x000700000002340c-193.dat	UPX
behavioral2/files/0x000700000002340b-192.dat	UPX
behavioral2/files/0x000700000002340a-191.dat	UPX
behavioral2/files/0x0007000000023409-188.dat	UPX
behavioral2/files/0x0007000000023408-178.dat	UPX
behavioral2/files/0x0007000000023407-176.dat	UPX
behavioral2/files/0x0007000000023404-174.dat	UPX
behavioral2/files/0x0007000000023406-172.dat	UPX
behavioral2/memory/4280-164-0x00007FF62FC60000-0x00007FF62FFB4000-memory.dmp	UPX
behavioral2/memory/4624-162-0x00007FF6F0650000-0x00007FF6F09A4000-memory.dmp	UPX
behavioral2/files/0x0007000000023402-156.dat	UPX
behavioral2/files/0x0007000000023403-155.dat	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3044-0-0x00007FF696540000-0x00007FF696894000-memory.dmp	xmrig
behavioral2/files/0x00080000000233e8-5.dat	xmrig
behavioral2/files/0x00070000000233ed-8.dat	xmrig
behavioral2/memory/1184-13-0x00007FF79C140000-0x00007FF79C494000-memory.dmp	xmrig
behavioral2/memory/2344-22-0x00007FF6B7150000-0x00007FF6B74A4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233ee-29.dat	xmrig
behavioral2/files/0x00070000000233ef-34.dat	xmrig
behavioral2/memory/1712-44-0x00007FF7B64B0000-0x00007FF7B6804000-memory.dmp	xmrig
behavioral2/memory/4280-45-0x00007FF62FC60000-0x00007FF62FFB4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f3-50.dat	xmrig
behavioral2/memory/4136-52-0x00007FF690B40000-0x00007FF690E94000-memory.dmp	xmrig
behavioral2/memory/1056-51-0x00007FF676B90000-0x00007FF676EE4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f2-49.dat	xmrig
behavioral2/files/0x00070000000233f1-47.dat	xmrig
behavioral2/memory/3708-43-0x00007FF797D60000-0x00007FF7980B4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f0-39.dat	xmrig
behavioral2/memory/4540-36-0x00007FF71B600000-0x00007FF71B954000-memory.dmp	xmrig
behavioral2/memory/3520-21-0x00007FF6479A0000-0x00007FF647CF4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233ec-12.dat	xmrig
behavioral2/files/0x00070000000233f4-59.dat	xmrig
behavioral2/memory/4472-62-0x00007FF79CA80000-0x00007FF79CDD4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f8-72.dat	xmrig
behavioral2/files/0x00070000000233f6-73.dat	xmrig
behavioral2/files/0x00070000000233f9-90.dat	xmrig
behavioral2/files/0x00070000000233fc-101.dat	xmrig
behavioral2/files/0x00070000000233fb-112.dat	xmrig
behavioral2/files/0x00070000000233fd-115.dat	xmrig
behavioral2/memory/2584-117-0x00007FF6EEA60000-0x00007FF6EEDB4000-memory.dmp	xmrig
behavioral2/memory/2760-114-0x00007FF61E3A0000-0x00007FF61E6F4000-memory.dmp	xmrig
behavioral2/memory/1344-111-0x00007FF70F650000-0x00007FF70F9A4000-memory.dmp	xmrig
behavioral2/memory/1744-110-0x00007FF75B7A0000-0x00007FF75BAF4000-memory.dmp	xmrig
behavioral2/memory/1184-107-0x00007FF79C140000-0x00007FF79C494000-memory.dmp	xmrig
behavioral2/memory/3044-104-0x00007FF696540000-0x00007FF696894000-memory.dmp	xmrig
behavioral2/files/0x00070000000233fa-102.dat	xmrig
behavioral2/memory/4888-100-0x00007FF686780000-0x00007FF686AD4000-memory.dmp	xmrig
behavioral2/memory/448-94-0x00007FF79BD90000-0x00007FF79C0E4000-memory.dmp	xmrig
behavioral2/memory/3132-87-0x00007FF607540000-0x00007FF607894000-memory.dmp	xmrig
behavioral2/memory/3524-84-0x00007FF7BA930000-0x00007FF7BAC84000-memory.dmp	xmrig
behavioral2/files/0x00080000000233e9-80.dat	xmrig
behavioral2/files/0x00070000000233f7-78.dat	xmrig
behavioral2/memory/2036-75-0x00007FF79E2E0000-0x00007FF79E634000-memory.dmp	xmrig
behavioral2/files/0x00070000000233fe-120.dat	xmrig
behavioral2/files/0x00070000000233ff-124.dat	xmrig
behavioral2/memory/1056-138-0x00007FF676B90000-0x00007FF676EE4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023401-151.dat	xmrig
behavioral2/files/0x0007000000023405-170.dat	xmrig
behavioral2/memory/2252-194-0x00007FF7750F0000-0x00007FF775444000-memory.dmp	xmrig
behavioral2/memory/3376-198-0x00007FF6891C0000-0x00007FF689514000-memory.dmp	xmrig
behavioral2/memory/3700-200-0x00007FF65D5D0000-0x00007FF65D924000-memory.dmp	xmrig
behavioral2/memory/3868-199-0x00007FF6A32B0000-0x00007FF6A3604000-memory.dmp	xmrig
behavioral2/memory/4872-197-0x00007FF79B900000-0x00007FF79BC54000-memory.dmp	xmrig
behavioral2/memory/2292-195-0x00007FF7602D0000-0x00007FF760624000-memory.dmp	xmrig
behavioral2/files/0x000700000002340c-193.dat	xmrig
behavioral2/files/0x000700000002340b-192.dat	xmrig
behavioral2/files/0x000700000002340a-191.dat	xmrig
behavioral2/files/0x0007000000023409-188.dat	xmrig
behavioral2/files/0x0007000000023408-178.dat	xmrig
behavioral2/files/0x0007000000023407-176.dat	xmrig
behavioral2/files/0x0007000000023404-174.dat	xmrig
behavioral2/files/0x0007000000023406-172.dat	xmrig
behavioral2/memory/4280-164-0x00007FF62FC60000-0x00007FF62FFB4000-memory.dmp	xmrig
behavioral2/memory/4624-162-0x00007FF6F0650000-0x00007FF6F09A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023402-156.dat	xmrig
behavioral2/files/0x0007000000023403-155.dat	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1184	hfGepCi.exe
3520	xtpMlch.exe
2344	aacEzRF.exe
4540	fKJOHpz.exe
3708	GrPdJoT.exe
1712	XgWrbiD.exe
1056	yYXqCzG.exe
4280	ROARVbK.exe
4136	oXsuLvi.exe
4472	cLdvIUv.exe
2036	MQePvnt.exe
3524	EnKwYzv.exe
3132	gCWInAG.exe
448	jKiygiA.exe
1744	Iwrukih.exe
4888	PdsaWcd.exe
1344	IkwgmAH.exe
2760	ODfkpPZ.exe
2584	nVDmQyy.exe
1392	lReQgZv.exe
1104	lLSQxiV.exe
4624	SxMEsSq.exe
2252	fPRaIFy.exe
2292	IPrUkQV.exe
4372	vcwhJQM.exe
3868	nafUvpl.exe
3700	JHcaENA.exe
4872	TzbahmT.exe
3376	aRdplRr.exe
1696	QZJrdKf.exe
1180	IFPvVZB.exe
1080	MYIAsqS.exe
5072	eAqQyxH.exe
4720	wkLlxDn.exe
4168	zzsPIYN.exe
2448	qePZOys.exe
1360	lxTvekW.exe
4492	gDOzAgu.exe
4504	tbGsqAD.exe
2924	CQgtuNR.exe
876	cUhtakU.exe
3792	JDIoHLJ.exe
1584	dyLzhwI.exe
1684	QWkQzdw.exe
2348	vXoEePf.exe
3172	BEwYvcD.exe
1376	cgNiAzN.exe
4004	dtagVpl.exe
4676	JqHPydv.exe
2188	UEcmmSv.exe
4856	cunDvCz.exe
2536	ukQmUlc.exe
3724	oPUGsWS.exe
3168	ZaHpEXY.exe
1608	CIqmVeQ.exe
1496	YwGlbHg.exe
1800	sclbMyW.exe
1292	MVGrKPV.exe
2844	XlwgaMc.exe
3248	SuvvCoa.exe
3128	VlXDAir.exe
2720	Jutlfhf.exe
4284	hHEtYaI.exe
2756	qqHvxHD.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3044-0-0x00007FF696540000-0x00007FF696894000-memory.dmp	upx
behavioral2/files/0x00080000000233e8-5.dat	upx
behavioral2/files/0x00070000000233ed-8.dat	upx
behavioral2/memory/1184-13-0x00007FF79C140000-0x00007FF79C494000-memory.dmp	upx
behavioral2/memory/2344-22-0x00007FF6B7150000-0x00007FF6B74A4000-memory.dmp	upx
behavioral2/files/0x00070000000233ee-29.dat	upx
behavioral2/files/0x00070000000233ef-34.dat	upx
behavioral2/memory/1712-44-0x00007FF7B64B0000-0x00007FF7B6804000-memory.dmp	upx
behavioral2/memory/4280-45-0x00007FF62FC60000-0x00007FF62FFB4000-memory.dmp	upx
behavioral2/files/0x00070000000233f3-50.dat	upx
behavioral2/memory/4136-52-0x00007FF690B40000-0x00007FF690E94000-memory.dmp	upx
behavioral2/memory/1056-51-0x00007FF676B90000-0x00007FF676EE4000-memory.dmp	upx
behavioral2/files/0x00070000000233f2-49.dat	upx
behavioral2/files/0x00070000000233f1-47.dat	upx
behavioral2/memory/3708-43-0x00007FF797D60000-0x00007FF7980B4000-memory.dmp	upx
behavioral2/files/0x00070000000233f0-39.dat	upx
behavioral2/memory/4540-36-0x00007FF71B600000-0x00007FF71B954000-memory.dmp	upx
behavioral2/memory/3520-21-0x00007FF6479A0000-0x00007FF647CF4000-memory.dmp	upx
behavioral2/files/0x00070000000233ec-12.dat	upx
behavioral2/files/0x00070000000233f4-59.dat	upx
behavioral2/memory/4472-62-0x00007FF79CA80000-0x00007FF79CDD4000-memory.dmp	upx
behavioral2/files/0x00070000000233f8-72.dat	upx
behavioral2/files/0x00070000000233f6-73.dat	upx
behavioral2/files/0x00070000000233f9-90.dat	upx
behavioral2/files/0x00070000000233fc-101.dat	upx
behavioral2/files/0x00070000000233fb-112.dat	upx
behavioral2/files/0x00070000000233fd-115.dat	upx
behavioral2/memory/2584-117-0x00007FF6EEA60000-0x00007FF6EEDB4000-memory.dmp	upx
behavioral2/memory/2760-114-0x00007FF61E3A0000-0x00007FF61E6F4000-memory.dmp	upx
behavioral2/memory/1344-111-0x00007FF70F650000-0x00007FF70F9A4000-memory.dmp	upx
behavioral2/memory/1744-110-0x00007FF75B7A0000-0x00007FF75BAF4000-memory.dmp	upx
behavioral2/memory/1184-107-0x00007FF79C140000-0x00007FF79C494000-memory.dmp	upx
behavioral2/memory/3044-104-0x00007FF696540000-0x00007FF696894000-memory.dmp	upx
behavioral2/files/0x00070000000233fa-102.dat	upx
behavioral2/memory/4888-100-0x00007FF686780000-0x00007FF686AD4000-memory.dmp	upx
behavioral2/memory/448-94-0x00007FF79BD90000-0x00007FF79C0E4000-memory.dmp	upx
behavioral2/memory/3132-87-0x00007FF607540000-0x00007FF607894000-memory.dmp	upx
behavioral2/memory/3524-84-0x00007FF7BA930000-0x00007FF7BAC84000-memory.dmp	upx
behavioral2/files/0x00080000000233e9-80.dat	upx
behavioral2/files/0x00070000000233f7-78.dat	upx
behavioral2/memory/2036-75-0x00007FF79E2E0000-0x00007FF79E634000-memory.dmp	upx
behavioral2/files/0x00070000000233fe-120.dat	upx
behavioral2/files/0x00070000000233ff-124.dat	upx
behavioral2/memory/1056-138-0x00007FF676B90000-0x00007FF676EE4000-memory.dmp	upx
behavioral2/files/0x0007000000023401-151.dat	upx
behavioral2/files/0x0007000000023405-170.dat	upx
behavioral2/memory/2252-194-0x00007FF7750F0000-0x00007FF775444000-memory.dmp	upx
behavioral2/memory/3376-198-0x00007FF6891C0000-0x00007FF689514000-memory.dmp	upx
behavioral2/memory/3700-200-0x00007FF65D5D0000-0x00007FF65D924000-memory.dmp	upx
behavioral2/memory/3868-199-0x00007FF6A32B0000-0x00007FF6A3604000-memory.dmp	upx
behavioral2/memory/4872-197-0x00007FF79B900000-0x00007FF79BC54000-memory.dmp	upx
behavioral2/memory/2292-195-0x00007FF7602D0000-0x00007FF760624000-memory.dmp	upx
behavioral2/files/0x000700000002340c-193.dat	upx
behavioral2/files/0x000700000002340b-192.dat	upx
behavioral2/files/0x000700000002340a-191.dat	upx
behavioral2/files/0x0007000000023409-188.dat	upx
behavioral2/files/0x0007000000023408-178.dat	upx
behavioral2/files/0x0007000000023407-176.dat	upx
behavioral2/files/0x0007000000023404-174.dat	upx
behavioral2/files/0x0007000000023406-172.dat	upx
behavioral2/memory/4280-164-0x00007FF62FC60000-0x00007FF62FFB4000-memory.dmp	upx
behavioral2/memory/4624-162-0x00007FF6F0650000-0x00007FF6F09A4000-memory.dmp	upx
behavioral2/files/0x0007000000023402-156.dat	upx
behavioral2/files/0x0007000000023403-155.dat	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\CQqCMdb.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\KCmdVtM.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\mGEljbR.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\cmODbBe.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\OPWgXjl.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\xOQrMWW.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\ukQmUlc.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\aAMtbLF.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\tqtTTnN.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\lYjRfGb.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\CIqmVeQ.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\rjGDSxs.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\JLyZJXk.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\yZxAYKT.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\jKiygiA.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\wuejLEe.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\zyLJrxx.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\sclbMyW.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\QsDmKYq.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\TbYZUkP.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\nthqJwI.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\LWDKObl.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\ctwlPDR.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\nwCeLFH.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\ZLehYkU.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\TKlCazK.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\BEkEFzL.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\jaeUlSq.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\XPuFOAy.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\ktXSCUB.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\moJjjnd.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\KtERteN.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\DQwhfLl.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\NMJdwDM.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\MayTqTv.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\eAqQyxH.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\uSsevyo.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\aacEzRF.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\UyMUjge.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\SukVplH.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\scyIzht.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\SxoWLZe.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\FaqdcSb.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\ZNlZpUt.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\TpxlSQD.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\YluwpJH.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\tCdLcYk.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\WXPvkbD.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\CXXzNSe.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\rFfmKSE.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\ZtwUCBs.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\pwxzCrK.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\wekizSL.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\MXHhhWR.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\fFxwpXU.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\ZaHpEXY.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\TTmEfJB.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\EcDHYRH.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\AFDGZII.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\JNbptCo.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\jSTFuLH.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\BqQOGBF.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\rumVKhR.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
File created	C:\Windows\System\OIrwTrh.exe	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	15184	dwm.exe
Token: SeChangeNotifyPrivilege	15184	dwm.exe
Token: 33	15184	dwm.exe
Token: SeIncBasePriorityPrivilege	15184	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 1184	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	84
PID 3044 wrote to memory of 1184	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	84
PID 3044 wrote to memory of 3520	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	85
PID 3044 wrote to memory of 3520	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	85
PID 3044 wrote to memory of 2344	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	86
PID 3044 wrote to memory of 2344	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	86
PID 3044 wrote to memory of 4540	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	87
PID 3044 wrote to memory of 4540	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	87
PID 3044 wrote to memory of 3708	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	88
PID 3044 wrote to memory of 3708	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	88
PID 3044 wrote to memory of 1712	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	89
PID 3044 wrote to memory of 1712	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	89
PID 3044 wrote to memory of 1056	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	90
PID 3044 wrote to memory of 1056	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	90
PID 3044 wrote to memory of 4280	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	91
PID 3044 wrote to memory of 4280	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	91
PID 3044 wrote to memory of 4136	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	92
PID 3044 wrote to memory of 4136	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	92
PID 3044 wrote to memory of 4472	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	93
PID 3044 wrote to memory of 4472	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	93
PID 3044 wrote to memory of 2036	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	94
PID 3044 wrote to memory of 2036	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	94
PID 3044 wrote to memory of 3524	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	95
PID 3044 wrote to memory of 3524	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	95
PID 3044 wrote to memory of 448	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	96
PID 3044 wrote to memory of 448	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	96
PID 3044 wrote to memory of 3132	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	97
PID 3044 wrote to memory of 3132	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	97
PID 3044 wrote to memory of 1744	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	98
PID 3044 wrote to memory of 1744	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	98
PID 3044 wrote to memory of 4888	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	99
PID 3044 wrote to memory of 4888	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	99
PID 3044 wrote to memory of 1344	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	100
PID 3044 wrote to memory of 1344	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	100
PID 3044 wrote to memory of 2760	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	101
PID 3044 wrote to memory of 2760	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	101
PID 3044 wrote to memory of 2584	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	102
PID 3044 wrote to memory of 2584	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	102
PID 3044 wrote to memory of 1392	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	103
PID 3044 wrote to memory of 1392	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	103
PID 3044 wrote to memory of 1104	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	104
PID 3044 wrote to memory of 1104	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	104
PID 3044 wrote to memory of 4624	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	105
PID 3044 wrote to memory of 4624	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	105
PID 3044 wrote to memory of 2252	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	106
PID 3044 wrote to memory of 2252	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	106
PID 3044 wrote to memory of 2292	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	107
PID 3044 wrote to memory of 2292	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	107
PID 3044 wrote to memory of 4372	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	108
PID 3044 wrote to memory of 4372	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	108
PID 3044 wrote to memory of 4872	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	109
PID 3044 wrote to memory of 4872	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	109
PID 3044 wrote to memory of 3868	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	110
PID 3044 wrote to memory of 3868	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	110
PID 3044 wrote to memory of 3700	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	111
PID 3044 wrote to memory of 3700	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	111
PID 3044 wrote to memory of 3376	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	112
PID 3044 wrote to memory of 3376	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	112
PID 3044 wrote to memory of 1696	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	113
PID 3044 wrote to memory of 1696	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	113
PID 3044 wrote to memory of 1180	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	114
PID 3044 wrote to memory of 1180	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	114
PID 3044 wrote to memory of 1080	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	116
PID 3044 wrote to memory of 1080	3044	894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe	116

C:\Users\Admin\AppData\Local\Temp\894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe
"C:\Users\Admin\AppData\Local\Temp\894d6e93c43b5059141056ac878b2e0a120b8f8aca52db9eeda9b412b902dbcb.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\System\hfGepCi.exe
  C:\Windows\System\hfGepCi.exe
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\System\xtpMlch.exe
  C:\Windows\System\xtpMlch.exe
  2⤵
  - Executes dropped EXE
  PID:3520
- C:\Windows\System\aacEzRF.exe
  C:\Windows\System\aacEzRF.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\fKJOHpz.exe
  C:\Windows\System\fKJOHpz.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System\GrPdJoT.exe
  C:\Windows\System\GrPdJoT.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System\XgWrbiD.exe
  C:\Windows\System\XgWrbiD.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\System\yYXqCzG.exe
  C:\Windows\System\yYXqCzG.exe
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\System\ROARVbK.exe
  C:\Windows\System\ROARVbK.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System\oXsuLvi.exe
  C:\Windows\System\oXsuLvi.exe
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\Windows\System\cLdvIUv.exe
  C:\Windows\System\cLdvIUv.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System\MQePvnt.exe
  C:\Windows\System\MQePvnt.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System\EnKwYzv.exe
  C:\Windows\System\EnKwYzv.exe
  2⤵
  - Executes dropped EXE
  PID:3524
- C:\Windows\System\jKiygiA.exe
  C:\Windows\System\jKiygiA.exe
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Windows\System\gCWInAG.exe
  C:\Windows\System\gCWInAG.exe
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\System\Iwrukih.exe
  C:\Windows\System\Iwrukih.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System\PdsaWcd.exe
  C:\Windows\System\PdsaWcd.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System\IkwgmAH.exe
  C:\Windows\System\IkwgmAH.exe
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\System\ODfkpPZ.exe
  C:\Windows\System\ODfkpPZ.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\nVDmQyy.exe
  C:\Windows\System\nVDmQyy.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\lReQgZv.exe
  C:\Windows\System\lReQgZv.exe
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\System\lLSQxiV.exe
  C:\Windows\System\lLSQxiV.exe
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\System\SxMEsSq.exe
  C:\Windows\System\SxMEsSq.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System\fPRaIFy.exe
  C:\Windows\System\fPRaIFy.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System\IPrUkQV.exe
  C:\Windows\System\IPrUkQV.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System\vcwhJQM.exe
  C:\Windows\System\vcwhJQM.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System\TzbahmT.exe
  C:\Windows\System\TzbahmT.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System\nafUvpl.exe
  C:\Windows\System\nafUvpl.exe
  2⤵
  - Executes dropped EXE
  PID:3868
- C:\Windows\System\JHcaENA.exe
  C:\Windows\System\JHcaENA.exe
  2⤵
  - Executes dropped EXE
  PID:3700
- C:\Windows\System\aRdplRr.exe
  C:\Windows\System\aRdplRr.exe
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Windows\System\QZJrdKf.exe
  C:\Windows\System\QZJrdKf.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\System\IFPvVZB.exe
  C:\Windows\System\IFPvVZB.exe
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\System\MYIAsqS.exe
  C:\Windows\System\MYIAsqS.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System\eAqQyxH.exe
  C:\Windows\System\eAqQyxH.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\wkLlxDn.exe
  C:\Windows\System\wkLlxDn.exe
  2⤵
  - Executes dropped EXE
  PID:4720
- C:\Windows\System\zzsPIYN.exe
  C:\Windows\System\zzsPIYN.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System\qePZOys.exe
  C:\Windows\System\qePZOys.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System\lxTvekW.exe
  C:\Windows\System\lxTvekW.exe
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Windows\System\gDOzAgu.exe
  C:\Windows\System\gDOzAgu.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\tbGsqAD.exe
  C:\Windows\System\tbGsqAD.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System\CQgtuNR.exe
  C:\Windows\System\CQgtuNR.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\cUhtakU.exe
  C:\Windows\System\cUhtakU.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System\JDIoHLJ.exe
  C:\Windows\System\JDIoHLJ.exe
  2⤵
  - Executes dropped EXE
  PID:3792
- C:\Windows\System\dyLzhwI.exe
  C:\Windows\System\dyLzhwI.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\System\QWkQzdw.exe
  C:\Windows\System\QWkQzdw.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System\vXoEePf.exe
  C:\Windows\System\vXoEePf.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System\BEwYvcD.exe
  C:\Windows\System\BEwYvcD.exe
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Windows\System\cgNiAzN.exe
  C:\Windows\System\cgNiAzN.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System\dtagVpl.exe
  C:\Windows\System\dtagVpl.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\System\JqHPydv.exe
  C:\Windows\System\JqHPydv.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System\UEcmmSv.exe
  C:\Windows\System\UEcmmSv.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\cunDvCz.exe
  C:\Windows\System\cunDvCz.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System\ukQmUlc.exe
  C:\Windows\System\ukQmUlc.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\oPUGsWS.exe
  C:\Windows\System\oPUGsWS.exe
  2⤵
  - Executes dropped EXE
  PID:3724
- C:\Windows\System\ZaHpEXY.exe
  C:\Windows\System\ZaHpEXY.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System\CIqmVeQ.exe
  C:\Windows\System\CIqmVeQ.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System\YwGlbHg.exe
  C:\Windows\System\YwGlbHg.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System\sclbMyW.exe
  C:\Windows\System\sclbMyW.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System\MVGrKPV.exe
  C:\Windows\System\MVGrKPV.exe
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\System\XlwgaMc.exe
  C:\Windows\System\XlwgaMc.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System\SuvvCoa.exe
  C:\Windows\System\SuvvCoa.exe
  2⤵
  - Executes dropped EXE
  PID:3248
- C:\Windows\System\VlXDAir.exe
  C:\Windows\System\VlXDAir.exe
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Windows\System\Jutlfhf.exe
  C:\Windows\System\Jutlfhf.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System\hHEtYaI.exe
  C:\Windows\System\hHEtYaI.exe
  2⤵
  - Executes dropped EXE
  PID:4284
- C:\Windows\System\qqHvxHD.exe
  C:\Windows\System\qqHvxHD.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\pURyPKM.exe
  C:\Windows\System\pURyPKM.exe
  2⤵
  PID:3144
- C:\Windows\System\WlZYFYS.exe
  C:\Windows\System\WlZYFYS.exe
  2⤵
  PID:1996
- C:\Windows\System\njkBsTF.exe
  C:\Windows\System\njkBsTF.exe
  2⤵
  PID:5036
- C:\Windows\System\kfoEMdh.exe
  C:\Windows\System\kfoEMdh.exe
  2⤵
  PID:4244
- C:\Windows\System\GYTrhly.exe
  C:\Windows\System\GYTrhly.exe
  2⤵
  PID:4528
- C:\Windows\System\AyhGwBp.exe
  C:\Windows\System\AyhGwBp.exe
  2⤵
  PID:2268
- C:\Windows\System\CdkJgHS.exe
  C:\Windows\System\CdkJgHS.exe
  2⤵
  PID:392
- C:\Windows\System\JLyZJXk.exe
  C:\Windows\System\JLyZJXk.exe
  2⤵
  PID:4404
- C:\Windows\System\HhqNVxo.exe
  C:\Windows\System\HhqNVxo.exe
  2⤵
  PID:3212
- C:\Windows\System\aAMtbLF.exe
  C:\Windows\System\aAMtbLF.exe
  2⤵
  PID:980
- C:\Windows\System\wijtRMi.exe
  C:\Windows\System\wijtRMi.exe
  2⤵
  PID:1404
- C:\Windows\System\VzlIAhN.exe
  C:\Windows\System\VzlIAhN.exe
  2⤵
  PID:5100
- C:\Windows\System\VLLJEtb.exe
  C:\Windows\System\VLLJEtb.exe
  2⤵
  PID:2652
- C:\Windows\System\LQvtDjK.exe
  C:\Windows\System\LQvtDjK.exe
  2⤵
  PID:4172
- C:\Windows\System\JTdlJti.exe
  C:\Windows\System\JTdlJti.exe
  2⤵
  PID:1736
- C:\Windows\System\vFReRwm.exe
  C:\Windows\System\vFReRwm.exe
  2⤵
  PID:4072
- C:\Windows\System\fuTlrzS.exe
  C:\Windows\System\fuTlrzS.exe
  2⤵
  PID:2076
- C:\Windows\System\sKMBiBA.exe
  C:\Windows\System\sKMBiBA.exe
  2⤵
  PID:4272
- C:\Windows\System\usShPMe.exe
  C:\Windows\System\usShPMe.exe
  2⤵
  PID:2128
- C:\Windows\System\YxImAOQ.exe
  C:\Windows\System\YxImAOQ.exe
  2⤵
  PID:3048
- C:\Windows\System\YyXNsMy.exe
  C:\Windows\System\YyXNsMy.exe
  2⤵
  PID:4728
- C:\Windows\System\kAokskR.exe
  C:\Windows\System\kAokskR.exe
  2⤵
  PID:4740
- C:\Windows\System\kaDLjhY.exe
  C:\Windows\System\kaDLjhY.exe
  2⤵
  PID:5144
- C:\Windows\System\DgKIRaA.exe
  C:\Windows\System\DgKIRaA.exe
  2⤵
  PID:5172
- C:\Windows\System\mPQudmg.exe
  C:\Windows\System\mPQudmg.exe
  2⤵
  PID:5200
- C:\Windows\System\DIplWAr.exe
  C:\Windows\System\DIplWAr.exe
  2⤵
  PID:5224
- C:\Windows\System\MoSLKcd.exe
  C:\Windows\System\MoSLKcd.exe
  2⤵
  PID:5272
- C:\Windows\System\LCylhTt.exe
  C:\Windows\System\LCylhTt.exe
  2⤵
  PID:5300
- C:\Windows\System\klTbpiJ.exe
  C:\Windows\System\klTbpiJ.exe
  2⤵
  PID:5336
- C:\Windows\System\spgWPBK.exe
  C:\Windows\System\spgWPBK.exe
  2⤵
  PID:5356
- C:\Windows\System\otyUaID.exe
  C:\Windows\System\otyUaID.exe
  2⤵
  PID:5388
- C:\Windows\System\LGunavA.exe
  C:\Windows\System\LGunavA.exe
  2⤵
  PID:5424
- C:\Windows\System\zdohOCq.exe
  C:\Windows\System\zdohOCq.exe
  2⤵
  PID:5444
- C:\Windows\System\EcDHYRH.exe
  C:\Windows\System\EcDHYRH.exe
  2⤵
  PID:5468
- C:\Windows\System\udEdUIK.exe
  C:\Windows\System\udEdUIK.exe
  2⤵
  PID:5508
- C:\Windows\System\UfVERfa.exe
  C:\Windows\System\UfVERfa.exe
  2⤵
  PID:5548
- C:\Windows\System\plvZXtq.exe
  C:\Windows\System\plvZXtq.exe
  2⤵
  PID:5580
- C:\Windows\System\nmUqXAh.exe
  C:\Windows\System\nmUqXAh.exe
  2⤵
  PID:5616
- C:\Windows\System\siElIvV.exe
  C:\Windows\System\siElIvV.exe
  2⤵
  PID:5648
- C:\Windows\System\oXLHNPh.exe
  C:\Windows\System\oXLHNPh.exe
  2⤵
  PID:5680
- C:\Windows\System\pbtKdJB.exe
  C:\Windows\System\pbtKdJB.exe
  2⤵
  PID:5708
- C:\Windows\System\IHiSURe.exe
  C:\Windows\System\IHiSURe.exe
  2⤵
  PID:5732
- C:\Windows\System\BfLQTot.exe
  C:\Windows\System\BfLQTot.exe
  2⤵
  PID:5792
- C:\Windows\System\scyIzht.exe
  C:\Windows\System\scyIzht.exe
  2⤵
  PID:5836
- C:\Windows\System\almIhzE.exe
  C:\Windows\System\almIhzE.exe
  2⤵
  PID:5872
- C:\Windows\System\oYDnnWn.exe
  C:\Windows\System\oYDnnWn.exe
  2⤵
  PID:5904
- C:\Windows\System\CjrCngW.exe
  C:\Windows\System\CjrCngW.exe
  2⤵
  PID:5932
- C:\Windows\System\FouXVpC.exe
  C:\Windows\System\FouXVpC.exe
  2⤵
  PID:5960
- C:\Windows\System\mNSqeuA.exe
  C:\Windows\System\mNSqeuA.exe
  2⤵
  PID:5988
- C:\Windows\System\wMisSGI.exe
  C:\Windows\System\wMisSGI.exe
  2⤵
  PID:6020
- C:\Windows\System\qSjrWKg.exe
  C:\Windows\System\qSjrWKg.exe
  2⤵
  PID:6048
- C:\Windows\System\CYWFhUK.exe
  C:\Windows\System\CYWFhUK.exe
  2⤵
  PID:6076
- C:\Windows\System\UZQDJsD.exe
  C:\Windows\System\UZQDJsD.exe
  2⤵
  PID:6108
- C:\Windows\System\rFfmKSE.exe
  C:\Windows\System\rFfmKSE.exe
  2⤵
  PID:6136
- C:\Windows\System\SFiJIVx.exe
  C:\Windows\System\SFiJIVx.exe
  2⤵
  PID:5132
- C:\Windows\System\CiDCyPG.exe
  C:\Windows\System\CiDCyPG.exe
  2⤵
  PID:5220
- C:\Windows\System\KOyDALp.exe
  C:\Windows\System\KOyDALp.exe
  2⤵
  PID:5288
- C:\Windows\System\QxvFMkJ.exe
  C:\Windows\System\QxvFMkJ.exe
  2⤵
  PID:5368
- C:\Windows\System\dHOGqjI.exe
  C:\Windows\System\dHOGqjI.exe
  2⤵
  PID:5416
- C:\Windows\System\TTmEfJB.exe
  C:\Windows\System\TTmEfJB.exe
  2⤵
  PID:5492
- C:\Windows\System\wuejLEe.exe
  C:\Windows\System\wuejLEe.exe
  2⤵
  PID:5572
- C:\Windows\System\cvFWprB.exe
  C:\Windows\System\cvFWprB.exe
  2⤵
  PID:5672
- C:\Windows\System\azrWbFv.exe
  C:\Windows\System\azrWbFv.exe
  2⤵
  PID:5728
- C:\Windows\System\awUZpsR.exe
  C:\Windows\System\awUZpsR.exe
  2⤵
  PID:5816
- C:\Windows\System\PmnghMo.exe
  C:\Windows\System\PmnghMo.exe
  2⤵
  PID:5896
- C:\Windows\System\MSOAvIE.exe
  C:\Windows\System\MSOAvIE.exe
  2⤵
  PID:5984
- C:\Windows\System\VWRhfGJ.exe
  C:\Windows\System\VWRhfGJ.exe
  2⤵
  PID:6096
- C:\Windows\System\jwLIKkw.exe
  C:\Windows\System\jwLIKkw.exe
  2⤵
  PID:5156
- C:\Windows\System\HDypfuJ.exe
  C:\Windows\System\HDypfuJ.exe
  2⤵
  PID:5352
- C:\Windows\System\JVQKFtZ.exe
  C:\Windows\System\JVQKFtZ.exe
  2⤵
  PID:5520
- C:\Windows\System\ICMxSFT.exe
  C:\Windows\System\ICMxSFT.exe
  2⤵
  PID:5780
- C:\Windows\System\BWetfrR.exe
  C:\Windows\System\BWetfrR.exe
  2⤵
  PID:3492
- C:\Windows\System\IDEFotr.exe
  C:\Windows\System\IDEFotr.exe
  2⤵
  PID:5776
- C:\Windows\System\luhDRem.exe
  C:\Windows\System\luhDRem.exe
  2⤵
  PID:5952
- C:\Windows\System\MCqaxBH.exe
  C:\Windows\System\MCqaxBH.exe
  2⤵
  PID:5252
- C:\Windows\System\ZUteEwZ.exe
  C:\Windows\System\ZUteEwZ.exe
  2⤵
  PID:5772
- C:\Windows\System\TKlCazK.exe
  C:\Windows\System\TKlCazK.exe
  2⤵
  PID:5924
- C:\Windows\System\ddceoMo.exe
  C:\Windows\System\ddceoMo.exe
  2⤵
  PID:1828
- C:\Windows\System\QuCKSfN.exe
  C:\Windows\System\QuCKSfN.exe
  2⤵
  PID:5972
- C:\Windows\System\MnwZeQj.exe
  C:\Windows\System\MnwZeQj.exe
  2⤵
  PID:6128
- C:\Windows\System\JlHkFNk.exe
  C:\Windows\System\JlHkFNk.exe
  2⤵
  PID:6168
- C:\Windows\System\OLzQtrc.exe
  C:\Windows\System\OLzQtrc.exe
  2⤵
  PID:6196
- C:\Windows\System\qgPSKbp.exe
  C:\Windows\System\qgPSKbp.exe
  2⤵
  PID:6224
- C:\Windows\System\JFOqIWG.exe
  C:\Windows\System\JFOqIWG.exe
  2⤵
  PID:6248
- C:\Windows\System\IQCpPOq.exe
  C:\Windows\System\IQCpPOq.exe
  2⤵
  PID:6276
- C:\Windows\System\QsDmKYq.exe
  C:\Windows\System\QsDmKYq.exe
  2⤵
  PID:6312
- C:\Windows\System\TpxlSQD.exe
  C:\Windows\System\TpxlSQD.exe
  2⤵
  PID:6336
- C:\Windows\System\AqYMgMA.exe
  C:\Windows\System\AqYMgMA.exe
  2⤵
  PID:6360
- C:\Windows\System\gzQUJyS.exe
  C:\Windows\System\gzQUJyS.exe
  2⤵
  PID:6392
- C:\Windows\System\bwgjFFr.exe
  C:\Windows\System\bwgjFFr.exe
  2⤵
  PID:6424
- C:\Windows\System\RpLMnUw.exe
  C:\Windows\System\RpLMnUw.exe
  2⤵
  PID:6448
- C:\Windows\System\PoLJOWb.exe
  C:\Windows\System\PoLJOWb.exe
  2⤵
  PID:6480
- C:\Windows\System\CznosKK.exe
  C:\Windows\System\CznosKK.exe
  2⤵
  PID:6508
- C:\Windows\System\GwSqhvj.exe
  C:\Windows\System\GwSqhvj.exe
  2⤵
  PID:6532
- C:\Windows\System\bNclfxr.exe
  C:\Windows\System\bNclfxr.exe
  2⤵
  PID:6560
- C:\Windows\System\zzZIHsm.exe
  C:\Windows\System\zzZIHsm.exe
  2⤵
  PID:6588
- C:\Windows\System\fuaHmRe.exe
  C:\Windows\System\fuaHmRe.exe
  2⤵
  PID:6616
- C:\Windows\System\wzRceYe.exe
  C:\Windows\System\wzRceYe.exe
  2⤵
  PID:6644
- C:\Windows\System\rNHHmQQ.exe
  C:\Windows\System\rNHHmQQ.exe
  2⤵
  PID:6672
- C:\Windows\System\xMotlnG.exe
  C:\Windows\System\xMotlnG.exe
  2⤵
  PID:6688
- C:\Windows\System\uSsevyo.exe
  C:\Windows\System\uSsevyo.exe
  2⤵
  PID:6708
- C:\Windows\System\NozDyul.exe
  C:\Windows\System\NozDyul.exe
  2⤵
  PID:6728
- C:\Windows\System\eReUngF.exe
  C:\Windows\System\eReUngF.exe
  2⤵
  PID:6764
- C:\Windows\System\LbAQXVY.exe
  C:\Windows\System\LbAQXVY.exe
  2⤵
  PID:6800
- C:\Windows\System\WTMBcYv.exe
  C:\Windows\System\WTMBcYv.exe
  2⤵
  PID:6852
- C:\Windows\System\LdGfHYP.exe
  C:\Windows\System\LdGfHYP.exe
  2⤵
  PID:6872
- C:\Windows\System\FyoJtpp.exe
  C:\Windows\System\FyoJtpp.exe
  2⤵
  PID:6904
- C:\Windows\System\frHYzMY.exe
  C:\Windows\System\frHYzMY.exe
  2⤵
  PID:6932
- C:\Windows\System\GJRnKUF.exe
  C:\Windows\System\GJRnKUF.exe
  2⤵
  PID:6964
- C:\Windows\System\RANvAus.exe
  C:\Windows\System\RANvAus.exe
  2⤵
  PID:6992
- C:\Windows\System\eicbCGi.exe
  C:\Windows\System\eicbCGi.exe
  2⤵
  PID:7008
- C:\Windows\System\WinSHmG.exe
  C:\Windows\System\WinSHmG.exe
  2⤵
  PID:7032
- C:\Windows\System\NLllSNa.exe
  C:\Windows\System\NLllSNa.exe
  2⤵
  PID:7068
- C:\Windows\System\FaNNZSi.exe
  C:\Windows\System\FaNNZSi.exe
  2⤵
  PID:7104
- C:\Windows\System\IXFOrup.exe
  C:\Windows\System\IXFOrup.exe
  2⤵
  PID:7124
- C:\Windows\System\pIXRLdF.exe
  C:\Windows\System\pIXRLdF.exe
  2⤵
  PID:7148
- C:\Windows\System\EtJmxiy.exe
  C:\Windows\System\EtJmxiy.exe
  2⤵
  PID:6160
- C:\Windows\System\tsCIKPS.exe
  C:\Windows\System\tsCIKPS.exe
  2⤵
  PID:6236
- C:\Windows\System\sOWKkub.exe
  C:\Windows\System\sOWKkub.exe
  2⤵
  PID:6296
- C:\Windows\System\BlZAhXH.exe
  C:\Windows\System\BlZAhXH.exe
  2⤵
  PID:6356
- C:\Windows\System\rHckIWi.exe
  C:\Windows\System\rHckIWi.exe
  2⤵
  PID:6440
- C:\Windows\System\ssBnMqZ.exe
  C:\Windows\System\ssBnMqZ.exe
  2⤵
  PID:6500
- C:\Windows\System\OaiXdXH.exe
  C:\Windows\System\OaiXdXH.exe
  2⤵
  PID:6584
- C:\Windows\System\eftLFvO.exe
  C:\Windows\System\eftLFvO.exe
  2⤵
  PID:6656
- C:\Windows\System\xNveJvJ.exe
  C:\Windows\System\xNveJvJ.exe
  2⤵
  PID:6756
- C:\Windows\System\CxOZrgU.exe
  C:\Windows\System\CxOZrgU.exe
  2⤵
  PID:6780
- C:\Windows\System\KDNZqzs.exe
  C:\Windows\System\KDNZqzs.exe
  2⤵
  PID:6864
- C:\Windows\System\uUWGrdf.exe
  C:\Windows\System\uUWGrdf.exe
  2⤵
  PID:6952
- C:\Windows\System\cfRWblV.exe
  C:\Windows\System\cfRWblV.exe
  2⤵
  PID:7052
- C:\Windows\System\LWdTgcV.exe
  C:\Windows\System\LWdTgcV.exe
  2⤵
  PID:7140
- C:\Windows\System\fDdAZkQ.exe
  C:\Windows\System\fDdAZkQ.exe
  2⤵
  PID:6260
- C:\Windows\System\NxldkMA.exe
  C:\Windows\System\NxldkMA.exe
  2⤵
  PID:6408
- C:\Windows\System\kHuxtDk.exe
  C:\Windows\System\kHuxtDk.exe
  2⤵
  PID:6580
- C:\Windows\System\kjSsWoK.exe
  C:\Windows\System\kjSsWoK.exe
  2⤵
  PID:6720
- C:\Windows\System\hnASdxe.exe
  C:\Windows\System\hnASdxe.exe
  2⤵
  PID:6696
- C:\Windows\System\NwsAcfu.exe
  C:\Windows\System\NwsAcfu.exe
  2⤵
  PID:7132
- C:\Windows\System\zUBKYqs.exe
  C:\Windows\System\zUBKYqs.exe
  2⤵
  PID:6528
- C:\Windows\System\dvnrJpH.exe
  C:\Windows\System\dvnrJpH.exe
  2⤵
  PID:6860
- C:\Windows\System\FYuazxn.exe
  C:\Windows\System\FYuazxn.exe
  2⤵
  PID:6328
- C:\Windows\System\LpAJtxn.exe
  C:\Windows\System\LpAJtxn.exe
  2⤵
  PID:6204
- C:\Windows\System\lzNbWKt.exe
  C:\Windows\System\lzNbWKt.exe
  2⤵
  PID:7184
- C:\Windows\System\SfcVFMo.exe
  C:\Windows\System\SfcVFMo.exe
  2⤵
  PID:7212
- C:\Windows\System\uVDDfid.exe
  C:\Windows\System\uVDDfid.exe
  2⤵
  PID:7244
- C:\Windows\System\VHQHZJj.exe
  C:\Windows\System\VHQHZJj.exe
  2⤵
  PID:7272
- C:\Windows\System\aXGokZL.exe
  C:\Windows\System\aXGokZL.exe
  2⤵
  PID:7300
- C:\Windows\System\hePzHBv.exe
  C:\Windows\System\hePzHBv.exe
  2⤵
  PID:7328
- C:\Windows\System\rjGDSxs.exe
  C:\Windows\System\rjGDSxs.exe
  2⤵
  PID:7356
- C:\Windows\System\tmDiQwy.exe
  C:\Windows\System\tmDiQwy.exe
  2⤵
  PID:7384
- C:\Windows\System\UzqAfgd.exe
  C:\Windows\System\UzqAfgd.exe
  2⤵
  PID:7412
- C:\Windows\System\OPWgXjl.exe
  C:\Windows\System\OPWgXjl.exe
  2⤵
  PID:7440
- C:\Windows\System\NEfVaYk.exe
  C:\Windows\System\NEfVaYk.exe
  2⤵
  PID:7468
- C:\Windows\System\hrjWyKX.exe
  C:\Windows\System\hrjWyKX.exe
  2⤵
  PID:7500
- C:\Windows\System\AXTDtkt.exe
  C:\Windows\System\AXTDtkt.exe
  2⤵
  PID:7524
- C:\Windows\System\HVBIjnn.exe
  C:\Windows\System\HVBIjnn.exe
  2⤵
  PID:7552
- C:\Windows\System\PjWtckz.exe
  C:\Windows\System\PjWtckz.exe
  2⤵
  PID:7580
- C:\Windows\System\qjECIcD.exe
  C:\Windows\System\qjECIcD.exe
  2⤵
  PID:7608
- C:\Windows\System\BEkEFzL.exe
  C:\Windows\System\BEkEFzL.exe
  2⤵
  PID:7636
- C:\Windows\System\AEgDTzR.exe
  C:\Windows\System\AEgDTzR.exe
  2⤵
  PID:7664
- C:\Windows\System\spicpId.exe
  C:\Windows\System\spicpId.exe
  2⤵
  PID:7692
- C:\Windows\System\fSKdqqf.exe
  C:\Windows\System\fSKdqqf.exe
  2⤵
  PID:7740
- C:\Windows\System\JYcmLvJ.exe
  C:\Windows\System\JYcmLvJ.exe
  2⤵
  PID:7768
- C:\Windows\System\JvxIKuh.exe
  C:\Windows\System\JvxIKuh.exe
  2⤵
  PID:7796
- C:\Windows\System\PjPPkBN.exe
  C:\Windows\System\PjPPkBN.exe
  2⤵
  PID:7824
- C:\Windows\System\MuCmyAT.exe
  C:\Windows\System\MuCmyAT.exe
  2⤵
  PID:7852
- C:\Windows\System\YqLOdsr.exe
  C:\Windows\System\YqLOdsr.exe
  2⤵
  PID:7880
- C:\Windows\System\hnxFiRH.exe
  C:\Windows\System\hnxFiRH.exe
  2⤵
  PID:7908
- C:\Windows\System\egYIKTy.exe
  C:\Windows\System\egYIKTy.exe
  2⤵
  PID:7940
- C:\Windows\System\epaEEbn.exe
  C:\Windows\System\epaEEbn.exe
  2⤵
  PID:7964
- C:\Windows\System\UzbIkJb.exe
  C:\Windows\System\UzbIkJb.exe
  2⤵
  PID:7992
- C:\Windows\System\rdPHkvA.exe
  C:\Windows\System\rdPHkvA.exe
  2⤵
  PID:8020
- C:\Windows\System\PYPQYqh.exe
  C:\Windows\System\PYPQYqh.exe
  2⤵
  PID:8048
- C:\Windows\System\QGPBEAx.exe
  C:\Windows\System\QGPBEAx.exe
  2⤵
  PID:8076
- C:\Windows\System\XPuFOAy.exe
  C:\Windows\System\XPuFOAy.exe
  2⤵
  PID:8104
- C:\Windows\System\pzsECgy.exe
  C:\Windows\System\pzsECgy.exe
  2⤵
  PID:8132
- C:\Windows\System\xGYBaLz.exe
  C:\Windows\System\xGYBaLz.exe
  2⤵
  PID:8176
- C:\Windows\System\Pxrngem.exe
  C:\Windows\System\Pxrngem.exe
  2⤵
  PID:7208
- C:\Windows\System\viYVXuK.exe
  C:\Windows\System\viYVXuK.exe
  2⤵
  PID:7256
- C:\Windows\System\qSjROPi.exe
  C:\Windows\System\qSjROPi.exe
  2⤵
  PID:7324
- C:\Windows\System\fXpEPLa.exe
  C:\Windows\System\fXpEPLa.exe
  2⤵
  PID:7396
- C:\Windows\System\KtAOaMW.exe
  C:\Windows\System\KtAOaMW.exe
  2⤵
  PID:7460
- C:\Windows\System\EclhvQq.exe
  C:\Windows\System\EclhvQq.exe
  2⤵
  PID:7540
- C:\Windows\System\pwxzCrK.exe
  C:\Windows\System\pwxzCrK.exe
  2⤵
  PID:7600
- C:\Windows\System\FHZcYSz.exe
  C:\Windows\System\FHZcYSz.exe
  2⤵
  PID:7660
- C:\Windows\System\oXBAiro.exe
  C:\Windows\System\oXBAiro.exe
  2⤵
  PID:7752
- C:\Windows\System\jNlipEw.exe
  C:\Windows\System\jNlipEw.exe
  2⤵
  PID:7820
- C:\Windows\System\lQoAMIx.exe
  C:\Windows\System\lQoAMIx.exe
  2⤵
  PID:7892
- C:\Windows\System\gMnHTvm.exe
  C:\Windows\System\gMnHTvm.exe
  2⤵
  PID:7960
- C:\Windows\System\dIgLncF.exe
  C:\Windows\System\dIgLncF.exe
  2⤵
  PID:8032
- C:\Windows\System\eTpouOM.exe
  C:\Windows\System\eTpouOM.exe
  2⤵
  PID:8092
- C:\Windows\System\LjasqXB.exe
  C:\Windows\System\LjasqXB.exe
  2⤵
  PID:8188
- C:\Windows\System\BjzwSHq.exe
  C:\Windows\System\BjzwSHq.exe
  2⤵
  PID:7268
- C:\Windows\System\qSKaUDk.exe
  C:\Windows\System\qSKaUDk.exe
  2⤵
  PID:7428
- C:\Windows\System\MJjKrvU.exe
  C:\Windows\System\MJjKrvU.exe
  2⤵
  PID:7576
- C:\Windows\System\uPqBUIa.exe
  C:\Windows\System\uPqBUIa.exe
  2⤵
  PID:7736
- C:\Windows\System\mSRyuPq.exe
  C:\Windows\System\mSRyuPq.exe
  2⤵
  PID:7876
- C:\Windows\System\WiXnXSf.exe
  C:\Windows\System\WiXnXSf.exe
  2⤵
  PID:8060
- C:\Windows\System\uiwxIIu.exe
  C:\Windows\System\uiwxIIu.exe
  2⤵
  PID:8144
- C:\Windows\System\lOrGchB.exe
  C:\Windows\System\lOrGchB.exe
  2⤵
  PID:7656
- C:\Windows\System\Ngfxhja.exe
  C:\Windows\System\Ngfxhja.exe
  2⤵
  PID:8012
- C:\Windows\System\bjTCozX.exe
  C:\Windows\System\bjTCozX.exe
  2⤵
  PID:7564
- C:\Windows\System\FyqAgmv.exe
  C:\Windows\System\FyqAgmv.exe
  2⤵
  PID:8196
- C:\Windows\System\FTbnsAb.exe
  C:\Windows\System\FTbnsAb.exe
  2⤵
  PID:8224
- C:\Windows\System\ucMFsuD.exe
  C:\Windows\System\ucMFsuD.exe
  2⤵
  PID:8252
- C:\Windows\System\ceCpGAm.exe
  C:\Windows\System\ceCpGAm.exe
  2⤵
  PID:8284
- C:\Windows\System\AFDGZII.exe
  C:\Windows\System\AFDGZII.exe
  2⤵
  PID:8308
- C:\Windows\System\Jlolnxa.exe
  C:\Windows\System\Jlolnxa.exe
  2⤵
  PID:8336
- C:\Windows\System\qMkmGQv.exe
  C:\Windows\System\qMkmGQv.exe
  2⤵
  PID:8364
- C:\Windows\System\WuSAEVf.exe
  C:\Windows\System\WuSAEVf.exe
  2⤵
  PID:8396
- C:\Windows\System\ZKQJorr.exe
  C:\Windows\System\ZKQJorr.exe
  2⤵
  PID:8420
- C:\Windows\System\IDRMLvV.exe
  C:\Windows\System\IDRMLvV.exe
  2⤵
  PID:8440
- C:\Windows\System\EMGXtQv.exe
  C:\Windows\System\EMGXtQv.exe
  2⤵
  PID:8476
- C:\Windows\System\jafftgc.exe
  C:\Windows\System\jafftgc.exe
  2⤵
  PID:8520
- C:\Windows\System\BYwefHs.exe
  C:\Windows\System\BYwefHs.exe
  2⤵
  PID:8564
- C:\Windows\System\sXhQSjB.exe
  C:\Windows\System\sXhQSjB.exe
  2⤵
  PID:8580
- C:\Windows\System\VzwpvTz.exe
  C:\Windows\System\VzwpvTz.exe
  2⤵
  PID:8596
- C:\Windows\System\CGbAGpK.exe
  C:\Windows\System\CGbAGpK.exe
  2⤵
  PID:8636
- C:\Windows\System\HfRDPlu.exe
  C:\Windows\System\HfRDPlu.exe
  2⤵
  PID:8664
- C:\Windows\System\JFPtXpu.exe
  C:\Windows\System\JFPtXpu.exe
  2⤵
  PID:8692
- C:\Windows\System\SMiVPIS.exe
  C:\Windows\System\SMiVPIS.exe
  2⤵
  PID:8724
- C:\Windows\System\PyUkucF.exe
  C:\Windows\System\PyUkucF.exe
  2⤵
  PID:8748
- C:\Windows\System\QOjEBfX.exe
  C:\Windows\System\QOjEBfX.exe
  2⤵
  PID:8776
- C:\Windows\System\UgOtDRB.exe
  C:\Windows\System\UgOtDRB.exe
  2⤵
  PID:8804
- C:\Windows\System\cungHZQ.exe
  C:\Windows\System\cungHZQ.exe
  2⤵
  PID:8832
- C:\Windows\System\sLtRczs.exe
  C:\Windows\System\sLtRczs.exe
  2⤵
  PID:8860
- C:\Windows\System\auyulGZ.exe
  C:\Windows\System\auyulGZ.exe
  2⤵
  PID:8892
- C:\Windows\System\auCAtwX.exe
  C:\Windows\System\auCAtwX.exe
  2⤵
  PID:8928
- C:\Windows\System\RnETUGV.exe
  C:\Windows\System\RnETUGV.exe
  2⤵
  PID:8944
- C:\Windows\System\izXJTvi.exe
  C:\Windows\System\izXJTvi.exe
  2⤵
  PID:8984
- C:\Windows\System\CQDVeBB.exe
  C:\Windows\System\CQDVeBB.exe
  2⤵
  PID:9012
- C:\Windows\System\MlSIKzL.exe
  C:\Windows\System\MlSIKzL.exe
  2⤵
  PID:9048
- C:\Windows\System\SXdpaEp.exe
  C:\Windows\System\SXdpaEp.exe
  2⤵
  PID:9092
- C:\Windows\System\BmeUbem.exe
  C:\Windows\System\BmeUbem.exe
  2⤵
  PID:9124
- C:\Windows\System\iLmBUck.exe
  C:\Windows\System\iLmBUck.exe
  2⤵
  PID:9140
- C:\Windows\System\rUeqkOI.exe
  C:\Windows\System\rUeqkOI.exe
  2⤵
  PID:9172
- C:\Windows\System\cncvfHp.exe
  C:\Windows\System\cncvfHp.exe
  2⤵
  PID:9196
- C:\Windows\System\FlwgWmX.exe
  C:\Windows\System\FlwgWmX.exe
  2⤵
  PID:8208
- C:\Windows\System\lrkSdBy.exe
  C:\Windows\System\lrkSdBy.exe
  2⤵
  PID:8292
- C:\Windows\System\IPdnIBe.exe
  C:\Windows\System\IPdnIBe.exe
  2⤵
  PID:8380
- C:\Windows\System\rNNxHph.exe
  C:\Windows\System\rNNxHph.exe
  2⤵
  PID:8460
- C:\Windows\System\RWMUUfe.exe
  C:\Windows\System\RWMUUfe.exe
  2⤵
  PID:8556
- C:\Windows\System\UMyrhhT.exe
  C:\Windows\System\UMyrhhT.exe
  2⤵
  PID:8428
- C:\Windows\System\Isxcmfz.exe
  C:\Windows\System\Isxcmfz.exe
  2⤵
  PID:8648
- C:\Windows\System\WtyiqAK.exe
  C:\Windows\System\WtyiqAK.exe
  2⤵
  PID:8684
- C:\Windows\System\ZtwUCBs.exe
  C:\Windows\System\ZtwUCBs.exe
  2⤵
  PID:8768
- C:\Windows\System\moJjjnd.exe
  C:\Windows\System\moJjjnd.exe
  2⤵
  PID:8876
- C:\Windows\System\fYfrjIj.exe
  C:\Windows\System\fYfrjIj.exe
  2⤵
  PID:8992
- C:\Windows\System\tIsAlfF.exe
  C:\Windows\System\tIsAlfF.exe
  2⤵
  PID:9084
- C:\Windows\System\MDevWHQ.exe
  C:\Windows\System\MDevWHQ.exe
  2⤵
  PID:7632
- C:\Windows\System\pvBonDU.exe
  C:\Windows\System\pvBonDU.exe
  2⤵
  PID:9212
- C:\Windows\System\TDVoRKM.exe
  C:\Windows\System\TDVoRKM.exe
  2⤵
  PID:8332
- C:\Windows\System\vYefzDx.exe
  C:\Windows\System\vYefzDx.exe
  2⤵
  PID:8576
- C:\Windows\System\pFikeLd.exe
  C:\Windows\System\pFikeLd.exe
  2⤵
  PID:8448
- C:\Windows\System\LexBlYG.exe
  C:\Windows\System\LexBlYG.exe
  2⤵
  PID:8956
- C:\Windows\System\SRdJtYg.exe
  C:\Windows\System\SRdJtYg.exe
  2⤵
  PID:9116
- C:\Windows\System\iAIdvFW.exe
  C:\Windows\System\iAIdvFW.exe
  2⤵
  PID:8276
- C:\Windows\System\bqjeXwM.exe
  C:\Windows\System\bqjeXwM.exe
  2⤵
  PID:8852
- C:\Windows\System\qHgTroR.exe
  C:\Windows\System\qHgTroR.exe
  2⤵
  PID:9104
- C:\Windows\System\ybcqSti.exe
  C:\Windows\System\ybcqSti.exe
  2⤵
  PID:8968
- C:\Windows\System\iLQbdGN.exe
  C:\Windows\System\iLQbdGN.exe
  2⤵
  PID:8624
- C:\Windows\System\ikUbLHW.exe
  C:\Windows\System\ikUbLHW.exe
  2⤵
  PID:9236
- C:\Windows\System\sjjzLiE.exe
  C:\Windows\System\sjjzLiE.exe
  2⤵
  PID:9264
- C:\Windows\System\CBVCjoS.exe
  C:\Windows\System\CBVCjoS.exe
  2⤵
  PID:9300
- C:\Windows\System\sNGkVzE.exe
  C:\Windows\System\sNGkVzE.exe
  2⤵
  PID:9320
- C:\Windows\System\xNETDnc.exe
  C:\Windows\System\xNETDnc.exe
  2⤵
  PID:9360
- C:\Windows\System\eQezBgP.exe
  C:\Windows\System\eQezBgP.exe
  2⤵
  PID:9376
- C:\Windows\System\WsxNZrX.exe
  C:\Windows\System\WsxNZrX.exe
  2⤵
  PID:9404
- C:\Windows\System\UTDbonb.exe
  C:\Windows\System\UTDbonb.exe
  2⤵
  PID:9420
- C:\Windows\System\jfsqwuT.exe
  C:\Windows\System\jfsqwuT.exe
  2⤵
  PID:9452
- C:\Windows\System\ArGZrvi.exe
  C:\Windows\System\ArGZrvi.exe
  2⤵
  PID:9476
- C:\Windows\System\fPPSSEV.exe
  C:\Windows\System\fPPSSEV.exe
  2⤵
  PID:9504
- C:\Windows\System\VUkmFHO.exe
  C:\Windows\System\VUkmFHO.exe
  2⤵
  PID:9536
- C:\Windows\System\VeSkdSb.exe
  C:\Windows\System\VeSkdSb.exe
  2⤵
  PID:9556
- C:\Windows\System\TVmjkjN.exe
  C:\Windows\System\TVmjkjN.exe
  2⤵
  PID:9612
- C:\Windows\System\gmMFaWf.exe
  C:\Windows\System\gmMFaWf.exe
  2⤵
  PID:9628
- C:\Windows\System\mGEljbR.exe
  C:\Windows\System\mGEljbR.exe
  2⤵
  PID:9644
- C:\Windows\System\wekizSL.exe
  C:\Windows\System\wekizSL.exe
  2⤵
  PID:9676
- C:\Windows\System\zUkAVRv.exe
  C:\Windows\System\zUkAVRv.exe
  2⤵
  PID:9700
- C:\Windows\System\onblRGn.exe
  C:\Windows\System\onblRGn.exe
  2⤵
  PID:9736
- C:\Windows\System\tCdLcYk.exe
  C:\Windows\System\tCdLcYk.exe
  2⤵
  PID:9756
- C:\Windows\System\knCpVLM.exe
  C:\Windows\System\knCpVLM.exe
  2⤵
  PID:9784
- C:\Windows\System\crQJBbF.exe
  C:\Windows\System\crQJBbF.exe
  2⤵
  PID:9820
- C:\Windows\System\bfPQGcR.exe
  C:\Windows\System\bfPQGcR.exe
  2⤵
  PID:9852
- C:\Windows\System\VbkcYol.exe
  C:\Windows\System\VbkcYol.exe
  2⤵
  PID:9884
- C:\Windows\System\fGsseCY.exe
  C:\Windows\System\fGsseCY.exe
  2⤵
  PID:9920
- C:\Windows\System\QDgrXUH.exe
  C:\Windows\System\QDgrXUH.exe
  2⤵
  PID:9940
- C:\Windows\System\yQcwyBm.exe
  C:\Windows\System\yQcwyBm.exe
  2⤵
  PID:9960
- C:\Windows\System\PyABGsR.exe
  C:\Windows\System\PyABGsR.exe
  2⤵
  PID:9988
- C:\Windows\System\deBoApR.exe
  C:\Windows\System\deBoApR.exe
  2⤵
  PID:10004
- C:\Windows\System\FHTUjwq.exe
  C:\Windows\System\FHTUjwq.exe
  2⤵
  PID:10036
- C:\Windows\System\JXNDLrF.exe
  C:\Windows\System\JXNDLrF.exe
  2⤵
  PID:10096
- C:\Windows\System\XecdieZ.exe
  C:\Windows\System\XecdieZ.exe
  2⤵
  PID:10112
- C:\Windows\System\noZxNNf.exe
  C:\Windows\System\noZxNNf.exe
  2⤵
  PID:10152
- C:\Windows\System\lwRLaLX.exe
  C:\Windows\System\lwRLaLX.exe
  2⤵
  PID:10172
- C:\Windows\System\OIrwTrh.exe
  C:\Windows\System\OIrwTrh.exe
  2⤵
  PID:10200
- C:\Windows\System\TqObyTG.exe
  C:\Windows\System\TqObyTG.exe
  2⤵
  PID:10228
- C:\Windows\System\ewMuAYM.exe
  C:\Windows\System\ewMuAYM.exe
  2⤵
  PID:9220
- C:\Windows\System\GzczhJb.exe
  C:\Windows\System\GzczhJb.exe
  2⤵
  PID:9284
- C:\Windows\System\cIykXJA.exe
  C:\Windows\System\cIykXJA.exe
  2⤵
  PID:9352
- C:\Windows\System\vIuxIko.exe
  C:\Windows\System\vIuxIko.exe
  2⤵
  PID:9460
- C:\Windows\System\fAkAIja.exe
  C:\Windows\System\fAkAIja.exe
  2⤵
  PID:9496
- C:\Windows\System\TxInayS.exe
  C:\Windows\System\TxInayS.exe
  2⤵
  PID:9520
- C:\Windows\System\hHnyXLA.exe
  C:\Windows\System\hHnyXLA.exe
  2⤵
  PID:9624
- C:\Windows\System\rVpNMKe.exe
  C:\Windows\System\rVpNMKe.exe
  2⤵
  PID:9720
- C:\Windows\System\cmWcSPS.exe
  C:\Windows\System\cmWcSPS.exe
  2⤵
  PID:9768
- C:\Windows\System\PXMKIGm.exe
  C:\Windows\System\PXMKIGm.exe
  2⤵
  PID:9804
- C:\Windows\System\uVGvIYX.exe
  C:\Windows\System\uVGvIYX.exe
  2⤵
  PID:9908
- C:\Windows\System\jVVeTdf.exe
  C:\Windows\System\jVVeTdf.exe
  2⤵
  PID:9968
- C:\Windows\System\kppbOoY.exe
  C:\Windows\System\kppbOoY.exe
  2⤵
  PID:10028
- C:\Windows\System\sLMIHNj.exe
  C:\Windows\System\sLMIHNj.exe
  2⤵
  PID:10080
- C:\Windows\System\FcJVMYu.exe
  C:\Windows\System\FcJVMYu.exe
  2⤵
  PID:10128
- C:\Windows\System\cVDgDnQ.exe
  C:\Windows\System\cVDgDnQ.exe
  2⤵
  PID:10184
- C:\Windows\System\UWFlsYo.exe
  C:\Windows\System\UWFlsYo.exe
  2⤵
  PID:9344
- C:\Windows\System\CJNJBdB.exe
  C:\Windows\System\CJNJBdB.exe
  2⤵
  PID:9412
- C:\Windows\System\ZwgvOFy.exe
  C:\Windows\System\ZwgvOFy.exe
  2⤵
  PID:9668
- C:\Windows\System\jSTFuLH.exe
  C:\Windows\System\jSTFuLH.exe
  2⤵
  PID:9752
- C:\Windows\System\hrUWtIQ.exe
  C:\Windows\System\hrUWtIQ.exe
  2⤵
  PID:9948
- C:\Windows\System\yQSJzzU.exe
  C:\Windows\System\yQSJzzU.exe
  2⤵
  PID:4188
- C:\Windows\System\cjhrpvI.exe
  C:\Windows\System\cjhrpvI.exe
  2⤵
  PID:9260
- C:\Windows\System\GMNCRKM.exe
  C:\Windows\System\GMNCRKM.exe
  2⤵
  PID:9552
- C:\Windows\System\pwCkFaR.exe
  C:\Windows\System\pwCkFaR.exe
  2⤵
  PID:10016
- C:\Windows\System\fgNVPWU.exe
  C:\Windows\System\fgNVPWU.exe
  2⤵
  PID:9392
- C:\Windows\System\SxoWLZe.exe
  C:\Windows\System\SxoWLZe.exe
  2⤵
  PID:10056
- C:\Windows\System\vDQnfEv.exe
  C:\Windows\System\vDQnfEv.exe
  2⤵
  PID:10260
- C:\Windows\System\sthzPWI.exe
  C:\Windows\System\sthzPWI.exe
  2⤵
  PID:10288
- C:\Windows\System\fHcdwIW.exe
  C:\Windows\System\fHcdwIW.exe
  2⤵
  PID:10324
- C:\Windows\System\BryGbBo.exe
  C:\Windows\System\BryGbBo.exe
  2⤵
  PID:10352
- C:\Windows\System\RKtpFpc.exe
  C:\Windows\System\RKtpFpc.exe
  2⤵
  PID:10380
- C:\Windows\System\DISrocA.exe
  C:\Windows\System\DISrocA.exe
  2⤵
  PID:10408
- C:\Windows\System\SmOXuFt.exe
  C:\Windows\System\SmOXuFt.exe
  2⤵
  PID:10436
- C:\Windows\System\nfYDlaH.exe
  C:\Windows\System\nfYDlaH.exe
  2⤵
  PID:10464
- C:\Windows\System\jXwwbAa.exe
  C:\Windows\System\jXwwbAa.exe
  2⤵
  PID:10492
- C:\Windows\System\RoyNTmF.exe
  C:\Windows\System\RoyNTmF.exe
  2⤵
  PID:10520
- C:\Windows\System\BaXXsqY.exe
  C:\Windows\System\BaXXsqY.exe
  2⤵
  PID:10548
- C:\Windows\System\DVrQdSh.exe
  C:\Windows\System\DVrQdSh.exe
  2⤵
  PID:10576
- C:\Windows\System\nnkDUJr.exe
  C:\Windows\System\nnkDUJr.exe
  2⤵
  PID:10608
- C:\Windows\System\glMLMPC.exe
  C:\Windows\System\glMLMPC.exe
  2⤵
  PID:10636
- C:\Windows\System\skIaVZB.exe
  C:\Windows\System\skIaVZB.exe
  2⤵
  PID:10664
- C:\Windows\System\FIddgwx.exe
  C:\Windows\System\FIddgwx.exe
  2⤵
  PID:10696
- C:\Windows\System\oLzvkiH.exe
  C:\Windows\System\oLzvkiH.exe
  2⤵
  PID:10724
- C:\Windows\System\cbHaiSw.exe
  C:\Windows\System\cbHaiSw.exe
  2⤵
  PID:10752
- C:\Windows\System\lCBwdgO.exe
  C:\Windows\System\lCBwdgO.exe
  2⤵
  PID:10780
- C:\Windows\System\OadbYyv.exe
  C:\Windows\System\OadbYyv.exe
  2⤵
  PID:10808
- C:\Windows\System\aiyqCeW.exe
  C:\Windows\System\aiyqCeW.exe
  2⤵
  PID:10836
- C:\Windows\System\XCplbuC.exe
  C:\Windows\System\XCplbuC.exe
  2⤵
  PID:10864
- C:\Windows\System\EnCcfgp.exe
  C:\Windows\System\EnCcfgp.exe
  2⤵
  PID:10892
- C:\Windows\System\VPRPcew.exe
  C:\Windows\System\VPRPcew.exe
  2⤵
  PID:10920
- C:\Windows\System\NwDaAQb.exe
  C:\Windows\System\NwDaAQb.exe
  2⤵
  PID:10948
- C:\Windows\System\KtERteN.exe
  C:\Windows\System\KtERteN.exe
  2⤵
  PID:10976
- C:\Windows\System\YluwpJH.exe
  C:\Windows\System\YluwpJH.exe
  2⤵
  PID:11004
- C:\Windows\System\DohcjvJ.exe
  C:\Windows\System\DohcjvJ.exe
  2⤵
  PID:11032
- C:\Windows\System\ALdgyeL.exe
  C:\Windows\System\ALdgyeL.exe
  2⤵
  PID:11060
- C:\Windows\System\HXPisnB.exe
  C:\Windows\System\HXPisnB.exe
  2⤵
  PID:11088
- C:\Windows\System\ktXSCUB.exe
  C:\Windows\System\ktXSCUB.exe
  2⤵
  PID:11104
- C:\Windows\System\buGwXpn.exe
  C:\Windows\System\buGwXpn.exe
  2⤵
  PID:11124
- C:\Windows\System\tqtTTnN.exe
  C:\Windows\System\tqtTTnN.exe
  2⤵
  PID:11144
- C:\Windows\System\bGxCkxJ.exe
  C:\Windows\System\bGxCkxJ.exe
  2⤵
  PID:11200
- C:\Windows\System\wPVxMxo.exe
  C:\Windows\System\wPVxMxo.exe
  2⤵
  PID:11240
- C:\Windows\System\mnsllVU.exe
  C:\Windows\System\mnsllVU.exe
  2⤵
  PID:11256
- C:\Windows\System\UVOeHgl.exe
  C:\Windows\System\UVOeHgl.exe
  2⤵
  PID:10320
- C:\Windows\System\WJvwBjy.exe
  C:\Windows\System\WJvwBjy.exe
  2⤵
  PID:10396
- C:\Windows\System\RzmNfIg.exe
  C:\Windows\System\RzmNfIg.exe
  2⤵
  PID:10460
- C:\Windows\System\iCsWMJz.exe
  C:\Windows\System\iCsWMJz.exe
  2⤵
  PID:10512
- C:\Windows\System\CQqCMdb.exe
  C:\Windows\System\CQqCMdb.exe
  2⤵
  PID:10592
- C:\Windows\System\lYjRfGb.exe
  C:\Windows\System\lYjRfGb.exe
  2⤵
  PID:10648
- C:\Windows\System\OpSyebS.exe
  C:\Windows\System\OpSyebS.exe
  2⤵
  PID:10688
- C:\Windows\System\hHbHDcU.exe
  C:\Windows\System\hHbHDcU.exe
  2⤵
  PID:10776
- C:\Windows\System\CMlHSFk.exe
  C:\Windows\System\CMlHSFk.exe
  2⤵
  PID:10820
- C:\Windows\System\jAaOjoJ.exe
  C:\Windows\System\jAaOjoJ.exe
  2⤵
  PID:10936
- C:\Windows\System\diOxLJL.exe
  C:\Windows\System\diOxLJL.exe
  2⤵
  PID:10968
- C:\Windows\System\xbEwFIq.exe
  C:\Windows\System\xbEwFIq.exe
  2⤵
  PID:11052
- C:\Windows\System\PTRKrBG.exe
  C:\Windows\System\PTRKrBG.exe
  2⤵
  PID:11116
- C:\Windows\System\ZaITbxW.exe
  C:\Windows\System\ZaITbxW.exe
  2⤵
  PID:11192
- C:\Windows\System\iAosQYi.exe
  C:\Windows\System\iAosQYi.exe
  2⤵
  PID:11236
- C:\Windows\System\UvrLaVe.exe
  C:\Windows\System\UvrLaVe.exe
  2⤵
  PID:10316
- C:\Windows\System\dHiFVVV.exe
  C:\Windows\System\dHiFVVV.exe
  2⤵
  PID:10392
- C:\Windows\System\pCWrVso.exe
  C:\Windows\System\pCWrVso.exe
  2⤵
  PID:10540
- C:\Windows\System\dolCwRM.exe
  C:\Windows\System\dolCwRM.exe
  2⤵
  PID:10736
- C:\Windows\System\Mbhxtnd.exe
  C:\Windows\System\Mbhxtnd.exe
  2⤵
  PID:10904
- C:\Windows\System\DaNbbzJ.exe
  C:\Windows\System\DaNbbzJ.exe
  2⤵
  PID:10996
- C:\Windows\System\TwFdWUH.exe
  C:\Windows\System\TwFdWUH.exe
  2⤵
  PID:11136
- C:\Windows\System\poZAsal.exe
  C:\Windows\System\poZAsal.exe
  2⤵
  PID:10308
- C:\Windows\System\wNsuWsC.exe
  C:\Windows\System\wNsuWsC.exe
  2⤵
  PID:10744
- C:\Windows\System\htxxTkL.exe
  C:\Windows\System\htxxTkL.exe
  2⤵
  PID:11072
- C:\Windows\System\nUnaxoB.exe
  C:\Windows\System\nUnaxoB.exe
  2⤵
  PID:10568
- C:\Windows\System\rmCgJjg.exe
  C:\Windows\System\rmCgJjg.exe
  2⤵
  PID:11112
- C:\Windows\System\oltJHqt.exe
  C:\Windows\System\oltJHqt.exe
  2⤵
  PID:11280
- C:\Windows\System\sAqinDA.exe
  C:\Windows\System\sAqinDA.exe
  2⤵
  PID:11320
- C:\Windows\System\wTyhEqP.exe
  C:\Windows\System\wTyhEqP.exe
  2⤵
  PID:11348
- C:\Windows\System\nwCeLFH.exe
  C:\Windows\System\nwCeLFH.exe
  2⤵
  PID:11376
- C:\Windows\System\OSyAXQE.exe
  C:\Windows\System\OSyAXQE.exe
  2⤵
  PID:11416
- C:\Windows\System\EjHGfVp.exe
  C:\Windows\System\EjHGfVp.exe
  2⤵
  PID:11432
- C:\Windows\System\ryuiHEz.exe
  C:\Windows\System\ryuiHEz.exe
  2⤵
  PID:11460
- C:\Windows\System\EJqdYjA.exe
  C:\Windows\System\EJqdYjA.exe
  2⤵
  PID:11488
- C:\Windows\System\dJxcUNy.exe
  C:\Windows\System\dJxcUNy.exe
  2⤵
  PID:11512
- C:\Windows\System\SKnJIRJ.exe
  C:\Windows\System\SKnJIRJ.exe
  2⤵
  PID:11532
- C:\Windows\System\iiXIWsh.exe
  C:\Windows\System\iiXIWsh.exe
  2⤵
  PID:11560
- C:\Windows\System\eThIXVN.exe
  C:\Windows\System\eThIXVN.exe
  2⤵
  PID:11588
- C:\Windows\System\iLFLtuU.exe
  C:\Windows\System\iLFLtuU.exe
  2⤵
  PID:11620
- C:\Windows\System\TrPREpy.exe
  C:\Windows\System\TrPREpy.exe
  2⤵
  PID:11644
- C:\Windows\System\LWDKObl.exe
  C:\Windows\System\LWDKObl.exe
  2⤵
  PID:11692
- C:\Windows\System\DLJXeKn.exe
  C:\Windows\System\DLJXeKn.exe
  2⤵
  PID:11716
- C:\Windows\System\KPokgrL.exe
  C:\Windows\System\KPokgrL.exe
  2⤵
  PID:11732
- C:\Windows\System\DzhsjlE.exe
  C:\Windows\System\DzhsjlE.exe
  2⤵
  PID:11760
- C:\Windows\System\uPjHpgS.exe
  C:\Windows\System\uPjHpgS.exe
  2⤵
  PID:11804
- C:\Windows\System\cuAcsTw.exe
  C:\Windows\System\cuAcsTw.exe
  2⤵
  PID:11832
- C:\Windows\System\bqeeNhA.exe
  C:\Windows\System\bqeeNhA.exe
  2⤵
  PID:11896
- C:\Windows\System\TFeaErh.exe
  C:\Windows\System\TFeaErh.exe
  2⤵
  PID:11920
- C:\Windows\System\aYPYLkL.exe
  C:\Windows\System\aYPYLkL.exe
  2⤵
  PID:11948
- C:\Windows\System\nfbHOLP.exe
  C:\Windows\System\nfbHOLP.exe
  2⤵
  PID:11980
- C:\Windows\System\QlopMAu.exe
  C:\Windows\System\QlopMAu.exe
  2⤵
  PID:12012
- C:\Windows\System\pPVDnUI.exe
  C:\Windows\System\pPVDnUI.exe
  2⤵
  PID:12056
- C:\Windows\System\jUbCaxT.exe
  C:\Windows\System\jUbCaxT.exe
  2⤵
  PID:12076
- C:\Windows\System\qWuJgGO.exe
  C:\Windows\System\qWuJgGO.exe
  2⤵
  PID:12112
- C:\Windows\System\bNxSATu.exe
  C:\Windows\System\bNxSATu.exe
  2⤵
  PID:12132
- C:\Windows\System\EbWLiRE.exe
  C:\Windows\System\EbWLiRE.exe
  2⤵
  PID:12152
- C:\Windows\System\ajOzapV.exe
  C:\Windows\System\ajOzapV.exe
  2⤵
  PID:12176
- C:\Windows\System\UfoGCxC.exe
  C:\Windows\System\UfoGCxC.exe
  2⤵
  PID:12192
- C:\Windows\System\rjUVCUJ.exe
  C:\Windows\System\rjUVCUJ.exe
  2⤵
  PID:12272
- C:\Windows\System\RZDMTkc.exe
  C:\Windows\System\RZDMTkc.exe
  2⤵
  PID:4648
- C:\Windows\System\MwOwnPx.exe
  C:\Windows\System\MwOwnPx.exe
  2⤵
  PID:11292
- C:\Windows\System\MXHhhWR.exe
  C:\Windows\System\MXHhhWR.exe
  2⤵
  PID:11412
- C:\Windows\System\VuIAUKI.exe
  C:\Windows\System\VuIAUKI.exe
  2⤵
  PID:11444
- C:\Windows\System\vtqGRwh.exe
  C:\Windows\System\vtqGRwh.exe
  2⤵
  PID:11528
- C:\Windows\System\ogcJMpc.exe
  C:\Windows\System\ogcJMpc.exe
  2⤵
  PID:11548
- C:\Windows\System\GjnyBSa.exe
  C:\Windows\System\GjnyBSa.exe
  2⤵
  PID:11660
- C:\Windows\System\IrMGMgC.exe
  C:\Windows\System\IrMGMgC.exe
  2⤵
  PID:11664
- C:\Windows\System\hFTqWye.exe
  C:\Windows\System\hFTqWye.exe
  2⤵
  PID:11788
- C:\Windows\System\lHqTzPq.exe
  C:\Windows\System\lHqTzPq.exe
  2⤵
  PID:11800
- C:\Windows\System\xcxNswZ.exe
  C:\Windows\System\xcxNswZ.exe
  2⤵
  PID:11916
- C:\Windows\System\DQwhfLl.exe
  C:\Windows\System\DQwhfLl.exe
  2⤵
  PID:12032
- C:\Windows\System\EQYBgWn.exe
  C:\Windows\System\EQYBgWn.exe
  2⤵
  PID:12096
- C:\Windows\System\rkcECVr.exe
  C:\Windows\System\rkcECVr.exe
  2⤵
  PID:12128
- C:\Windows\System\VJrKqHd.exe
  C:\Windows\System\VJrKqHd.exe
  2⤵
  PID:12164
- C:\Windows\System\xUbVcZq.exe
  C:\Windows\System\xUbVcZq.exe
  2⤵
  PID:12236
- C:\Windows\System\BTnktjJ.exe
  C:\Windows\System\BTnktjJ.exe
  2⤵
  PID:11388
- C:\Windows\System\YXMwcwd.exe
  C:\Windows\System\YXMwcwd.exe
  2⤵
  PID:1568
- C:\Windows\System\xfagtbs.exe
  C:\Windows\System\xfagtbs.exe
  2⤵
  PID:11552
- C:\Windows\System\rgUXkVM.exe
  C:\Windows\System\rgUXkVM.exe
  2⤵
  PID:11712
- C:\Windows\System\IIkgwNb.exe
  C:\Windows\System\IIkgwNb.exe
  2⤵
  PID:11996
- C:\Windows\System\TIMTpdT.exe
  C:\Windows\System\TIMTpdT.exe
  2⤵
  PID:12184
- C:\Windows\System\bmEgDLh.exe
  C:\Windows\System\bmEgDLh.exe
  2⤵
  PID:12220
- C:\Windows\System\PYrabeX.exe
  C:\Windows\System\PYrabeX.exe
  2⤵
  PID:11824
- C:\Windows\System\YAJETXy.exe
  C:\Windows\System\YAJETXy.exe
  2⤵
  PID:11876
- C:\Windows\System\wiqdypg.exe
  C:\Windows\System\wiqdypg.exe
  2⤵
  PID:12232
- C:\Windows\System\cmODbBe.exe
  C:\Windows\System\cmODbBe.exe
  2⤵
  PID:11140
- C:\Windows\System\PnaSMIF.exe
  C:\Windows\System\PnaSMIF.exe
  2⤵
  PID:12296
- C:\Windows\System\KCmdVtM.exe
  C:\Windows\System\KCmdVtM.exe
  2⤵
  PID:12324
- C:\Windows\System\jvdTJKI.exe
  C:\Windows\System\jvdTJKI.exe
  2⤵
  PID:12352
- C:\Windows\System\dhGIqKN.exe
  C:\Windows\System\dhGIqKN.exe
  2⤵
  PID:12372
- C:\Windows\System\xvUUhfh.exe
  C:\Windows\System\xvUUhfh.exe
  2⤵
  PID:12396
- C:\Windows\System\lwJVrmd.exe
  C:\Windows\System\lwJVrmd.exe
  2⤵
  PID:12412
- C:\Windows\System\fkKfpRw.exe
  C:\Windows\System\fkKfpRw.exe
  2⤵
  PID:12440
- C:\Windows\System\MjKShjI.exe
  C:\Windows\System\MjKShjI.exe
  2⤵
  PID:12484
- C:\Windows\System\SOuPIGB.exe
  C:\Windows\System\SOuPIGB.exe
  2⤵
  PID:12500
- C:\Windows\System\nZdphko.exe
  C:\Windows\System\nZdphko.exe
  2⤵
  PID:12544
- C:\Windows\System\SukVplH.exe
  C:\Windows\System\SukVplH.exe
  2⤵
  PID:12564
- C:\Windows\System\EvBXvAB.exe
  C:\Windows\System\EvBXvAB.exe
  2⤵
  PID:12588
- C:\Windows\System\oNcQpNV.exe
  C:\Windows\System\oNcQpNV.exe
  2⤵
  PID:12620
- C:\Windows\System\CvLIXHX.exe
  C:\Windows\System\CvLIXHX.exe
  2⤵
  PID:12660
- C:\Windows\System\NrQxGLL.exe
  C:\Windows\System\NrQxGLL.exe
  2⤵
  PID:12680
- C:\Windows\System\nThthEm.exe
  C:\Windows\System\nThthEm.exe
  2⤵
  PID:12712
- C:\Windows\System\kOcriAg.exe
  C:\Windows\System\kOcriAg.exe
  2⤵
  PID:12736
- C:\Windows\System\Kfyslvq.exe
  C:\Windows\System\Kfyslvq.exe
  2⤵
  PID:12772
- C:\Windows\System\fJDHvwT.exe
  C:\Windows\System\fJDHvwT.exe
  2⤵
  PID:12796
- C:\Windows\System\RWSwMom.exe
  C:\Windows\System\RWSwMom.exe
  2⤵
  PID:12816
- C:\Windows\System\cJpizOk.exe
  C:\Windows\System\cJpizOk.exe
  2⤵
  PID:12836
- C:\Windows\System\XIbpVcB.exe
  C:\Windows\System\XIbpVcB.exe
  2⤵
  PID:12864
- C:\Windows\System\bQuEQFS.exe
  C:\Windows\System\bQuEQFS.exe
  2⤵
  PID:12884
- C:\Windows\System\bwZTWyJ.exe
  C:\Windows\System\bwZTWyJ.exe
  2⤵
  PID:12908
- C:\Windows\System\nXgSdKn.exe
  C:\Windows\System\nXgSdKn.exe
  2⤵
  PID:12952
- C:\Windows\System\CVmbzya.exe
  C:\Windows\System\CVmbzya.exe
  2⤵
  PID:12980
- C:\Windows\System\SPuSGfQ.exe
  C:\Windows\System\SPuSGfQ.exe
  2⤵
  PID:13016
- C:\Windows\System\RkkICoq.exe
  C:\Windows\System\RkkICoq.exe
  2⤵
  PID:13052
- C:\Windows\System\AlhRvTo.exe
  C:\Windows\System\AlhRvTo.exe
  2⤵
  PID:13072
- C:\Windows\System\SwDoYUG.exe
  C:\Windows\System\SwDoYUG.exe
  2⤵
  PID:13092
- C:\Windows\System\zQednBb.exe
  C:\Windows\System\zQednBb.exe
  2⤵
  PID:13128
- C:\Windows\System\ctwlPDR.exe
  C:\Windows\System\ctwlPDR.exe
  2⤵
  PID:13160
- C:\Windows\System\hFGMShU.exe
  C:\Windows\System\hFGMShU.exe
  2⤵
  PID:13192
- C:\Windows\System\zIWIXTR.exe
  C:\Windows\System\zIWIXTR.exe
  2⤵
  PID:13212
- C:\Windows\System\ZoDcaHc.exe
  C:\Windows\System\ZoDcaHc.exe
  2⤵
  PID:13260
- C:\Windows\System\sygrKtR.exe
  C:\Windows\System\sygrKtR.exe
  2⤵
  PID:13288
- C:\Windows\System\zeQBwvK.exe
  C:\Windows\System\zeQBwvK.exe
  2⤵
  PID:12292
- C:\Windows\System\lCDUSKb.exe
  C:\Windows\System\lCDUSKb.exe
  2⤵
  PID:12360
- C:\Windows\System\lJunPbb.exe
  C:\Windows\System\lJunPbb.exe
  2⤵
  PID:12432
- C:\Windows\System\lehVkwG.exe
  C:\Windows\System\lehVkwG.exe
  2⤵
  PID:12460
- C:\Windows\System\WlwjDgi.exe
  C:\Windows\System\WlwjDgi.exe
  2⤵
  PID:12552
- C:\Windows\System\YgOXnmi.exe
  C:\Windows\System\YgOXnmi.exe
  2⤵
  PID:12556
- C:\Windows\System\udKhBQl.exe
  C:\Windows\System\udKhBQl.exe
  2⤵
  PID:12672
- C:\Windows\System\aoIHAhu.exe
  C:\Windows\System\aoIHAhu.exe
  2⤵
  PID:12728
- C:\Windows\System\fetuPkJ.exe
  C:\Windows\System\fetuPkJ.exe
  2⤵
  PID:12748
- C:\Windows\System\VpfxrwU.exe
  C:\Windows\System\VpfxrwU.exe
  2⤵
  PID:12832
- C:\Windows\System\LDhybKL.exe
  C:\Windows\System\LDhybKL.exe
  2⤵
  PID:12948
- C:\Windows\System\BIOrldE.exe
  C:\Windows\System\BIOrldE.exe
  2⤵
  PID:12976
- C:\Windows\System\YAMvMsI.exe
  C:\Windows\System\YAMvMsI.exe
  2⤵
  PID:13036
- C:\Windows\System\soTBXxU.exe
  C:\Windows\System\soTBXxU.exe
  2⤵
  PID:4576
- C:\Windows\System\kiUmNyO.exe
  C:\Windows\System\kiUmNyO.exe
  2⤵
  PID:13180
- C:\Windows\System\dUkUziJ.exe
  C:\Windows\System\dUkUziJ.exe
  2⤵
  PID:4176
- C:\Windows\System\RPFJvql.exe
  C:\Windows\System\RPFJvql.exe
  2⤵
  PID:3628
- C:\Windows\System\bRCuCkw.exe
  C:\Windows\System\bRCuCkw.exe
  2⤵
  PID:13276
- C:\Windows\System\fYTXmuG.exe
  C:\Windows\System\fYTXmuG.exe
  2⤵
  PID:12348
- C:\Windows\System\VsxKomZ.exe
  C:\Windows\System\VsxKomZ.exe
  2⤵
  PID:1460
- C:\Windows\System\EsBkono.exe
  C:\Windows\System\EsBkono.exe
  2⤵
  PID:12560
- C:\Windows\System\bSlQbjz.exe
  C:\Windows\System\bSlQbjz.exe
  2⤵
  PID:12752
- C:\Windows\System\NBIPnKy.exe
  C:\Windows\System\NBIPnKy.exe
  2⤵
  PID:12856
- C:\Windows\System\kYPsrrL.exe
  C:\Windows\System\kYPsrrL.exe
  2⤵
  PID:12940
- C:\Windows\System\LzqCnwk.exe
  C:\Windows\System\LzqCnwk.exe
  2⤵
  PID:13112
- C:\Windows\System\dMrceID.exe
  C:\Windows\System\dMrceID.exe
  2⤵
  PID:1124
- C:\Windows\System\jXneMFD.exe
  C:\Windows\System\jXneMFD.exe
  2⤵
  PID:12380
- C:\Windows\System\QeogxVn.exe
  C:\Windows\System\QeogxVn.exe
  2⤵
  PID:12644
- C:\Windows\System\ZiQTmZe.exe
  C:\Windows\System\ZiQTmZe.exe
  2⤵
  PID:12968
- C:\Windows\System\eHpSxfj.exe
  C:\Windows\System\eHpSxfj.exe
  2⤵
  PID:13308
- C:\Windows\System\WHtOiYg.exe
  C:\Windows\System\WHtOiYg.exe
  2⤵
  PID:13108
- C:\Windows\System\hDlKNnI.exe
  C:\Windows\System\hDlKNnI.exe
  2⤵
  PID:12900
- C:\Windows\System\IHddGMP.exe
  C:\Windows\System\IHddGMP.exe
  2⤵
  PID:13336
- C:\Windows\System\nemuEmi.exe
  C:\Windows\System\nemuEmi.exe
  2⤵
  PID:13368
- C:\Windows\System\tKevPyi.exe
  C:\Windows\System\tKevPyi.exe
  2⤵
  PID:13396
- C:\Windows\System\VtQZmBI.exe
  C:\Windows\System\VtQZmBI.exe
  2⤵
  PID:13420
- C:\Windows\System\NxuvVNw.exe
  C:\Windows\System\NxuvVNw.exe
  2⤵
  PID:13436
- C:\Windows\System\kXGBvlE.exe
  C:\Windows\System\kXGBvlE.exe
  2⤵
  PID:13476
- C:\Windows\System\DILGeuS.exe
  C:\Windows\System\DILGeuS.exe
  2⤵
  PID:13504
- C:\Windows\System\UeQrCGE.exe
  C:\Windows\System\UeQrCGE.exe
  2⤵
  PID:13528
- C:\Windows\System\zGwbxRH.exe
  C:\Windows\System\zGwbxRH.exe
  2⤵
  PID:13556
- C:\Windows\System\TJpbKcR.exe
  C:\Windows\System\TJpbKcR.exe
  2⤵
  PID:13584
- C:\Windows\System\ntNiCSW.exe
  C:\Windows\System\ntNiCSW.exe
  2⤵
  PID:13612
- C:\Windows\System\CUbsNML.exe
  C:\Windows\System\CUbsNML.exe
  2⤵
  PID:13640
- C:\Windows\System\womdvwR.exe
  C:\Windows\System\womdvwR.exe
  2⤵
  PID:13672
- C:\Windows\System\nPtJvbo.exe
  C:\Windows\System\nPtJvbo.exe
  2⤵
  PID:13696
- C:\Windows\System\EqWkniu.exe
  C:\Windows\System\EqWkniu.exe
  2⤵
  PID:13728
- C:\Windows\System\VJDfztS.exe
  C:\Windows\System\VJDfztS.exe
  2⤵
  PID:13764
- C:\Windows\System\PlvYYdI.exe
  C:\Windows\System\PlvYYdI.exe
  2⤵
  PID:13796
- C:\Windows\System\QzQARfm.exe
  C:\Windows\System\QzQARfm.exe
  2⤵
  PID:13828
- C:\Windows\System\fFxwpXU.exe
  C:\Windows\System\fFxwpXU.exe
  2⤵
  PID:13844
- C:\Windows\System\HAPVPZj.exe
  C:\Windows\System\HAPVPZj.exe
  2⤵
  PID:13860
- C:\Windows\System\yTQYPZk.exe
  C:\Windows\System\yTQYPZk.exe
  2⤵
  PID:13900
- C:\Windows\System\LwdNPkZ.exe
  C:\Windows\System\LwdNPkZ.exe
  2⤵
  PID:13928
- C:\Windows\System\HlHvnad.exe
  C:\Windows\System\HlHvnad.exe
  2⤵
  PID:13968
- C:\Windows\System\lEpWLDP.exe
  C:\Windows\System\lEpWLDP.exe
  2⤵
  PID:13984
- C:\Windows\System\MnHtFCJ.exe
  C:\Windows\System\MnHtFCJ.exe
  2⤵
  PID:14012
- C:\Windows\System\cYMHstP.exe
  C:\Windows\System\cYMHstP.exe
  2⤵
  PID:14040
- C:\Windows\System\qPRFMYF.exe
  C:\Windows\System\qPRFMYF.exe
  2⤵
  PID:14068
- C:\Windows\System\eSHQsdw.exe
  C:\Windows\System\eSHQsdw.exe
  2⤵
  PID:14104
- C:\Windows\System\SSSoUew.exe
  C:\Windows\System\SSSoUew.exe
  2⤵
  PID:14124
- C:\Windows\System\EpdJtGh.exe
  C:\Windows\System\EpdJtGh.exe
  2⤵
  PID:14152
- C:\Windows\System\pIKzFlT.exe
  C:\Windows\System\pIKzFlT.exe
  2⤵
  PID:14176
- C:\Windows\System\qQPZjIB.exe
  C:\Windows\System\qQPZjIB.exe
  2⤵
  PID:14200
- C:\Windows\System\ErKIUqO.exe
  C:\Windows\System\ErKIUqO.exe
  2⤵
  PID:14248
- C:\Windows\System\NNNnbDm.exe
  C:\Windows\System\NNNnbDm.exe
  2⤵
  PID:14264
- C:\Windows\System\ALyTPZC.exe
  C:\Windows\System\ALyTPZC.exe
  2⤵
  PID:14284
- C:\Windows\System\OeekTSC.exe
  C:\Windows\System\OeekTSC.exe
  2⤵
  PID:14312
- C:\Windows\System\WcYIeNG.exe
  C:\Windows\System\WcYIeNG.exe
  2⤵
  PID:12700
- C:\Windows\System\BMluelO.exe
  C:\Windows\System\BMluelO.exe
  2⤵
  PID:13392
- C:\Windows\System\BIuctTd.exe
  C:\Windows\System\BIuctTd.exe
  2⤵
  PID:13468
- C:\Windows\System\NMJdwDM.exe
  C:\Windows\System\NMJdwDM.exe
  2⤵
  PID:13544
- C:\Windows\System\TbYZUkP.exe
  C:\Windows\System\TbYZUkP.exe
  2⤵
  PID:13624
- C:\Windows\System\mvbjndS.exe
  C:\Windows\System\mvbjndS.exe
  2⤵
  PID:13660
- C:\Windows\System\RGjWovp.exe
  C:\Windows\System\RGjWovp.exe
  2⤵
  PID:13752
- C:\Windows\System\abggBbW.exe
  C:\Windows\System\abggBbW.exe
  2⤵
  PID:13792
- C:\Windows\System\QtAPOfU.exe
  C:\Windows\System\QtAPOfU.exe
  2⤵
  PID:2764
- C:\Windows\System\bwdKrSL.exe
  C:\Windows\System\bwdKrSL.exe
  2⤵
  PID:13944
- C:\Windows\System\hCBCBbb.exe
  C:\Windows\System\hCBCBbb.exe
  2⤵
  PID:13996
- C:\Windows\System\iIcAYoe.exe
  C:\Windows\System\iIcAYoe.exe
  2⤵
  PID:14060
- C:\Windows\System\WXPvkbD.exe
  C:\Windows\System\WXPvkbD.exe
  2⤵
  PID:14116
- C:\Windows\System\SiwDCZf.exe
  C:\Windows\System\SiwDCZf.exe
  2⤵
  PID:14148
- C:\Windows\System\vlZmZSd.exe
  C:\Windows\System\vlZmZSd.exe
  2⤵
  PID:14236
- C:\Windows\System\mnOIWxm.exe
  C:\Windows\System\mnOIWxm.exe
  2⤵
  PID:14256
- C:\Windows\System\YcGmvHJ.exe
  C:\Windows\System\YcGmvHJ.exe
  2⤵
  PID:14272
- C:\Windows\System\jgawvHx.exe
  C:\Windows\System\jgawvHx.exe
  2⤵
  PID:12788
- C:\Windows\System\QjqWwjN.exe
  C:\Windows\System\QjqWwjN.exe
  2⤵
  PID:13512
- C:\Windows\System\PnqYYlr.exe
  C:\Windows\System\PnqYYlr.exe
  2⤵
  PID:13708
- C:\Windows\System\cZYqGza.exe
  C:\Windows\System\cZYqGza.exe
  2⤵
  PID:13876
- C:\Windows\System\nDynzoE.exe
  C:\Windows\System\nDynzoE.exe
  2⤵
  PID:14056
- C:\Windows\System\JNbptCo.exe
  C:\Windows\System\JNbptCo.exe
  2⤵
  PID:14188
- C:\Windows\System\VocFFQz.exe
  C:\Windows\System\VocFFQz.exe
  2⤵
  PID:14300
- C:\Windows\System\FEOVUht.exe
  C:\Windows\System\FEOVUht.exe
  2⤵
  PID:13488
- C:\Windows\System\gwRFIML.exe
  C:\Windows\System\gwRFIML.exe
  2⤵
  PID:14032
- C:\Windows\System\KSShbey.exe
  C:\Windows\System\KSShbey.exe
  2⤵
  PID:13444
- C:\Windows\System\FtZkYmt.exe
  C:\Windows\System\FtZkYmt.exe
  2⤵
  PID:13496
- C:\Windows\System\zGnaWNa.exe
  C:\Windows\System\zGnaWNa.exe
  2⤵
  PID:4268
- C:\Windows\System\mmdvRpr.exe
  C:\Windows\System\mmdvRpr.exe
  2⤵
  PID:14364
- C:\Windows\System\uotkueS.exe
  C:\Windows\System\uotkueS.exe
  2⤵
  PID:14384
- C:\Windows\System\qxPAGQI.exe
  C:\Windows\System\qxPAGQI.exe
  2⤵
  PID:14432
- C:\Windows\System\SAOknHd.exe
  C:\Windows\System\SAOknHd.exe
  2⤵
  PID:14448
- C:\Windows\System\Dozqnna.exe
  C:\Windows\System\Dozqnna.exe
  2⤵
  PID:14468
- C:\Windows\System\QkEDmnA.exe
  C:\Windows\System\QkEDmnA.exe
  2⤵
  PID:14500
- C:\Windows\System\uAPkqjU.exe
  C:\Windows\System\uAPkqjU.exe
  2⤵
  PID:14532
- C:\Windows\System\bOxWUES.exe
  C:\Windows\System\bOxWUES.exe
  2⤵
  PID:14560
- C:\Windows\System\oitxjuf.exe
  C:\Windows\System\oitxjuf.exe
  2⤵
  PID:14592
- C:\Windows\System\ULJdzWz.exe
  C:\Windows\System\ULJdzWz.exe
  2⤵
  PID:14616
- C:\Windows\System\pMODEnP.exe
  C:\Windows\System\pMODEnP.exe
  2⤵
  PID:14656
- C:\Windows\System\TLnvBWE.exe
  C:\Windows\System\TLnvBWE.exe
  2⤵
  PID:14684
- C:\Windows\System\TLHiRKM.exe
  C:\Windows\System\TLHiRKM.exe
  2⤵
  PID:14712
- C:\Windows\System\qJNwxbH.exe
  C:\Windows\System\qJNwxbH.exe
  2⤵
  PID:14728
- C:\Windows\System\cxfvOYV.exe
  C:\Windows\System\cxfvOYV.exe
  2⤵
  PID:14744
- C:\Windows\System\KrCIMQZ.exe
  C:\Windows\System\KrCIMQZ.exe
  2⤵
  PID:14764
- C:\Windows\System\RBSjgyf.exe
  C:\Windows\System\RBSjgyf.exe
  2⤵
  PID:14824
- C:\Windows\System\VuTImIo.exe
  C:\Windows\System\VuTImIo.exe
  2⤵
  PID:14848
- C:\Windows\System\sWfeCsY.exe
  C:\Windows\System\sWfeCsY.exe
  2⤵
  PID:14868
- C:\Windows\System\vHVyZKC.exe
  C:\Windows\System\vHVyZKC.exe
  2⤵
  PID:14892
- C:\Windows\System\DQwtITO.exe
  C:\Windows\System\DQwtITO.exe
  2⤵
  PID:14936
- C:\Windows\System\wllgMBG.exe
  C:\Windows\System\wllgMBG.exe
  2⤵
  PID:14956
- C:\Windows\System\PpapkMu.exe
  C:\Windows\System\PpapkMu.exe
  2⤵
  PID:14992
- C:\Windows\System\JYIclgq.exe
  C:\Windows\System\JYIclgq.exe
  2⤵
  PID:15020
- C:\Windows\System\ipyiLyj.exe
  C:\Windows\System\ipyiLyj.exe
  2⤵
  PID:15048
- C:\Windows\System\jHvOnAA.exe
  C:\Windows\System\jHvOnAA.exe
  2⤵
  PID:15068
- C:\Windows\System\xOQrMWW.exe
  C:\Windows\System\xOQrMWW.exe
  2⤵
  PID:15104
- C:\Windows\System\yyFRDtm.exe
  C:\Windows\System\yyFRDtm.exe
  2⤵
  PID:15132
- C:\Windows\System\UyMUjge.exe
  C:\Windows\System\UyMUjge.exe
  2⤵
  PID:15160
- C:\Windows\System\KZKyfHe.exe
  C:\Windows\System\KZKyfHe.exe
  2⤵
  PID:15188
- C:\Windows\System\iiuwgku.exe
  C:\Windows\System\iiuwgku.exe
  2⤵
  PID:15216
- C:\Windows\System\lPNODlG.exe
  C:\Windows\System\lPNODlG.exe
  2⤵
  PID:15240
- C:\Windows\System\mKcZWIQ.exe
  C:\Windows\System\mKcZWIQ.exe
  2⤵
  PID:15272
- C:\Windows\System\ZNlZpUt.exe
  C:\Windows\System\ZNlZpUt.exe
  2⤵
  PID:15036
- C:\Windows\System\OUjGCMS.exe
  C:\Windows\System\OUjGCMS.exe
  2⤵
  PID:15124
- C:\Windows\System\RxwdDCm.exe
  C:\Windows\System\RxwdDCm.exe
  2⤵
  PID:15144
- C:\Windows\System\hfqLFwr.exe
  C:\Windows\System\hfqLFwr.exe
  2⤵
  PID:15232
- C:\Windows\System\CQqdYDm.exe
  C:\Windows\System\CQqdYDm.exe
  2⤵
  PID:11956
- C:\Windows\System\fKGvDSC.exe
  C:\Windows\System\fKGvDSC.exe
  2⤵
  PID:14428
- C:\Windows\System\teDtTIL.exe
  C:\Windows\System\teDtTIL.exe
  2⤵
  PID:9024
- C:\Windows\System\CNeKSiY.exe
  C:\Windows\System\CNeKSiY.exe
  2⤵
  PID:10348
- C:\Windows\System\wqrJket.exe
  C:\Windows\System\wqrJket.exe
  2⤵
  PID:14572
- C:\Windows\System\hzkwyGp.exe
  C:\Windows\System\hzkwyGp.exe
  2⤵
  PID:15016
- C:\Windows\System\hOaLgRf.exe
  C:\Windows\System\hOaLgRf.exe
  2⤵
  PID:4488
- C:\Windows\System\HcMnrUu.exe
  C:\Windows\System\HcMnrUu.exe
  2⤵
  PID:8912
- C:\Windows\System\GlmYCXX.exe
  C:\Windows\System\GlmYCXX.exe
  2⤵
  PID:564
- C:\Windows\System\bWWFUFW.exe
  C:\Windows\System\bWWFUFW.exe
  2⤵
  PID:752

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:15184

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EnKwYzv.exe

Filesize
2.3MB

MD5
5c11f15a8d04e32480f23d0c2df05508

SHA1
5ca7e2b210f701092731418b276e3e3074f1a9af

SHA256
7b77035348157f231dd3dc0391c5e34764f24d02977fa9c0b1c865321a19ac26

SHA512
d111e2974923f9ba220c9b56747aabb84822c7bcc56858b02c869839923b0e534b26e64ad6969a1d68fb9f25a564aa678201d2eb48f0aa1a3115737e070b4372

Download Submit
C:\Windows\System\GrPdJoT.exe

Filesize
2.3MB

MD5
17e180802dcbe6f23fd1b6bccf25dc7e

SHA1
901c122963458067410e4f5a9afbf0e67547e9c9

SHA256
6fe88dce604d3abf7bb6bff1644c3ce490387e37262021fd20496eab9c654663

SHA512
c5ee99774fc7d5d4a5245cc90fce8cb123f78595e469249e1191ad6cf5c4e3dfd4ae1ea52d46048e944308fb86ade408d7a7d13f1013a7de2f246a41fecd0cad

Download Submit
C:\Windows\System\IFPvVZB.exe

Filesize
2.3MB

MD5
696ffc9fff3a4e99feb61f14b7a2c44a

SHA1
259e35465bba8c779ff1835361342755dfbca3be

SHA256
0f1c5a399a2753b86b830303f201bc6e21aa5e01e218f5aeee64ad2cfa969d19

SHA512
9092fe22f0eeb988d1108974ddd9b1cbba3b6d487af3bf014220b125001d8b6e581140e35d91ae5f39ca3bbbf351e35744738e7ec2cbae3d7379f79f0b83e5fd

Download Submit
C:\Windows\System\IPrUkQV.exe

Filesize
2.3MB

MD5
112a352671ef7e5633eeb897bc82901b

SHA1
e13e889a20ee43a7ab718861ba2951bd8a4801a4

SHA256
75245ee0f6d7d278de58037c5d65b7c489dcb34841ec130d9a74922f5e895927

SHA512
7503afefd2f8a770e2f78a38981efc74a605d5287cd5e641be61f548df0aef6e27dc9d95dc990c97b2a74f3b1bbfa989918bb233eea388e9032dfd8ca14eb83b

Download Submit
C:\Windows\System\IkwgmAH.exe

Filesize
2.3MB

MD5
ef14de396cbbb998ef76e8e773565c1e

SHA1
c0b7d896666a367d4d4ce2b03b48e2c55dfff47d

SHA256
99e70fe329d7d9d3bd03ea0835d0d0b5679d0024282ae5b320d8bc8c2ac23917

SHA512
6c7631b44b76463112b5d645176636ba4def07f2d6349f821e56d623df41ecfca7271d4815c5cfa1b5ac4a22c68db1c1b84c523b8a0c9888090be5dcbd5f3f10

Download Submit
C:\Windows\System\Iwrukih.exe

Filesize
2.3MB

MD5
a59cea79d95f28a4e32b1f0db9d60b38

SHA1
b173f040870effcee2cb427a693ee0bcc00a7d48

SHA256
e23e00ad990562569db70df1df24fbcb0e602c327cb059ec832d248f00d4848e

SHA512
2c4ada5637d5d843277e8d235fa25d6a6ccfc0bf1242e38c37eae5cbdfd525be7438b5a77d094edd3a1a0830c2a39baf7ba097625f6ba53ccb87ff1f5f167bad

Download Submit
C:\Windows\System\JHcaENA.exe

Filesize
2.3MB

MD5
43bd7e0c051a48c50a714cb06bbccc1e

SHA1
f914b7125ce6e6330aac309ba19f78585d89c50c

SHA256
655d23703ea70d25df1af6627d2fb0a37ce7100b36a05068fefa535d1482055b

SHA512
714b07a92927450862aed10a61024dc1fb64ac825f7a413d9b786f05f022bc1a44a0dd4b3f8fe501d4a44b3b655e919bdd47907ebd2c75affbee1268dc7345de

Download Submit
C:\Windows\System\MQePvnt.exe

Filesize
2.3MB

MD5
2d596153a6847eebcdc5321877ab18f1

SHA1
77074ae824148e875b055b0573401023e4951287

SHA256
2a6c3024706fe3a1293b1479a99c88a326d4774fb08173a4482c1708f1fae371

SHA512
1988bba25cca70e5e8da71117709162dcebe5e0962aca4523d6475ed7bc2b26c43760f157fb09771c4f42bede771a00f07f4b95fd009c9e8418364beee6b5da9

Download Submit
C:\Windows\System\MYIAsqS.exe

Filesize
2.3MB

MD5
8fc1c813952d1ba02e870b09183624f8

SHA1
0a67a54cb18a1b1a3fd2e386c495de0f06e43006

SHA256
89922d6e95e5bea7831c2c3ae19728de1b52cf848d818e09de8564c660c0d7f0

SHA512
28f40e6616551e37b66bda45b4ecf493ddd1daf9ef69b5e00b8d0b6451b5c8f446b7223906df3dae5f7b12b50b5c4b2984b0a71c62e8c18810966722a31b0c05

Download Submit
C:\Windows\System\ODfkpPZ.exe

Filesize
2.3MB

MD5
c770fa02348582c91a2be865c3bbbfee

SHA1
3b8e674809ad52130b4328c201419a2921e2d70b

SHA256
4e5534d0c2a2691e7320b23969be37750c10938017a57a1591dc40704ed8b609

SHA512
9a37e020a83660eed9502191d2f3ef2431cef5e7ec36fcc7b5b5701f1eb70942a275d963d3e97dbab885a02fd453e9a1a4deae376f89b380c51cd7def3a8becd

Download Submit
C:\Windows\System\PdsaWcd.exe

Filesize
2.3MB

MD5
dd3952915b527e7f64c4fbed07c77251

SHA1
b92b7446386dbac6ccbbdf6bff263f65c1ca1765

SHA256
0cc3616047b97bbb3276ebb8818d382d1d7d8789c2370297a1722418e81badef

SHA512
be0a288c1e1ac26056c1e116891110d505a337ca60258c6dc941d1f4617bb274d78460efedc650df1a0c66957c563a3b58bae7f796d53997ebde5638fada3c55

Download Submit
C:\Windows\System\QZJrdKf.exe

Filesize
2.3MB

MD5
8463ab5422d27b03ea5964412665591b

SHA1
33993e886ffead251b05800682a17be5372fce74

SHA256
c4bd4bf84b9e994d937d648e91d83c7fc684958c597fb58c4491ef3e1e7656ee

SHA512
136b9c31316bb59418853abd22e1ee942b11b3a5d71e65e6aeb6d1add8023e4d78ce12ecc6880ee556df62432070c843cec87e21ce2600519be2a4085f4fc9d7

Download Submit
C:\Windows\System\ROARVbK.exe

Filesize
2.3MB

MD5
43de07e0e7c356cb5436803876459ffb

SHA1
050756435e66c796d6ae7b6024740cae5bbc2a8b

SHA256
f60fb7313f36ef4728b05df56be4748fea42220b5029afd406613f4815737f36

SHA512
ebed25ee560608d1a9f98e783cbea2a3ff242fc338ee72202af1cc774f5cd41c2840f28d59caea39e2d3bb5559e4ae7052c995bcb7b999987bf6fbdbe26774f9

Download Submit
C:\Windows\System\SxMEsSq.exe

Filesize
2.3MB

MD5
a4104a53e9f576a6eb8292a1fc5484eb

SHA1
7782eb45332a680dc5b538b5a302d343e1ad1017

SHA256
12ee0459e3f37c77f706d6e283635b0d62c79c2d1d48116b963abb711e052969

SHA512
bb12355b0a203b35b7fa34b9b235881a5041d3022c0b444fac9c23a360fc3363b771fbe6fbfa04e90b63430f4438beb4d7f40758bffcd7899164ab77beedfdd5

Download Submit
C:\Windows\System\TzbahmT.exe

Filesize
2.3MB

MD5
84bfb32a2bd5b4a8bafb3f7cad3b824b

SHA1
5364bbf61d9fdc3d3cb72734e99c92090587eb61

SHA256
495a92ba2b11052f6fab67765f9b087f1d38f86e105e247983aaa3521ab5f8db

SHA512
4b86b95adbffa200bc97d6e00b78801dd02933dba4673aeaa67180c6e26b767f4424dfb9e3b1cdf83c55fbb98ff2b189d221e47fee06d23cb3d8303a3f8ad9a0

Download Submit
C:\Windows\System\XgWrbiD.exe

Filesize
2.3MB

MD5
32cfdf0946a257c0fadcdba5fa785d34

SHA1
a8498bb1c8e692c9c48a723b4bd0c1eadb019752

SHA256
e28b828b11b65d489e31380b6edba6fd1a637e8d2f84cf51be03a67a0ad1c6b4

SHA512
68a1e0e2dc21a9295d21627e6f142d2e9c19722216f4c3b8f24d04c6798a290758e56c5e606322dd1268458d5d6f5588ae0a363bbd6710614628eed0599b59ef

Download Submit
C:\Windows\System\aRdplRr.exe

Filesize
2.3MB

MD5
c6633f4edd524580dd60be992309c27c

SHA1
7713d836894a1fb2531a1beef714434f99345046

SHA256
e5310f8a81135d4c92e9956528edc16e17c5b219624feff3f5dd7809aa35bdcc

SHA512
339256ee58f450c251c75818d35bc6c78611a9b038785a3a7f4a9a6f16a7ef2e5376b5efaeca45e2eb81a28cc64805446ddad7c603525598041c5e0958190ae1

Download Submit
C:\Windows\System\aacEzRF.exe

Filesize
2.3MB

MD5
e150fbc173085a030fb738f74d4c6d1d

SHA1
da01fa90e70cee19207fe90eb57cd9c8fbf0e492

SHA256
74ba4db81a235d4d0a783e5abbce1d293cd97e0ec2725aab73c4e557f48b0b94

SHA512
548a4b30914ef2fdf8220127dd1127f3223c26ee5541e941c98662004e11b3a71d2b2b79ca0ab95f35d99d2b3b41a4b1cac7d78c77298c0dea82562304c68196

Download Submit
C:\Windows\System\cLdvIUv.exe

Filesize
2.3MB

MD5
2ce1966dfd11ab0dba6ae83a475096d3

SHA1
8135fc90179379b734ee98e7ed8725740170bb3a

SHA256
ac7d1e4c2be3e1eacef9afe9b0a19989d49ae23bfec83d5497b6f8d1fcc6d0de

SHA512
e07a254ec6e01cb35d458128d10f5721159e93ad5b4ca52604040faaccff220113ef638f6a5109704acb1f5bafae4aa78239c8769d64f7a05597564d2b9f68c5

Download Submit
C:\Windows\System\eAqQyxH.exe

Filesize
2.3MB

MD5
dd07549432b5ef7901fba997cdfefd17

SHA1
b4f3e44d46e32d0340db3b01a7635927ddded983

SHA256
03165f92c770168c382ce316ee1ab6e08d8d6de95f946c133a1e057855d3da89

SHA512
ab36e8644fd3f9db2fb974444330288ee388ffae2d6d6dff66cd3130025b316cd8d88c01ca00cdb5d5fc0bc575ffcbd9056045eb039ced9793ac3cfdba10a3fe

Download Submit
C:\Windows\System\fKJOHpz.exe

Filesize
2.3MB

MD5
79393020f34fd2491de08ba5ddbb2bf9

SHA1
8c0e8a046035a3a2bddfda18ddfea797fb4c4d0a

SHA256
f71cfc84ee564bcff5b1d54bc6d2a2f6ad05e84c10ed1bd1e119b26a6fe4aece

SHA512
00d85fe2f15e7e9825fe3dc487eb21ad9e1f40fd4bb04e073f52d46dc7be65afb1096da912e469058f10b37a134309dfc538b320ce6594a4e23691b9a27a9afe

Download Submit
C:\Windows\System\fPRaIFy.exe

Filesize
2.3MB

MD5
c613820c89cc9868769a758eac71be33

SHA1
1aeb4ffaf00bb3165764868e85ff67802467b1a1

SHA256
2e5c45b2bf38a7028df3eb66b32f2a9c009b6264d1f5b6806085730eb128dd1a

SHA512
bc50eeb09910d6383733fea2a10cdf11b1cd40454610358d71b1de618afe2e37d432aec738880a34c9c78f6434024d5dad6050b7497d5fb5ed9d22f032bf014b

Download Submit
C:\Windows\System\gCWInAG.exe

Filesize
2.3MB

MD5
79c3fd1c5aad7323a5df39ab6600404f

SHA1
db287d2640a05ef7a9298b1fea8c92cf7185846c

SHA256
e72cfb142c2f05f03dd4e7725e1bd33ab18fb26ec5e8d17c0fc67a954ec321e9

SHA512
ed63f9840097bac506f4fdeb755f9f5631e2e81bd4800274daccbd1440b91fc8ebb0dc50c966a10772f8843f21a8916b09d37c70de8e1eb0a9a5fbb182eaa6de

Download Submit
C:\Windows\System\hfGepCi.exe

Filesize
2.3MB

MD5
8e11512f148e2555aa1a173afc1f0781

SHA1
2503ce31aba67dc0c1d3c221f8b02614d672836c

SHA256
13f9c3d34667cf6bf94b6262d0c8d494db7a9bd46c6437d593d2528fd155031d

SHA512
d832c9b36c09c1950de2798fe4a1f07df9e27ebb1572098283a0ccfd95ec62c184166dfdc062b57755cc0aea84fd7f57a09baba3e5e05bf8e1bb3652193e4ae3

Download Submit
C:\Windows\System\jKiygiA.exe

Filesize
2.3MB

MD5
a9f8527fa17a02875e4db14cd847b618

SHA1
b558010188496b51fef918acc42476c41fe35094

SHA256
fe75764e19de47d87a527d17654ae505eb8be341510379a1d876d316380c03c9

SHA512
6251748445ad91beb00e3417a349b20712ee1443fbf1b4742bac3ee10808e87c6cacf85633bc64598774748b54732bcf732cca99b2e738668d2413f90dbc3998

Download Submit
C:\Windows\System\lLSQxiV.exe

Filesize
2.3MB

MD5
9dc24876d4dbacf43425a0bced262410

SHA1
ac665230f4a90b20d7366f6dd12e9c2034f5b3c8

SHA256
14c8244105ed3d8eae45ea385f6d337e537074231d605cbfd9169ea2e65f36e0

SHA512
4384cbcd18b6f3997f21154c6cab1a7bad465c4ec8802890156dffdd515f8cd3cad80edeacfd04b42ca6b40256ed2259f7f6f091a18cde54623d5a1496bbc9fd

Download Submit
C:\Windows\System\lReQgZv.exe

Filesize
2.3MB

MD5
914121f07a45ee5b2fbdc508ee65372b

SHA1
362388f8c98b64e41f445f8a3a66ba8541533053

SHA256
298dca6e4eb16b7d28635df9d24053cfd4c6192628427a27c673712532e7dcfa

SHA512
81c5ebfa46acfc0583133d880cb5e7f2a850a6f91b486f40987cd2dc6e1608c644e759254cb18bae4d73d25f8022885aa781421184b82805abd5c25944b3c45e

Download Submit
C:\Windows\System\nVDmQyy.exe

Filesize
2.3MB

MD5
bf6ea8fe61fd7f8faad5c3263e549601

SHA1
770f7bb3af22e59ae31cc426c057b3c51b5421b0

SHA256
3b5bf19aa76404591175c17b8ad263bdecbd7f0802d83dab5cf32e261bd272d3

SHA512
922c310e654704021e7658cf5e50cbd1a92fe3e030a5418a500f05a48016515079244860ff6eae45b8edffef9df6badda2f217a5b38203b1e26d1e679239a4d2

Download Submit
C:\Windows\System\nafUvpl.exe

Filesize
2.3MB

MD5
22bf0ff650d49072e44185b4a51d5a23

SHA1
9d80381dda9ad21e46df1b31cbefe52a3a2f368e

SHA256
35eeee8920e4a91a8213e27c8cfbf395c920eec896d1af364a0ddd676d35569d

SHA512
e814d73072b26d472c1f28d6a537f1d2ece545a4638adf2bfb0f8c61875f04cf11fec51b350c6a6e5485395e6545d88627a7e0f9c85ee0506bd590e57277bfbf

Download Submit
C:\Windows\System\oXsuLvi.exe

Filesize
2.3MB

MD5
9deeebbbec933cbc9e1539a633979466

SHA1
5a51a0a8823d1be0ec6a0a882792337083af24c7

SHA256
0d497c9d1c1f7d3b38e2bdf4c3bfe4353fe222bf4e591f285c1e82c10f0f2281

SHA512
f073dbeae4af3a0d4debb088b48fd4d703abeb431879d6bf802734c3155864be537fda058ea035af6ed5320cbc41e5040a98781276c91cbb137f6db9b5129281

Download Submit
C:\Windows\System\vcwhJQM.exe

Filesize
2.3MB

MD5
102a33ebf33a10d9f9c86b463bde2022

SHA1
3aab8ff17289bc0c20f6bba85d1994a2e8545cd2

SHA256
34949eed84ef9c50d0a6a53854745157992a637673402e5fc11b2709bd34dd58

SHA512
0159cedc65ec6f6164a6e7e7b4baf1ee86c0274b18df3e40bbb012642522ce01f16281e8503deb9498fd56bdb836c5c462483421216be5551b12feb053ba73bf

Download Submit
C:\Windows\System\wkLlxDn.exe

Filesize
2.3MB

MD5
87cf2f86cea37e60d73d750fde6bd78e

SHA1
eda1b53a36a54868f3a06540caff1f244ef66631

SHA256
fdf297be4e4e30a02e179ed641aefc449dda9fff4025eb521f4e9412a5b1a14e

SHA512
b9c4a315ded0c4e296f7742ea8231f9ea140ad384eb04c130e73bb0caa8dda3cd8f1a0b37b66eb5b6c3283fe4d554d6b2fb45a136519fa6274216a93e9b72364

Download Submit
C:\Windows\System\xtpMlch.exe

Filesize
2.3MB

MD5
3f611e13413bf326e767afc30db2b6f0

SHA1
258ae2b2e03fdef4e8048f5012c40c1f9e555b96

SHA256
00d14766116266b2a34ad0bbb0e72d551ebd01436387ff86d967396640a75f1c

SHA512
9ee5c20a845c6d01fd78c1f83b0166fbc236a6760e0060213a8bde3e3eb86c046ebcd70d4fc0b510fd2913ac5df759d2ca1b7b4170a26ddc5aaf1e53f9c0d7ae

Download Submit
C:\Windows\System\yYXqCzG.exe

Filesize
2.3MB

MD5
36077b673a3376306e641cfffdbd529b

SHA1
52540d289ebdc104c356256020240956cf587700

SHA256
19b7e96a0e188ea8154885dd70c52d7b15a3deac04e9ed48fce919d82bfa7893

SHA512
069e2958823345517ca3685cac6dda718af33d36ccd23db8f36f165ae2f489d04acfe29b58f1a8074f86f76e71ae98230034fe1801963eacca14e9e660396539

Download Submit
memory/448-94-0x00007FF79BD90000-0x00007FF79C0E4000-memory.dmp

Filesize
3.3MB

Download
memory/448-2364-0x00007FF79BD90000-0x00007FF79C0E4000-memory.dmp

Filesize
3.3MB

Download
memory/1056-2361-0x00007FF676B90000-0x00007FF676EE4000-memory.dmp

Filesize
3.3MB

Download
memory/1056-51-0x00007FF676B90000-0x00007FF676EE4000-memory.dmp

Filesize
3.3MB

Download
memory/1056-138-0x00007FF676B90000-0x00007FF676EE4000-memory.dmp

Filesize
3.3MB

Download
memory/1104-2372-0x00007FF67E620000-0x00007FF67E974000-memory.dmp

Filesize
3.3MB

Download
memory/1104-143-0x00007FF67E620000-0x00007FF67E974000-memory.dmp

Filesize
3.3MB

Download
memory/1184-13-0x00007FF79C140000-0x00007FF79C494000-memory.dmp

Filesize
3.3MB

Download
memory/1184-107-0x00007FF79C140000-0x00007FF79C494000-memory.dmp

Filesize
3.3MB

Download
memory/1184-2355-0x00007FF79C140000-0x00007FF79C494000-memory.dmp

Filesize
3.3MB

Download
memory/1344-2367-0x00007FF70F650000-0x00007FF70F9A4000-memory.dmp

Filesize
3.3MB

Download
memory/1344-2192-0x00007FF70F650000-0x00007FF70F9A4000-memory.dmp

Filesize
3.3MB

Download
memory/1344-111-0x00007FF70F650000-0x00007FF70F9A4000-memory.dmp

Filesize
3.3MB

Download
memory/1392-2373-0x00007FF760880000-0x00007FF760BD4000-memory.dmp

Filesize
3.3MB

Download
memory/1392-2350-0x00007FF760880000-0x00007FF760BD4000-memory.dmp

Filesize
3.3MB

Download
memory/1392-123-0x00007FF760880000-0x00007FF760BD4000-memory.dmp

Filesize
3.3MB

Download
memory/1712-2356-0x00007FF7B64B0000-0x00007FF7B6804000-memory.dmp

Filesize
3.3MB

Download
memory/1712-44-0x00007FF7B64B0000-0x00007FF7B6804000-memory.dmp

Filesize
3.3MB

Download
memory/1744-2369-0x00007FF75B7A0000-0x00007FF75BAF4000-memory.dmp

Filesize
3.3MB

Download
memory/1744-110-0x00007FF75B7A0000-0x00007FF75BAF4000-memory.dmp

Filesize
3.3MB

Download
memory/2036-2365-0x00007FF79E2E0000-0x00007FF79E634000-memory.dmp

Filesize
3.3MB

Download
memory/2036-75-0x00007FF79E2E0000-0x00007FF79E634000-memory.dmp

Filesize
3.3MB

Download
memory/2036-919-0x00007FF79E2E0000-0x00007FF79E634000-memory.dmp

Filesize
3.3MB

Download
memory/2252-2375-0x00007FF7750F0000-0x00007FF775444000-memory.dmp

Filesize
3.3MB

Download
memory/2252-194-0x00007FF7750F0000-0x00007FF775444000-memory.dmp

Filesize
3.3MB

Download
memory/2292-195-0x00007FF7602D0000-0x00007FF760624000-memory.dmp

Filesize
3.3MB

Download
memory/2292-2377-0x00007FF7602D0000-0x00007FF760624000-memory.dmp

Filesize
3.3MB

Download
memory/2344-22-0x00007FF6B7150000-0x00007FF6B74A4000-memory.dmp

Filesize
3.3MB

Download
memory/2344-2354-0x00007FF6B7150000-0x00007FF6B74A4000-memory.dmp

Filesize
3.3MB

Download
memory/2584-117-0x00007FF6EEA60000-0x00007FF6EEDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2584-2366-0x00007FF6EEA60000-0x00007FF6EEDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2760-114-0x00007FF61E3A0000-0x00007FF61E6F4000-memory.dmp

Filesize
3.3MB

Download
memory/2760-2371-0x00007FF61E3A0000-0x00007FF61E6F4000-memory.dmp

Filesize
3.3MB

Download
memory/2760-2193-0x00007FF61E3A0000-0x00007FF61E6F4000-memory.dmp

Filesize
3.3MB

Download
memory/3044-0-0x00007FF696540000-0x00007FF696894000-memory.dmp

Filesize
3.3MB

Download
memory/3044-104-0x00007FF696540000-0x00007FF696894000-memory.dmp

Filesize
3.3MB

Download
memory/3044-1-0x000002A962F70000-0x000002A962F80000-memory.dmp

Filesize
64KB

Download
memory/3132-87-0x00007FF607540000-0x00007FF607894000-memory.dmp

Filesize
3.3MB

Download
memory/3132-2370-0x00007FF607540000-0x00007FF607894000-memory.dmp

Filesize
3.3MB

Download
memory/3132-1349-0x00007FF607540000-0x00007FF607894000-memory.dmp

Filesize
3.3MB

Download
memory/3376-198-0x00007FF6891C0000-0x00007FF689514000-memory.dmp

Filesize
3.3MB

Download
memory/3376-2378-0x00007FF6891C0000-0x00007FF689514000-memory.dmp

Filesize
3.3MB

Download
memory/3520-2353-0x00007FF6479A0000-0x00007FF647CF4000-memory.dmp

Filesize
3.3MB

Download
memory/3520-21-0x00007FF6479A0000-0x00007FF647CF4000-memory.dmp

Filesize
3.3MB

Download
memory/3524-2363-0x00007FF7BA930000-0x00007FF7BAC84000-memory.dmp

Filesize
3.3MB

Download
memory/3524-84-0x00007FF7BA930000-0x00007FF7BAC84000-memory.dmp

Filesize
3.3MB

Download
memory/3700-2380-0x00007FF65D5D0000-0x00007FF65D924000-memory.dmp

Filesize
3.3MB

Download
memory/3700-200-0x00007FF65D5D0000-0x00007FF65D924000-memory.dmp

Filesize
3.3MB

Download
memory/3708-43-0x00007FF797D60000-0x00007FF7980B4000-memory.dmp

Filesize
3.3MB

Download
memory/3708-2357-0x00007FF797D60000-0x00007FF7980B4000-memory.dmp

Filesize
3.3MB

Download
memory/3868-2381-0x00007FF6A32B0000-0x00007FF6A3604000-memory.dmp

Filesize
3.3MB

Download
memory/3868-199-0x00007FF6A32B0000-0x00007FF6A3604000-memory.dmp

Filesize
3.3MB

Download
memory/4136-52-0x00007FF690B40000-0x00007FF690E94000-memory.dmp

Filesize
3.3MB

Download
memory/4136-587-0x00007FF690B40000-0x00007FF690E94000-memory.dmp

Filesize
3.3MB

Download
memory/4136-2359-0x00007FF690B40000-0x00007FF690E94000-memory.dmp

Filesize
3.3MB

Download
memory/4280-164-0x00007FF62FC60000-0x00007FF62FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/4280-45-0x00007FF62FC60000-0x00007FF62FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/4280-2360-0x00007FF62FC60000-0x00007FF62FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/4372-146-0x00007FF744200000-0x00007FF744554000-memory.dmp

Filesize
3.3MB

Download
memory/4372-2376-0x00007FF744200000-0x00007FF744554000-memory.dmp

Filesize
3.3MB

Download
memory/4372-2351-0x00007FF744200000-0x00007FF744554000-memory.dmp

Filesize
3.3MB

Download
memory/4472-62-0x00007FF79CA80000-0x00007FF79CDD4000-memory.dmp

Filesize
3.3MB

Download
memory/4472-916-0x00007FF79CA80000-0x00007FF79CDD4000-memory.dmp

Filesize
3.3MB

Download
memory/4472-2362-0x00007FF79CA80000-0x00007FF79CDD4000-memory.dmp

Filesize
3.3MB

Download
memory/4540-36-0x00007FF71B600000-0x00007FF71B954000-memory.dmp

Filesize
3.3MB

Download
memory/4540-2358-0x00007FF71B600000-0x00007FF71B954000-memory.dmp

Filesize
3.3MB

Download
memory/4624-162-0x00007FF6F0650000-0x00007FF6F09A4000-memory.dmp

Filesize
3.3MB

Download
memory/4624-2374-0x00007FF6F0650000-0x00007FF6F09A4000-memory.dmp

Filesize
3.3MB

Download
memory/4624-2352-0x00007FF6F0650000-0x00007FF6F09A4000-memory.dmp

Filesize
3.3MB

Download
memory/4872-197-0x00007FF79B900000-0x00007FF79BC54000-memory.dmp

Filesize
3.3MB

Download
memory/4872-2379-0x00007FF79B900000-0x00007FF79BC54000-memory.dmp

Filesize
3.3MB

Download
memory/4888-100-0x00007FF686780000-0x00007FF686AD4000-memory.dmp

Filesize
3.3MB

Download
memory/4888-2368-0x00007FF686780000-0x00007FF686AD4000-memory.dmp

Filesize
3.3MB

Download
memory/4888-1354-0x00007FF686780000-0x00007FF686AD4000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads