xmrig | 93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
Size

2.8MB
MD5

695e2e1dd27ea9ff8083752c110f2ee8
SHA1

252d93770e36c38e1ce6ec6e9652914f9a15bd00
SHA256

93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468
SHA512

805b42b4f378c1fbb1762c56ebee2278538fcc415bf38c4db75d7238b6d4010a636cf498a08c43307b1e276908cab043db526cd0b52de87f4478497ed7a35fc2
SSDEEP

49152:S1G1NtyBwTI3ySZbrkXV1etEKLlWUTOfeiRA2R76zHrWax9hMkHC0IEFToflErS:S1ONtyBeSFkXV1etEKLlWUTOfeiRA2RT

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects executables containing URLs to raw contents of a Github gist 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2424-0-0x00007FF756AB0000-0x00007FF756EA6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\egsDKbJ.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\VkZfFDK.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\DytsZrc.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\DvjPTqV.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\kIjJfpo.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3448-68-0x00007FF68AEE0000-0x00007FF68B2D6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\XqLvGXa.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\RaApCni.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4928-89-0x00007FF6EF100000-0x00007FF6EF4F6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2432-92-0x00007FF7A33E0000-0x00007FF7A37D6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3160-93-0x00007FF615190000-0x00007FF615586000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1432-91-0x00007FF602650000-0x00007FF602A46000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4564-90-0x00007FF779B50000-0x00007FF779F46000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2604-85-0x00007FF77C5B0000-0x00007FF77C9A6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1072-80-0x00007FF6C0370000-0x00007FF6C0766000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4912-77-0x00007FF67CC20000-0x00007FF67D016000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\aEbyxbc.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\kHEQUld.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\YLchyPY.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2788-61-0x00007FF722BA0000-0x00007FF722F96000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2040-55-0x00007FF717000000-0x00007FF7173F6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2972-49-0x00007FF788C60000-0x00007FF789056000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3412-45-0x00007FF738C00000-0x00007FF738FF6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\jkFvQJt.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\zUirCvd.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\astLpiU.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\HBwYzHP.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/640-119-0x00007FF7794F0000-0x00007FF7798E6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\eOnTnCu.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3524-143-0x00007FF72ABD0000-0x00007FF72AFC6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\DsjIVhy.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\FbbsOgK.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\IXVTDDT.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\nLfVDhl.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\qRCVWqh.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1876-170-0x00007FF6D3880000-0x00007FF6D3C76000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1660-169-0x00007FF66ED10000-0x00007FF66F106000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4620-167-0x00007FF7D7220000-0x00007FF7D7616000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\zbMItyJ.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\MlQBKQy.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\mWhloCu.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\wdHwIOq.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\uZuqROm.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\NbrxIat.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\gEYZgPD.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2764-160-0x00007FF667D40000-0x00007FF668136000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/876-152-0x00007FF614B00000-0x00007FF614EF6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/492-144-0x00007FF60B9F0000-0x00007FF60BDE6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1696-132-0x00007FF78DE60000-0x00007FF78E256000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\ZCVMYJG.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\AwoxGAm.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\PmFWZhH.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\vOPjjEZ.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\jdLSczy.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4204-112-0x00007FF7E2870000-0x00007FF7E2C66000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4848-108-0x00007FF72BC20000-0x00007FF72C016000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
C:\Windows\System\PvuAXVv.exe	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2424-1437-0x00007FF756AB0000-0x00007FF756EA6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1696-2571-0x00007FF78DE60000-0x00007FF78E256000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4912-5282-0x00007FF67CC20000-0x00007FF67D016000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2432-5334-0x00007FF7A33E0000-0x00007FF7A37D6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3160-5337-0x00007FF615190000-0x00007FF615586000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3524-5812-0x00007FF72ABD0000-0x00007FF72AFC6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2424-0-0x00007FF756AB0000-0x00007FF756EA6000-memory.dmp	UPX
C:\Windows\System\egsDKbJ.exe	UPX
C:\Windows\System\VkZfFDK.exe	UPX
C:\Windows\System\DytsZrc.exe	UPX
C:\Windows\System\DvjPTqV.exe	UPX
C:\Windows\System\kIjJfpo.exe	UPX
behavioral2/memory/3448-68-0x00007FF68AEE0000-0x00007FF68B2D6000-memory.dmp	UPX
C:\Windows\System\XqLvGXa.exe	UPX
C:\Windows\System\RaApCni.exe	UPX
behavioral2/memory/4928-89-0x00007FF6EF100000-0x00007FF6EF4F6000-memory.dmp	UPX
behavioral2/memory/2432-92-0x00007FF7A33E0000-0x00007FF7A37D6000-memory.dmp	UPX
behavioral2/memory/3160-93-0x00007FF615190000-0x00007FF615586000-memory.dmp	UPX
behavioral2/memory/1432-91-0x00007FF602650000-0x00007FF602A46000-memory.dmp	UPX
behavioral2/memory/4564-90-0x00007FF779B50000-0x00007FF779F46000-memory.dmp	UPX
behavioral2/memory/2604-85-0x00007FF77C5B0000-0x00007FF77C9A6000-memory.dmp	UPX
behavioral2/memory/1072-80-0x00007FF6C0370000-0x00007FF6C0766000-memory.dmp	UPX
behavioral2/memory/4912-77-0x00007FF67CC20000-0x00007FF67D016000-memory.dmp	UPX
C:\Windows\System\aEbyxbc.exe	UPX
C:\Windows\System\kHEQUld.exe	UPX
C:\Windows\System\YLchyPY.exe	UPX
behavioral2/memory/2788-61-0x00007FF722BA0000-0x00007FF722F96000-memory.dmp	UPX
behavioral2/memory/2040-55-0x00007FF717000000-0x00007FF7173F6000-memory.dmp	UPX
behavioral2/memory/2972-49-0x00007FF788C60000-0x00007FF789056000-memory.dmp	UPX
behavioral2/memory/3412-45-0x00007FF738C00000-0x00007FF738FF6000-memory.dmp	UPX
C:\Windows\System\jkFvQJt.exe	UPX
C:\Windows\System\zUirCvd.exe	UPX
C:\Windows\System\astLpiU.exe	UPX
C:\Windows\System\HBwYzHP.exe	UPX
behavioral2/memory/640-119-0x00007FF7794F0000-0x00007FF7798E6000-memory.dmp	UPX
C:\Windows\System\eOnTnCu.exe	UPX
behavioral2/memory/3524-143-0x00007FF72ABD0000-0x00007FF72AFC6000-memory.dmp	UPX
C:\Windows\System\DsjIVhy.exe	UPX
C:\Windows\System\FbbsOgK.exe	UPX
C:\Windows\System\IXVTDDT.exe	UPX
C:\Windows\System\nLfVDhl.exe	UPX
C:\Windows\System\qRCVWqh.exe	UPX
behavioral2/memory/1876-170-0x00007FF6D3880000-0x00007FF6D3C76000-memory.dmp	UPX
behavioral2/memory/1660-169-0x00007FF66ED10000-0x00007FF66F106000-memory.dmp	UPX
behavioral2/memory/4620-167-0x00007FF7D7220000-0x00007FF7D7616000-memory.dmp	UPX
C:\Windows\System\zbMItyJ.exe	UPX
C:\Windows\System\MlQBKQy.exe	UPX
C:\Windows\System\mWhloCu.exe	UPX
C:\Windows\System\wdHwIOq.exe	UPX
C:\Windows\System\uZuqROm.exe	UPX
C:\Windows\System\NbrxIat.exe	UPX
C:\Windows\System\gEYZgPD.exe	UPX
behavioral2/memory/2764-160-0x00007FF667D40000-0x00007FF668136000-memory.dmp	UPX
behavioral2/memory/876-152-0x00007FF614B00000-0x00007FF614EF6000-memory.dmp	UPX
behavioral2/memory/492-144-0x00007FF60B9F0000-0x00007FF60BDE6000-memory.dmp	UPX
behavioral2/memory/1696-132-0x00007FF78DE60000-0x00007FF78E256000-memory.dmp	UPX
C:\Windows\System\ZCVMYJG.exe	UPX
C:\Windows\System\AwoxGAm.exe	UPX
C:\Windows\System\PmFWZhH.exe	UPX
C:\Windows\System\vOPjjEZ.exe	UPX
C:\Windows\System\jdLSczy.exe	UPX
behavioral2/memory/4204-112-0x00007FF7E2870000-0x00007FF7E2C66000-memory.dmp	UPX
behavioral2/memory/4848-108-0x00007FF72BC20000-0x00007FF72C016000-memory.dmp	UPX
C:\Windows\System\PvuAXVv.exe	UPX
behavioral2/memory/2424-1437-0x00007FF756AB0000-0x00007FF756EA6000-memory.dmp	UPX
behavioral2/memory/1696-2571-0x00007FF78DE60000-0x00007FF78E256000-memory.dmp	UPX
behavioral2/memory/4912-5282-0x00007FF67CC20000-0x00007FF67D016000-memory.dmp	UPX
behavioral2/memory/2432-5334-0x00007FF7A33E0000-0x00007FF7A37D6000-memory.dmp	UPX
behavioral2/memory/3160-5337-0x00007FF615190000-0x00007FF615586000-memory.dmp	UPX
behavioral2/memory/3524-5812-0x00007FF72ABD0000-0x00007FF72AFC6000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2424-0-0x00007FF756AB0000-0x00007FF756EA6000-memory.dmp	xmrig
C:\Windows\System\egsDKbJ.exe	xmrig
C:\Windows\System\VkZfFDK.exe	xmrig
C:\Windows\System\DytsZrc.exe	xmrig
C:\Windows\System\DvjPTqV.exe	xmrig
C:\Windows\System\kIjJfpo.exe	xmrig
behavioral2/memory/3448-68-0x00007FF68AEE0000-0x00007FF68B2D6000-memory.dmp	xmrig
C:\Windows\System\XqLvGXa.exe	xmrig
C:\Windows\System\RaApCni.exe	xmrig
behavioral2/memory/4928-89-0x00007FF6EF100000-0x00007FF6EF4F6000-memory.dmp	xmrig
behavioral2/memory/2432-92-0x00007FF7A33E0000-0x00007FF7A37D6000-memory.dmp	xmrig
behavioral2/memory/3160-93-0x00007FF615190000-0x00007FF615586000-memory.dmp	xmrig
behavioral2/memory/1432-91-0x00007FF602650000-0x00007FF602A46000-memory.dmp	xmrig
behavioral2/memory/4564-90-0x00007FF779B50000-0x00007FF779F46000-memory.dmp	xmrig
behavioral2/memory/2604-85-0x00007FF77C5B0000-0x00007FF77C9A6000-memory.dmp	xmrig
behavioral2/memory/1072-80-0x00007FF6C0370000-0x00007FF6C0766000-memory.dmp	xmrig
behavioral2/memory/4912-77-0x00007FF67CC20000-0x00007FF67D016000-memory.dmp	xmrig
C:\Windows\System\aEbyxbc.exe	xmrig
C:\Windows\System\kHEQUld.exe	xmrig
C:\Windows\System\YLchyPY.exe	xmrig
behavioral2/memory/2788-61-0x00007FF722BA0000-0x00007FF722F96000-memory.dmp	xmrig
behavioral2/memory/2040-55-0x00007FF717000000-0x00007FF7173F6000-memory.dmp	xmrig
behavioral2/memory/2972-49-0x00007FF788C60000-0x00007FF789056000-memory.dmp	xmrig
behavioral2/memory/3412-45-0x00007FF738C00000-0x00007FF738FF6000-memory.dmp	xmrig
C:\Windows\System\jkFvQJt.exe	xmrig
C:\Windows\System\zUirCvd.exe	xmrig
C:\Windows\System\astLpiU.exe	xmrig
C:\Windows\System\HBwYzHP.exe	xmrig
behavioral2/memory/640-119-0x00007FF7794F0000-0x00007FF7798E6000-memory.dmp	xmrig
C:\Windows\System\eOnTnCu.exe	xmrig
behavioral2/memory/3524-143-0x00007FF72ABD0000-0x00007FF72AFC6000-memory.dmp	xmrig
C:\Windows\System\DsjIVhy.exe	xmrig
C:\Windows\System\FbbsOgK.exe	xmrig
C:\Windows\System\IXVTDDT.exe	xmrig
C:\Windows\System\nLfVDhl.exe	xmrig
C:\Windows\System\qRCVWqh.exe	xmrig
behavioral2/memory/1876-170-0x00007FF6D3880000-0x00007FF6D3C76000-memory.dmp	xmrig
behavioral2/memory/1660-169-0x00007FF66ED10000-0x00007FF66F106000-memory.dmp	xmrig
behavioral2/memory/4620-167-0x00007FF7D7220000-0x00007FF7D7616000-memory.dmp	xmrig
C:\Windows\System\zbMItyJ.exe	xmrig
C:\Windows\System\MlQBKQy.exe	xmrig
C:\Windows\System\mWhloCu.exe	xmrig
C:\Windows\System\wdHwIOq.exe	xmrig
C:\Windows\System\uZuqROm.exe	xmrig
C:\Windows\System\NbrxIat.exe	xmrig
C:\Windows\System\gEYZgPD.exe	xmrig
behavioral2/memory/2764-160-0x00007FF667D40000-0x00007FF668136000-memory.dmp	xmrig
behavioral2/memory/876-152-0x00007FF614B00000-0x00007FF614EF6000-memory.dmp	xmrig
behavioral2/memory/492-144-0x00007FF60B9F0000-0x00007FF60BDE6000-memory.dmp	xmrig
behavioral2/memory/1696-132-0x00007FF78DE60000-0x00007FF78E256000-memory.dmp	xmrig
C:\Windows\System\ZCVMYJG.exe	xmrig
C:\Windows\System\AwoxGAm.exe	xmrig
C:\Windows\System\PmFWZhH.exe	xmrig
C:\Windows\System\vOPjjEZ.exe	xmrig
C:\Windows\System\jdLSczy.exe	xmrig
behavioral2/memory/4204-112-0x00007FF7E2870000-0x00007FF7E2C66000-memory.dmp	xmrig
behavioral2/memory/4848-108-0x00007FF72BC20000-0x00007FF72C016000-memory.dmp	xmrig
C:\Windows\System\PvuAXVv.exe	xmrig
behavioral2/memory/2424-1437-0x00007FF756AB0000-0x00007FF756EA6000-memory.dmp	xmrig
behavioral2/memory/1696-2571-0x00007FF78DE60000-0x00007FF78E256000-memory.dmp	xmrig
behavioral2/memory/4912-5282-0x00007FF67CC20000-0x00007FF67D016000-memory.dmp	xmrig
behavioral2/memory/2432-5334-0x00007FF7A33E0000-0x00007FF7A37D6000-memory.dmp	xmrig
behavioral2/memory/3160-5337-0x00007FF615190000-0x00007FF615586000-memory.dmp	xmrig
behavioral2/memory/3524-5812-0x00007FF72ABD0000-0x00007FF72AFC6000-memory.dmp	xmrig

Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

4 5056 powershell.exe
7 5056 powershell.exe
15 5056 powershell.exe
16 5056 powershell.exe
18 5056 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

5056 powershell.exe

flow	pid	process
4	5056	powershell.exe
7	5056	powershell.exe
15	5056	powershell.exe
16	5056	powershell.exe
18	5056	powershell.exe

pid	process
5056	powershell.exe

Executes dropped EXE 64 IoCs

Processes:

egsDKbJ.exeastLpiU.exezUirCvd.exeVkZfFDK.exejkFvQJt.exeDytsZrc.exeDvjPTqV.exeYLchyPY.exekIjJfpo.exekHEQUld.exeaEbyxbc.exeXqLvGXa.exeRaApCni.exePvuAXVv.exeHBwYzHP.exeZCVMYJG.exejdLSczy.exevOPjjEZ.exeAwoxGAm.exePmFWZhH.exeDsjIVhy.exeeOnTnCu.exezbMItyJ.exeMlQBKQy.exeIXVTDDT.exeFbbsOgK.exeqRCVWqh.exenLfVDhl.exemWhloCu.exegEYZgPD.exeuZuqROm.exeNbrxIat.exewdHwIOq.exewikCwDx.exepwAuKiY.exeuuutHdE.exeqltWUmC.exeGkTffSL.exeIMqHSfE.exeVLjaELH.exeegUCHtn.exeZfXzrZU.exezVpCPTz.exeluWfMeA.exepmAagTw.execIYPehm.exeizIaTMP.exeGOmIqae.exerjiKXNl.exegrbENAX.exeCcCTpPn.exenqRmlrG.exeBXoKiYG.exedtIDPLU.exeCyVNUCq.exeDLWyxrH.exeKqdbywi.exehTFRZVc.exeeKXzuET.exeJOtsMNt.exegsDDvFT.exezmzZDOH.exeJUhIzBt.exekVabDXR.exe

pid	process
3412	egsDKbJ.exe
2972	astLpiU.exe
2040	zUirCvd.exe
2788	VkZfFDK.exe
3448	jkFvQJt.exe
4912	DytsZrc.exe
4928	DvjPTqV.exe
1072	YLchyPY.exe
4564	kIjJfpo.exe
1432	kHEQUld.exe
2604	aEbyxbc.exe
2432	XqLvGXa.exe
3160	RaApCni.exe
4848	PvuAXVv.exe
4204	HBwYzHP.exe
876	ZCVMYJG.exe
640	jdLSczy.exe
1696	vOPjjEZ.exe
2764	AwoxGAm.exe
3524	PmFWZhH.exe
4620	DsjIVhy.exe
492	eOnTnCu.exe
1660	zbMItyJ.exe
1876	MlQBKQy.exe
3568	IXVTDDT.exe
2440	FbbsOgK.exe
1420	qRCVWqh.exe
208	nLfVDhl.exe
3128	mWhloCu.exe
2400	gEYZgPD.exe
4380	uZuqROm.exe
1532	NbrxIat.exe
2544	wdHwIOq.exe
1252	wikCwDx.exe
4328	pwAuKiY.exe
2028	uuutHdE.exe
2192	qltWUmC.exe
1924	GkTffSL.exe
4960	IMqHSfE.exe
2112	VLjaELH.exe
5024	egUCHtn.exe
760	ZfXzrZU.exe
4884	zVpCPTz.exe
4664	luWfMeA.exe
1224	pmAagTw.exe
4920	cIYPehm.exe
4792	izIaTMP.exe
812	GOmIqae.exe
4648	rjiKXNl.exe
2988	grbENAX.exe
3444	CcCTpPn.exe
4636	nqRmlrG.exe
1792	BXoKiYG.exe
2168	dtIDPLU.exe
3592	CyVNUCq.exe
4452	DLWyxrH.exe
4544	Kqdbywi.exe
4240	hTFRZVc.exe
1376	eKXzuET.exe
636	JOtsMNt.exe
3952	gsDDvFT.exe
1508	zmzZDOH.exe
1796	JUhIzBt.exe
3392	kVabDXR.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2424-0-0x00007FF756AB0000-0x00007FF756EA6000-memory.dmp	upx
C:\Windows\System\egsDKbJ.exe	upx
C:\Windows\System\VkZfFDK.exe	upx
C:\Windows\System\DytsZrc.exe	upx
C:\Windows\System\DvjPTqV.exe	upx
C:\Windows\System\kIjJfpo.exe	upx
behavioral2/memory/3448-68-0x00007FF68AEE0000-0x00007FF68B2D6000-memory.dmp	upx
C:\Windows\System\XqLvGXa.exe	upx
C:\Windows\System\RaApCni.exe	upx
behavioral2/memory/4928-89-0x00007FF6EF100000-0x00007FF6EF4F6000-memory.dmp	upx
behavioral2/memory/2432-92-0x00007FF7A33E0000-0x00007FF7A37D6000-memory.dmp	upx
behavioral2/memory/3160-93-0x00007FF615190000-0x00007FF615586000-memory.dmp	upx
behavioral2/memory/1432-91-0x00007FF602650000-0x00007FF602A46000-memory.dmp	upx
behavioral2/memory/4564-90-0x00007FF779B50000-0x00007FF779F46000-memory.dmp	upx
behavioral2/memory/2604-85-0x00007FF77C5B0000-0x00007FF77C9A6000-memory.dmp	upx
behavioral2/memory/1072-80-0x00007FF6C0370000-0x00007FF6C0766000-memory.dmp	upx
behavioral2/memory/4912-77-0x00007FF67CC20000-0x00007FF67D016000-memory.dmp	upx
C:\Windows\System\aEbyxbc.exe	upx
C:\Windows\System\kHEQUld.exe	upx
C:\Windows\System\YLchyPY.exe	upx
behavioral2/memory/2788-61-0x00007FF722BA0000-0x00007FF722F96000-memory.dmp	upx
behavioral2/memory/2040-55-0x00007FF717000000-0x00007FF7173F6000-memory.dmp	upx
behavioral2/memory/2972-49-0x00007FF788C60000-0x00007FF789056000-memory.dmp	upx
behavioral2/memory/3412-45-0x00007FF738C00000-0x00007FF738FF6000-memory.dmp	upx
C:\Windows\System\jkFvQJt.exe	upx
C:\Windows\System\zUirCvd.exe	upx
C:\Windows\System\astLpiU.exe	upx
C:\Windows\System\HBwYzHP.exe	upx
behavioral2/memory/640-119-0x00007FF7794F0000-0x00007FF7798E6000-memory.dmp	upx
C:\Windows\System\eOnTnCu.exe	upx
behavioral2/memory/3524-143-0x00007FF72ABD0000-0x00007FF72AFC6000-memory.dmp	upx
C:\Windows\System\DsjIVhy.exe	upx
C:\Windows\System\FbbsOgK.exe	upx
C:\Windows\System\IXVTDDT.exe	upx
C:\Windows\System\nLfVDhl.exe	upx
C:\Windows\System\qRCVWqh.exe	upx
behavioral2/memory/1876-170-0x00007FF6D3880000-0x00007FF6D3C76000-memory.dmp	upx
behavioral2/memory/1660-169-0x00007FF66ED10000-0x00007FF66F106000-memory.dmp	upx
behavioral2/memory/4620-167-0x00007FF7D7220000-0x00007FF7D7616000-memory.dmp	upx
C:\Windows\System\zbMItyJ.exe	upx
C:\Windows\System\MlQBKQy.exe	upx
C:\Windows\System\mWhloCu.exe	upx
C:\Windows\System\wdHwIOq.exe	upx
C:\Windows\System\uZuqROm.exe	upx
C:\Windows\System\NbrxIat.exe	upx
C:\Windows\System\gEYZgPD.exe	upx
behavioral2/memory/2764-160-0x00007FF667D40000-0x00007FF668136000-memory.dmp	upx
behavioral2/memory/876-152-0x00007FF614B00000-0x00007FF614EF6000-memory.dmp	upx
behavioral2/memory/492-144-0x00007FF60B9F0000-0x00007FF60BDE6000-memory.dmp	upx
behavioral2/memory/1696-132-0x00007FF78DE60000-0x00007FF78E256000-memory.dmp	upx
C:\Windows\System\ZCVMYJG.exe	upx
C:\Windows\System\AwoxGAm.exe	upx
C:\Windows\System\PmFWZhH.exe	upx
C:\Windows\System\vOPjjEZ.exe	upx
C:\Windows\System\jdLSczy.exe	upx
behavioral2/memory/4204-112-0x00007FF7E2870000-0x00007FF7E2C66000-memory.dmp	upx
behavioral2/memory/4848-108-0x00007FF72BC20000-0x00007FF72C016000-memory.dmp	upx
C:\Windows\System\PvuAXVv.exe	upx
behavioral2/memory/2424-1437-0x00007FF756AB0000-0x00007FF756EA6000-memory.dmp	upx
behavioral2/memory/1696-2571-0x00007FF78DE60000-0x00007FF78E256000-memory.dmp	upx
behavioral2/memory/4912-5282-0x00007FF67CC20000-0x00007FF67D016000-memory.dmp	upx
behavioral2/memory/2432-5334-0x00007FF7A33E0000-0x00007FF7A37D6000-memory.dmp	upx
behavioral2/memory/3160-5337-0x00007FF615190000-0x00007FF615586000-memory.dmp	upx
behavioral2/memory/3524-5812-0x00007FF72ABD0000-0x00007FF72AFC6000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 raw.githubusercontent.com
4 raw.githubusercontent.com

flow	ioc
2	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

Processes:

93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe

description	ioc	process
File created	C:\Windows\System\mQtiufY.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\OPVnRif.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\ZnqgCHd.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\hNeaFwO.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\awwZMgZ.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\xAjkZYJ.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\HCVqkxZ.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\XMXjZCA.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\QdftsaQ.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\xaCPcdn.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\LinrVDt.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\sCEIsKT.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\DxEnszY.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\cssWqUl.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\GNAKkkU.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\XpjabnI.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\JHDtWYP.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\hHOzCtU.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\ZigATsJ.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\GhECpKY.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\zAjPUNr.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\filGqEf.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\nyTAoUf.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\qeerTQA.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\WuCfvCd.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\ahOunxP.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\DBBFTOj.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\ZZOqqgO.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\mEEupsI.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\ylXYudN.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\ffPVvLm.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\sIIbIia.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\RwYNggN.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\hFDiaPf.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\vouTqYr.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\CitGurI.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\zwZltdI.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\sseUQWm.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\rzNDSZG.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\SfHycZB.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\hPAhwVx.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\gDRBYfJ.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\IdbteXG.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\fcuxWLx.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\ISGxaUd.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\IQEeCbt.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\PsiONtS.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\nHfVdRM.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\qDgbwPG.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\JupEFfQ.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\TdGalvr.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\yOrvUwm.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\rbfDUoR.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\dMfABkW.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\sjyGIBx.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\oJOpVNl.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\dZTJbRo.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\ozVALcX.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\ubKhtBN.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\GGsnmtv.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\LNSynUQ.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\CQXsDYg.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\eqegohT.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
File created	C:\Windows\System\YpkyNQt.exe	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dwm.exedwm.exedwm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exedwm.exedwm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 54 IoCs

Processes:

dwm.exedwm.exedwm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

5056 powershell.exe
5056 powershell.exe

pid	process
5056	powershell.exe
5056	powershell.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exepowershell.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

description	pid	process
Token: SeLockMemoryPrivilege	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
Token: SeLockMemoryPrivilege	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeCreateGlobalPrivilege	13452	dwm.exe
Token: SeChangeNotifyPrivilege	13452	dwm.exe
Token: 33	13452	dwm.exe
Token: SeIncBasePriorityPrivilege	13452	dwm.exe
Token: SeCreateGlobalPrivilege	13396	dwm.exe
Token: SeChangeNotifyPrivilege	13396	dwm.exe
Token: 33	13396	dwm.exe
Token: SeIncBasePriorityPrivilege	13396	dwm.exe
Token: SeShutdownPrivilege	13396	dwm.exe
Token: SeCreatePagefilePrivilege	13396	dwm.exe
Token: SeCreateGlobalPrivilege	7420	dwm.exe
Token: SeChangeNotifyPrivilege	7420	dwm.exe
Token: 33	7420	dwm.exe
Token: SeIncBasePriorityPrivilege	7420	dwm.exe
Token: SeCreateGlobalPrivilege	9552	dwm.exe
Token: SeChangeNotifyPrivilege	9552	dwm.exe
Token: 33	9552	dwm.exe
Token: SeIncBasePriorityPrivilege	9552	dwm.exe
Token: SeCreateGlobalPrivilege	12264	dwm.exe
Token: SeChangeNotifyPrivilege	12264	dwm.exe
Token: 33	12264	dwm.exe
Token: SeIncBasePriorityPrivilege	12264	dwm.exe
Token: SeCreateGlobalPrivilege	15624	dwm.exe
Token: SeChangeNotifyPrivilege	15624	dwm.exe
Token: 33	15624	dwm.exe
Token: SeIncBasePriorityPrivilege	15624	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe

description	pid	process	target process
PID 2424 wrote to memory of 5056	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	powershell.exe
PID 2424 wrote to memory of 5056	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	powershell.exe
PID 2424 wrote to memory of 3412	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	egsDKbJ.exe
PID 2424 wrote to memory of 3412	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	egsDKbJ.exe
PID 2424 wrote to memory of 2972	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	astLpiU.exe
PID 2424 wrote to memory of 2972	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	astLpiU.exe
PID 2424 wrote to memory of 2788	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	VkZfFDK.exe
PID 2424 wrote to memory of 2788	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	VkZfFDK.exe
PID 2424 wrote to memory of 2040	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	zUirCvd.exe
PID 2424 wrote to memory of 2040	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	zUirCvd.exe
PID 2424 wrote to memory of 3448	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	jkFvQJt.exe
PID 2424 wrote to memory of 3448	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	jkFvQJt.exe
PID 2424 wrote to memory of 4912	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	DytsZrc.exe
PID 2424 wrote to memory of 4912	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	DytsZrc.exe
PID 2424 wrote to memory of 4928	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	DvjPTqV.exe
PID 2424 wrote to memory of 4928	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	DvjPTqV.exe
PID 2424 wrote to memory of 1072	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	YLchyPY.exe
PID 2424 wrote to memory of 1072	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	YLchyPY.exe
PID 2424 wrote to memory of 4564	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	kIjJfpo.exe
PID 2424 wrote to memory of 4564	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	kIjJfpo.exe
PID 2424 wrote to memory of 1432	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	kHEQUld.exe
PID 2424 wrote to memory of 1432	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	kHEQUld.exe
PID 2424 wrote to memory of 2604	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	aEbyxbc.exe
PID 2424 wrote to memory of 2604	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	aEbyxbc.exe
PID 2424 wrote to memory of 2432	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	XqLvGXa.exe
PID 2424 wrote to memory of 2432	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	XqLvGXa.exe
PID 2424 wrote to memory of 3160	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	RaApCni.exe
PID 2424 wrote to memory of 3160	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	RaApCni.exe
PID 2424 wrote to memory of 4848	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	PvuAXVv.exe
PID 2424 wrote to memory of 4848	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	PvuAXVv.exe
PID 2424 wrote to memory of 4204	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	HBwYzHP.exe
PID 2424 wrote to memory of 4204	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	HBwYzHP.exe
PID 2424 wrote to memory of 640	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	jdLSczy.exe
PID 2424 wrote to memory of 640	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	jdLSczy.exe
PID 2424 wrote to memory of 876	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	ZCVMYJG.exe
PID 2424 wrote to memory of 876	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	ZCVMYJG.exe
PID 2424 wrote to memory of 2764	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	AwoxGAm.exe
PID 2424 wrote to memory of 2764	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	AwoxGAm.exe
PID 2424 wrote to memory of 1696	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	vOPjjEZ.exe
PID 2424 wrote to memory of 1696	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	vOPjjEZ.exe
PID 2424 wrote to memory of 3524	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	PmFWZhH.exe
PID 2424 wrote to memory of 3524	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	PmFWZhH.exe
PID 2424 wrote to memory of 4620	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	DsjIVhy.exe
PID 2424 wrote to memory of 4620	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	DsjIVhy.exe
PID 2424 wrote to memory of 492	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	eOnTnCu.exe
PID 2424 wrote to memory of 492	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	eOnTnCu.exe
PID 2424 wrote to memory of 1660	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	zbMItyJ.exe
PID 2424 wrote to memory of 1660	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	zbMItyJ.exe
PID 2424 wrote to memory of 1876	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	MlQBKQy.exe
PID 2424 wrote to memory of 1876	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	MlQBKQy.exe
PID 2424 wrote to memory of 3568	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	IXVTDDT.exe
PID 2424 wrote to memory of 3568	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	IXVTDDT.exe
PID 2424 wrote to memory of 2440	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	FbbsOgK.exe
PID 2424 wrote to memory of 2440	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	FbbsOgK.exe
PID 2424 wrote to memory of 1420	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	qRCVWqh.exe
PID 2424 wrote to memory of 1420	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	qRCVWqh.exe
PID 2424 wrote to memory of 208	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	nLfVDhl.exe
PID 2424 wrote to memory of 208	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	nLfVDhl.exe
PID 2424 wrote to memory of 3128	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	mWhloCu.exe
PID 2424 wrote to memory of 3128	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	mWhloCu.exe
PID 2424 wrote to memory of 2400	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	gEYZgPD.exe
PID 2424 wrote to memory of 2400	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	gEYZgPD.exe
PID 2424 wrote to memory of 4380	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	uZuqROm.exe
PID 2424 wrote to memory of 4380	2424	93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe	uZuqROm.exe

C:\Users\Admin\AppData\Local\Temp\93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe
"C:\Users\Admin\AppData\Local\Temp\93641813b84a4306f6b798f815ed3ef47bba95a24cbd6611d66eb7edc6361468.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\System\egsDKbJ.exe
C:\Windows\System\egsDKbJ.exe
2⤵
- Executes dropped EXE
PID:3412

C:\Windows\System\astLpiU.exe
C:\Windows\System\astLpiU.exe
2⤵
- Executes dropped EXE
PID:2972

C:\Windows\System\VkZfFDK.exe
C:\Windows\System\VkZfFDK.exe
2⤵
- Executes dropped EXE
PID:2788

C:\Windows\System\zUirCvd.exe
C:\Windows\System\zUirCvd.exe
2⤵
- Executes dropped EXE
PID:2040

C:\Windows\System\jkFvQJt.exe
C:\Windows\System\jkFvQJt.exe
2⤵
- Executes dropped EXE
PID:3448

C:\Windows\System\DytsZrc.exe
C:\Windows\System\DytsZrc.exe
2⤵
- Executes dropped EXE
PID:4912

C:\Windows\System\DvjPTqV.exe
C:\Windows\System\DvjPTqV.exe
2⤵
- Executes dropped EXE
PID:4928

C:\Windows\System\YLchyPY.exe
C:\Windows\System\YLchyPY.exe
2⤵
- Executes dropped EXE
PID:1072

C:\Windows\System\kIjJfpo.exe
C:\Windows\System\kIjJfpo.exe
2⤵
- Executes dropped EXE
PID:4564

C:\Windows\System\kHEQUld.exe
C:\Windows\System\kHEQUld.exe
2⤵
- Executes dropped EXE
PID:1432

C:\Windows\System\aEbyxbc.exe
C:\Windows\System\aEbyxbc.exe
2⤵
- Executes dropped EXE
PID:2604

C:\Windows\System\XqLvGXa.exe
C:\Windows\System\XqLvGXa.exe
2⤵
- Executes dropped EXE
PID:2432

C:\Windows\System\RaApCni.exe
C:\Windows\System\RaApCni.exe
2⤵
- Executes dropped EXE
PID:3160

C:\Windows\System\PvuAXVv.exe
C:\Windows\System\PvuAXVv.exe
2⤵
- Executes dropped EXE
PID:4848

C:\Windows\System\HBwYzHP.exe
C:\Windows\System\HBwYzHP.exe
2⤵
- Executes dropped EXE
PID:4204

C:\Windows\System\jdLSczy.exe
C:\Windows\System\jdLSczy.exe
2⤵
- Executes dropped EXE
PID:640

C:\Windows\System\ZCVMYJG.exe
C:\Windows\System\ZCVMYJG.exe
2⤵
- Executes dropped EXE
PID:876

C:\Windows\System\AwoxGAm.exe
C:\Windows\System\AwoxGAm.exe
2⤵
- Executes dropped EXE
PID:2764

C:\Windows\System\vOPjjEZ.exe
C:\Windows\System\vOPjjEZ.exe
2⤵
- Executes dropped EXE
PID:1696

C:\Windows\System\PmFWZhH.exe
C:\Windows\System\PmFWZhH.exe
2⤵
- Executes dropped EXE
PID:3524

C:\Windows\System\DsjIVhy.exe
C:\Windows\System\DsjIVhy.exe
2⤵
- Executes dropped EXE
PID:4620

C:\Windows\System\eOnTnCu.exe
C:\Windows\System\eOnTnCu.exe
2⤵
- Executes dropped EXE
PID:492

C:\Windows\System\zbMItyJ.exe
C:\Windows\System\zbMItyJ.exe
2⤵
- Executes dropped EXE
PID:1660

C:\Windows\System\MlQBKQy.exe
C:\Windows\System\MlQBKQy.exe
2⤵
- Executes dropped EXE
PID:1876

C:\Windows\System\IXVTDDT.exe
C:\Windows\System\IXVTDDT.exe
2⤵
- Executes dropped EXE
PID:3568

C:\Windows\System\FbbsOgK.exe
C:\Windows\System\FbbsOgK.exe
2⤵
- Executes dropped EXE
PID:2440

C:\Windows\System\qRCVWqh.exe
C:\Windows\System\qRCVWqh.exe
2⤵
- Executes dropped EXE
PID:1420

C:\Windows\System\nLfVDhl.exe
C:\Windows\System\nLfVDhl.exe
2⤵
- Executes dropped EXE
PID:208

C:\Windows\System\mWhloCu.exe
C:\Windows\System\mWhloCu.exe
2⤵
- Executes dropped EXE
PID:3128

C:\Windows\System\gEYZgPD.exe
C:\Windows\System\gEYZgPD.exe
2⤵
- Executes dropped EXE
PID:2400

C:\Windows\System\uZuqROm.exe
C:\Windows\System\uZuqROm.exe
2⤵
- Executes dropped EXE
PID:4380

C:\Windows\System\NbrxIat.exe
C:\Windows\System\NbrxIat.exe
2⤵
- Executes dropped EXE
PID:1532

C:\Windows\System\wdHwIOq.exe
C:\Windows\System\wdHwIOq.exe
2⤵
- Executes dropped EXE
PID:2544

C:\Windows\System\wikCwDx.exe
C:\Windows\System\wikCwDx.exe
2⤵
- Executes dropped EXE
PID:1252

C:\Windows\System\pwAuKiY.exe
C:\Windows\System\pwAuKiY.exe
2⤵
- Executes dropped EXE
PID:4328

C:\Windows\System\uuutHdE.exe
C:\Windows\System\uuutHdE.exe
2⤵
- Executes dropped EXE
PID:2028

C:\Windows\System\qltWUmC.exe
C:\Windows\System\qltWUmC.exe
2⤵
- Executes dropped EXE
PID:2192

C:\Windows\System\GkTffSL.exe
C:\Windows\System\GkTffSL.exe
2⤵
- Executes dropped EXE
PID:1924

C:\Windows\System\IMqHSfE.exe
C:\Windows\System\IMqHSfE.exe
2⤵
- Executes dropped EXE
PID:4960

C:\Windows\System\VLjaELH.exe
C:\Windows\System\VLjaELH.exe
2⤵
- Executes dropped EXE
PID:2112

C:\Windows\System\egUCHtn.exe
C:\Windows\System\egUCHtn.exe
2⤵
- Executes dropped EXE
PID:5024

C:\Windows\System\ZfXzrZU.exe
C:\Windows\System\ZfXzrZU.exe
2⤵
- Executes dropped EXE
PID:760

C:\Windows\System\zVpCPTz.exe
C:\Windows\System\zVpCPTz.exe
2⤵
- Executes dropped EXE
PID:4884

C:\Windows\System\luWfMeA.exe
C:\Windows\System\luWfMeA.exe
2⤵
- Executes dropped EXE
PID:4664

C:\Windows\System\pmAagTw.exe
C:\Windows\System\pmAagTw.exe
2⤵
- Executes dropped EXE
PID:1224

C:\Windows\System\cIYPehm.exe
C:\Windows\System\cIYPehm.exe
2⤵
- Executes dropped EXE
PID:4920

C:\Windows\System\izIaTMP.exe
C:\Windows\System\izIaTMP.exe
2⤵
- Executes dropped EXE
PID:4792

C:\Windows\System\GOmIqae.exe
C:\Windows\System\GOmIqae.exe
2⤵
- Executes dropped EXE
PID:812

C:\Windows\System\rjiKXNl.exe
C:\Windows\System\rjiKXNl.exe
2⤵
- Executes dropped EXE
PID:4648

C:\Windows\System\grbENAX.exe
C:\Windows\System\grbENAX.exe
2⤵
- Executes dropped EXE
PID:2988

C:\Windows\System\CcCTpPn.exe
C:\Windows\System\CcCTpPn.exe
2⤵
- Executes dropped EXE
PID:3444

C:\Windows\System\nqRmlrG.exe
C:\Windows\System\nqRmlrG.exe
2⤵
- Executes dropped EXE
PID:4636

C:\Windows\System\BXoKiYG.exe
C:\Windows\System\BXoKiYG.exe
2⤵
- Executes dropped EXE
PID:1792

C:\Windows\System\dtIDPLU.exe
C:\Windows\System\dtIDPLU.exe
2⤵
- Executes dropped EXE
PID:2168

C:\Windows\System\CyVNUCq.exe
C:\Windows\System\CyVNUCq.exe
2⤵
- Executes dropped EXE
PID:3592

C:\Windows\System\DLWyxrH.exe
C:\Windows\System\DLWyxrH.exe
2⤵
- Executes dropped EXE
PID:4452

C:\Windows\System\Kqdbywi.exe
C:\Windows\System\Kqdbywi.exe
2⤵
- Executes dropped EXE
PID:4544

C:\Windows\System\hTFRZVc.exe
C:\Windows\System\hTFRZVc.exe
2⤵
- Executes dropped EXE
PID:4240

C:\Windows\System\eKXzuET.exe
C:\Windows\System\eKXzuET.exe
2⤵
- Executes dropped EXE
PID:1376

C:\Windows\System\JOtsMNt.exe
C:\Windows\System\JOtsMNt.exe
2⤵
- Executes dropped EXE
PID:636

C:\Windows\System\gsDDvFT.exe
C:\Windows\System\gsDDvFT.exe
2⤵
- Executes dropped EXE
PID:3952

C:\Windows\System\zmzZDOH.exe
C:\Windows\System\zmzZDOH.exe
2⤵
- Executes dropped EXE
PID:1508

C:\Windows\System\JUhIzBt.exe
C:\Windows\System\JUhIzBt.exe
2⤵
- Executes dropped EXE
PID:1796

C:\Windows\System\kVabDXR.exe
C:\Windows\System\kVabDXR.exe
2⤵
- Executes dropped EXE
PID:3392

C:\Windows\System\bUnbepB.exe
C:\Windows\System\bUnbepB.exe
2⤵
PID:552

C:\Windows\System\fseCHvK.exe
C:\Windows\System\fseCHvK.exe
2⤵
PID:4588

C:\Windows\System\ihfOkgh.exe
C:\Windows\System\ihfOkgh.exe
2⤵
PID:4496

C:\Windows\System\PecuyhJ.exe
C:\Windows\System\PecuyhJ.exe
2⤵
PID:220

C:\Windows\System\dPDoAog.exe
C:\Windows\System\dPDoAog.exe
2⤵
PID:4336

C:\Windows\System\WQnBReB.exe
C:\Windows\System\WQnBReB.exe
2⤵
PID:1656

C:\Windows\System\UOrwYQN.exe
C:\Windows\System\UOrwYQN.exe
2⤵
PID:2592

C:\Windows\System\lNUGpAK.exe
C:\Windows\System\lNUGpAK.exe
2⤵
PID:5148

C:\Windows\System\OswWKfC.exe
C:\Windows\System\OswWKfC.exe
2⤵
PID:5176

C:\Windows\System\FQEbwMq.exe
C:\Windows\System\FQEbwMq.exe
2⤵
PID:5228

C:\Windows\System\UgZlXVE.exe
C:\Windows\System\UgZlXVE.exe
2⤵
PID:5288

C:\Windows\System\HHtTjRC.exe
C:\Windows\System\HHtTjRC.exe
2⤵
PID:5332

C:\Windows\System\bvBFkKM.exe
C:\Windows\System\bvBFkKM.exe
2⤵
PID:5408

C:\Windows\System\GkaBCvR.exe
C:\Windows\System\GkaBCvR.exe
2⤵
PID:5436

C:\Windows\System\YJgAaDM.exe
C:\Windows\System\YJgAaDM.exe
2⤵
PID:5508

C:\Windows\System\zJQlhwe.exe
C:\Windows\System\zJQlhwe.exe
2⤵
PID:5564

C:\Windows\System\DRbLqBV.exe
C:\Windows\System\DRbLqBV.exe
2⤵
PID:5604

C:\Windows\System\sNCtHRg.exe
C:\Windows\System\sNCtHRg.exe
2⤵
PID:5656

C:\Windows\System\slOqivG.exe
C:\Windows\System\slOqivG.exe
2⤵
PID:5700

C:\Windows\System\LGBKMrU.exe
C:\Windows\System\LGBKMrU.exe
2⤵
PID:5756

C:\Windows\System\eTMSBTj.exe
C:\Windows\System\eTMSBTj.exe
2⤵
PID:5776

C:\Windows\System\TMQnSmi.exe
C:\Windows\System\TMQnSmi.exe
2⤵
PID:5828

C:\Windows\System\XbENlzq.exe
C:\Windows\System\XbENlzq.exe
2⤵
PID:5864

C:\Windows\System\TtrbNJn.exe
C:\Windows\System\TtrbNJn.exe
2⤵
PID:5916

C:\Windows\System\IGqchIG.exe
C:\Windows\System\IGqchIG.exe
2⤵
PID:5944

C:\Windows\System\hSAWSEU.exe
C:\Windows\System\hSAWSEU.exe
2⤵
PID:5996

C:\Windows\System\sIIbIia.exe
C:\Windows\System\sIIbIia.exe
2⤵
PID:6036

C:\Windows\System\NstSDSh.exe
C:\Windows\System\NstSDSh.exe
2⤵
PID:6052

C:\Windows\System\uJWjdcM.exe
C:\Windows\System\uJWjdcM.exe
2⤵
PID:6076

C:\Windows\System\mYrCWst.exe
C:\Windows\System\mYrCWst.exe
2⤵
PID:6120

C:\Windows\System\hpVNycW.exe
C:\Windows\System\hpVNycW.exe
2⤵
PID:4612

C:\Windows\System\GjzILmo.exe
C:\Windows\System\GjzILmo.exe
2⤵
PID:4072

C:\Windows\System\KRywdFz.exe
C:\Windows\System\KRywdFz.exe
2⤵
PID:5252

C:\Windows\System\kjbGNeV.exe
C:\Windows\System\kjbGNeV.exe
2⤵
PID:4140

C:\Windows\System\debnHdJ.exe
C:\Windows\System\debnHdJ.exe
2⤵
PID:3912

C:\Windows\System\EMtVRAN.exe
C:\Windows\System\EMtVRAN.exe
2⤵
PID:4632

C:\Windows\System\wPHKEcg.exe
C:\Windows\System\wPHKEcg.exe
2⤵
PID:5096

C:\Windows\System\yChExCw.exe
C:\Windows\System\yChExCw.exe
2⤵
PID:5320

C:\Windows\System\hpwCHUA.exe
C:\Windows\System\hpwCHUA.exe
2⤵
PID:5392

C:\Windows\System\wuIwKPy.exe
C:\Windows\System\wuIwKPy.exe
2⤵
PID:5504

C:\Windows\System\ziHRvjI.exe
C:\Windows\System\ziHRvjI.exe
2⤵
PID:5544

C:\Windows\System\jWROEEo.exe
C:\Windows\System\jWROEEo.exe
2⤵
PID:5620

C:\Windows\System\mEeUbRy.exe
C:\Windows\System\mEeUbRy.exe
2⤵
PID:4864

C:\Windows\System\QZeRdfa.exe
C:\Windows\System\QZeRdfa.exe
2⤵
PID:5792

C:\Windows\System\itGQqQI.exe
C:\Windows\System\itGQqQI.exe
2⤵
PID:5764

C:\Windows\System\qnCPNTf.exe
C:\Windows\System\qnCPNTf.exe
2⤵
PID:5936

C:\Windows\System\RMsWAJh.exe
C:\Windows\System\RMsWAJh.exe
2⤵
PID:6004

C:\Windows\System\elWzIKO.exe
C:\Windows\System\elWzIKO.exe
2⤵
PID:6064

C:\Windows\System\aCbVjqh.exe
C:\Windows\System\aCbVjqh.exe
2⤵
PID:5348

C:\Windows\System\KGtddbP.exe
C:\Windows\System\KGtddbP.exe
2⤵
PID:3564

C:\Windows\System\iRHPgcS.exe
C:\Windows\System\iRHPgcS.exe
2⤵
PID:5168

C:\Windows\System\BVhfqhD.exe
C:\Windows\System\BVhfqhD.exe
2⤵
PID:1352

C:\Windows\System\ZxQMUWk.exe
C:\Windows\System\ZxQMUWk.exe
2⤵
PID:4832

C:\Windows\System\DvdfcQU.exe
C:\Windows\System\DvdfcQU.exe
2⤵
PID:1688

C:\Windows\System\WLGEVBm.exe
C:\Windows\System\WLGEVBm.exe
2⤵
PID:5384

C:\Windows\System\svimqSy.exe
C:\Windows\System\svimqSy.exe
2⤵
PID:5532

C:\Windows\System\ebrPFMI.exe
C:\Windows\System\ebrPFMI.exe
2⤵
PID:5632

C:\Windows\System\NNwfadq.exe
C:\Windows\System\NNwfadq.exe
2⤵
PID:3096

C:\Windows\System\IcYoZzk.exe
C:\Windows\System\IcYoZzk.exe
2⤵
PID:5904

C:\Windows\System\eJVDMMA.exe
C:\Windows\System\eJVDMMA.exe
2⤵
PID:5976

C:\Windows\System\zBlGHpq.exe
C:\Windows\System\zBlGHpq.exe
2⤵
PID:6100

C:\Windows\System\pAFBuuM.exe
C:\Windows\System\pAFBuuM.exe
2⤵
PID:5376

C:\Windows\System\lEEYiou.exe
C:\Windows\System\lEEYiou.exe
2⤵
PID:2528

C:\Windows\System\lhlSbLY.exe
C:\Windows\System\lhlSbLY.exe
2⤵
PID:5028

C:\Windows\System\JkWLORf.exe
C:\Windows\System\JkWLORf.exe
2⤵
PID:3772

C:\Windows\System\NminAII.exe
C:\Windows\System\NminAII.exe
2⤵
PID:864

C:\Windows\System\MrWAptg.exe
C:\Windows\System\MrWAptg.exe
2⤵
PID:5312

C:\Windows\System\msbztlm.exe
C:\Windows\System\msbztlm.exe
2⤵
PID:5460

C:\Windows\System\cbDQpLe.exe
C:\Windows\System\cbDQpLe.exe
2⤵
PID:5500

C:\Windows\System\nvpuKvO.exe
C:\Windows\System\nvpuKvO.exe
2⤵
PID:5752

C:\Windows\System\RSyRecb.exe
C:\Windows\System\RSyRecb.exe
2⤵
PID:5972

C:\Windows\System\ChNazCX.exe
C:\Windows\System\ChNazCX.exe
2⤵
PID:6072

C:\Windows\System\GTlMqku.exe
C:\Windows\System\GTlMqku.exe
2⤵
PID:4980

C:\Windows\System\rSiOPnL.exe
C:\Windows\System\rSiOPnL.exe
2⤵
PID:3800

C:\Windows\System\gbpPjHj.exe
C:\Windows\System\gbpPjHj.exe
2⤵
PID:3124

C:\Windows\System\hITFQBH.exe
C:\Windows\System\hITFQBH.exe
2⤵
PID:5316

C:\Windows\System\KbhEhJm.exe
C:\Windows\System\KbhEhJm.exe
2⤵
PID:5676

C:\Windows\System\IsxHewY.exe
C:\Windows\System\IsxHewY.exe
2⤵
PID:5724

C:\Windows\System\UmwxtqO.exe
C:\Windows\System\UmwxtqO.exe
2⤵
PID:5212

C:\Windows\System\HPLfhtG.exe
C:\Windows\System\HPLfhtG.exe
2⤵
PID:5300

C:\Windows\System\LgUzsiq.exe
C:\Windows\System\LgUzsiq.exe
2⤵
PID:5424

C:\Windows\System\AlIgWuG.exe
C:\Windows\System\AlIgWuG.exe
2⤵
PID:6172

C:\Windows\System\mjvwEer.exe
C:\Windows\System\mjvwEer.exe
2⤵
PID:6204

C:\Windows\System\RVMoQSP.exe
C:\Windows\System\RVMoQSP.exe
2⤵
PID:6236

C:\Windows\System\yQvnNxA.exe
C:\Windows\System\yQvnNxA.exe
2⤵
PID:6252

C:\Windows\System\GNlEpdL.exe
C:\Windows\System\GNlEpdL.exe
2⤵
PID:6276

C:\Windows\System\yPAnKqF.exe
C:\Windows\System\yPAnKqF.exe
2⤵
PID:6296

C:\Windows\System\eGMJlHQ.exe
C:\Windows\System\eGMJlHQ.exe
2⤵
PID:6312

C:\Windows\System\rBSyggX.exe
C:\Windows\System\rBSyggX.exe
2⤵
PID:6404

C:\Windows\System\mvurscq.exe
C:\Windows\System\mvurscq.exe
2⤵
PID:6440

C:\Windows\System\LlMUoRK.exe
C:\Windows\System\LlMUoRK.exe
2⤵
PID:6460

C:\Windows\System\yFjXzoi.exe
C:\Windows\System\yFjXzoi.exe
2⤵
PID:6500

C:\Windows\System\TjtMIkq.exe
C:\Windows\System\TjtMIkq.exe
2⤵
PID:6532

C:\Windows\System\vpfJtDg.exe
C:\Windows\System\vpfJtDg.exe
2⤵
PID:6580

C:\Windows\System\iRkxkcY.exe
C:\Windows\System\iRkxkcY.exe
2⤵
PID:6604

C:\Windows\System\AKlLUOO.exe
C:\Windows\System\AKlLUOO.exe
2⤵
PID:6644

C:\Windows\System\KdMdkWV.exe
C:\Windows\System\KdMdkWV.exe
2⤵
PID:6676

C:\Windows\System\YGjBFBR.exe
C:\Windows\System\YGjBFBR.exe
2⤵
PID:6708

C:\Windows\System\BNUeAwW.exe
C:\Windows\System\BNUeAwW.exe
2⤵
PID:6736

C:\Windows\System\gHjffKr.exe
C:\Windows\System\gHjffKr.exe
2⤵
PID:6760

C:\Windows\System\XTGKTDy.exe
C:\Windows\System\XTGKTDy.exe
2⤵
PID:6776

C:\Windows\System\BBzuABb.exe
C:\Windows\System\BBzuABb.exe
2⤵
PID:6824

C:\Windows\System\kPxCFDh.exe
C:\Windows\System\kPxCFDh.exe
2⤵
PID:6884

C:\Windows\System\bzKmEeZ.exe
C:\Windows\System\bzKmEeZ.exe
2⤵
PID:6936

C:\Windows\System\zPCyrvX.exe
C:\Windows\System\zPCyrvX.exe
2⤵
PID:6964

C:\Windows\System\tgabkfF.exe
C:\Windows\System\tgabkfF.exe
2⤵
PID:6996

C:\Windows\System\qxJOhwd.exe
C:\Windows\System\qxJOhwd.exe
2⤵
PID:7024

C:\Windows\System\akupbGe.exe
C:\Windows\System\akupbGe.exe
2⤵
PID:7052

C:\Windows\System\TGuxRlH.exe
C:\Windows\System\TGuxRlH.exe
2⤵
PID:7080

C:\Windows\System\AVfLdfN.exe
C:\Windows\System\AVfLdfN.exe
2⤵
PID:7116

C:\Windows\System\WVsguNo.exe
C:\Windows\System\WVsguNo.exe
2⤵
PID:7140

C:\Windows\System\fTQERvF.exe
C:\Windows\System\fTQERvF.exe
2⤵
PID:4944

C:\Windows\System\AxdSwxX.exe
C:\Windows\System\AxdSwxX.exe
2⤵
PID:6180

C:\Windows\System\cXEaDGb.exe
C:\Windows\System\cXEaDGb.exe
2⤵
PID:6232

C:\Windows\System\CEEupGl.exe
C:\Windows\System\CEEupGl.exe
2⤵
PID:6264

C:\Windows\System\BdMOhWv.exe
C:\Windows\System\BdMOhWv.exe
2⤵
PID:6332

C:\Windows\System\BpNEpwV.exe
C:\Windows\System\BpNEpwV.exe
2⤵
PID:6420

C:\Windows\System\AMexRMK.exe
C:\Windows\System\AMexRMK.exe
2⤵
PID:6456

C:\Windows\System\UlQVhnr.exe
C:\Windows\System\UlQVhnr.exe
2⤵
PID:6516

C:\Windows\System\JyPxyqF.exe
C:\Windows\System\JyPxyqF.exe
2⤵
PID:6568

C:\Windows\System\UwyAcrP.exe
C:\Windows\System\UwyAcrP.exe
2⤵
PID:6652

C:\Windows\System\OFJvWpP.exe
C:\Windows\System\OFJvWpP.exe
2⤵
PID:6688

C:\Windows\System\TvLpSbP.exe
C:\Windows\System\TvLpSbP.exe
2⤵
PID:6772

C:\Windows\System\mQtTQGA.exe
C:\Windows\System\mQtTQGA.exe
2⤵
PID:6836

C:\Windows\System\yjMRtzS.exe
C:\Windows\System\yjMRtzS.exe
2⤵
PID:6924

C:\Windows\System\JrRmZEu.exe
C:\Windows\System\JrRmZEu.exe
2⤵
PID:7016

C:\Windows\System\YsGFyVl.exe
C:\Windows\System\YsGFyVl.exe
2⤵
PID:7072

C:\Windows\System\TXBkqPq.exe
C:\Windows\System\TXBkqPq.exe
2⤵
PID:7132

C:\Windows\System\XgslzMy.exe
C:\Windows\System\XgslzMy.exe
2⤵
PID:6228

C:\Windows\System\QrrMACl.exe
C:\Windows\System\QrrMACl.exe
2⤵
PID:6348

C:\Windows\System\rDrpwWm.exe
C:\Windows\System\rDrpwWm.exe
2⤵
PID:6436

C:\Windows\System\IvddSjR.exe
C:\Windows\System\IvddSjR.exe
2⤵
PID:6600

C:\Windows\System\nyhAOek.exe
C:\Windows\System\nyhAOek.exe
2⤵
PID:6756

C:\Windows\System\gpupLLG.exe
C:\Windows\System\gpupLLG.exe
2⤵
PID:6904

C:\Windows\System\ImWoYuz.exe
C:\Windows\System\ImWoYuz.exe
2⤵
PID:7104

C:\Windows\System\YQABcLU.exe
C:\Windows\System\YQABcLU.exe
2⤵
PID:6320

C:\Windows\System\peVnSrY.exe
C:\Windows\System\peVnSrY.exe
2⤵
PID:6684

C:\Windows\System\ZDNnIuL.exe
C:\Windows\System\ZDNnIuL.exe
2⤵
PID:7064

C:\Windows\System\Yfigzyy.exe
C:\Windows\System\Yfigzyy.exe
2⤵
PID:7048

C:\Windows\System\adxLGrO.exe
C:\Windows\System\adxLGrO.exe
2⤵
PID:7176

C:\Windows\System\tVhrYoD.exe
C:\Windows\System\tVhrYoD.exe
2⤵
PID:7196

C:\Windows\System\ZlTeanl.exe
C:\Windows\System\ZlTeanl.exe
2⤵
PID:7224

C:\Windows\System\vXDzdDu.exe
C:\Windows\System\vXDzdDu.exe
2⤵
PID:7256

C:\Windows\System\sboALdB.exe
C:\Windows\System\sboALdB.exe
2⤵
PID:7284

C:\Windows\System\WntUvCp.exe
C:\Windows\System\WntUvCp.exe
2⤵
PID:7312

C:\Windows\System\kPJbkMI.exe
C:\Windows\System\kPJbkMI.exe
2⤵
PID:7340

C:\Windows\System\lTasJuM.exe
C:\Windows\System\lTasJuM.exe
2⤵
PID:7384

C:\Windows\System\LtbHYQL.exe
C:\Windows\System\LtbHYQL.exe
2⤵
PID:7412

C:\Windows\System\WgDLDbp.exe
C:\Windows\System\WgDLDbp.exe
2⤵
PID:7468

C:\Windows\System\obqKYiO.exe
C:\Windows\System\obqKYiO.exe
2⤵
PID:7508

C:\Windows\System\HqfCneR.exe
C:\Windows\System\HqfCneR.exe
2⤵
PID:7564

C:\Windows\System\CaOqZwN.exe
C:\Windows\System\CaOqZwN.exe
2⤵
PID:7588

C:\Windows\System\BhbOEJF.exe
C:\Windows\System\BhbOEJF.exe
2⤵
PID:7620

C:\Windows\System\zGKLtYH.exe
C:\Windows\System\zGKLtYH.exe
2⤵
PID:7676

C:\Windows\System\esKbHhV.exe
C:\Windows\System\esKbHhV.exe
2⤵
PID:7728

C:\Windows\System\lqpCoVt.exe
C:\Windows\System\lqpCoVt.exe
2⤵
PID:7772

C:\Windows\System\RulxCzP.exe
C:\Windows\System\RulxCzP.exe
2⤵
PID:7808

C:\Windows\System\yGBMVtV.exe
C:\Windows\System\yGBMVtV.exe
2⤵
PID:7836

C:\Windows\System\SFiHCXk.exe
C:\Windows\System\SFiHCXk.exe
2⤵
PID:7856

C:\Windows\System\abcRAxg.exe
C:\Windows\System\abcRAxg.exe
2⤵
PID:7892

C:\Windows\System\txCETmt.exe
C:\Windows\System\txCETmt.exe
2⤵
PID:7928

C:\Windows\System\FoRgsVB.exe
C:\Windows\System\FoRgsVB.exe
2⤵
PID:7952

C:\Windows\System\CCqcLnW.exe
C:\Windows\System\CCqcLnW.exe
2⤵
PID:7984

C:\Windows\System\HxElyJm.exe
C:\Windows\System\HxElyJm.exe
2⤵
PID:8036

C:\Windows\System\XRiVZOc.exe
C:\Windows\System\XRiVZOc.exe
2⤵
PID:8060

C:\Windows\System\HQICYhz.exe
C:\Windows\System\HQICYhz.exe
2⤵
PID:8088

C:\Windows\System\DJHYXpn.exe
C:\Windows\System\DJHYXpn.exe
2⤵
PID:8120

C:\Windows\System\fbmmYqk.exe
C:\Windows\System\fbmmYqk.exe
2⤵
PID:8144

C:\Windows\System\xwQIMxM.exe
C:\Windows\System\xwQIMxM.exe
2⤵
PID:8176

C:\Windows\System\PIcoLaB.exe
C:\Windows\System\PIcoLaB.exe
2⤵
PID:7208

C:\Windows\System\GhECpKY.exe
C:\Windows\System\GhECpKY.exe
2⤵
PID:7264

C:\Windows\System\qfFDdEQ.exe
C:\Windows\System\qfFDdEQ.exe
2⤵
PID:7336

C:\Windows\System\JBLhwyq.exe
C:\Windows\System\JBLhwyq.exe
2⤵
PID:7424

C:\Windows\System\sAjNNNE.exe
C:\Windows\System\sAjNNNE.exe
2⤵
PID:7572

C:\Windows\System\GKTuIHx.exe
C:\Windows\System\GKTuIHx.exe
2⤵
PID:7672

C:\Windows\System\gOUlkYA.exe
C:\Windows\System\gOUlkYA.exe
2⤵
PID:7760

C:\Windows\System\kIRsRGH.exe
C:\Windows\System\kIRsRGH.exe
2⤵
PID:6292

C:\Windows\System\LFduVua.exe
C:\Windows\System\LFduVua.exe
2⤵
PID:7884

C:\Windows\System\jRgNQzX.exe
C:\Windows\System\jRgNQzX.exe
2⤵
PID:7948

C:\Windows\System\bYKNTps.exe
C:\Windows\System\bYKNTps.exe
2⤵
PID:8048

C:\Windows\System\ZwsQcKh.exe
C:\Windows\System\ZwsQcKh.exe
2⤵
PID:8104

C:\Windows\System\vyavnqm.exe
C:\Windows\System\vyavnqm.exe
2⤵
PID:8164

C:\Windows\System\xPRSDXW.exe
C:\Windows\System\xPRSDXW.exe
2⤵
PID:7280

C:\Windows\System\EPLvBio.exe
C:\Windows\System\EPLvBio.exe
2⤵
PID:7464

C:\Windows\System\hCUmYPY.exe
C:\Windows\System\hCUmYPY.exe
2⤵
PID:7688

C:\Windows\System\cfAbZlo.exe
C:\Windows\System\cfAbZlo.exe
2⤵
PID:7844

C:\Windows\System\zGwQLXn.exe
C:\Windows\System\zGwQLXn.exe
2⤵
PID:8024

C:\Windows\System\ZvssGae.exe
C:\Windows\System\ZvssGae.exe
2⤵
PID:7220

C:\Windows\System\GYZzSsQ.exe
C:\Windows\System\GYZzSsQ.exe
2⤵
PID:7584

C:\Windows\System\EOywQdm.exe
C:\Windows\System\EOywQdm.exe
2⤵
PID:1864

C:\Windows\System\VAsfHpV.exe
C:\Windows\System\VAsfHpV.exe
2⤵
PID:7396

C:\Windows\System\CyPSnWQ.exe
C:\Windows\System\CyPSnWQ.exe
2⤵
PID:7324

C:\Windows\System\HQuUsQX.exe
C:\Windows\System\HQuUsQX.exe
2⤵
PID:8208

C:\Windows\System\ftZkOnj.exe
C:\Windows\System\ftZkOnj.exe
2⤵
PID:8236

C:\Windows\System\OWeZvoV.exe
C:\Windows\System\OWeZvoV.exe
2⤵
PID:8264

C:\Windows\System\MeCXLze.exe
C:\Windows\System\MeCXLze.exe
2⤵
PID:8296

C:\Windows\System\frxqZha.exe
C:\Windows\System\frxqZha.exe
2⤵
PID:8324

C:\Windows\System\fYUlJcP.exe
C:\Windows\System\fYUlJcP.exe
2⤵
PID:8356

C:\Windows\System\VNQgqfF.exe
C:\Windows\System\VNQgqfF.exe
2⤵
PID:8388

C:\Windows\System\ukQrrVZ.exe
C:\Windows\System\ukQrrVZ.exe
2⤵
PID:8416

C:\Windows\System\jCZIbUj.exe
C:\Windows\System\jCZIbUj.exe
2⤵
PID:8456

C:\Windows\System\UKqvdlf.exe
C:\Windows\System\UKqvdlf.exe
2⤵
PID:8472

C:\Windows\System\ouFMRdI.exe
C:\Windows\System\ouFMRdI.exe
2⤵
PID:8500

C:\Windows\System\dqKLYfr.exe
C:\Windows\System\dqKLYfr.exe
2⤵
PID:8528

C:\Windows\System\pBwIqDI.exe
C:\Windows\System\pBwIqDI.exe
2⤵
PID:8556

C:\Windows\System\dSynTEH.exe
C:\Windows\System\dSynTEH.exe
2⤵
PID:8584

C:\Windows\System\YQWWWts.exe
C:\Windows\System\YQWWWts.exe
2⤵
PID:8612

C:\Windows\System\SiXkYSv.exe
C:\Windows\System\SiXkYSv.exe
2⤵
PID:8640

C:\Windows\System\EaiPmgB.exe
C:\Windows\System\EaiPmgB.exe
2⤵
PID:8668

C:\Windows\System\RPjxBZN.exe
C:\Windows\System\RPjxBZN.exe
2⤵
PID:8696

C:\Windows\System\pZqksdM.exe
C:\Windows\System\pZqksdM.exe
2⤵
PID:8724

C:\Windows\System\zQKbOUF.exe
C:\Windows\System\zQKbOUF.exe
2⤵
PID:8752

C:\Windows\System\HCVqkxZ.exe
C:\Windows\System\HCVqkxZ.exe
2⤵
PID:8780

C:\Windows\System\xNuhcdi.exe
C:\Windows\System\xNuhcdi.exe
2⤵
PID:8808

C:\Windows\System\kSlihhi.exe
C:\Windows\System\kSlihhi.exe
2⤵
PID:8836

C:\Windows\System\ycuSuua.exe
C:\Windows\System\ycuSuua.exe
2⤵
PID:8864

C:\Windows\System\tgPXspw.exe
C:\Windows\System\tgPXspw.exe
2⤵
PID:8892

C:\Windows\System\dojOZIk.exe
C:\Windows\System\dojOZIk.exe
2⤵
PID:8920

C:\Windows\System\NddWhYF.exe
C:\Windows\System\NddWhYF.exe
2⤵
PID:8952

C:\Windows\System\zgKGNQW.exe
C:\Windows\System\zgKGNQW.exe
2⤵
PID:8976

C:\Windows\System\HMCUaqD.exe
C:\Windows\System\HMCUaqD.exe
2⤵
PID:9004

C:\Windows\System\ETAoFAc.exe
C:\Windows\System\ETAoFAc.exe
2⤵
PID:9032

C:\Windows\System\BtwiMnh.exe
C:\Windows\System\BtwiMnh.exe
2⤵
PID:9060

C:\Windows\System\paJiXta.exe
C:\Windows\System\paJiXta.exe
2⤵
PID:9088

C:\Windows\System\WykzmDb.exe
C:\Windows\System\WykzmDb.exe
2⤵
PID:9116

C:\Windows\System\GTUZtAs.exe
C:\Windows\System\GTUZtAs.exe
2⤵
PID:9144

C:\Windows\System\IKFugvC.exe
C:\Windows\System\IKFugvC.exe
2⤵
PID:9176

C:\Windows\System\lgygFyQ.exe
C:\Windows\System\lgygFyQ.exe
2⤵
PID:9192

C:\Windows\System\nNEDKlh.exe
C:\Windows\System\nNEDKlh.exe
2⤵
PID:8200

C:\Windows\System\bGRGYct.exe
C:\Windows\System\bGRGYct.exe
2⤵
PID:8232

C:\Windows\System\XzTCiUr.exe
C:\Windows\System\XzTCiUr.exe
2⤵
PID:8292

C:\Windows\System\EkjeKxa.exe
C:\Windows\System\EkjeKxa.exe
2⤵
PID:8368

C:\Windows\System\WKGHthS.exe
C:\Windows\System\WKGHthS.exe
2⤵
PID:8412

C:\Windows\System\SCAcZJR.exe
C:\Windows\System\SCAcZJR.exe
2⤵
PID:8540

C:\Windows\System\nKySBJm.exe
C:\Windows\System\nKySBJm.exe
2⤵
PID:8632

C:\Windows\System\ULkZXXj.exe
C:\Windows\System\ULkZXXj.exe
2⤵
PID:8712

C:\Windows\System\HOakhjM.exe
C:\Windows\System\HOakhjM.exe
2⤵
PID:8772

C:\Windows\System\DHDQihC.exe
C:\Windows\System\DHDQihC.exe
2⤵
PID:8832

C:\Windows\System\gbimvXs.exe
C:\Windows\System\gbimvXs.exe
2⤵
PID:8888

C:\Windows\System\afVRTxP.exe
C:\Windows\System\afVRTxP.exe
2⤵
PID:8964

C:\Windows\System\LoCmrtU.exe
C:\Windows\System\LoCmrtU.exe
2⤵
PID:9028

C:\Windows\System\HeoplJF.exe
C:\Windows\System\HeoplJF.exe
2⤵
PID:9080

C:\Windows\System\VEJGDIV.exe
C:\Windows\System\VEJGDIV.exe
2⤵
PID:9136

C:\Windows\System\pwhGXaT.exe
C:\Windows\System\pwhGXaT.exe
2⤵
PID:9208

C:\Windows\System\HFFDesy.exe
C:\Windows\System\HFFDesy.exe
2⤵
PID:8260

C:\Windows\System\loSTJqX.exe
C:\Windows\System\loSTJqX.exe
2⤵
PID:8580

C:\Windows\System\IlVtJtq.exe
C:\Windows\System\IlVtJtq.exe
2⤵
PID:8628

C:\Windows\System\eKjJiRu.exe
C:\Windows\System\eKjJiRu.exe
2⤵
PID:8800

C:\Windows\System\Ffidhae.exe
C:\Windows\System\Ffidhae.exe
2⤵
PID:8912

C:\Windows\System\qEoeupV.exe
C:\Windows\System\qEoeupV.exe
2⤵
PID:3992

C:\Windows\System\vSCfeWm.exe
C:\Windows\System\vSCfeWm.exe
2⤵
PID:9168

C:\Windows\System\mHnnDMq.exe
C:\Windows\System\mHnnDMq.exe
2⤵
PID:8492

C:\Windows\System\jGgsaNX.exe
C:\Windows\System\jGgsaNX.exe
2⤵
PID:8884

C:\Windows\System\ZZKLVTE.exe
C:\Windows\System\ZZKLVTE.exe
2⤵
PID:8320

C:\Windows\System\RMmyYqH.exe
C:\Windows\System\RMmyYqH.exe
2⤵
PID:9056

C:\Windows\System\REjyfye.exe
C:\Windows\System\REjyfye.exe
2⤵
PID:8692

C:\Windows\System\elPZKTl.exe
C:\Windows\System\elPZKTl.exe
2⤵
PID:9240

C:\Windows\System\aNNnGlj.exe
C:\Windows\System\aNNnGlj.exe
2⤵
PID:9268

C:\Windows\System\yPTsoVu.exe
C:\Windows\System\yPTsoVu.exe
2⤵
PID:9308

C:\Windows\System\XMXjZCA.exe
C:\Windows\System\XMXjZCA.exe
2⤵
PID:9340

C:\Windows\System\PSeEnQb.exe
C:\Windows\System\PSeEnQb.exe
2⤵
PID:9360

C:\Windows\System\EnlWMUd.exe
C:\Windows\System\EnlWMUd.exe
2⤵
PID:9388

C:\Windows\System\NRbtyNn.exe
C:\Windows\System\NRbtyNn.exe
2⤵
PID:9412

C:\Windows\System\pfiIhPZ.exe
C:\Windows\System\pfiIhPZ.exe
2⤵
PID:9448

C:\Windows\System\nVFdJHI.exe
C:\Windows\System\nVFdJHI.exe
2⤵
PID:9468

C:\Windows\System\jHZvjRq.exe
C:\Windows\System\jHZvjRq.exe
2⤵
PID:9508

C:\Windows\System\eiBstYe.exe
C:\Windows\System\eiBstYe.exe
2⤵
PID:9536

C:\Windows\System\zIHwTit.exe
C:\Windows\System\zIHwTit.exe
2⤵
PID:9564

C:\Windows\System\ezDBKiU.exe
C:\Windows\System\ezDBKiU.exe
2⤵
PID:9592

C:\Windows\System\XUkggrr.exe
C:\Windows\System\XUkggrr.exe
2⤵
PID:9608

C:\Windows\System\YSNfvvX.exe
C:\Windows\System\YSNfvvX.exe
2⤵
PID:9648

C:\Windows\System\MGrjQjm.exe
C:\Windows\System\MGrjQjm.exe
2⤵
PID:9676

C:\Windows\System\VlaKGBf.exe
C:\Windows\System\VlaKGBf.exe
2⤵
PID:9704

C:\Windows\System\jpSpgPC.exe
C:\Windows\System\jpSpgPC.exe
2⤵
PID:9732

C:\Windows\System\xJAXBJr.exe
C:\Windows\System\xJAXBJr.exe
2⤵
PID:9760

C:\Windows\System\xcoYTKx.exe
C:\Windows\System\xcoYTKx.exe
2⤵
PID:9788

C:\Windows\System\EJwNEnJ.exe
C:\Windows\System\EJwNEnJ.exe
2⤵
PID:9808

C:\Windows\System\cLaBNmo.exe
C:\Windows\System\cLaBNmo.exe
2⤵
PID:9844

C:\Windows\System\uScgACO.exe
C:\Windows\System\uScgACO.exe
2⤵
PID:9880

C:\Windows\System\QofhXsm.exe
C:\Windows\System\QofhXsm.exe
2⤵
PID:9908

C:\Windows\System\IsCZhCS.exe
C:\Windows\System\IsCZhCS.exe
2⤵
PID:9944

C:\Windows\System\obCxDkk.exe
C:\Windows\System\obCxDkk.exe
2⤵
PID:9996

C:\Windows\System\yYOcxkX.exe
C:\Windows\System\yYOcxkX.exe
2⤵
PID:10028

C:\Windows\System\kBzrQpB.exe
C:\Windows\System\kBzrQpB.exe
2⤵
PID:10056

C:\Windows\System\mTWGFdz.exe
C:\Windows\System\mTWGFdz.exe
2⤵
PID:10084

C:\Windows\System\hUqyxCh.exe
C:\Windows\System\hUqyxCh.exe
2⤵
PID:10112

C:\Windows\System\uNOZsGk.exe
C:\Windows\System\uNOZsGk.exe
2⤵
PID:10140

C:\Windows\System\FzDWgdL.exe
C:\Windows\System\FzDWgdL.exe
2⤵
PID:10168

C:\Windows\System\GGlMXvm.exe
C:\Windows\System\GGlMXvm.exe
2⤵
PID:10196

C:\Windows\System\EYtxNQG.exe
C:\Windows\System\EYtxNQG.exe
2⤵
PID:10224

C:\Windows\System\eEKTxrC.exe
C:\Windows\System\eEKTxrC.exe
2⤵
PID:9224

C:\Windows\System\tbrRhKv.exe
C:\Windows\System\tbrRhKv.exe
2⤵
PID:9264

C:\Windows\System\TLIAZUK.exe
C:\Windows\System\TLIAZUK.exe
2⤵
PID:9356

C:\Windows\System\uxGEVIs.exe
C:\Windows\System\uxGEVIs.exe
2⤵
PID:9396

C:\Windows\System\npveKGp.exe
C:\Windows\System\npveKGp.exe
2⤵
PID:9488

C:\Windows\System\Fcmhrls.exe
C:\Windows\System\Fcmhrls.exe
2⤵
PID:9556

C:\Windows\System\uozjjvC.exe
C:\Windows\System\uozjjvC.exe
2⤵
PID:9588

C:\Windows\System\OmKnlAM.exe
C:\Windows\System\OmKnlAM.exe
2⤵
PID:9628

C:\Windows\System\RaBJfcw.exe
C:\Windows\System\RaBJfcw.exe
2⤵
PID:9752

C:\Windows\System\eGDsHIc.exe
C:\Windows\System\eGDsHIc.exe
2⤵
PID:9780

C:\Windows\System\OFHbppO.exe
C:\Windows\System\OFHbppO.exe
2⤵
PID:9864

C:\Windows\System\MXrQMXJ.exe
C:\Windows\System\MXrQMXJ.exe
2⤵
PID:9980

C:\Windows\System\hkwnGZA.exe
C:\Windows\System\hkwnGZA.exe
2⤵
PID:10008

C:\Windows\System\ZrQQXmp.exe
C:\Windows\System\ZrQQXmp.exe
2⤵
PID:10068

C:\Windows\System\BDKWhiq.exe
C:\Windows\System\BDKWhiq.exe
2⤵
PID:10104

C:\Windows\System\bxhAHdj.exe
C:\Windows\System\bxhAHdj.exe
2⤵
PID:10152

C:\Windows\System\UZsjAOv.exe
C:\Windows\System\UZsjAOv.exe
2⤵
PID:10180

C:\Windows\System\YsjMztX.exe
C:\Windows\System\YsjMztX.exe
2⤵
PID:9532

C:\Windows\System\UfXdbiR.exe
C:\Windows\System\UfXdbiR.exe
2⤵
PID:9584

C:\Windows\System\qChEMBO.exe
C:\Windows\System\qChEMBO.exe
2⤵
PID:9992

C:\Windows\System\CPRtwll.exe
C:\Windows\System\CPRtwll.exe
2⤵
PID:10040

C:\Windows\System\KPStWlQ.exe
C:\Windows\System\KPStWlQ.exe
2⤵
PID:10132

C:\Windows\System\DBrdWDb.exe
C:\Windows\System\DBrdWDb.exe
2⤵
PID:9528

C:\Windows\System\ZOaoWNh.exe
C:\Windows\System\ZOaoWNh.exe
2⤵
PID:9916

C:\Windows\System\vQRkzuZ.exe
C:\Windows\System\vQRkzuZ.exe
2⤵
PID:10096

C:\Windows\System\WnhzWoH.exe
C:\Windows\System\WnhzWoH.exe
2⤵
PID:9668

C:\Windows\System\ErUMYzB.exe
C:\Windows\System\ErUMYzB.exe
2⤵
PID:10080

C:\Windows\System\JRqzCIj.exe
C:\Windows\System\JRqzCIj.exe
2⤵
PID:10268

C:\Windows\System\oETLJWb.exe
C:\Windows\System\oETLJWb.exe
2⤵
PID:10296

C:\Windows\System\dgguxvz.exe
C:\Windows\System\dgguxvz.exe
2⤵
PID:10324

C:\Windows\System\TxMuowR.exe
C:\Windows\System\TxMuowR.exe
2⤵
PID:10352

C:\Windows\System\nMTVeWk.exe
C:\Windows\System\nMTVeWk.exe
2⤵
PID:10380

C:\Windows\System\XhhiPDg.exe
C:\Windows\System\XhhiPDg.exe
2⤵
PID:10408

C:\Windows\System\MvEEDGI.exe
C:\Windows\System\MvEEDGI.exe
2⤵
PID:10428

C:\Windows\System\sQIILDo.exe
C:\Windows\System\sQIILDo.exe
2⤵
PID:10464

C:\Windows\System\MCJIzlW.exe
C:\Windows\System\MCJIzlW.exe
2⤵
PID:10492

C:\Windows\System\omRTeeQ.exe
C:\Windows\System\omRTeeQ.exe
2⤵
PID:10520

C:\Windows\System\BPasOVp.exe
C:\Windows\System\BPasOVp.exe
2⤵
PID:10548

C:\Windows\System\SpYsQJD.exe
C:\Windows\System\SpYsQJD.exe
2⤵
PID:10576

C:\Windows\System\jelyFca.exe
C:\Windows\System\jelyFca.exe
2⤵
PID:10604

C:\Windows\System\UdHuYPY.exe
C:\Windows\System\UdHuYPY.exe
2⤵
PID:10632

C:\Windows\System\UuASzDU.exe
C:\Windows\System\UuASzDU.exe
2⤵
PID:10660

C:\Windows\System\ogtxtiQ.exe
C:\Windows\System\ogtxtiQ.exe
2⤵
PID:10704

C:\Windows\System\AxWSKQV.exe
C:\Windows\System\AxWSKQV.exe
2⤵
PID:10720

C:\Windows\System\aPfcNyB.exe
C:\Windows\System\aPfcNyB.exe
2⤵
PID:10748

C:\Windows\System\TxImOds.exe
C:\Windows\System\TxImOds.exe
2⤵
PID:10776

C:\Windows\System\MBOrfLG.exe
C:\Windows\System\MBOrfLG.exe
2⤵
PID:10812

C:\Windows\System\ylzlWUu.exe
C:\Windows\System\ylzlWUu.exe
2⤵
PID:10840

C:\Windows\System\KgjNaEH.exe
C:\Windows\System\KgjNaEH.exe
2⤵
PID:10892

C:\Windows\System\uUtLOGe.exe
C:\Windows\System\uUtLOGe.exe
2⤵
PID:10920

C:\Windows\System\TbNGKph.exe
C:\Windows\System\TbNGKph.exe
2⤵
PID:10936

C:\Windows\System\eVhzPhY.exe
C:\Windows\System\eVhzPhY.exe
2⤵
PID:10964

C:\Windows\System\IOCuDdr.exe
C:\Windows\System\IOCuDdr.exe
2⤵
PID:11008

C:\Windows\System\ReGPGOa.exe
C:\Windows\System\ReGPGOa.exe
2⤵
PID:11028

C:\Windows\System\icVUveV.exe
C:\Windows\System\icVUveV.exe
2⤵
PID:11048

C:\Windows\System\XNniMRY.exe
C:\Windows\System\XNniMRY.exe
2⤵
PID:11084

C:\Windows\System\TJcOgsG.exe
C:\Windows\System\TJcOgsG.exe
2⤵
PID:11124

C:\Windows\System\vjLtKgB.exe
C:\Windows\System\vjLtKgB.exe
2⤵
PID:11148

C:\Windows\System\NljYnZb.exe
C:\Windows\System\NljYnZb.exe
2⤵
PID:11168

C:\Windows\System\FePxuSz.exe
C:\Windows\System\FePxuSz.exe
2⤵
PID:11200

C:\Windows\System\qGHOYGE.exe
C:\Windows\System\qGHOYGE.exe
2⤵
PID:11224

C:\Windows\System\BqzJsGE.exe
C:\Windows\System\BqzJsGE.exe
2⤵
PID:9640

C:\Windows\System\FvCubBX.exe
C:\Windows\System\FvCubBX.exe
2⤵
PID:10284

C:\Windows\System\boktEMw.exe
C:\Windows\System\boktEMw.exe
2⤵
PID:10376

C:\Windows\System\BINzAOF.exe
C:\Windows\System\BINzAOF.exe
2⤵
PID:10448

C:\Windows\System\YOPiCjX.exe
C:\Windows\System\YOPiCjX.exe
2⤵
PID:10508

C:\Windows\System\NQqIvkf.exe
C:\Windows\System\NQqIvkf.exe
2⤵
PID:10588

C:\Windows\System\zwiOfnZ.exe
C:\Windows\System\zwiOfnZ.exe
2⤵
PID:10624

C:\Windows\System\NvbmCdo.exe
C:\Windows\System\NvbmCdo.exe
2⤵
PID:10712

C:\Windows\System\LxeaXZG.exe
C:\Windows\System\LxeaXZG.exe
2⤵
PID:10772

C:\Windows\System\ohIsCgD.exe
C:\Windows\System\ohIsCgD.exe
2⤵
PID:10860

C:\Windows\System\rQRWXsT.exe
C:\Windows\System\rQRWXsT.exe
2⤵
PID:10916

C:\Windows\System\fMWnDDp.exe
C:\Windows\System\fMWnDDp.exe
2⤵
PID:11000

C:\Windows\System\OKVxHga.exe
C:\Windows\System\OKVxHga.exe
2⤵
PID:11056

C:\Windows\System\GLFwLug.exe
C:\Windows\System\GLFwLug.exe
2⤵
PID:11136

C:\Windows\System\pWvpjnN.exe
C:\Windows\System\pWvpjnN.exe
2⤵
PID:11184

C:\Windows\System\FOGJepS.exe
C:\Windows\System\FOGJepS.exe
2⤵
PID:11216

C:\Windows\System\QEIabDP.exe
C:\Windows\System\QEIabDP.exe
2⤵
PID:10348

C:\Windows\System\JzWgYmn.exe
C:\Windows\System\JzWgYmn.exe
2⤵
PID:10480

C:\Windows\System\IeHhdBi.exe
C:\Windows\System\IeHhdBi.exe
2⤵
PID:10616

C:\Windows\System\HJEGrEI.exe
C:\Windows\System\HJEGrEI.exe
2⤵
PID:10684

C:\Windows\System\PUsqYqJ.exe
C:\Windows\System\PUsqYqJ.exe
2⤵
PID:10980

C:\Windows\System\zELyLwN.exe
C:\Windows\System\zELyLwN.exe
2⤵
PID:11016

C:\Windows\System\psNiIFK.exe
C:\Windows\System\psNiIFK.exe
2⤵
PID:11252

C:\Windows\System\DttCjjM.exe
C:\Windows\System\DttCjjM.exe
2⤵
PID:10264

C:\Windows\System\mCxNopu.exe
C:\Windows\System\mCxNopu.exe
2⤵
PID:10700

C:\Windows\System\ELMTEZo.exe
C:\Windows\System\ELMTEZo.exe
2⤵
PID:10960

C:\Windows\System\ZHNJIiJ.exe
C:\Windows\System\ZHNJIiJ.exe
2⤵
PID:10560

C:\Windows\System\psqhjyb.exe
C:\Windows\System\psqhjyb.exe
2⤵
PID:11036

C:\Windows\System\xmsHtaG.exe
C:\Windows\System\xmsHtaG.exe
2⤵
PID:11292

C:\Windows\System\SKufFcj.exe
C:\Windows\System\SKufFcj.exe
2⤵
PID:11320

C:\Windows\System\kklgfvc.exe
C:\Windows\System\kklgfvc.exe
2⤵
PID:11348

C:\Windows\System\RdUUHPc.exe
C:\Windows\System\RdUUHPc.exe
2⤵
PID:11364

C:\Windows\System\pXDhrbL.exe
C:\Windows\System\pXDhrbL.exe
2⤵
PID:11404

C:\Windows\System\nilkAXX.exe
C:\Windows\System\nilkAXX.exe
2⤵
PID:11432

C:\Windows\System\UFPCfME.exe
C:\Windows\System\UFPCfME.exe
2⤵
PID:11460

C:\Windows\System\oawYGVN.exe
C:\Windows\System\oawYGVN.exe
2⤵
PID:11504

C:\Windows\System\tKJTeZR.exe
C:\Windows\System\tKJTeZR.exe
2⤵
PID:11552

C:\Windows\System\GvwUias.exe
C:\Windows\System\GvwUias.exe
2⤵
PID:11580

C:\Windows\System\PpFPzhP.exe
C:\Windows\System\PpFPzhP.exe
2⤵
PID:11612

C:\Windows\System\yOPLqpC.exe
C:\Windows\System\yOPLqpC.exe
2⤵
PID:11680

C:\Windows\System\pGLsxPo.exe
C:\Windows\System\pGLsxPo.exe
2⤵
PID:11708

C:\Windows\System\ctLsjwX.exe
C:\Windows\System\ctLsjwX.exe
2⤵
PID:11756

C:\Windows\System\wjbQRcY.exe
C:\Windows\System\wjbQRcY.exe
2⤵
PID:11792

C:\Windows\System\Cyvcyax.exe
C:\Windows\System\Cyvcyax.exe
2⤵
PID:11816

C:\Windows\System\rDkJvFG.exe
C:\Windows\System\rDkJvFG.exe
2⤵
PID:11852

C:\Windows\System\uKccGST.exe
C:\Windows\System\uKccGST.exe
2⤵
PID:11876

C:\Windows\System\HWHmNUw.exe
C:\Windows\System\HWHmNUw.exe
2⤵
PID:11932

C:\Windows\System\bhFTvXr.exe
C:\Windows\System\bhFTvXr.exe
2⤵
PID:11948

C:\Windows\System\zesLuOG.exe
C:\Windows\System\zesLuOG.exe
2⤵
PID:11968

C:\Windows\System\lxqdsrX.exe
C:\Windows\System\lxqdsrX.exe
2⤵
PID:11992

C:\Windows\System\xfyEbKG.exe
C:\Windows\System\xfyEbKG.exe
2⤵
PID:12036

C:\Windows\System\DsVusoq.exe
C:\Windows\System\DsVusoq.exe
2⤵
PID:12072

C:\Windows\System\CQHyFgp.exe
C:\Windows\System\CQHyFgp.exe
2⤵
PID:12088

C:\Windows\System\WbIzmYs.exe
C:\Windows\System\WbIzmYs.exe
2⤵
PID:12132

C:\Windows\System\qTAVdjh.exe
C:\Windows\System\qTAVdjh.exe
2⤵
PID:12172

C:\Windows\System\gDneqLZ.exe
C:\Windows\System\gDneqLZ.exe
2⤵
PID:12196

C:\Windows\System\YSfsYsN.exe
C:\Windows\System\YSfsYsN.exe
2⤵
PID:12216

C:\Windows\System\mjcsFkF.exe
C:\Windows\System\mjcsFkF.exe
2⤵
PID:12232

C:\Windows\System\nxJHodg.exe
C:\Windows\System\nxJHodg.exe
2⤵
PID:12256

C:\Windows\System\JFsidMQ.exe
C:\Windows\System\JFsidMQ.exe
2⤵
PID:12276

C:\Windows\System\RhnNuhn.exe
C:\Windows\System\RhnNuhn.exe
2⤵
PID:11312

C:\Windows\System\WJFpnpX.exe
C:\Windows\System\WJFpnpX.exe
2⤵
PID:11400

C:\Windows\System\LjIZoUn.exe
C:\Windows\System\LjIZoUn.exe
2⤵
PID:11456

C:\Windows\System\BiAgYBu.exe
C:\Windows\System\BiAgYBu.exe
2⤵
PID:11532

C:\Windows\System\BbtAqmt.exe
C:\Windows\System\BbtAqmt.exe
2⤵
PID:11608

C:\Windows\System\aLylVdq.exe
C:\Windows\System\aLylVdq.exe
2⤵
PID:10872

C:\Windows\System\iWEIFPO.exe
C:\Windows\System\iWEIFPO.exe
2⤵
PID:11704

C:\Windows\System\UWCWZSU.exe
C:\Windows\System\UWCWZSU.exe
2⤵
PID:11832

C:\Windows\System\ixctrDF.exe
C:\Windows\System\ixctrDF.exe
2⤵
PID:11944

C:\Windows\System\jWdMTHT.exe
C:\Windows\System\jWdMTHT.exe
2⤵
PID:12060

C:\Windows\System\LIGGpMs.exe
C:\Windows\System\LIGGpMs.exe
2⤵
PID:12152

C:\Windows\System\aJzEHfF.exe
C:\Windows\System\aJzEHfF.exe
2⤵
PID:12228

C:\Windows\System\KZlPmhH.exe
C:\Windows\System\KZlPmhH.exe
2⤵
PID:11340

C:\Windows\System\JTxPpSO.exe
C:\Windows\System\JTxPpSO.exe
2⤵
PID:11472

C:\Windows\System\MsdLxHq.exe
C:\Windows\System\MsdLxHq.exe
2⤵
PID:11604

C:\Windows\System\KsVAOau.exe
C:\Windows\System\KsVAOau.exe
2⤵
PID:10800

C:\Windows\System\UmLiHeD.exe
C:\Windows\System\UmLiHeD.exe
2⤵
PID:11904

C:\Windows\System\mitJAom.exe
C:\Windows\System\mitJAom.exe
2⤵
PID:11984

C:\Windows\System\rRuXWKD.exe
C:\Windows\System\rRuXWKD.exe
2⤵
PID:12120

C:\Windows\System\TXANrPV.exe
C:\Windows\System\TXANrPV.exe
2⤵
PID:11428

C:\Windows\System\ckqHhtk.exe
C:\Windows\System\ckqHhtk.exe
2⤵
PID:11956

C:\Windows\System\wiBSADd.exe
C:\Windows\System\wiBSADd.exe
2⤵
PID:11632

C:\Windows\System\pCKqoJD.exe
C:\Windows\System\pCKqoJD.exe
2⤵
PID:12296

C:\Windows\System\SCqVFqg.exe
C:\Windows\System\SCqVFqg.exe
2⤵
PID:12324

C:\Windows\System\soNiRtJ.exe
C:\Windows\System\soNiRtJ.exe
2⤵
PID:12352

C:\Windows\System\OzoCdXQ.exe
C:\Windows\System\OzoCdXQ.exe
2⤵
PID:12380

C:\Windows\System\fCrhUXs.exe
C:\Windows\System\fCrhUXs.exe
2⤵
PID:12400

C:\Windows\System\ubxEvMG.exe
C:\Windows\System\ubxEvMG.exe
2⤵
PID:12424

C:\Windows\System\XXLAtdD.exe
C:\Windows\System\XXLAtdD.exe
2⤵
PID:12456

C:\Windows\System\cVlCWGY.exe
C:\Windows\System\cVlCWGY.exe
2⤵
PID:12484

C:\Windows\System\lCmFdjY.exe
C:\Windows\System\lCmFdjY.exe
2⤵
PID:12528

C:\Windows\System\HnVFCHx.exe
C:\Windows\System\HnVFCHx.exe
2⤵
PID:12556

C:\Windows\System\yCKJNmP.exe
C:\Windows\System\yCKJNmP.exe
2⤵
PID:12588

C:\Windows\System\kDhxJuA.exe
C:\Windows\System\kDhxJuA.exe
2⤵
PID:12616

C:\Windows\System\pLkHVkH.exe
C:\Windows\System\pLkHVkH.exe
2⤵
PID:12644

C:\Windows\System\NyxGerT.exe
C:\Windows\System\NyxGerT.exe
2⤵
PID:12672

C:\Windows\System\GvMKezQ.exe
C:\Windows\System\GvMKezQ.exe
2⤵
PID:12700

C:\Windows\System\GbhkDYD.exe
C:\Windows\System\GbhkDYD.exe
2⤵
PID:12716

C:\Windows\System\xroWEeQ.exe
C:\Windows\System\xroWEeQ.exe
2⤵
PID:12760

C:\Windows\System\KhWQqvB.exe
C:\Windows\System\KhWQqvB.exe
2⤵
PID:12776

C:\Windows\System\jFpudyk.exe
C:\Windows\System\jFpudyk.exe
2⤵
PID:12792

C:\Windows\System\Qxuzkyc.exe
C:\Windows\System\Qxuzkyc.exe
2⤵
PID:12824

C:\Windows\System\MARrsfL.exe
C:\Windows\System\MARrsfL.exe
2⤵
PID:12860

C:\Windows\System\miEroaG.exe
C:\Windows\System\miEroaG.exe
2⤵
PID:12900

C:\Windows\System\uTCqnRX.exe
C:\Windows\System\uTCqnRX.exe
2⤵
PID:12928

C:\Windows\System\EVqFCSN.exe
C:\Windows\System\EVqFCSN.exe
2⤵
PID:12956

C:\Windows\System\mCTFPXb.exe
C:\Windows\System\mCTFPXb.exe
2⤵
PID:12984

C:\Windows\System\xNIQvJq.exe
C:\Windows\System\xNIQvJq.exe
2⤵
PID:13012

C:\Windows\System\VdMNMeN.exe
C:\Windows\System\VdMNMeN.exe
2⤵
PID:13040

C:\Windows\System\MvRCrhD.exe
C:\Windows\System\MvRCrhD.exe
2⤵
PID:13068

C:\Windows\System\tgcjAFl.exe
C:\Windows\System\tgcjAFl.exe
2⤵
PID:13096

C:\Windows\System\jurvqyv.exe
C:\Windows\System\jurvqyv.exe
2⤵
PID:13124

C:\Windows\System\jsloqbj.exe
C:\Windows\System\jsloqbj.exe
2⤵
PID:13152

C:\Windows\System\RotfCWq.exe
C:\Windows\System\RotfCWq.exe
2⤵
PID:13180

C:\Windows\System\FPXyqEi.exe
C:\Windows\System\FPXyqEi.exe
2⤵
PID:13212

C:\Windows\System\VznHeUg.exe
C:\Windows\System\VznHeUg.exe
2⤵
PID:13240

C:\Windows\System\pswjFxB.exe
C:\Windows\System\pswjFxB.exe
2⤵
PID:13268

C:\Windows\System\NZsHayT.exe
C:\Windows\System\NZsHayT.exe
2⤵
PID:13296

C:\Windows\System\GtztvmA.exe
C:\Windows\System\GtztvmA.exe
2⤵
PID:2652

C:\Windows\System\TnVWLii.exe
C:\Windows\System\TnVWLii.exe
2⤵
PID:4316

C:\Windows\System\fRhwweQ.exe
C:\Windows\System\fRhwweQ.exe
2⤵
PID:12364

C:\Windows\System\FMqVgAs.exe
C:\Windows\System\FMqVgAs.exe
2⤵
PID:12416

C:\Windows\System\TLhXWmX.exe
C:\Windows\System\TLhXWmX.exe
2⤵
PID:12468

C:\Windows\System\nnOuBhu.exe
C:\Windows\System\nnOuBhu.exe
2⤵
PID:12584

C:\Windows\System\pLzROhK.exe
C:\Windows\System\pLzROhK.exe
2⤵
PID:12640

C:\Windows\System\yPRxqEq.exe
C:\Windows\System\yPRxqEq.exe
2⤵
PID:12708

C:\Windows\System\HlxqTQM.exe
C:\Windows\System\HlxqTQM.exe
2⤵
PID:12772

C:\Windows\System\KTIvJCa.exe
C:\Windows\System\KTIvJCa.exe
2⤵
PID:12832

C:\Windows\System\TqUdfCF.exe
C:\Windows\System\TqUdfCF.exe
2⤵
PID:12896

C:\Windows\System\yUapfPS.exe
C:\Windows\System\yUapfPS.exe
2⤵
PID:12944

C:\Windows\System\mmyONvw.exe
C:\Windows\System\mmyONvw.exe
2⤵
PID:13032

C:\Windows\System\pqMQpmm.exe
C:\Windows\System\pqMQpmm.exe
2⤵
PID:13080

C:\Windows\System\KsEpNll.exe
C:\Windows\System\KsEpNll.exe
2⤵
PID:13148

C:\Windows\System\RDNiuzj.exe
C:\Windows\System\RDNiuzj.exe
2⤵
PID:13228

C:\Windows\System\KbavIDQ.exe
C:\Windows\System\KbavIDQ.exe
2⤵
PID:13260

C:\Windows\System\pcunkPw.exe
C:\Windows\System\pcunkPw.exe
2⤵
PID:11576

C:\Windows\System\ZLcIjew.exe
C:\Windows\System\ZLcIjew.exe
2⤵
PID:12440

C:\Windows\System\JhRmFjL.exe
C:\Windows\System\JhRmFjL.exe
2⤵
PID:12628

C:\Windows\System\FKIMUTk.exe
C:\Windows\System\FKIMUTk.exe
2⤵
PID:12692

C:\Windows\System\VypEoGL.exe
C:\Windows\System\VypEoGL.exe
2⤵
PID:12848

C:\Windows\System\pOBhQWA.exe
C:\Windows\System\pOBhQWA.exe
2⤵
PID:13052

C:\Windows\System\PcDoneL.exe
C:\Windows\System\PcDoneL.exe
2⤵
PID:13208

C:\Windows\System\wZdmJGv.exe
C:\Windows\System\wZdmJGv.exe
2⤵
PID:12336

C:\Windows\System\UdZpgQq.exe
C:\Windows\System\UdZpgQq.exe
2⤵
PID:12688

C:\Windows\System\ymsJkvQ.exe
C:\Windows\System\ymsJkvQ.exe
2⤵
PID:13116

C:\Windows\System\dNSBucU.exe
C:\Windows\System\dNSBucU.exe
2⤵
PID:11892

C:\Windows\System\aeAfbar.exe
C:\Windows\System\aeAfbar.exe
2⤵
PID:12920

C:\Windows\System\ILUoQZO.exe
C:\Windows\System\ILUoQZO.exe
2⤵
PID:11888

C:\Windows\System\KlFOoZi.exe
C:\Windows\System\KlFOoZi.exe
2⤵
PID:12160

C:\Windows\System\cqrcUaj.exe
C:\Windows\System\cqrcUaj.exe
2⤵
PID:12100

C:\Windows\System\oDqLUrr.exe
C:\Windows\System\oDqLUrr.exe
2⤵
PID:12552

C:\Windows\System\bIopgtf.exe
C:\Windows\System\bIopgtf.exe
2⤵
PID:13388

C:\Windows\System\pHbkwcu.exe
C:\Windows\System\pHbkwcu.exe
2⤵
PID:13324

C:\Windows\System\lpAlbeM.exe
C:\Windows\System\lpAlbeM.exe
2⤵
PID:13356

C:\Windows\System\dLIrPQH.exe
C:\Windows\System\dLIrPQH.exe
2⤵
PID:13380

C:\Windows\System\GlYLvNy.exe
C:\Windows\System\GlYLvNy.exe
2⤵
PID:7360

C:\Windows\System\aynMwrH.exe
C:\Windows\System\aynMwrH.exe
2⤵
PID:14076

C:\Windows\System\NcxHGgI.exe
C:\Windows\System\NcxHGgI.exe
2⤵
PID:14096

C:\Windows\System\rKtWaNy.exe
C:\Windows\System\rKtWaNy.exe
2⤵
PID:14124

C:\Windows\System\AmIBbUf.exe
C:\Windows\System\AmIBbUf.exe
2⤵
PID:14176

C:\Windows\System\HlvKooD.exe
C:\Windows\System\HlvKooD.exe
2⤵
PID:5072

C:\Windows\System\GfQaPVx.exe
C:\Windows\System\GfQaPVx.exe
2⤵
PID:13688

C:\Windows\System\lKIlaXj.exe
C:\Windows\System\lKIlaXj.exe
2⤵
PID:14264

C:\Windows\System\vGTgtfQ.exe
C:\Windows\System\vGTgtfQ.exe
2⤵
PID:4068

C:\Windows\System\dznoLbh.exe
C:\Windows\System\dznoLbh.exe
2⤵
PID:13444

C:\Windows\System\QclxGxq.exe
C:\Windows\System\QclxGxq.exe
2⤵
PID:5092

C:\Windows\System\pOQSkRT.exe
C:\Windows\System\pOQSkRT.exe
2⤵
PID:13488

C:\Windows\System\bphCUYz.exe
C:\Windows\System\bphCUYz.exe
2⤵
PID:13520

C:\Windows\System\NmTdKno.exe
C:\Windows\System\NmTdKno.exe
2⤵
PID:13976

C:\Windows\System\lmaGWgQ.exe
C:\Windows\System\lmaGWgQ.exe
2⤵
PID:13996

C:\Windows\System\LEqbGym.exe
C:\Windows\System\LEqbGym.exe
2⤵
PID:5464

C:\Windows\System\wXorjhB.exe
C:\Windows\System\wXorjhB.exe
2⤵
PID:5716

C:\Windows\System\krqaFdn.exe
C:\Windows\System\krqaFdn.exe
2⤵
PID:11732

C:\Windows\System\LnKzvdf.exe
C:\Windows\System\LnKzvdf.exe
2⤵
PID:3520

C:\Windows\System\vmstBFr.exe
C:\Windows\System\vmstBFr.exe
2⤵
PID:5432

C:\Windows\System\fARHnHh.exe
C:\Windows\System\fARHnHh.exe
2⤵
PID:14052

C:\Windows\System\cJfZDXF.exe
C:\Windows\System\cJfZDXF.exe
2⤵
PID:14060

C:\Windows\System\JLiLTaC.exe
C:\Windows\System\JLiLTaC.exe
2⤵
PID:5808

C:\Windows\System\qzgUoqI.exe
C:\Windows\System\qzgUoqI.exe
2⤵
PID:14140

C:\Windows\System\EVynfyb.exe
C:\Windows\System\EVynfyb.exe
2⤵
PID:14152

C:\Windows\System\wkPcosh.exe
C:\Windows\System\wkPcosh.exe
2⤵
PID:5052

C:\Windows\System\lPJWnQE.exe
C:\Windows\System\lPJWnQE.exe
2⤵
PID:3004

C:\Windows\System\WpzgzJQ.exe
C:\Windows\System\WpzgzJQ.exe
2⤵
PID:14088

C:\Windows\System\zCoHaqg.exe
C:\Windows\System\zCoHaqg.exe
2⤵
PID:6632

C:\Windows\System\oeXHsyR.exe
C:\Windows\System\oeXHsyR.exe
2⤵
PID:14072

C:\Windows\System\nbeURWg.exe
C:\Windows\System\nbeURWg.exe
2⤵
PID:6956

C:\Windows\System\ahtiqDX.exe
C:\Windows\System\ahtiqDX.exe
2⤵
PID:2904

C:\Windows\System\yDNaacs.exe
C:\Windows\System\yDNaacs.exe
2⤵
PID:5592

C:\Windows\System\ZjLsuax.exe
C:\Windows\System\ZjLsuax.exe
2⤵
PID:6328

C:\Windows\System\rlMGkSK.exe
C:\Windows\System\rlMGkSK.exe
2⤵
PID:4220

C:\Windows\System\HmyvgFg.exe
C:\Windows\System\HmyvgFg.exe
2⤵
PID:4600

C:\Windows\System\DLxzvQg.exe
C:\Windows\System\DLxzvQg.exe
2⤵
PID:6624

C:\Windows\System\qgrslMC.exe
C:\Windows\System\qgrslMC.exe
2⤵
PID:6800

C:\Windows\System\PbfAhHt.exe
C:\Windows\System\PbfAhHt.exe
2⤵
PID:14240

C:\Windows\System\MWfJkgC.exe
C:\Windows\System\MWfJkgC.exe
2⤵
PID:6988

C:\Windows\System\WggqWUG.exe
C:\Windows\System\WggqWUG.exe
2⤵
PID:6164

C:\Windows\System\LZrpuVr.exe
C:\Windows\System\LZrpuVr.exe
2⤵
PID:1444

C:\Windows\System\fbUUHVU.exe
C:\Windows\System\fbUUHVU.exe
2⤵
PID:4176

C:\Windows\System\rsZCEBb.exe
C:\Windows\System\rsZCEBb.exe
2⤵
PID:6808

C:\Windows\System\wJVbMpz.exe
C:\Windows\System\wJVbMpz.exe
2⤵
PID:13332

C:\Windows\System\rKhsXxW.exe
C:\Windows\System\rKhsXxW.exe
2⤵
PID:6452

C:\Windows\System\TQHejzE.exe
C:\Windows\System\TQHejzE.exe
2⤵
PID:6992

C:\Windows\System\TxUwRcq.exe
C:\Windows\System\TxUwRcq.exe
2⤵
PID:5280

C:\Windows\System\giZwWQi.exe
C:\Windows\System\giZwWQi.exe
2⤵
PID:4340

C:\Windows\System\fjmcgWL.exe
C:\Windows\System\fjmcgWL.exe
2⤵
PID:7204

C:\Windows\System\aefSjph.exe
C:\Windows\System\aefSjph.exe
2⤵
PID:384

C:\Windows\System\IkSBNKL.exe
C:\Windows\System\IkSBNKL.exe
2⤵
PID:1168

C:\Windows\System\vkrnzSp.exe
C:\Windows\System\vkrnzSp.exe
2⤵
PID:1528

C:\Windows\System\fexQbHn.exe
C:\Windows\System\fexQbHn.exe
2⤵
PID:1220

C:\Windows\System\twkRjVN.exe
C:\Windows\System\twkRjVN.exe
2⤵
PID:13420

C:\Windows\System\fOvXnOn.exe
C:\Windows\System\fOvXnOn.exe
2⤵
PID:6152

C:\Windows\System\kjVcHjj.exe
C:\Windows\System\kjVcHjj.exe
2⤵
PID:13504

C:\Windows\System\LEMCoVe.exe
C:\Windows\System\LEMCoVe.exe
2⤵
PID:3168

C:\Windows\System\DsmzsCn.exe
C:\Windows\System\DsmzsCn.exe
2⤵
PID:6168

C:\Windows\System\lgoruqx.exe
C:\Windows\System\lgoruqx.exe
2⤵
PID:13572

C:\Windows\System\iAtuiCp.exe
C:\Windows\System\iAtuiCp.exe
2⤵
PID:6220

C:\Windows\System\KIiOYYp.exe
C:\Windows\System\KIiOYYp.exe
2⤵
PID:13708

C:\Windows\System\KuZqSGy.exe
C:\Windows\System\KuZqSGy.exe
2⤵
PID:3928

C:\Windows\System\ZGXGvGA.exe
C:\Windows\System\ZGXGvGA.exe
2⤵
PID:13720

C:\Windows\System\vLvEPnl.exe
C:\Windows\System\vLvEPnl.exe
2⤵
PID:13740

C:\Windows\System\nJdbvlR.exe
C:\Windows\System\nJdbvlR.exe
2⤵
PID:13768

C:\Windows\System\NEHkxrP.exe
C:\Windows\System\NEHkxrP.exe
2⤵
PID:2176

C:\Windows\System\twRoYYd.exe
C:\Windows\System\twRoYYd.exe
2⤵
PID:8972

C:\Windows\System\wkiSuLM.exe
C:\Windows\System\wkiSuLM.exe
2⤵
PID:9160

C:\Windows\System\bRHODIh.exe
C:\Windows\System\bRHODIh.exe
2⤵
PID:8768

C:\Windows\System\DFcSrcC.exe
C:\Windows\System\DFcSrcC.exe
2⤵
PID:896

C:\Windows\System\KJJbXpq.exe
C:\Windows\System\KJJbXpq.exe
2⤵
PID:8636

C:\Windows\System\AFWlbIX.exe
C:\Windows\System\AFWlbIX.exe
2⤵
PID:8524

C:\Windows\System\uHYEnoL.exe
C:\Windows\System\uHYEnoL.exe
2⤵
PID:4808

C:\Windows\System\TfGOnPv.exe
C:\Windows\System\TfGOnPv.exe
2⤵
PID:9428

C:\Windows\System\BXOKJjx.exe
C:\Windows\System\BXOKJjx.exe
2⤵
PID:9524

C:\Windows\System\NOocwLa.exe
C:\Windows\System\NOocwLa.exe
2⤵
PID:14016

C:\Windows\System\caVnNfc.exe
C:\Windows\System\caVnNfc.exe
2⤵
PID:9692

C:\Windows\System\MnEmdAI.exe
C:\Windows\System\MnEmdAI.exe
2⤵
PID:9740

C:\Windows\System\sEUpBln.exe
C:\Windows\System\sEUpBln.exe
2⤵
PID:4872

C:\Windows\System\bbEgiVT.exe
C:\Windows\System\bbEgiVT.exe
2⤵
PID:2180

C:\Windows\System\XOLFSSw.exe
C:\Windows\System\XOLFSSw.exe
2⤵
PID:9860

C:\Windows\System\VadWamZ.exe
C:\Windows\System\VadWamZ.exe
2⤵
PID:9924

C:\Windows\System\lGwuLtp.exe
C:\Windows\System\lGwuLtp.exe
2⤵
PID:9964

C:\Windows\System\XKgBkna.exe
C:\Windows\System\XKgBkna.exe
2⤵
PID:10072

C:\Windows\System\bqKrPOu.exe
C:\Windows\System\bqKrPOu.exe
2⤵
PID:10120

C:\Windows\System\mZqlcUB.exe
C:\Windows\System\mZqlcUB.exe
2⤵
PID:10204

C:\Windows\System\xpFIcCt.exe
C:\Windows\System\xpFIcCt.exe
2⤵
PID:9456

C:\Windows\System\bBPzugk.exe
C:\Windows\System\bBPzugk.exe
2⤵
PID:9156

C:\Windows\System\QVZPmkz.exe
C:\Windows\System\QVZPmkz.exe
2⤵
PID:9828

C:\Windows\System\QfovVrI.exe
C:\Windows\System\QfovVrI.exe
2⤵
PID:5556

C:\Windows\System\EKGCSIU.exe
C:\Windows\System\EKGCSIU.exe
2⤵
PID:8228

C:\Windows\System\uxDHRXG.exe
C:\Windows\System\uxDHRXG.exe
2⤵
PID:6916

C:\Windows\System\DvfJZKV.exe
C:\Windows\System\DvfJZKV.exe
2⤵
PID:2708

C:\Windows\System\yhOZUbi.exe
C:\Windows\System\yhOZUbi.exe
2⤵
PID:4100

C:\Windows\System\IrWldzE.exe
C:\Windows\System\IrWldzE.exe
2⤵
PID:9700

C:\Windows\System\kBCtlZO.exe
C:\Windows\System\kBCtlZO.exe
2⤵
PID:4584

C:\Windows\System\EYcGNIU.exe
C:\Windows\System\EYcGNIU.exe
2⤵
PID:9856

C:\Windows\System\OfCjyxj.exe
C:\Windows\System\OfCjyxj.exe
2⤵
PID:9296

C:\Windows\System\RodujIf.exe
C:\Windows\System\RodujIf.exe
2⤵
PID:9332

C:\Windows\System\ReEKSbc.exe
C:\Windows\System\ReEKSbc.exe
2⤵
PID:10248

C:\Windows\System\thSpcae.exe
C:\Windows\System\thSpcae.exe
2⤵
PID:10312

C:\Windows\System\YGmrgCF.exe
C:\Windows\System\YGmrgCF.exe
2⤵
PID:10360

C:\Windows\System\ooOFPuX.exe
C:\Windows\System\ooOFPuX.exe
2⤵
PID:10440

C:\Windows\System\xoBZNEH.exe
C:\Windows\System\xoBZNEH.exe
2⤵
PID:1572

C:\Windows\System\kqCDGVu.exe
C:\Windows\System\kqCDGVu.exe
2⤵
PID:10516

C:\Windows\System\mgmQWje.exe
C:\Windows\System\mgmQWje.exe
2⤵
PID:10528

C:\Windows\System\nfenoqO.exe
C:\Windows\System\nfenoqO.exe
2⤵
PID:10648

C:\Windows\System\TwjbeVZ.exe
C:\Windows\System\TwjbeVZ.exe
2⤵
PID:10828

C:\Windows\System\qCoMKuW.exe
C:\Windows\System\qCoMKuW.exe
2⤵
PID:1216

C:\Windows\System\dCQUNqI.exe
C:\Windows\System\dCQUNqI.exe
2⤵
PID:10900

C:\Windows\System\PvSnCms.exe
C:\Windows\System\PvSnCms.exe
2⤵
PID:10944

C:\Windows\System\DxjlDUp.exe
C:\Windows\System\DxjlDUp.exe
2⤵
PID:13448

C:\Windows\System\DlyiCTB.exe
C:\Windows\System\DlyiCTB.exe
2⤵
PID:5172

C:\Windows\System\pYPepPp.exe
C:\Windows\System\pYPepPp.exe
2⤵
PID:5224

C:\Windows\System\WUrinfp.exe
C:\Windows\System\WUrinfp.exe
2⤵
PID:4276

C:\Windows\System\EsvVTej.exe
C:\Windows\System\EsvVTej.exe
2⤵
PID:11256

C:\Windows\System\VIyUgap.exe
C:\Windows\System\VIyUgap.exe
2⤵
PID:7404

C:\Windows\System\TUUqKvm.exe
C:\Windows\System\TUUqKvm.exe
2⤵
PID:10532

C:\Windows\System\lbUOnBm.exe
C:\Windows\System\lbUOnBm.exe
2⤵
PID:13596

C:\Windows\System\FVlWWDf.exe
C:\Windows\System\FVlWWDf.exe
2⤵
PID:7484

C:\Windows\System\ahKEGgh.exe
C:\Windows\System\ahKEGgh.exe
2⤵
PID:11024

C:\Windows\System\ouaigde.exe
C:\Windows\System\ouaigde.exe
2⤵
PID:11140

C:\Windows\System\SOORPNG.exe
C:\Windows\System\SOORPNG.exe
2⤵
PID:7576

C:\Windows\System\GpLPpBP.exe
C:\Windows\System\GpLPpBP.exe
2⤵
PID:13764

C:\Windows\System\VrhzbCo.exe
C:\Windows\System\VrhzbCo.exe
2⤵
PID:11108

C:\Windows\System\LDzxZUP.exe
C:\Windows\System\LDzxZUP.exe
2⤵
PID:764

C:\Windows\System\FCVLOeQ.exe
C:\Windows\System\FCVLOeQ.exe
2⤵
PID:13804

C:\Windows\System\unqAJtz.exe
C:\Windows\System\unqAJtz.exe
2⤵
PID:7692

C:\Windows\System\FSEmJFK.exe
C:\Windows\System\FSEmJFK.exe
2⤵
PID:7684

C:\Windows\System\RtzgpWn.exe
C:\Windows\System\RtzgpWn.exe
2⤵
PID:6340

C:\Windows\System\MctLLwN.exe
C:\Windows\System\MctLLwN.exe
2⤵
PID:7744

C:\Windows\System\lUjhTAo.exe
C:\Windows\System\lUjhTAo.exe
2⤵
PID:13876

C:\Windows\System\HKzzCXU.exe
C:\Windows\System\HKzzCXU.exe
2⤵
PID:6412

C:\Windows\System\STvsgSm.exe
C:\Windows\System\STvsgSm.exe
2⤵
PID:11328

C:\Windows\System\ySUcVFh.exe
C:\Windows\System\ySUcVFh.exe
2⤵
PID:1968

C:\Windows\System\anMyJNg.exe
C:\Windows\System\anMyJNg.exe
2⤵
PID:11372

C:\Windows\System\MQfXPnY.exe
C:\Windows\System\MQfXPnY.exe
2⤵
PID:13916

C:\Windows\System\ubBgUBP.exe
C:\Windows\System\ubBgUBP.exe
2⤵
PID:7900

C:\Windows\System\fRHBEmk.exe
C:\Windows\System\fRHBEmk.exe
2⤵
PID:13940

C:\Windows\System\YcfRIrs.exe
C:\Windows\System\YcfRIrs.exe
2⤵
PID:13924

C:\Windows\System\xGfvWGM.exe
C:\Windows\System\xGfvWGM.exe
2⤵
PID:7924

C:\Windows\System\lZFXBcg.exe
C:\Windows\System\lZFXBcg.exe
2⤵
PID:1436

C:\Windows\System\HeGOYDS.exe
C:\Windows\System\HeGOYDS.exe
2⤵
PID:1892

C:\Windows\System\DIixueJ.exe
C:\Windows\System\DIixueJ.exe
2⤵
PID:5244

C:\Windows\System\FgFnuTb.exe
C:\Windows\System\FgFnuTb.exe
2⤵
PID:2492

C:\Windows\System\teIzUOq.exe
C:\Windows\System\teIzUOq.exe
2⤵
PID:8028

C:\Windows\System\gmzQDJK.exe
C:\Windows\System\gmzQDJK.exe
2⤵
PID:5652

C:\Windows\System\uHeXXRP.exe
C:\Windows\System\uHeXXRP.exe
2⤵
PID:5572

C:\Windows\System\mbRZwOP.exe
C:\Windows\System\mbRZwOP.exe
2⤵
PID:5824

C:\Windows\System\OHWnXwE.exe
C:\Windows\System\OHWnXwE.exe
2⤵
PID:5664

C:\Windows\System\ZECREkX.exe
C:\Windows\System\ZECREkX.exe
2⤵
PID:2380

C:\Windows\System\wOvwuOm.exe
C:\Windows\System\wOvwuOm.exe
2⤵
PID:7408

C:\Windows\System\oJoAEMj.exe
C:\Windows\System\oJoAEMj.exe
2⤵
PID:1248

C:\Windows\System\DmxVpIy.exe
C:\Windows\System\DmxVpIy.exe
2⤵
PID:5208

C:\Windows\System\LVQPphl.exe
C:\Windows\System\LVQPphl.exe
2⤵
PID:7556

C:\Windows\System\qpXpTjB.exe
C:\Windows\System\qpXpTjB.exe
2⤵
PID:11824

C:\Windows\System\WcqPGkQ.exe
C:\Windows\System\WcqPGkQ.exe
2⤵
PID:11768

C:\Windows\System\ENRyvoD.exe
C:\Windows\System\ENRyvoD.exe
2⤵
PID:7012

C:\Windows\System\LpRLCsZ.exe
C:\Windows\System\LpRLCsZ.exe
2⤵
PID:11688

C:\Windows\System\DdZeSlL.exe
C:\Windows\System\DdZeSlL.exe
2⤵
PID:7068

C:\Windows\System\YrvLoYf.exe
C:\Windows\System\YrvLoYf.exe
2⤵
PID:12008

C:\Windows\System\prKolGh.exe
C:\Windows\System\prKolGh.exe
2⤵
PID:5136

C:\Windows\System\AeLUfLn.exe
C:\Windows\System\AeLUfLn.exe
2⤵
PID:7920

C:\Windows\System\ydjXthM.exe
C:\Windows\System\ydjXthM.exe
2⤵
PID:13988

C:\Windows\System\CFNgyfY.exe
C:\Windows\System\CFNgyfY.exe
2⤵
PID:6044

C:\Windows\System\JKSQjcE.exe
C:\Windows\System\JKSQjcE.exe
2⤵
PID:8044

C:\Windows\System\GBheZZF.exe
C:\Windows\System\GBheZZF.exe
2⤵
PID:14012

C:\Windows\System\sbZnxId.exe
C:\Windows\System\sbZnxId.exe
2⤵
PID:7608

C:\Windows\System\nnjtGyc.exe
C:\Windows\System\nnjtGyc.exe
2⤵
PID:7936

C:\Windows\System\OKHawhe.exe
C:\Windows\System\OKHawhe.exe
2⤵
PID:7800

C:\Windows\System\oMdfUaK.exe
C:\Windows\System\oMdfUaK.exe
2⤵
PID:8140

C:\Windows\System\fJheoKr.exe
C:\Windows\System\fJheoKr.exe
2⤵
PID:8244

C:\Windows\System\hSvFCYy.exe
C:\Windows\System\hSvFCYy.exe
2⤵
PID:8364

C:\Windows\System\JUvRkXb.exe
C:\Windows\System\JUvRkXb.exe
2⤵
PID:8428

C:\Windows\System\BzxPKtF.exe
C:\Windows\System\BzxPKtF.exe
2⤵
PID:8536

C:\Windows\System\SBPCpGZ.exe
C:\Windows\System\SBPCpGZ.exe
2⤵
PID:8572

C:\Windows\System\AUFGZKE.exe
C:\Windows\System\AUFGZKE.exe
2⤵
PID:8656

C:\Windows\System\gMcBIuI.exe
C:\Windows\System\gMcBIuI.exe
2⤵
PID:8760

C:\Windows\System\abDBRQp.exe
C:\Windows\System\abDBRQp.exe
2⤵
PID:8880

C:\Windows\System\wAZFCWF.exe
C:\Windows\System\wAZFCWF.exe
2⤵
PID:8936

C:\Windows\System\sRewJQG.exe
C:\Windows\System\sRewJQG.exe
2⤵
PID:9012

C:\Windows\System\scVWvxr.exe
C:\Windows\System\scVWvxr.exe
2⤵
PID:14020

C:\Windows\System\UrBixhg.exe
C:\Windows\System\UrBixhg.exe
2⤵
PID:9164

C:\Windows\System\GdoJnxC.exe
C:\Windows\System\GdoJnxC.exe
2⤵
PID:8316

C:\Windows\System\FAwYSES.exe
C:\Windows\System\FAwYSES.exe
2⤵
PID:8660

C:\Windows\System\LxeQXjD.exe
C:\Windows\System\LxeQXjD.exe
2⤵
PID:5340

C:\Windows\System\HLGkEdJ.exe
C:\Windows\System\HLGkEdJ.exe
2⤵
PID:11784

C:\Windows\System\NfYudEb.exe
C:\Windows\System\NfYudEb.exe
2⤵
PID:12012

C:\Windows\System\uhiCHal.exe
C:\Windows\System\uhiCHal.exe
2⤵
PID:5416

C:\Windows\System\KIYUCTY.exe
C:\Windows\System\KIYUCTY.exe
2⤵
PID:12108

C:\Windows\System\AVkgUtQ.exe
C:\Windows\System\AVkgUtQ.exe
2⤵
PID:12192

C:\Windows\System\wHIbUuB.exe
C:\Windows\System\wHIbUuB.exe
2⤵
PID:11304

C:\Windows\System\PJJAFcV.exe
C:\Windows\System\PJJAFcV.exe
2⤵
PID:12212

C:\Windows\System\OUCuQdL.exe
C:\Windows\System\OUCuQdL.exe
2⤵
PID:10876

C:\Windows\System\KaEgHpn.exe
C:\Windows\System\KaEgHpn.exe
2⤵
PID:12348

C:\Windows\System\liGLiHp.exe
C:\Windows\System\liGLiHp.exe
2⤵
PID:9436

C:\Windows\System\JNvRUEO.exe
C:\Windows\System\JNvRUEO.exe
2⤵
PID:9728

C:\Windows\System\RtHEWLp.exe
C:\Windows\System\RtHEWLp.exe
2⤵
PID:12652

C:\Windows\System\hrkIeiK.exe
C:\Windows\System\hrkIeiK.exe
2⤵
PID:6284

C:\Windows\System\qwvoQMy.exe
C:\Windows\System\qwvoQMy.exe
2⤵
PID:4952

C:\Windows\System\yEbPHvK.exe
C:\Windows\System\yEbPHvK.exe
2⤵
PID:12876

C:\Windows\System\VMiEmiI.exe
C:\Windows\System\VMiEmiI.exe
2⤵
PID:6552

C:\Windows\System\OkBhLww.exe
C:\Windows\System\OkBhLww.exe
2⤵
PID:9928

C:\Windows\System\EGmygqU.exe
C:\Windows\System\EGmygqU.exe
2⤵
PID:12972

C:\Windows\System\eUAYxWf.exe
C:\Windows\System\eUAYxWf.exe
2⤵
PID:10004

C:\Windows\System\NLkmOCp.exe
C:\Windows\System\NLkmOCp.exe
2⤵
PID:13168

C:\Windows\System\YlVzMjc.exe
C:\Windows\System\YlVzMjc.exe
2⤵
PID:13192

C:\Windows\System\TAWwpoy.exe
C:\Windows\System\TAWwpoy.exe
2⤵
PID:10232

C:\Windows\System\HziuTkk.exe
C:\Windows\System\HziuTkk.exe
2⤵
PID:13248

C:\Windows\System\GavaYDg.exe
C:\Windows\System\GavaYDg.exe
2⤵
PID:9900

C:\Windows\System\gErBnrD.exe
C:\Windows\System\gErBnrD.exe
2⤵
PID:12664

C:\Windows\System\llosDMB.exe
C:\Windows\System\llosDMB.exe
2⤵
PID:6768

C:\Windows\System\RgqjWRq.exe
C:\Windows\System\RgqjWRq.exe
2⤵
PID:12924

C:\Windows\System\ddKjcFV.exe
C:\Windows\System\ddKjcFV.exe
2⤵
PID:14172

C:\Windows\System\dspIsJk.exe
C:\Windows\System\dspIsJk.exe
2⤵
PID:4244

C:\Windows\System\vQgzpjg.exe
C:\Windows\System\vQgzpjg.exe
2⤵
PID:11544

C:\Windows\System\jriqjrU.exe
C:\Windows\System\jriqjrU.exe
2⤵
PID:13236

C:\Windows\System\oEhkweE.exe
C:\Windows\System\oEhkweE.exe
2⤵
PID:13288

C:\Windows\System\aoqLacg.exe
C:\Windows\System\aoqLacg.exe
2⤵
PID:14244

C:\Windows\System\lgGspsY.exe
C:\Windows\System\lgGspsY.exe
2⤵
PID:3948

C:\Windows\System\NEWyWOI.exe
C:\Windows\System\NEWyWOI.exe
2⤵
PID:9620

C:\Windows\System\nVHzxtK.exe
C:\Windows\System\nVHzxtK.exe
2⤵
PID:1068

C:\Windows\System\AKsytru.exe
C:\Windows\System\AKsytru.exe
2⤵
PID:10276

C:\Windows\System\SogLujG.exe
C:\Windows\System\SogLujG.exe
2⤵
PID:5964

C:\Windows\System\MuyZSJQ.exe
C:\Windows\System\MuyZSJQ.exe
2⤵
PID:5848

C:\Windows\System\XjXCxjz.exe
C:\Windows\System\XjXCxjz.exe
2⤵
PID:6908

C:\Windows\System\rnDcEtT.exe
C:\Windows\System\rnDcEtT.exe
2⤵
PID:10472

C:\Windows\System\VmqKAUt.exe
C:\Windows\System\VmqKAUt.exe
2⤵
PID:13556

C:\Windows\System\cZNAeeM.exe
C:\Windows\System\cZNAeeM.exe
2⤵
PID:13568

C:\Windows\System\qlUlATR.exe
C:\Windows\System\qlUlATR.exe
2⤵
PID:13564

C:\Windows\System\umrhrgY.exe
C:\Windows\System\umrhrgY.exe
2⤵
PID:10556

C:\Windows\System\qZWdHde.exe
C:\Windows\System\qZWdHde.exe
2⤵
PID:376

C:\Windows\System\gODyLCy.exe
C:\Windows\System\gODyLCy.exe
2⤵
PID:12096

C:\Windows\System\kCkPyqT.exe
C:\Windows\System\kCkPyqT.exe
2⤵
PID:12572

C:\Windows\System\axaLhrG.exe
C:\Windows\System\axaLhrG.exe
2⤵
PID:12148

C:\Windows\System\gPFuyaa.exe
C:\Windows\System\gPFuyaa.exe
2⤵
PID:11040

C:\Windows\System\siDbgKd.exe
C:\Windows\System\siDbgKd.exe
2⤵
PID:13512

C:\Windows\System\paeaCRF.exe
C:\Windows\System\paeaCRF.exe
2⤵
PID:11104

C:\Windows\System\JxTmdsb.exe
C:\Windows\System\JxTmdsb.exe
2⤵
PID:10424

C:\Windows\System\RNfDZpU.exe
C:\Windows\System\RNfDZpU.exe
2⤵
PID:13588

C:\Windows\System\LpsQVFT.exe
C:\Windows\System\LpsQVFT.exe
2⤵
PID:10804

C:\Windows\System\OpsfSps.exe
C:\Windows\System\OpsfSps.exe
2⤵
PID:11072

C:\Windows\System\aJPdKrM.exe
C:\Windows\System\aJPdKrM.exe
2⤵
PID:10260

C:\Windows\System\tdCgGhA.exe
C:\Windows\System\tdCgGhA.exe
2⤵
PID:13776

C:\Windows\System\XpsUoMu.exe
C:\Windows\System\XpsUoMu.exe
2⤵
PID:13796

C:\Windows\System\FonCipA.exe
C:\Windows\System\FonCipA.exe
2⤵
PID:6364

C:\Windows\System\ygdHvzj.exe
C:\Windows\System\ygdHvzj.exe
2⤵
PID:10336

C:\Windows\System\eWDwRlM.exe
C:\Windows\System\eWDwRlM.exe
2⤵
PID:13852

C:\Windows\System\TppGJTz.exe
C:\Windows\System\TppGJTz.exe
2⤵
PID:1428

C:\Windows\System\wuVgudx.exe
C:\Windows\System\wuVgudx.exe
2⤵
PID:8156

C:\Windows\System\IoyUofw.exe
C:\Windows\System\IoyUofw.exe
2⤵
PID:3884

C:\Windows\System\OXFfxWY.exe
C:\Windows\System\OXFfxWY.exe
2⤵
PID:7848

C:\Windows\System\frpNKrJ.exe
C:\Windows\System\frpNKrJ.exe
2⤵
PID:7372

C:\Windows\System\ONjbBRA.exe
C:\Windows\System\ONjbBRA.exe
2⤵
PID:13912

C:\Windows\System\cJcNDrK.exe
C:\Windows\System\cJcNDrK.exe
2⤵
PID:6468

C:\Windows\System\bugzmoS.exe
C:\Windows\System\bugzmoS.exe
2⤵
PID:1416

C:\Windows\System\kYFCsml.exe
C:\Windows\System\kYFCsml.exe
2⤵
PID:11468

C:\Windows\System\dNgPesv.exe
C:\Windows\System\dNgPesv.exe
2⤵
PID:6540

C:\Windows\System\dfUtZLg.exe
C:\Windows\System\dfUtZLg.exe
2⤵
PID:6160

C:\Windows\System\XKEoFRD.exe
C:\Windows\System\XKEoFRD.exe
2⤵
PID:6620

C:\Windows\System\HBIPhXo.exe
C:\Windows\System\HBIPhXo.exe
2⤵
PID:11716

C:\Windows\System\gnDmKdG.exe
C:\Windows\System\gnDmKdG.exe
2⤵
PID:10852

C:\Windows\System\GSgOqvf.exe
C:\Windows\System\GSgOqvf.exe
2⤵
PID:632

C:\Windows\System\DADDJwC.exe
C:\Windows\System\DADDJwC.exe
2⤵
PID:5356

C:\Windows\System\CNrhIrx.exe
C:\Windows\System\CNrhIrx.exe
2⤵
PID:6672

C:\Windows\System\STmmjjd.exe
C:\Windows\System\STmmjjd.exe
2⤵
PID:8084

C:\Windows\System\SzgaLIk.exe
C:\Windows\System\SzgaLIk.exe
2⤵
PID:11676

C:\Windows\System\KFEKAIh.exe
C:\Windows\System\KFEKAIh.exe
2⤵
PID:4260

C:\Windows\System\EabuGoS.exe
C:\Windows\System\EabuGoS.exe
2⤵
PID:380

C:\Windows\System\aFItUIt.exe
C:\Windows\System\aFItUIt.exe
2⤵
PID:7712

C:\Windows\System\fFvHfRv.exe
C:\Windows\System\fFvHfRv.exe
2⤵
PID:7980

C:\Windows\System\WkHkRgr.exe
C:\Windows\System\WkHkRgr.exe
2⤵
PID:8336

C:\Windows\System\rsuYRIS.exe
C:\Windows\System\rsuYRIS.exe
2⤵
PID:11060

C:\Windows\System\wkFPhPO.exe
C:\Windows\System\wkFPhPO.exe
2⤵
PID:8844

C:\Windows\System\ASQHNvE.exe
C:\Windows\System\ASQHNvE.exe
2⤵
PID:8904

C:\Windows\System\yJQdDDl.exe
C:\Windows\System\yJQdDDl.exe
2⤵
PID:4368

C:\Windows\System\goQmHxH.exe
C:\Windows\System\goQmHxH.exe
2⤵
PID:8676

C:\Windows\System\UaToPAV.exe
C:\Windows\System\UaToPAV.exe
2⤵
PID:8440

C:\Windows\System\TKitdFq.exe
C:\Windows\System\TKitdFq.exe
2⤵
PID:9132

C:\Windows\System\lCqTahW.exe
C:\Windows\System\lCqTahW.exe
2⤵
PID:12080

C:\Windows\System\ITqCLeT.exe
C:\Windows\System\ITqCLeT.exe
2⤵
PID:12272

C:\Windows\System\MPQmLEH.exe
C:\Windows\System\MPQmLEH.exe
2⤵
PID:5112

C:\Windows\System\KjRbVBW.exe
C:\Windows\System\KjRbVBW.exe
2⤵
PID:11572

C:\Windows\System\TlAkHww.exe
C:\Windows\System\TlAkHww.exe
2⤵
PID:4976

C:\Windows\System\oQPxETD.exe
C:\Windows\System\oQPxETD.exe
2⤵
PID:11884

C:\Windows\System\aayUVHY.exe
C:\Windows\System\aayUVHY.exe
2⤵
PID:11916

C:\Windows\System\UNzgLEY.exe
C:\Windows\System\UNzgLEY.exe
2⤵
PID:12696

C:\Windows\System\sLoVouZ.exe
C:\Windows\System\sLoVouZ.exe
2⤵
PID:14212

C:\Windows\System\KTrewxH.exe
C:\Windows\System\KTrewxH.exe
2⤵
PID:12168

C:\Windows\System\vtGWWki.exe
C:\Windows\System\vtGWWki.exe
2⤵
PID:11392

C:\Windows\System\RkDEzQN.exe
C:\Windows\System\RkDEzQN.exe
2⤵
PID:956

C:\Windows\System\rsvEqKM.exe
C:\Windows\System\rsvEqKM.exe
2⤵
PID:9804

C:\Windows\System\eQfdzyz.exe
C:\Windows\System\eQfdzyz.exe
2⤵
PID:13028

C:\Windows\System\XZLfTgS.exe
C:\Windows\System\XZLfTgS.exe
2⤵
PID:11744

C:\Windows\System\kContGE.exe
C:\Windows\System\kContGE.exe
2⤵
PID:11940

C:\Windows\System\xjxUCEG.exe
C:\Windows\System\xjxUCEG.exe
2⤵
PID:12916

C:\Windows\System\nOHWfWm.exe
C:\Windows\System\nOHWfWm.exe
2⤵
PID:11356

C:\Windows\System\IcrKziu.exe
C:\Windows\System\IcrKziu.exe
2⤵
PID:11868

C:\Windows\System\buHhxGl.exe
C:\Windows\System\buHhxGl.exe
2⤵
PID:12268

C:\Windows\System\zcJmcmC.exe
C:\Windows\System\zcJmcmC.exe
2⤵
PID:12420

C:\Windows\System\cmYWgzP.exe
C:\Windows\System\cmYWgzP.exe
2⤵
PID:12464

C:\Windows\System\qYSzZwP.exe
C:\Windows\System\qYSzZwP.exe
2⤵
PID:12516

C:\Windows\System\zBcThzr.exe
C:\Windows\System\zBcThzr.exe
2⤵
PID:9372

C:\Windows\System\hBUurtT.exe
C:\Windows\System\hBUurtT.exe
2⤵
PID:12340

C:\Windows\System\Qbhltzc.exe
C:\Windows\System\Qbhltzc.exe
2⤵
PID:13224

C:\Windows\System\CcwPdbe.exe
C:\Windows\System\CcwPdbe.exe
2⤵
PID:12408

C:\Windows\System\KTJFhbn.exe
C:\Windows\System\KTJFhbn.exe
2⤵
PID:9796

C:\Windows\System\pzmKaME.exe
C:\Windows\System\pzmKaME.exe
2⤵
PID:13204

C:\Windows\System\uBDcSVF.exe
C:\Windows\System\uBDcSVF.exe
2⤵
PID:1184

C:\Windows\System\KHWjYaI.exe
C:\Windows\System\KHWjYaI.exe
2⤵
PID:816

C:\Windows\System\BHMIlGP.exe
C:\Windows\System\BHMIlGP.exe
2⤵
PID:5836

C:\Windows\System\nSgYVil.exe
C:\Windows\System\nSgYVil.exe
2⤵
PID:5404

C:\Windows\System\GYtwxai.exe
C:\Windows\System\GYtwxai.exe
2⤵
PID:6732

C:\Windows\System\aUcPcLR.exe
C:\Windows\System\aUcPcLR.exe
2⤵
PID:13552

C:\Windows\System\mZsMqqh.exe
C:\Windows\System\mZsMqqh.exe
2⤵
PID:2912

C:\Windows\System\FlUTtMu.exe
C:\Windows\System\FlUTtMu.exe
2⤵
PID:13604

C:\Windows\System\kAggHqP.exe
C:\Windows\System\kAggHqP.exe
2⤵
PID:12604

C:\Windows\System\Jduiuok.exe
C:\Windows\System\Jduiuok.exe
2⤵
PID:10292

C:\Windows\System\XrGoCwo.exe
C:\Windows\System\XrGoCwo.exe
2⤵
PID:3584

C:\Windows\System\uwEHtoS.exe
C:\Windows\System\uwEHtoS.exe
2⤵
PID:2996

C:\Windows\System\ueEioRK.exe
C:\Windows\System\ueEioRK.exe
2⤵
PID:10948

C:\Windows\System\qTtuRKs.exe
C:\Windows\System\qTtuRKs.exe
2⤵
PID:7780

C:\Windows\System\cwNkOLs.exe
C:\Windows\System\cwNkOLs.exe
2⤵
PID:3824

C:\Windows\System\krxbwnC.exe
C:\Windows\System\krxbwnC.exe
2⤵
PID:6556

C:\Windows\System\NoKiIwx.exe
C:\Windows\System\NoKiIwx.exe
2⤵
PID:11652

C:\Windows\System\vwwkMdP.exe
C:\Windows\System\vwwkMdP.exe
2⤵
PID:7192

C:\Windows\System\dynfWLm.exe
C:\Windows\System\dynfWLm.exe
2⤵
PID:8452

C:\Windows\System\ggoyMFK.exe
C:\Windows\System\ggoyMFK.exe
2⤵
PID:9444

C:\Windows\System\EgGagDl.exe
C:\Windows\System\EgGagDl.exe
2⤵
PID:5192

C:\Windows\System\SrxTxAo.exe
C:\Windows\System\SrxTxAo.exe
2⤵
PID:7804

C:\Windows\System\uWcECGe.exe
C:\Windows\System\uWcECGe.exe
2⤵
PID:7904

C:\Windows\System\TaxRoSg.exe
C:\Windows\System\TaxRoSg.exe
2⤵
PID:8684

C:\Windows\System\pbStqnX.exe
C:\Windows\System\pbStqnX.exe
2⤵
PID:11812

C:\Windows\System\qOtpNxM.exe
C:\Windows\System\qOtpNxM.exe
2⤵
PID:3192

C:\Windows\System\UnACnMb.exe
C:\Windows\System\UnACnMb.exe
2⤵
PID:9580

C:\Windows\System\OYhUsZf.exe
C:\Windows\System\OYhUsZf.exe
2⤵
PID:12068

C:\Windows\System\JzBxrUO.exe
C:\Windows\System\JzBxrUO.exe
2⤵
PID:1540

C:\Windows\System\lQWDugC.exe
C:\Windows\System\lQWDugC.exe
2⤵
PID:12480

C:\Windows\System\EUyeRMs.exe
C:\Windows\System\EUyeRMs.exe
2⤵
PID:13220

C:\Windows\System\VLIMDql.exe
C:\Windows\System\VLIMDql.exe
2⤵
PID:1560

C:\Windows\System\zEEtlQY.exe
C:\Windows\System\zEEtlQY.exe
2⤵
PID:12808

C:\Windows\System\XTEVbgE.exe
C:\Windows\System\XTEVbgE.exe
2⤵
PID:13008

C:\Windows\System\kifkZBA.exe
C:\Windows\System\kifkZBA.exe
2⤵
PID:11548

C:\Windows\System\cgtPyJG.exe
C:\Windows\System\cgtPyJG.exe
2⤵
PID:2312

C:\Windows\System\KISoDpm.exe
C:\Windows\System\KISoDpm.exe
2⤵
PID:10976

C:\Windows\System\CYKXKWz.exe
C:\Windows\System\CYKXKWz.exe
2⤵
PID:6496

C:\Windows\System\lWuwqDz.exe
C:\Windows\System\lWuwqDz.exe
2⤵
PID:2076

C:\Windows\System\rQpspwY.exe
C:\Windows\System\rQpspwY.exe
2⤵
PID:6448

C:\Windows\System\YbZhMgx.exe
C:\Windows\System\YbZhMgx.exe
2⤵
PID:13680

C:\Windows\System\yaiOEPN.exe
C:\Windows\System\yaiOEPN.exe
2⤵
PID:10536

C:\Windows\System\VicYCmv.exe
C:\Windows\System\VicYCmv.exe
2⤵
PID:5600

C:\Windows\System\LhhItja.exe
C:\Windows\System\LhhItja.exe
2⤵
PID:9836

C:\Windows\System\JBUJOhz.exe
C:\Windows\System\JBUJOhz.exe
2⤵
PID:13784

C:\Windows\System\eoJYrAa.exe
C:\Windows\System\eoJYrAa.exe
2⤵
PID:10052

C:\Windows\System\sRhEhQf.exe
C:\Windows\System\sRhEhQf.exe
2⤵
PID:3208

C:\Windows\System\uccYVzs.exe
C:\Windows\System\uccYVzs.exe
2⤵
PID:14108

C:\Windows\System\xPqKjHW.exe
C:\Windows\System\xPqKjHW.exe
2⤵
PID:8396

C:\Windows\System\UUbdUTD.exe
C:\Windows\System\UUbdUTD.exe
2⤵
PID:11156

C:\Windows\System\kzxXUoF.exe
C:\Windows\System\kzxXUoF.exe
2⤵
PID:1232

C:\Windows\System\gtFIUAe.exe
C:\Windows\System\gtFIUAe.exe
2⤵
PID:4948

C:\Windows\System\pXRAUGe.exe
C:\Windows\System\pXRAUGe.exe
2⤵
PID:4256

C:\Windows\System\XjqMyXx.exe
C:\Windows\System\XjqMyXx.exe
2⤵
PID:12740

C:\Windows\System\FKqfWnL.exe
C:\Windows\System\FKqfWnL.exe
2⤵
PID:8168

C:\Windows\System\FJkwueb.exe
C:\Windows\System\FJkwueb.exe
2⤵
PID:13480

C:\Windows\System\zhSJvRM.exe
C:\Windows\System\zhSJvRM.exe
2⤵
PID:2636

C:\Windows\System\OZHazOg.exe
C:\Windows\System\OZHazOg.exe
2⤵
PID:5264

C:\Windows\System\DWJrtdf.exe
C:\Windows\System\DWJrtdf.exe
2⤵
PID:9016

C:\Windows\System\FUvMXsE.exe
C:\Windows\System\FUvMXsE.exe
2⤵
PID:14204

C:\Windows\System\DqaRFJn.exe
C:\Windows\System\DqaRFJn.exe
2⤵
PID:13948

C:\Windows\System\MxKrcdM.exe
C:\Windows\System\MxKrcdM.exe
2⤵
PID:9304

C:\Windows\System\yJIGDBg.exe
C:\Windows\System\yJIGDBg.exe
2⤵
PID:404

C:\Windows\System\TUyGaiN.exe
C:\Windows\System\TUyGaiN.exe
2⤵
PID:14168

C:\Windows\System\lhjelkw.exe
C:\Windows\System\lhjelkw.exe
2⤵
PID:8284

C:\Windows\System\QCCFQCL.exe
C:\Windows\System\QCCFQCL.exe
2⤵
PID:12736

C:\Windows\System\TcivgEJ.exe
C:\Windows\System\TcivgEJ.exe
2⤵
PID:10564

C:\Windows\System\MFqRsYV.exe
C:\Windows\System\MFqRsYV.exe
2⤵
PID:12376

C:\Windows\System\sEwsMYG.exe
C:\Windows\System\sEwsMYG.exe
2⤵
PID:5912

C:\Windows\System\TnlJUkO.exe
C:\Windows\System\TnlJUkO.exe
2⤵
PID:10100

C:\Windows\System\wpflnvy.exe
C:\Windows\System\wpflnvy.exe
2⤵
PID:11844

C:\Windows\System\awfyRWS.exe
C:\Windows\System\awfyRWS.exe
2⤵
PID:2928

C:\Windows\System\OJMoyCl.exe
C:\Windows\System\OJMoyCl.exe
2⤵
PID:5880

C:\Windows\System\NBDrtNC.exe
C:\Windows\System\NBDrtNC.exe
2⤵
PID:7868

C:\Windows\System\TiDFkVs.exe
C:\Windows\System\TiDFkVs.exe
2⤵
PID:6952

C:\Windows\System\kmiMryx.exe
C:\Windows\System\kmiMryx.exe
2⤵
PID:14352

C:\Windows\System\zdvswKJ.exe
C:\Windows\System\zdvswKJ.exe
2⤵
PID:14368

C:\Windows\System\SERUsAf.exe
C:\Windows\System\SERUsAf.exe
2⤵
PID:14384

C:\Windows\System\jEHjNAP.exe
C:\Windows\System\jEHjNAP.exe
2⤵
PID:14404

C:\Windows\System\CNNhvoi.exe
C:\Windows\System\CNNhvoi.exe
2⤵
PID:14420

C:\Windows\System\szyVBvF.exe
C:\Windows\System\szyVBvF.exe
2⤵
PID:14440

C:\Windows\System\PADPkTe.exe
C:\Windows\System\PADPkTe.exe
2⤵
PID:14456

C:\Windows\System\OEZbfPJ.exe
C:\Windows\System\OEZbfPJ.exe
2⤵
PID:14564

C:\Windows\System\ZHOmtZV.exe
C:\Windows\System\ZHOmtZV.exe
2⤵
PID:14612

C:\Windows\System\BMkmZXK.exe
C:\Windows\System\BMkmZXK.exe
2⤵
PID:14632

C:\Windows\System\zJbWUIc.exe
C:\Windows\System\zJbWUIc.exe
2⤵
PID:14648

C:\Windows\System\VYNyStv.exe
C:\Windows\System\VYNyStv.exe
2⤵
PID:14672

C:\Windows\System\pJtTNgj.exe
C:\Windows\System\pJtTNgj.exe
2⤵
PID:14688

C:\Windows\System\GELgDkc.exe
C:\Windows\System\GELgDkc.exe
2⤵
PID:14708

C:\Windows\System\rfrFUbm.exe
C:\Windows\System\rfrFUbm.exe
2⤵
PID:14728

C:\Windows\System\kfcjfyU.exe
C:\Windows\System\kfcjfyU.exe
2⤵
PID:14752

C:\Windows\System\GTEJWJq.exe
C:\Windows\System\GTEJWJq.exe
2⤵
PID:14768

C:\Windows\System\CMjIdoy.exe
C:\Windows\System\CMjIdoy.exe
2⤵
PID:14784

C:\Windows\System\IOWiPrj.exe
C:\Windows\System\IOWiPrj.exe
2⤵
PID:14808

C:\Windows\System\gpKtjvb.exe
C:\Windows\System\gpKtjvb.exe
2⤵
PID:14828

C:\Windows\System\SyrNbVK.exe
C:\Windows\System\SyrNbVK.exe
2⤵
PID:14944

C:\Windows\System\SMMsaLE.exe
C:\Windows\System\SMMsaLE.exe
2⤵
PID:15104

C:\Windows\System\rLznqin.exe
C:\Windows\System\rLznqin.exe
2⤵
PID:15144

C:\Windows\System\laNyDHs.exe
C:\Windows\System\laNyDHs.exe
2⤵
PID:15208

C:\Windows\System\oIvnHDc.exe
C:\Windows\System\oIvnHDc.exe
2⤵
PID:15228

C:\Windows\System\PPjdrnf.exe
C:\Windows\System\PPjdrnf.exe
2⤵
PID:6696

C:\Windows\System\tWjzFJn.exe
C:\Windows\System\tWjzFJn.exe
2⤵
PID:14960

C:\Windows\System\bdgtrSp.exe
C:\Windows\System\bdgtrSp.exe
2⤵
PID:15052

C:\Windows\System\oeyTYwF.exe
C:\Windows\System\oeyTYwF.exe
2⤵
PID:14320

C:\Windows\System\GxlbxKF.exe
C:\Windows\System\GxlbxKF.exe
2⤵
PID:15264

C:\Windows\System\PmuxAJw.exe
C:\Windows\System\PmuxAJw.exe
2⤵
PID:14680

C:\Windows\System\QUOeZsi.exe
C:\Windows\System\QUOeZsi.exe
2⤵
PID:14780

C:\Windows\System\KsZIDCB.exe
C:\Windows\System\KsZIDCB.exe
2⤵
PID:5956

C:\Windows\System\LrCbrKe.exe
C:\Windows\System\LrCbrKe.exe
2⤵
PID:4940

C:\Windows\System\ptnjuuB.exe
C:\Windows\System\ptnjuuB.exe
2⤵
PID:10288

C:\Windows\System\iPzzTNL.exe
C:\Windows\System\iPzzTNL.exe
2⤵
PID:14764

C:\Windows\System\sLTLChZ.exe
C:\Windows\System\sLTLChZ.exe
2⤵
PID:15184

C:\Windows\System\ibYvuOm.exe
C:\Windows\System\ibYvuOm.exe
2⤵
PID:6852

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13452

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13396

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:7420

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:9552

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:12264

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:15624

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:15876

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jo3xuh0u.q5k.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AwoxGAm.exe
Filesize
2.8MB

MD5
7a9b21cb8c6a8974a45633679e85bba8

SHA1
09f1bc945095ac9dffc112c969add48ba3b1c30a

SHA256
9a37a6ce98ed840fb87d133dcf0af2515839ebb0f385634ea71a58ea5c142398

SHA512
9069e5b4acab7716c08d7598ce6c1105f8b23519f7b75ef8d23226e5a36e51e69d7c74dffd78f51ca83542d3c1ce70762e5fc4f8428e98ee56a8e7b847847f1e

Download Submit
C:\Windows\System\DcDPGci.exe
Filesize
18B

MD5
7e241728f2343f18cf6d4cb72504ec78

SHA1
9cccbb0aba79ab3a2a9bf3155046eceaac78c7ba

SHA256
b2bd378e2abde42a5bf8b9cf629215db74a908498b48485014a09a596a8fd24d

SHA512
45847f8bf306e058894f07ec94236dd09abb29d6656564c3c9064e8b9250fff7a27d019d62b82152715bd4101f38c68aa1616c8e535f5837908b522624314c32

Download Submit
C:\Windows\System\DsjIVhy.exe
Filesize
2.8MB

MD5
f6da17cef98d85c866a0e1abcf957958

SHA1
41e9c910ba9621ec5365013130be647b3405838c

SHA256
8cc175f849859522247b9b418a38d91c2e9cbe48541a8816b746b502336ef0c7

SHA512
4977e41d5cd96b960238d97889f2216d5a08ac4862226bac962a29e64e2d53ac388cb78326582f048d8d9fd513a7b7ed75a944453b98b41ed4e7ac75b523b7ec

Download Submit
C:\Windows\System\DvjPTqV.exe
Filesize
2.8MB

MD5
d300790ff4fd51a521c849c5e3421286

SHA1
ba2e529605fe1f4b86080a5bb5cbd9762e285d69

SHA256
9eb411d139d3a254fa130a5723ba16e75d761e15ecbe819310cad15144957270

SHA512
a339d2a8bc16323798e126989a1a46422dce903e1aa1adac77e27f0997770d1609e7183f290b7807ea9d8889c2963646092ca228efe5d21ebddb357691adea4c

Download Submit
C:\Windows\System\DytsZrc.exe
Filesize
2.8MB

MD5
7c414b7ee965cdb0ba6a1dc6fb2fd730

SHA1
f33bc4a496a4db32a30051c9c9020bd36401f127

SHA256
2b165082aa2f08482f7a789d4876f6453304829d8bf5eaea32561d47264a0173

SHA512
f8e6605c81b7bcb77bc25cf9940ffcd847ea77d2c994e9fae5362391600bd979f0de2fd579d6f2be443179bbb30f33962bf0a29ef7c3262d2b2abff408e7e5e1

Download Submit
C:\Windows\System\FbbsOgK.exe
Filesize
2.8MB

MD5
2df900c9679cb2f43719126f602afb5c

SHA1
e71d2aa35bb3394c3ea0461197092ee37a2d3b9f

SHA256
d5354dae4560943b5cd8a85f91346f952d0bb10ff70e23bb51403d8876a3e4d2

SHA512
7756a9e67cd9759c4e4a81ab6415ddf8588c46f0381be85a6880eb6a8472f7dd9b89df0e45e52c598933fd33a473ec0d3593272e84675e5e08f837d44c073b72

Download Submit
C:\Windows\System\HBwYzHP.exe
Filesize
2.8MB

MD5
c62a8f6e93f19a1787504d6c3c9795c6

SHA1
ff8014afe4932a941b0ce32799926948d87305e7

SHA256
54c4de66518a81c20726117ba163c764c12bd102106a4495408cc702c467b998

SHA512
93ba0c2ac97461d5dbdf0ab165c1344d4b045f8db41205e197b63ed576d6186a9d8757aa835ca0e022a5d8bbb74781505221c1da1f6054e6c80d248326acea87

Download Submit
C:\Windows\System\IBLnnFs.exe
Filesize
8B

MD5
e71397695bfc95ac5fe1d82687725659

SHA1
45272317203fb987b8952f41b0170bd5a78944b0

SHA256
593106c260dc81c57565b84dcf164e3aba348716b31b67ed996f84e8eb33a8f2

SHA512
b0a8d0ea3899c2bbb7c006edeeb2ecf2f4894f56db8d8ff247c4e6fc5083c186ab234b2494615de540e99bc5dda8055b1dfec22d34c5a32a9febff889f810e0e

Download Submit
C:\Windows\System\IXVTDDT.exe
Filesize
2.8MB

MD5
e9f625ceb99629c19d02f524c5120c70

SHA1
f7f5e4bc830f5bcdb871f15cfce064f72ae5bf3f

SHA256
c195ad9e7f631d934fb6836021b9d47d55a5477546748ae025731a04239db971

SHA512
e0f95f3882de50ae03f508d437650b0791bff0ece287cf90722006c7420c51d06aa385635aa65455f68768924d8935f1269ccb34767b91e32a104341961a7baa

Download Submit
C:\Windows\System\MlQBKQy.exe
Filesize
2.8MB

MD5
94888240b0c34b772368e9a2eb2b33a8

SHA1
4d4dd0bc41b22d7f377d5143f06a20f31106547e

SHA256
ab30442f1d03a3d3a7a4bf44b49a9d7b8b43de3a695ebee17249aa5b8e1d88c9

SHA512
1c9244f89ceef4581857c17d88acc84c4fb927ac7f144f6b30394acf66d7f2096375ef2e4651815d897b50c91afc34bca0149d8898e84bb48ccf297f98c1de00

Download Submit
C:\Windows\System\NbrxIat.exe
Filesize
2.8MB

MD5
ef2002858d5857e1fdb1c157bf8d7216

SHA1
f83abf5aae4aa3d16d85d4ef7fe69cbb18f227dd

SHA256
70241e0b56e171e660ad9c5654975852d175a02d668e11d9d4e0d157d08afb6f

SHA512
39473226b7ecc4316a959aff6f3355020f931055131a1809be92ea31270a0fb0a432046ab1b0fae07e8ebf34c1443ba6c381e1e838bbda4f73f9000a12e41f0e

Download Submit
C:\Windows\System\PmFWZhH.exe
Filesize
2.8MB

MD5
2acfc023fe98c6d92b28f6390c5aa78e

SHA1
7090bc63e22ace72dbb4c565e112b11e57d27c60

SHA256
4a8346dc9cb8062ee0d08826ee6e260d8df2ab15646024906128d4bebf98162c

SHA512
39ae376bf2024bc8e46c8dfe9297059a4712f003a3ca0830ae675fb988cb293337a9965ebcaf022fa2cb22600ec88189df86d524d097b64f1ac0f85ecfb97125

Download Submit
C:\Windows\System\PvuAXVv.exe
Filesize
2.8MB

MD5
d5377ab585f79a158ae7c520b889a177

SHA1
a7c181f07af415626a4dba396a4307ded9ed41c3

SHA256
0257b115cd43165a83e644ca4b25e135d5018c279bcdd61ba2f14f708ba11dac

SHA512
4d798942a3b071940a100428f12d86b70253ba6882328e5d1aa017516cf79f86d91d75c15ccdbe47add0d5290f20cf9f71b7c42d7fbe0401bb1bbebebf96423f

Download Submit
C:\Windows\System\RaApCni.exe
Filesize
2.8MB

MD5
542f020b09cb2e2190ff26070a539f5b

SHA1
9412eb09761784ce1387b5bdc19ec2094a5a5a16

SHA256
8b56735636bc7241c5f940104768ef9ba6574fcadf02512624552156cf1fab0a

SHA512
5dea2c1435100a4b23230de5655148a183cff449a89c8eaeab425d6dd3c267aef32b370a00b0bc1d6e7e81d9ac53335eaf5cbcde82d42af397602544f560df84

Download Submit
C:\Windows\System\VkZfFDK.exe
Filesize
2.8MB

MD5
7189899f774e6f22f3639bd6c2a1e7e8

SHA1
a1e6bb9d912831782e447850f9826f4758af5d11

SHA256
0f72c5b9f5c79c79defc1c0c57319f819afc0fbbe2fba1400b0f9e0a65d9a631

SHA512
4e251bd42f58f159932ec87e14096219ea11e08e44334960fe599b08135320466c7e8e81ad6f24eed42ea7385e61b5fcbf4e274cececaf83a0f6c0463ee2bcae

Download Submit
C:\Windows\System\XqLvGXa.exe
Filesize
2.8MB

MD5
e3d8cc7136c648356d0bdaa365159490

SHA1
52cf3178dfdc27fbf6086c316ad72311ff7d1086

SHA256
e947024c81efd736f7545444bd769827e8a10bb0561c925d25ae352adae61427

SHA512
b76d41c12d18fb0b4c1f311bc317149ca35784c072e818ac701fb389b1d10fd250a27c818956ccc865b5cb77798f00552acd6b5e23bf5542bda60fcd43d416c8

Download Submit
C:\Windows\System\YLchyPY.exe
Filesize
2.8MB

MD5
4cae654b0998db8e4660d2d378fa4ffb

SHA1
3de174c1a68c2ed347a0b224ca2e20507e8c0c09

SHA256
5f8c2bf53bf12cb54e7973930628f3e454b002d71384f65f78a0df3f54b822f6

SHA512
337195356dd0be930581f05b24d9efe1c3a7733448307d65f9096b7906c8741547c0e34691b59d0a36b8e122ed919e4f45042864079a4c2231481eface96ff52

Download Submit
C:\Windows\System\ZCVMYJG.exe
Filesize
2.8MB

MD5
cf5931a1f4b8b7d81fac3a7169a7b734

SHA1
09ba85ca7bcad4104d27af16a98983c58ca7eef2

SHA256
cd9d78d7fcde4de3962acc0644a2efc8fb1b07663032f504be0bc125920d4ce6

SHA512
6df3aef0f1628fd9986aa0f00c36f489a4aaf0b8881e8c296b9d542fcf39be90e54f00a11a0d1fd62b250fc5288869af8588a2f430f1a2b628b2fada3a59d960

Download Submit
C:\Windows\System\aEbyxbc.exe
Filesize
2.8MB

MD5
b1377cf39f3b214a5e25fdf250e43829

SHA1
b21a7ffbf641faf6875522a33d94a9f668320bcf

SHA256
b2fdeb3281fc7c9268e50c048ab69fce17533875e71509616e301c1461f1bfe7

SHA512
0a5d781cfe6d9a0d1102f8f140880baceb41a141f4eb6c2d55924bee80df9b0d12476719b68aa7d0c3b9e2a0684ead177d9d531212a650c9bb8bd475673c86e6

Download Submit
C:\Windows\System\astLpiU.exe
Filesize
2.8MB

MD5
ebe862f70a4db2d766705e5b66a61ea8

SHA1
c8e31755995da0ad2bfa714b0b58fa628d17559a

SHA256
931584d15fafa0e66220b8c17a8917adb661a1846cb7a4322356e6824b670c01

SHA512
d9d4f795d8c48d820fa8f19eeefd5ea7e60d1205aa856a01964b8624173aad53e643602682280c0164ee2d1b22d25b0ebeeb30090b41cd57b1e61fc037cfb709

Download Submit
C:\Windows\System\eOnTnCu.exe
Filesize
2.8MB

MD5
5edf85f06067b32e2975ef89feacbf8e

SHA1
69342b053155b6e30100ef255209883b6d1fb295

SHA256
f9fefcd504ce8063230442d37c88af54cd29cc56770b4fd6cfd4817b4b2fb338

SHA512
178ebb4fbae8d2595a0c5bf5cf4cfecc6c4c0b12060152025ec06d047df32457d4041c6924f30961246c4f52065728a29709827f31bc39c191f1bbe578715135

Download Submit
C:\Windows\System\egsDKbJ.exe
Filesize
2.8MB

MD5
ef1964382ebf594e9565c25f0c0423f7

SHA1
6e79c1fe043721f0f8eb5439d912757702a7d8ee

SHA256
2d82df985685d54911d9a077c3a0693f92d220432726168ebf6e7cb1110cc361

SHA512
da80de2aa3e35e4d65d24f62c150e3a39c92b39ed5140f3467716feeb2ae9daf395697fdb781969da25fd256390ee0b4dd3748883f1f186dd0007e1eab7ea8d6

Download Submit
C:\Windows\System\gEYZgPD.exe
Filesize
2.8MB

MD5
4452bfdf5dbfd8b8e172097b01dc574d

SHA1
a0600687d5abab11e759cfa42773e10c96235051

SHA256
d573eb4250b946d6b3d26f8f57ed8d8a0d0a8e04576bc4244a2357b4c79213bf

SHA512
e97ec4b83bbde89ecd51b84c4ab77aa4022a7c768b648398814b2999b2e252f6ca432a03d67fb11e53553d7fcf891cff3c3c73a70987eb4a1ce9a6d52a771436

Download Submit
C:\Windows\System\jdLSczy.exe
Filesize
2.8MB

MD5
78d6ba7fd7aef4a899b6ce173ed7f1e0

SHA1
5cde8711830aed8125fdb492812971bc3b7a0fe4

SHA256
b0709654bd5013e5b52834df554238df889494dc43b4d92c6704640958331163

SHA512
53b3a3edb26281ead172f0ff4170e9c5d2c6b9fff5eab8515b497f1e543b5162b406a360c78b16324a098d2c37d6399a9b1d2b48953e60c54dc146801956970e

Download Submit
C:\Windows\System\jkFvQJt.exe
Filesize
2.8MB

MD5
72132d1c5b52e810bbdad02ac68c9b5e

SHA1
1a948ec628758153f77dfff18474d530cf0fec2f

SHA256
56a4e1c9b7b4ffd91a35eaf5e9be4314b72074c0c4732af7d0420d22313e7d53

SHA512
0f1221cebd379be8dbba72a03c11f6337770134213c3e8a051638932495fc97ac3d491e6c34cb40a710f401b5cb7f6179a436604820a417c5675e009487d5cdd

Download Submit
C:\Windows\System\kHEQUld.exe
Filesize
2.8MB

MD5
a7a4c1fa096f30c2307f351421c846f7

SHA1
908b721b2ea32d3041a02a8ce99ca4f5a5fe01dd

SHA256
68f8b18624636cc355293189f7c4cf38b59bbc593c2180748e6f88d9d9c86ca2

SHA512
a03101e87c625ecd155d4459b307a1210b1c5247e330b4a5e2d01fa5bd4690c0f5e9d407109fe64e7589c38fa487472a396b5ca64cb5cce07b88e7a81651a88a

Download Submit
C:\Windows\System\kIjJfpo.exe
Filesize
2.8MB

MD5
5f688bb11b5547c6e976ec5b89ef09c5

SHA1
451f3b6e3a5dc615e03e83ae2efef7bea93a5560

SHA256
bf49c378d0417d2e0f167f080589a912e850e45e6780c02cb8cfb1c788868465

SHA512
9066d39eed959a5a4d407cadac2e926cc43dd7c06c5f8e4110785772f99f9f311c7ed3150491de47a1a34eac561f0bb22e82bc36e51243f5654b7a17ed6b4eff

Download Submit
C:\Windows\System\mWhloCu.exe
Filesize
2.8MB

MD5
adebbc5b78c9c60e9c15ce5578c1e589

SHA1
3514fe463e931f74ea5e191138c9ca3330ce67ec

SHA256
9919e75134e860f59e3376e2eadaeeb899df86be3c8c132bc68fe1dc5024c337

SHA512
6f583d1113951b95dfb14022d947465a9144e285ce1a337177faffa60b69c0e1bc6c6ac8cc4205bd9e892af5b562edc5693f97b269571e924890a41dce484e04

Download Submit
C:\Windows\System\nLfVDhl.exe
Filesize
2.8MB

MD5
510c2c761a1de16301b3058242ef70b8

SHA1
18ed087bea166f8e8701581a5f28a10740cc162c

SHA256
3bed25e72b0f0c66d4606b5c06b5283e976572cb17d4b56ca6e4666ba1c2a4f8

SHA512
125b5a1484fa2586e359e35ba00fa746baf7a30dbc09717e4c95c7f7a74a3da01476c1bf39266b3c838c4d5baf6f15caa3e2e6a19eb013befad7b0653cf62b53

Download Submit
C:\Windows\System\qRCVWqh.exe
Filesize
2.8MB

MD5
10097b226e61484c093ccbb7009ab959

SHA1
186f51b59067067c0ea14453d22f6720da62d5ca

SHA256
09712b1622ec942bce51dae520bd9dc8ce17bd5c8fd59ea58cbb73b1cad2774a

SHA512
452f843e6199270ff086245fe2f2354bf590afa4a02e2e4b38a92340e3d529183c2ca1be61b17120e22fd9fcf4346126b193d509fd2a7a39f8f4dc6921e30174

Download Submit
C:\Windows\System\uZuqROm.exe
Filesize
2.8MB

MD5
f40220478cf130274db7a78edca29b53

SHA1
0c6887a5a42ae36f890a07e628ce647c346a360c

SHA256
d6700423bd5e928dd0e2983bf82da84a04ed21fb446aa607e8579392e8101a53

SHA512
62c1752489b5bd3fb770e2ec1a444fad81ea9d59536f1e45a744fb7e5130fa0fffd2e17af644a6445a078b8eac55875cd8037aead06aa727ad6574fbab4dd748

Download Submit
C:\Windows\System\vOPjjEZ.exe
Filesize
2.8MB

MD5
893793566ab2b4345bf2b91efc995c7b

SHA1
663aced8d115c5bac80835438d2c648e1cdb5d3a

SHA256
b8d5dcf251c41fac2a0615580cddade7d9027f722f8d684042f2d7360e2fc879

SHA512
6b053b3f44ce0c5f81167dd10823dedd243769121bb35e314343938ed4d4b82eee7ba830ca6e475e04ac5ba82ad84f7c0f079a67efa30a52073f7251cd9fd6c9

Download Submit
C:\Windows\System\wdHwIOq.exe
Filesize
2.8MB

MD5
fee0dc509e31e854ece10e1363c21ec0

SHA1
b16e45cb0e4e106fe255cc8da71a6be6a9b63759

SHA256
a47f73b5b0e18bf2bad5d1e0f3ad3a8ddd631167d73901fff93b4dff81e13432

SHA512
06b84fd5648f20fcf85c0a9f069b77f774a5c6f8f4f88417e497f0437a894db2420e0da449a211e6b982959019679fa9429fb2b6ed9852b9e9c985ce29c0f012

Download Submit
C:\Windows\System\zUirCvd.exe
Filesize
2.8MB

MD5
5bde35979ef5c48e8f4094a6dab5f8c2

SHA1
90591b4a4d434525607e05795fb4146f85f7fadb

SHA256
c9498aebf3f9f274a8f02b6fb85ef0f23044533ebbfdbe877f12ba962aa6399b

SHA512
6dc8855635538c92c5cf12898a97911e00c5d37bce2e3eaa7dd5f06f5996b32b8f50266bf2da500a9abe2ee46c6a65c9da19191d4a9838f5a3c4734a5a641fb9

Download Submit
C:\Windows\System\zbMItyJ.exe
Filesize
2.8MB

MD5
7d38e2b98347f6921185383cce76836e

SHA1
cf4c31f8412c2114ecb40d73c857be85c5ab9160

SHA256
c2bd0b89a91fde2318363966ce972dfebaabea182b632364ca2e1d9d328e2a4d

SHA512
67edcc1a2eebb54f9767356ce664f304dbec635724eddd6acbfae6dfb53ee8f3f0fe9c6c4b70fdee1cd657a7287ba9360237bc730038e859a975c9924e655610

Download Submit
memory/492-5815-0x00007FF60B9F0000-0x00007FF60BDE6000-memory.dmp

Filesize
4.0MB

Download
memory/492-144-0x00007FF60B9F0000-0x00007FF60BDE6000-memory.dmp

Filesize
4.0MB

Download
memory/640-119-0x00007FF7794F0000-0x00007FF7798E6000-memory.dmp

Filesize
4.0MB

Download
memory/876-152-0x00007FF614B00000-0x00007FF614EF6000-memory.dmp

Filesize
4.0MB

Download
memory/876-5808-0x00007FF614B00000-0x00007FF614EF6000-memory.dmp

Filesize
4.0MB

Download
memory/1072-80-0x00007FF6C0370000-0x00007FF6C0766000-memory.dmp

Filesize
4.0MB

Download
memory/1432-91-0x00007FF602650000-0x00007FF602A46000-memory.dmp

Filesize
4.0MB

Download
memory/1660-169-0x00007FF66ED10000-0x00007FF66F106000-memory.dmp

Filesize
4.0MB

Download
memory/1696-132-0x00007FF78DE60000-0x00007FF78E256000-memory.dmp

Filesize
4.0MB

Download
memory/1696-2571-0x00007FF78DE60000-0x00007FF78E256000-memory.dmp

Filesize
4.0MB

Download
memory/1876-170-0x00007FF6D3880000-0x00007FF6D3C76000-memory.dmp

Filesize
4.0MB

Download
memory/1876-5810-0x00007FF6D3880000-0x00007FF6D3C76000-memory.dmp

Filesize
4.0MB

Download
memory/2040-55-0x00007FF717000000-0x00007FF7173F6000-memory.dmp

Filesize
4.0MB

Download
memory/2424-1437-0x00007FF756AB0000-0x00007FF756EA6000-memory.dmp

Filesize
4.0MB

Download
memory/2424-0-0x00007FF756AB0000-0x00007FF756EA6000-memory.dmp

Filesize
4.0MB

Download
memory/2424-1-0x00000225BD3A0000-0x00000225BD3B0000-memory.dmp

Filesize
64KB

Download
memory/2432-5334-0x00007FF7A33E0000-0x00007FF7A37D6000-memory.dmp

Filesize
4.0MB

Download
memory/2432-92-0x00007FF7A33E0000-0x00007FF7A37D6000-memory.dmp

Filesize
4.0MB

Download
memory/2604-85-0x00007FF77C5B0000-0x00007FF77C9A6000-memory.dmp

Filesize
4.0MB

Download
memory/2764-5814-0x00007FF667D40000-0x00007FF668136000-memory.dmp

Filesize
4.0MB

Download
memory/2764-160-0x00007FF667D40000-0x00007FF668136000-memory.dmp

Filesize
4.0MB

Download
memory/2788-61-0x00007FF722BA0000-0x00007FF722F96000-memory.dmp

Filesize
4.0MB

Download
memory/2972-49-0x00007FF788C60000-0x00007FF789056000-memory.dmp

Filesize
4.0MB

Download
memory/3160-93-0x00007FF615190000-0x00007FF615586000-memory.dmp

Filesize
4.0MB

Download
memory/3160-5337-0x00007FF615190000-0x00007FF615586000-memory.dmp

Filesize
4.0MB

Download
memory/3412-45-0x00007FF738C00000-0x00007FF738FF6000-memory.dmp

Filesize
4.0MB

Download
memory/3448-68-0x00007FF68AEE0000-0x00007FF68B2D6000-memory.dmp

Filesize
4.0MB

Download
memory/3524-5812-0x00007FF72ABD0000-0x00007FF72AFC6000-memory.dmp

Filesize
4.0MB

Download
memory/3524-143-0x00007FF72ABD0000-0x00007FF72AFC6000-memory.dmp

Filesize
4.0MB

Download
memory/4204-112-0x00007FF7E2870000-0x00007FF7E2C66000-memory.dmp

Filesize
4.0MB

Download
memory/4564-90-0x00007FF779B50000-0x00007FF779F46000-memory.dmp

Filesize
4.0MB

Download
memory/4620-167-0x00007FF7D7220000-0x00007FF7D7616000-memory.dmp

Filesize
4.0MB

Download
memory/4848-108-0x00007FF72BC20000-0x00007FF72C016000-memory.dmp

Filesize
4.0MB

Download
memory/4912-77-0x00007FF67CC20000-0x00007FF67D016000-memory.dmp

Filesize
4.0MB

Download
memory/4912-5282-0x00007FF67CC20000-0x00007FF67D016000-memory.dmp

Filesize
4.0MB

Download
memory/4928-89-0x00007FF6EF100000-0x00007FF6EF4F6000-memory.dmp

Filesize
4.0MB

Download
memory/5056-3-0x00007FF8E9E53000-0x00007FF8E9E55000-memory.dmp

Filesize
8KB

Download
memory/5056-1444-0x00007FF8E9E50000-0x00007FF8EA911000-memory.dmp

Filesize
10.8MB

Download
memory/5056-1771-0x00007FF8E9E53000-0x00007FF8E9E55000-memory.dmp

Filesize
8KB

Download
memory/5056-36-0x00007FF8E9E50000-0x00007FF8EA911000-memory.dmp

Filesize
10.8MB

Download
memory/5056-88-0x00007FF8E9E50000-0x00007FF8EA911000-memory.dmp

Filesize
10.8MB

Download
memory/5056-24-0x0000029D9F950000-0x0000029D9F972000-memory.dmp

Filesize
136KB

Download
memory/5056-94-0x0000029DA2820000-0x0000029DA2FC6000-memory.dmp

Filesize
7.6MB

Download