xmrig | 1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
Size

3.2MB
MD5

986f893406387cf3c8217a76b70377dc
SHA1

950e718a59e3353b845a89b84aeecf55a12477b7
SHA256

1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809
SHA512

2230c94e556df2dc35f80251120e2063fc6fe3e0a40606fe129dcd797c59d405c33b14a44a29f67f3fe904609fbd14b829c9424e5eaed5f3bf2f1b8f30b29732
SSDEEP

98304:S1ONtyBeSFkXV1etEKLlWUTOfeiRA2R76zHrW3:SbBeSFkL

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects executables containing URLs to raw contents of a Github gist 64 IoCs

resource	yara_rule
behavioral2/memory/820-0-0x00007FF6B4D90000-0x00007FF6B5186000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000800000002342d-5.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023432-10.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2572-12-0x00007FF672620000-0x00007FF672A16000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023431-21.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023435-39.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2364-38-0x00007FF6AA890000-0x00007FF6AAC86000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023437-45.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023438-66.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000800000002343a-75.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002343f-101.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023441-111.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023443-117.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023444-128.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023448-143.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002344a-150.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002344c-168.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023450-180.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002344e-178.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002344f-175.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002344d-173.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002344b-163.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023449-153.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023447-141.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023446-138.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023445-133.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023442-115.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023440-105.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0008000000023439-95.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002343e-91.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002343d-85.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002343c-81.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002343b-70.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023436-44.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/792-37-0x00007FF6B2310000-0x00007FF6B2706000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023434-34.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4476-30-0x00007FF601580000-0x00007FF601976000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023433-28.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4392-17-0x00007FF71BA20000-0x00007FF71BE16000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2104-849-0x00007FF7281A0000-0x00007FF728596000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2448-858-0x00007FF754F60000-0x00007FF755356000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1032-878-0x00007FF730C40000-0x00007FF731036000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1196-870-0x00007FF707B60000-0x00007FF707F56000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/556-865-0x00007FF728D10000-0x00007FF729106000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4820-884-0x00007FF7B0C10000-0x00007FF7B1006000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2960-899-0x00007FF7B2F70000-0x00007FF7B3366000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4464-920-0x00007FF66A430000-0x00007FF66A826000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2956-919-0x00007FF7C86C0000-0x00007FF7C8AB6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1184-930-0x00007FF714D00000-0x00007FF7150F6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3752-1030-0x00007FF6FEB80000-0x00007FF6FEF76000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1332-1032-0x00007FF6CCA60000-0x00007FF6CCE56000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1252-933-0x00007FF6695C0000-0x00007FF6699B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4776-928-0x00007FF7BDAE0000-0x00007FF7BDED6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4588-915-0x00007FF6804D0000-0x00007FF6808C6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4024-910-0x00007FF75CA70000-0x00007FF75CE66000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4536-905-0x00007FF7F24D0000-0x00007FF7F28C6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4528-892-0x00007FF67B260000-0x00007FF67B656000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2012-857-0x00007FF698350000-0x00007FF698746000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4392-1967-0x00007FF71BA20000-0x00007FF71BE16000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/792-1969-0x00007FF6B2310000-0x00007FF6B2706000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4476-1968-0x00007FF601580000-0x00007FF601976000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2364-1971-0x00007FF6AA890000-0x00007FF6AAC86000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2572-1983-0x00007FF672620000-0x00007FF672A16000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4392-1984-0x00007FF71BA20000-0x00007FF71BE16000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/820-0-0x00007FF6B4D90000-0x00007FF6B5186000-memory.dmp	UPX
behavioral2/files/0x000800000002342d-5.dat	UPX
behavioral2/files/0x0007000000023432-10.dat	UPX
behavioral2/memory/2572-12-0x00007FF672620000-0x00007FF672A16000-memory.dmp	UPX
behavioral2/files/0x0007000000023431-21.dat	UPX
behavioral2/files/0x0007000000023435-39.dat	UPX
behavioral2/memory/2364-38-0x00007FF6AA890000-0x00007FF6AAC86000-memory.dmp	UPX
behavioral2/files/0x0007000000023437-45.dat	UPX
behavioral2/files/0x0007000000023438-66.dat	UPX
behavioral2/files/0x000800000002343a-75.dat	UPX
behavioral2/files/0x000700000002343f-101.dat	UPX
behavioral2/files/0x0007000000023441-111.dat	UPX
behavioral2/files/0x0007000000023443-117.dat	UPX
behavioral2/files/0x0007000000023444-128.dat	UPX
behavioral2/files/0x0007000000023448-143.dat	UPX
behavioral2/files/0x000700000002344a-150.dat	UPX
behavioral2/files/0x000700000002344c-168.dat	UPX
behavioral2/files/0x0007000000023450-180.dat	UPX
behavioral2/files/0x000700000002344e-178.dat	UPX
behavioral2/files/0x000700000002344f-175.dat	UPX
behavioral2/files/0x000700000002344d-173.dat	UPX
behavioral2/files/0x000700000002344b-163.dat	UPX
behavioral2/files/0x0007000000023449-153.dat	UPX
behavioral2/files/0x0007000000023447-141.dat	UPX
behavioral2/files/0x0007000000023446-138.dat	UPX
behavioral2/files/0x0007000000023445-133.dat	UPX
behavioral2/files/0x0007000000023442-115.dat	UPX
behavioral2/files/0x0007000000023440-105.dat	UPX
behavioral2/files/0x0008000000023439-95.dat	UPX
behavioral2/files/0x000700000002343e-91.dat	UPX
behavioral2/files/0x000700000002343d-85.dat	UPX
behavioral2/files/0x000700000002343c-81.dat	UPX
behavioral2/files/0x000700000002343b-70.dat	UPX
behavioral2/files/0x0007000000023436-44.dat	UPX
behavioral2/memory/792-37-0x00007FF6B2310000-0x00007FF6B2706000-memory.dmp	UPX
behavioral2/files/0x0007000000023434-34.dat	UPX
behavioral2/memory/4476-30-0x00007FF601580000-0x00007FF601976000-memory.dmp	UPX
behavioral2/files/0x0007000000023433-28.dat	UPX
behavioral2/memory/4392-17-0x00007FF71BA20000-0x00007FF71BE16000-memory.dmp	UPX
behavioral2/memory/2104-849-0x00007FF7281A0000-0x00007FF728596000-memory.dmp	UPX
behavioral2/memory/2448-858-0x00007FF754F60000-0x00007FF755356000-memory.dmp	UPX
behavioral2/memory/1032-878-0x00007FF730C40000-0x00007FF731036000-memory.dmp	UPX
behavioral2/memory/1196-870-0x00007FF707B60000-0x00007FF707F56000-memory.dmp	UPX
behavioral2/memory/556-865-0x00007FF728D10000-0x00007FF729106000-memory.dmp	UPX
behavioral2/memory/4820-884-0x00007FF7B0C10000-0x00007FF7B1006000-memory.dmp	UPX
behavioral2/memory/2960-899-0x00007FF7B2F70000-0x00007FF7B3366000-memory.dmp	UPX
behavioral2/memory/4464-920-0x00007FF66A430000-0x00007FF66A826000-memory.dmp	UPX
behavioral2/memory/2956-919-0x00007FF7C86C0000-0x00007FF7C8AB6000-memory.dmp	UPX
behavioral2/memory/1184-930-0x00007FF714D00000-0x00007FF7150F6000-memory.dmp	UPX
behavioral2/memory/3752-1030-0x00007FF6FEB80000-0x00007FF6FEF76000-memory.dmp	UPX
behavioral2/memory/1332-1032-0x00007FF6CCA60000-0x00007FF6CCE56000-memory.dmp	UPX
behavioral2/memory/1252-933-0x00007FF6695C0000-0x00007FF6699B6000-memory.dmp	UPX
behavioral2/memory/4776-928-0x00007FF7BDAE0000-0x00007FF7BDED6000-memory.dmp	UPX
behavioral2/memory/4588-915-0x00007FF6804D0000-0x00007FF6808C6000-memory.dmp	UPX
behavioral2/memory/4024-910-0x00007FF75CA70000-0x00007FF75CE66000-memory.dmp	UPX
behavioral2/memory/4536-905-0x00007FF7F24D0000-0x00007FF7F28C6000-memory.dmp	UPX
behavioral2/memory/4528-892-0x00007FF67B260000-0x00007FF67B656000-memory.dmp	UPX
behavioral2/memory/2012-857-0x00007FF698350000-0x00007FF698746000-memory.dmp	UPX
behavioral2/memory/4392-1967-0x00007FF71BA20000-0x00007FF71BE16000-memory.dmp	UPX
behavioral2/memory/792-1969-0x00007FF6B2310000-0x00007FF6B2706000-memory.dmp	UPX
behavioral2/memory/4476-1968-0x00007FF601580000-0x00007FF601976000-memory.dmp	UPX
behavioral2/memory/2364-1971-0x00007FF6AA890000-0x00007FF6AAC86000-memory.dmp	UPX
behavioral2/memory/2572-1983-0x00007FF672620000-0x00007FF672A16000-memory.dmp	UPX
behavioral2/memory/4392-1984-0x00007FF71BA20000-0x00007FF71BE16000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/820-0-0x00007FF6B4D90000-0x00007FF6B5186000-memory.dmp	xmrig
behavioral2/files/0x000800000002342d-5.dat	xmrig
behavioral2/files/0x0007000000023432-10.dat	xmrig
behavioral2/memory/2572-12-0x00007FF672620000-0x00007FF672A16000-memory.dmp	xmrig
behavioral2/files/0x0007000000023431-21.dat	xmrig
behavioral2/files/0x0007000000023435-39.dat	xmrig
behavioral2/memory/2364-38-0x00007FF6AA890000-0x00007FF6AAC86000-memory.dmp	xmrig
behavioral2/files/0x0007000000023437-45.dat	xmrig
behavioral2/files/0x0007000000023438-66.dat	xmrig
behavioral2/files/0x000800000002343a-75.dat	xmrig
behavioral2/files/0x000700000002343f-101.dat	xmrig
behavioral2/files/0x0007000000023441-111.dat	xmrig
behavioral2/files/0x0007000000023443-117.dat	xmrig
behavioral2/files/0x0007000000023444-128.dat	xmrig
behavioral2/files/0x0007000000023448-143.dat	xmrig
behavioral2/files/0x000700000002344a-150.dat	xmrig
behavioral2/files/0x000700000002344c-168.dat	xmrig
behavioral2/files/0x0007000000023450-180.dat	xmrig
behavioral2/files/0x000700000002344e-178.dat	xmrig
behavioral2/files/0x000700000002344f-175.dat	xmrig
behavioral2/files/0x000700000002344d-173.dat	xmrig
behavioral2/files/0x000700000002344b-163.dat	xmrig
behavioral2/files/0x0007000000023449-153.dat	xmrig
behavioral2/files/0x0007000000023447-141.dat	xmrig
behavioral2/files/0x0007000000023446-138.dat	xmrig
behavioral2/files/0x0007000000023445-133.dat	xmrig
behavioral2/files/0x0007000000023442-115.dat	xmrig
behavioral2/files/0x0007000000023440-105.dat	xmrig
behavioral2/files/0x0008000000023439-95.dat	xmrig
behavioral2/files/0x000700000002343e-91.dat	xmrig
behavioral2/files/0x000700000002343d-85.dat	xmrig
behavioral2/files/0x000700000002343c-81.dat	xmrig
behavioral2/files/0x000700000002343b-70.dat	xmrig
behavioral2/files/0x0007000000023436-44.dat	xmrig
behavioral2/memory/792-37-0x00007FF6B2310000-0x00007FF6B2706000-memory.dmp	xmrig
behavioral2/files/0x0007000000023434-34.dat	xmrig
behavioral2/memory/4476-30-0x00007FF601580000-0x00007FF601976000-memory.dmp	xmrig
behavioral2/files/0x0007000000023433-28.dat	xmrig
behavioral2/memory/4392-17-0x00007FF71BA20000-0x00007FF71BE16000-memory.dmp	xmrig
behavioral2/memory/2104-849-0x00007FF7281A0000-0x00007FF728596000-memory.dmp	xmrig
behavioral2/memory/2448-858-0x00007FF754F60000-0x00007FF755356000-memory.dmp	xmrig
behavioral2/memory/1032-878-0x00007FF730C40000-0x00007FF731036000-memory.dmp	xmrig
behavioral2/memory/1196-870-0x00007FF707B60000-0x00007FF707F56000-memory.dmp	xmrig
behavioral2/memory/556-865-0x00007FF728D10000-0x00007FF729106000-memory.dmp	xmrig
behavioral2/memory/4820-884-0x00007FF7B0C10000-0x00007FF7B1006000-memory.dmp	xmrig
behavioral2/memory/2960-899-0x00007FF7B2F70000-0x00007FF7B3366000-memory.dmp	xmrig
behavioral2/memory/4464-920-0x00007FF66A430000-0x00007FF66A826000-memory.dmp	xmrig
behavioral2/memory/2956-919-0x00007FF7C86C0000-0x00007FF7C8AB6000-memory.dmp	xmrig
behavioral2/memory/1184-930-0x00007FF714D00000-0x00007FF7150F6000-memory.dmp	xmrig
behavioral2/memory/3752-1030-0x00007FF6FEB80000-0x00007FF6FEF76000-memory.dmp	xmrig
behavioral2/memory/1332-1032-0x00007FF6CCA60000-0x00007FF6CCE56000-memory.dmp	xmrig
behavioral2/memory/1252-933-0x00007FF6695C0000-0x00007FF6699B6000-memory.dmp	xmrig
behavioral2/memory/4776-928-0x00007FF7BDAE0000-0x00007FF7BDED6000-memory.dmp	xmrig
behavioral2/memory/4588-915-0x00007FF6804D0000-0x00007FF6808C6000-memory.dmp	xmrig
behavioral2/memory/4024-910-0x00007FF75CA70000-0x00007FF75CE66000-memory.dmp	xmrig
behavioral2/memory/4536-905-0x00007FF7F24D0000-0x00007FF7F28C6000-memory.dmp	xmrig
behavioral2/memory/4528-892-0x00007FF67B260000-0x00007FF67B656000-memory.dmp	xmrig
behavioral2/memory/2012-857-0x00007FF698350000-0x00007FF698746000-memory.dmp	xmrig
behavioral2/memory/4392-1967-0x00007FF71BA20000-0x00007FF71BE16000-memory.dmp	xmrig
behavioral2/memory/792-1969-0x00007FF6B2310000-0x00007FF6B2706000-memory.dmp	xmrig
behavioral2/memory/4476-1968-0x00007FF601580000-0x00007FF601976000-memory.dmp	xmrig
behavioral2/memory/2364-1971-0x00007FF6AA890000-0x00007FF6AAC86000-memory.dmp	xmrig
behavioral2/memory/2572-1983-0x00007FF672620000-0x00007FF672A16000-memory.dmp	xmrig
behavioral2/memory/4392-1984-0x00007FF71BA20000-0x00007FF71BE16000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	2604	powershell.exe
10	2604	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2604	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
2572	KSHssgo.exe
4392	PkASvpK.exe
4476	euSIddb.exe
2104	NhSeUuA.exe
792	sMWyUaZ.exe
2364	ksHypBB.exe
2012	EddnZHJ.exe
1332	seawaQf.exe
2448	LmZkNQm.exe
556	jzixers.exe
1196	aIsHDpn.exe
1032	nBxYOwN.exe
4820	BFnxDlT.exe
4528	DSwUZWr.exe
2960	WSJlIlY.exe
4536	pPhqRax.exe
4024	GchYCKn.exe
4588	jhSHWRA.exe
2956	wdoDnTV.exe
4464	jsnoHEc.exe
4776	iAfHoCw.exe
1184	lmlsShP.exe
1252	BbanDuH.exe
3752	AQbREvi.exe
3228	rpbevdq.exe
4584	bLRRsUH.exe
2056	DznVePs.exe
4184	pMMyNQX.exe
2276	gyqtHlN.exe
1068	JMWTCZd.exe
2988	oGScFpS.exe
2312	vJwfiza.exe
2748	SJnpkbi.exe
3464	rWFbJIP.exe
1544	ePezeBj.exe
4504	azcYjjS.exe
2972	yRLshxj.exe
2184	gJHeJAd.exe
2248	aMirzxc.exe
3284	JRsdcQT.exe
2968	KYTzSbt.exe
4868	FWYFlha.exe
2460	imHzXfp.exe
1380	viorSOm.exe
1412	WsqaYsM.exe
2924	qTuISza.exe
1848	RKGBBmx.exe
4304	MnIadaC.exe
4484	hzPrViY.exe
3276	KpyiVZG.exe
4256	RCbjwmc.exe
1868	eBpjwCT.exe
3584	JEvpqGG.exe
704	xzfuMeG.exe
3268	LINbMsh.exe
3352	PNgTziz.exe
3540	IiCZprP.exe
4640	lZpvCic.exe
3808	QLAfKKh.exe
4980	OpLfuza.exe
1612	bIcEGsm.exe
4812	EHugCbd.exe
1436	aNFaVIu.exe
1020	AYVjbMj.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/820-0-0x00007FF6B4D90000-0x00007FF6B5186000-memory.dmp	upx
behavioral2/files/0x000800000002342d-5.dat	upx
behavioral2/files/0x0007000000023432-10.dat	upx
behavioral2/memory/2572-12-0x00007FF672620000-0x00007FF672A16000-memory.dmp	upx
behavioral2/files/0x0007000000023431-21.dat	upx
behavioral2/files/0x0007000000023435-39.dat	upx
behavioral2/memory/2364-38-0x00007FF6AA890000-0x00007FF6AAC86000-memory.dmp	upx
behavioral2/files/0x0007000000023437-45.dat	upx
behavioral2/files/0x0007000000023438-66.dat	upx
behavioral2/files/0x000800000002343a-75.dat	upx
behavioral2/files/0x000700000002343f-101.dat	upx
behavioral2/files/0x0007000000023441-111.dat	upx
behavioral2/files/0x0007000000023443-117.dat	upx
behavioral2/files/0x0007000000023444-128.dat	upx
behavioral2/files/0x0007000000023448-143.dat	upx
behavioral2/files/0x000700000002344a-150.dat	upx
behavioral2/files/0x000700000002344c-168.dat	upx
behavioral2/files/0x0007000000023450-180.dat	upx
behavioral2/files/0x000700000002344e-178.dat	upx
behavioral2/files/0x000700000002344f-175.dat	upx
behavioral2/files/0x000700000002344d-173.dat	upx
behavioral2/files/0x000700000002344b-163.dat	upx
behavioral2/files/0x0007000000023449-153.dat	upx
behavioral2/files/0x0007000000023447-141.dat	upx
behavioral2/files/0x0007000000023446-138.dat	upx
behavioral2/files/0x0007000000023445-133.dat	upx
behavioral2/files/0x0007000000023442-115.dat	upx
behavioral2/files/0x0007000000023440-105.dat	upx
behavioral2/files/0x0008000000023439-95.dat	upx
behavioral2/files/0x000700000002343e-91.dat	upx
behavioral2/files/0x000700000002343d-85.dat	upx
behavioral2/files/0x000700000002343c-81.dat	upx
behavioral2/files/0x000700000002343b-70.dat	upx
behavioral2/files/0x0007000000023436-44.dat	upx
behavioral2/memory/792-37-0x00007FF6B2310000-0x00007FF6B2706000-memory.dmp	upx
behavioral2/files/0x0007000000023434-34.dat	upx
behavioral2/memory/4476-30-0x00007FF601580000-0x00007FF601976000-memory.dmp	upx
behavioral2/files/0x0007000000023433-28.dat	upx
behavioral2/memory/4392-17-0x00007FF71BA20000-0x00007FF71BE16000-memory.dmp	upx
behavioral2/memory/2104-849-0x00007FF7281A0000-0x00007FF728596000-memory.dmp	upx
behavioral2/memory/2448-858-0x00007FF754F60000-0x00007FF755356000-memory.dmp	upx
behavioral2/memory/1032-878-0x00007FF730C40000-0x00007FF731036000-memory.dmp	upx
behavioral2/memory/1196-870-0x00007FF707B60000-0x00007FF707F56000-memory.dmp	upx
behavioral2/memory/556-865-0x00007FF728D10000-0x00007FF729106000-memory.dmp	upx
behavioral2/memory/4820-884-0x00007FF7B0C10000-0x00007FF7B1006000-memory.dmp	upx
behavioral2/memory/2960-899-0x00007FF7B2F70000-0x00007FF7B3366000-memory.dmp	upx
behavioral2/memory/4464-920-0x00007FF66A430000-0x00007FF66A826000-memory.dmp	upx
behavioral2/memory/2956-919-0x00007FF7C86C0000-0x00007FF7C8AB6000-memory.dmp	upx
behavioral2/memory/1184-930-0x00007FF714D00000-0x00007FF7150F6000-memory.dmp	upx
behavioral2/memory/3752-1030-0x00007FF6FEB80000-0x00007FF6FEF76000-memory.dmp	upx
behavioral2/memory/1332-1032-0x00007FF6CCA60000-0x00007FF6CCE56000-memory.dmp	upx
behavioral2/memory/1252-933-0x00007FF6695C0000-0x00007FF6699B6000-memory.dmp	upx
behavioral2/memory/4776-928-0x00007FF7BDAE0000-0x00007FF7BDED6000-memory.dmp	upx
behavioral2/memory/4588-915-0x00007FF6804D0000-0x00007FF6808C6000-memory.dmp	upx
behavioral2/memory/4024-910-0x00007FF75CA70000-0x00007FF75CE66000-memory.dmp	upx
behavioral2/memory/4536-905-0x00007FF7F24D0000-0x00007FF7F28C6000-memory.dmp	upx
behavioral2/memory/4528-892-0x00007FF67B260000-0x00007FF67B656000-memory.dmp	upx
behavioral2/memory/2012-857-0x00007FF698350000-0x00007FF698746000-memory.dmp	upx
behavioral2/memory/4392-1967-0x00007FF71BA20000-0x00007FF71BE16000-memory.dmp	upx
behavioral2/memory/792-1969-0x00007FF6B2310000-0x00007FF6B2706000-memory.dmp	upx
behavioral2/memory/4476-1968-0x00007FF601580000-0x00007FF601976000-memory.dmp	upx
behavioral2/memory/2364-1971-0x00007FF6AA890000-0x00007FF6AAC86000-memory.dmp	upx
behavioral2/memory/2572-1983-0x00007FF672620000-0x00007FF672A16000-memory.dmp	upx
behavioral2/memory/4392-1984-0x00007FF71BA20000-0x00007FF71BE16000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\TOmIiaj.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\LloidgJ.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\PRgTFuk.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\OmMvUik.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\cOckGWo.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\KEwAWZE.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\sfiWxkI.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\uFcoavK.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\kEsmHbA.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\FMTsKXQ.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\vDtrzXe.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\xhXLLke.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\OkKcwPC.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\PeIttaQ.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\JdLUTHn.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\tGaWHGQ.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\pPiHJwk.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\ouNHYUg.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\wLSIQFh.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\BIWxxuP.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\rWjKGhF.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\DAqgkpN.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\VymqQBe.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\vSoJFpa.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\mzsjQpH.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\IIDWVAZ.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\djssvdP.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\aipgbJL.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\holssfE.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\DPkOcJE.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\pTUuQle.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\HGsrRjA.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\LQZlCBO.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\bQxebTI.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\zMgFgGU.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\nFeOwpg.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\NKHlZDu.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\wdwceFj.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\aMDISIk.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\mRKZfxl.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\xpUcTwF.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\pwweqSl.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\TgLUUVJ.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\ubsJzCL.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\tiVeDeA.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\aNmatRN.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\mnzzXBn.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\MZxefTy.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\YtPrzAW.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\BKOYafb.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\YVyvGuT.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\PEnUmYn.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\zwtoZig.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\laQhVCJ.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\baBvrBD.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\pnEQlEV.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\nFZIOLb.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\lptHayg.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\QvaSoBj.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\uOqhHGM.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\rItPbtB.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\HZpCSvQ.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\jFmuxBX.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
File created	C:\Windows\System\LRDNiuY.exe	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2604	powershell.exe
2604	powershell.exe
2604	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
Token: SeLockMemoryPrivilege	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
Token: SeDebugPrivilege	2604	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 2604	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	83
PID 820 wrote to memory of 2604	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	83
PID 820 wrote to memory of 2572	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	84
PID 820 wrote to memory of 2572	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	84
PID 820 wrote to memory of 4392	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	85
PID 820 wrote to memory of 4392	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	85
PID 820 wrote to memory of 792	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	86
PID 820 wrote to memory of 792	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	86
PID 820 wrote to memory of 4476	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	87
PID 820 wrote to memory of 4476	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	87
PID 820 wrote to memory of 2104	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	88
PID 820 wrote to memory of 2104	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	88
PID 820 wrote to memory of 2364	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	89
PID 820 wrote to memory of 2364	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	89
PID 820 wrote to memory of 2012	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	90
PID 820 wrote to memory of 2012	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	90
PID 820 wrote to memory of 1332	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	91
PID 820 wrote to memory of 1332	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	91
PID 820 wrote to memory of 2448	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	92
PID 820 wrote to memory of 2448	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	92
PID 820 wrote to memory of 556	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	93
PID 820 wrote to memory of 556	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	93
PID 820 wrote to memory of 1196	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	94
PID 820 wrote to memory of 1196	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	94
PID 820 wrote to memory of 1032	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	95
PID 820 wrote to memory of 1032	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	95
PID 820 wrote to memory of 4820	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	96
PID 820 wrote to memory of 4820	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	96
PID 820 wrote to memory of 4528	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	97
PID 820 wrote to memory of 4528	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	97
PID 820 wrote to memory of 2960	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	98
PID 820 wrote to memory of 2960	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	98
PID 820 wrote to memory of 4536	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	99
PID 820 wrote to memory of 4536	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	99
PID 820 wrote to memory of 4024	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	100
PID 820 wrote to memory of 4024	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	100
PID 820 wrote to memory of 4588	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	101
PID 820 wrote to memory of 4588	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	101
PID 820 wrote to memory of 2956	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	102
PID 820 wrote to memory of 2956	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	102
PID 820 wrote to memory of 4464	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	103
PID 820 wrote to memory of 4464	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	103
PID 820 wrote to memory of 4776	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	104
PID 820 wrote to memory of 4776	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	104
PID 820 wrote to memory of 1184	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	105
PID 820 wrote to memory of 1184	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	105
PID 820 wrote to memory of 1252	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	106
PID 820 wrote to memory of 1252	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	106
PID 820 wrote to memory of 3752	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	107
PID 820 wrote to memory of 3752	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	107
PID 820 wrote to memory of 3228	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	108
PID 820 wrote to memory of 3228	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	108
PID 820 wrote to memory of 4584	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	109
PID 820 wrote to memory of 4584	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	109
PID 820 wrote to memory of 2056	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	110
PID 820 wrote to memory of 2056	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	110
PID 820 wrote to memory of 4184	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	111
PID 820 wrote to memory of 4184	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	111
PID 820 wrote to memory of 2276	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	112
PID 820 wrote to memory of 2276	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	112
PID 820 wrote to memory of 1068	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	113
PID 820 wrote to memory of 1068	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	113
PID 820 wrote to memory of 2988	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	114
PID 820 wrote to memory of 2988	820	1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe	114

C:\Users\Admin\AppData\Local\Temp\1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe
"C:\Users\Admin\AppData\Local\Temp\1b1a511c32f0cfd66a934d249513fd0dd4f4ecd06a3359746db92e4c05ace809.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2604" "2920" "2896" "2924" "0" "0" "2928" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:13092
- C:\Windows\System\KSHssgo.exe
  C:\Windows\System\KSHssgo.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System\PkASvpK.exe
  C:\Windows\System\PkASvpK.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System\sMWyUaZ.exe
  C:\Windows\System\sMWyUaZ.exe
  2⤵
  - Executes dropped EXE
  PID:792
- C:\Windows\System\euSIddb.exe
  C:\Windows\System\euSIddb.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System\NhSeUuA.exe
  C:\Windows\System\NhSeUuA.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System\ksHypBB.exe
  C:\Windows\System\ksHypBB.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System\EddnZHJ.exe
  C:\Windows\System\EddnZHJ.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\seawaQf.exe
  C:\Windows\System\seawaQf.exe
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Windows\System\LmZkNQm.exe
  C:\Windows\System\LmZkNQm.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System\jzixers.exe
  C:\Windows\System\jzixers.exe
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\System\aIsHDpn.exe
  C:\Windows\System\aIsHDpn.exe
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\System\nBxYOwN.exe
  C:\Windows\System\nBxYOwN.exe
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\System\BFnxDlT.exe
  C:\Windows\System\BFnxDlT.exe
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Windows\System\DSwUZWr.exe
  C:\Windows\System\DSwUZWr.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\System\WSJlIlY.exe
  C:\Windows\System\WSJlIlY.exe
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\System\pPhqRax.exe
  C:\Windows\System\pPhqRax.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System\GchYCKn.exe
  C:\Windows\System\GchYCKn.exe
  2⤵
  - Executes dropped EXE
  PID:4024
- C:\Windows\System\jhSHWRA.exe
  C:\Windows\System\jhSHWRA.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System\wdoDnTV.exe
  C:\Windows\System\wdoDnTV.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\jsnoHEc.exe
  C:\Windows\System\jsnoHEc.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System\iAfHoCw.exe
  C:\Windows\System\iAfHoCw.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System\lmlsShP.exe
  C:\Windows\System\lmlsShP.exe
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\System\BbanDuH.exe
  C:\Windows\System\BbanDuH.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\System\AQbREvi.exe
  C:\Windows\System\AQbREvi.exe
  2⤵
  - Executes dropped EXE
  PID:3752
- C:\Windows\System\rpbevdq.exe
  C:\Windows\System\rpbevdq.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System\bLRRsUH.exe
  C:\Windows\System\bLRRsUH.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System\DznVePs.exe
  C:\Windows\System\DznVePs.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System\pMMyNQX.exe
  C:\Windows\System\pMMyNQX.exe
  2⤵
  - Executes dropped EXE
  PID:4184
- C:\Windows\System\gyqtHlN.exe
  C:\Windows\System\gyqtHlN.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System\JMWTCZd.exe
  C:\Windows\System\JMWTCZd.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System\oGScFpS.exe
  C:\Windows\System\oGScFpS.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System\vJwfiza.exe
  C:\Windows\System\vJwfiza.exe
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\System\SJnpkbi.exe
  C:\Windows\System\SJnpkbi.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\rWFbJIP.exe
  C:\Windows\System\rWFbJIP.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System\ePezeBj.exe
  C:\Windows\System\ePezeBj.exe
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\System\azcYjjS.exe
  C:\Windows\System\azcYjjS.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System\yRLshxj.exe
  C:\Windows\System\yRLshxj.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\gJHeJAd.exe
  C:\Windows\System\gJHeJAd.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System\aMirzxc.exe
  C:\Windows\System\aMirzxc.exe
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\System\JRsdcQT.exe
  C:\Windows\System\JRsdcQT.exe
  2⤵
  - Executes dropped EXE
  PID:3284
- C:\Windows\System\KYTzSbt.exe
  C:\Windows\System\KYTzSbt.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\FWYFlha.exe
  C:\Windows\System\FWYFlha.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System\imHzXfp.exe
  C:\Windows\System\imHzXfp.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System\viorSOm.exe
  C:\Windows\System\viorSOm.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System\WsqaYsM.exe
  C:\Windows\System\WsqaYsM.exe
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\System\qTuISza.exe
  C:\Windows\System\qTuISza.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\RKGBBmx.exe
  C:\Windows\System\RKGBBmx.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\MnIadaC.exe
  C:\Windows\System\MnIadaC.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System\hzPrViY.exe
  C:\Windows\System\hzPrViY.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System\KpyiVZG.exe
  C:\Windows\System\KpyiVZG.exe
  2⤵
  - Executes dropped EXE
  PID:3276
- C:\Windows\System\RCbjwmc.exe
  C:\Windows\System\RCbjwmc.exe
  2⤵
  - Executes dropped EXE
  PID:4256
- C:\Windows\System\eBpjwCT.exe
  C:\Windows\System\eBpjwCT.exe
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\System\JEvpqGG.exe
  C:\Windows\System\JEvpqGG.exe
  2⤵
  - Executes dropped EXE
  PID:3584
- C:\Windows\System\xzfuMeG.exe
  C:\Windows\System\xzfuMeG.exe
  2⤵
  - Executes dropped EXE
  PID:704
- C:\Windows\System\LINbMsh.exe
  C:\Windows\System\LINbMsh.exe
  2⤵
  - Executes dropped EXE
  PID:3268
- C:\Windows\System\PNgTziz.exe
  C:\Windows\System\PNgTziz.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\System\IiCZprP.exe
  C:\Windows\System\IiCZprP.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System\lZpvCic.exe
  C:\Windows\System\lZpvCic.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System\QLAfKKh.exe
  C:\Windows\System\QLAfKKh.exe
  2⤵
  - Executes dropped EXE
  PID:3808
- C:\Windows\System\OpLfuza.exe
  C:\Windows\System\OpLfuza.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\bIcEGsm.exe
  C:\Windows\System\bIcEGsm.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System\EHugCbd.exe
  C:\Windows\System\EHugCbd.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System\aNFaVIu.exe
  C:\Windows\System\aNFaVIu.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\AYVjbMj.exe
  C:\Windows\System\AYVjbMj.exe
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\System\xEwAdeI.exe
  C:\Windows\System\xEwAdeI.exe
  2⤵
  PID:4352
- C:\Windows\System\gcKKLNq.exe
  C:\Windows\System\gcKKLNq.exe
  2⤵
  PID:116
- C:\Windows\System\NydOQjD.exe
  C:\Windows\System\NydOQjD.exe
  2⤵
  PID:4708
- C:\Windows\System\gQjquGD.exe
  C:\Windows\System\gQjquGD.exe
  2⤵
  PID:3664
- C:\Windows\System\chrfFcO.exe
  C:\Windows\System\chrfFcO.exe
  2⤵
  PID:1608
- C:\Windows\System\YewsKjg.exe
  C:\Windows\System\YewsKjg.exe
  2⤵
  PID:856
- C:\Windows\System\dnPLKaN.exe
  C:\Windows\System\dnPLKaN.exe
  2⤵
  PID:4244
- C:\Windows\System\gYLVXmD.exe
  C:\Windows\System\gYLVXmD.exe
  2⤵
  PID:2148
- C:\Windows\System\ROnBKIU.exe
  C:\Windows\System\ROnBKIU.exe
  2⤵
  PID:5144
- C:\Windows\System\oaabhsc.exe
  C:\Windows\System\oaabhsc.exe
  2⤵
  PID:5172
- C:\Windows\System\eXUPqFX.exe
  C:\Windows\System\eXUPqFX.exe
  2⤵
  PID:5200
- C:\Windows\System\NVGNCCv.exe
  C:\Windows\System\NVGNCCv.exe
  2⤵
  PID:5228
- C:\Windows\System\hkcoSci.exe
  C:\Windows\System\hkcoSci.exe
  2⤵
  PID:5256
- C:\Windows\System\NAZrMNX.exe
  C:\Windows\System\NAZrMNX.exe
  2⤵
  PID:5284
- C:\Windows\System\hjahymD.exe
  C:\Windows\System\hjahymD.exe
  2⤵
  PID:5312
- C:\Windows\System\WUehKwi.exe
  C:\Windows\System\WUehKwi.exe
  2⤵
  PID:5344
- C:\Windows\System\pncFaED.exe
  C:\Windows\System\pncFaED.exe
  2⤵
  PID:5368
- C:\Windows\System\PPcxHHw.exe
  C:\Windows\System\PPcxHHw.exe
  2⤵
  PID:5396
- C:\Windows\System\KitLWrv.exe
  C:\Windows\System\KitLWrv.exe
  2⤵
  PID:5424
- C:\Windows\System\PZdllFD.exe
  C:\Windows\System\PZdllFD.exe
  2⤵
  PID:5452
- C:\Windows\System\BBvBZbL.exe
  C:\Windows\System\BBvBZbL.exe
  2⤵
  PID:5480
- C:\Windows\System\BJgkekz.exe
  C:\Windows\System\BJgkekz.exe
  2⤵
  PID:5508
- C:\Windows\System\crLtnPs.exe
  C:\Windows\System\crLtnPs.exe
  2⤵
  PID:5536
- C:\Windows\System\nTRIiiZ.exe
  C:\Windows\System\nTRIiiZ.exe
  2⤵
  PID:5564
- C:\Windows\System\KKEnHAq.exe
  C:\Windows\System\KKEnHAq.exe
  2⤵
  PID:5592
- C:\Windows\System\jJjuInS.exe
  C:\Windows\System\jJjuInS.exe
  2⤵
  PID:5620
- C:\Windows\System\XtMAmKI.exe
  C:\Windows\System\XtMAmKI.exe
  2⤵
  PID:5652
- C:\Windows\System\rzZikMa.exe
  C:\Windows\System\rzZikMa.exe
  2⤵
  PID:5676
- C:\Windows\System\qzHfWFb.exe
  C:\Windows\System\qzHfWFb.exe
  2⤵
  PID:5708
- C:\Windows\System\QQGtNbj.exe
  C:\Windows\System\QQGtNbj.exe
  2⤵
  PID:5736
- C:\Windows\System\jIhZmTa.exe
  C:\Windows\System\jIhZmTa.exe
  2⤵
  PID:5764
- C:\Windows\System\QGlLfVF.exe
  C:\Windows\System\QGlLfVF.exe
  2⤵
  PID:5792
- C:\Windows\System\WvijMtt.exe
  C:\Windows\System\WvijMtt.exe
  2⤵
  PID:5816
- C:\Windows\System\LrSeZdr.exe
  C:\Windows\System\LrSeZdr.exe
  2⤵
  PID:5844
- C:\Windows\System\eavqazJ.exe
  C:\Windows\System\eavqazJ.exe
  2⤵
  PID:5872
- C:\Windows\System\WZYoLYt.exe
  C:\Windows\System\WZYoLYt.exe
  2⤵
  PID:5900
- C:\Windows\System\NIpWQqO.exe
  C:\Windows\System\NIpWQqO.exe
  2⤵
  PID:5932
- C:\Windows\System\WPaKFSD.exe
  C:\Windows\System\WPaKFSD.exe
  2⤵
  PID:5956
- C:\Windows\System\fgIyFGY.exe
  C:\Windows\System\fgIyFGY.exe
  2⤵
  PID:5988
- C:\Windows\System\TsMYhmX.exe
  C:\Windows\System\TsMYhmX.exe
  2⤵
  PID:6016
- C:\Windows\System\oxRQPTo.exe
  C:\Windows\System\oxRQPTo.exe
  2⤵
  PID:6044
- C:\Windows\System\GYRXhiY.exe
  C:\Windows\System\GYRXhiY.exe
  2⤵
  PID:6080
- C:\Windows\System\KbkzHmv.exe
  C:\Windows\System\KbkzHmv.exe
  2⤵
  PID:6112
- C:\Windows\System\tgpgqeh.exe
  C:\Windows\System\tgpgqeh.exe
  2⤵
  PID:6140
- C:\Windows\System\RJmUmgX.exe
  C:\Windows\System\RJmUmgX.exe
  2⤵
  PID:2400
- C:\Windows\System\kiTDmxE.exe
  C:\Windows\System\kiTDmxE.exe
  2⤵
  PID:3096
- C:\Windows\System\tqZzWXL.exe
  C:\Windows\System\tqZzWXL.exe
  2⤵
  PID:4252
- C:\Windows\System\ROSNQAp.exe
  C:\Windows\System\ROSNQAp.exe
  2⤵
  PID:5108
- C:\Windows\System\RtEfzZw.exe
  C:\Windows\System\RtEfzZw.exe
  2⤵
  PID:5132
- C:\Windows\System\gnYfeXp.exe
  C:\Windows\System\gnYfeXp.exe
  2⤵
  PID:5188
- C:\Windows\System\iEDbDjL.exe
  C:\Windows\System\iEDbDjL.exe
  2⤵
  PID:5268
- C:\Windows\System\USgbBGl.exe
  C:\Windows\System\USgbBGl.exe
  2⤵
  PID:5328
- C:\Windows\System\dmEUNDQ.exe
  C:\Windows\System\dmEUNDQ.exe
  2⤵
  PID:5388
- C:\Windows\System\mVscfVF.exe
  C:\Windows\System\mVscfVF.exe
  2⤵
  PID:5464
- C:\Windows\System\AlLeRTP.exe
  C:\Windows\System\AlLeRTP.exe
  2⤵
  PID:5524
- C:\Windows\System\QtmFtuG.exe
  C:\Windows\System\QtmFtuG.exe
  2⤵
  PID:5584
- C:\Windows\System\qoqJNAQ.exe
  C:\Windows\System\qoqJNAQ.exe
  2⤵
  PID:5664
- C:\Windows\System\RpfVMpN.exe
  C:\Windows\System\RpfVMpN.exe
  2⤵
  PID:5724
- C:\Windows\System\cbKTvIj.exe
  C:\Windows\System\cbKTvIj.exe
  2⤵
  PID:5784
- C:\Windows\System\AxcrdCT.exe
  C:\Windows\System\AxcrdCT.exe
  2⤵
  PID:5860
- C:\Windows\System\QNMJxGQ.exe
  C:\Windows\System\QNMJxGQ.exe
  2⤵
  PID:5920
- C:\Windows\System\bAGNlzQ.exe
  C:\Windows\System\bAGNlzQ.exe
  2⤵
  PID:5976
- C:\Windows\System\WOyVESJ.exe
  C:\Windows\System\WOyVESJ.exe
  2⤵
  PID:6040
- C:\Windows\System\aPHfyqY.exe
  C:\Windows\System\aPHfyqY.exe
  2⤵
  PID:6104
- C:\Windows\System\iteTMMS.exe
  C:\Windows\System\iteTMMS.exe
  2⤵
  PID:1688
- C:\Windows\System\TKyXnvv.exe
  C:\Windows\System\TKyXnvv.exe
  2⤵
  PID:420
- C:\Windows\System\QhZTMfp.exe
  C:\Windows\System\QhZTMfp.exe
  2⤵
  PID:5184
- C:\Windows\System\mllXBXK.exe
  C:\Windows\System\mllXBXK.exe
  2⤵
  PID:5360
- C:\Windows\System\vlShynf.exe
  C:\Windows\System\vlShynf.exe
  2⤵
  PID:5496
- C:\Windows\System\frlJlda.exe
  C:\Windows\System\frlJlda.exe
  2⤵
  PID:5636
- C:\Windows\System\CPlSsRm.exe
  C:\Windows\System\CPlSsRm.exe
  2⤵
  PID:5776
- C:\Windows\System\FeLfoVn.exe
  C:\Windows\System\FeLfoVn.exe
  2⤵
  PID:6060
- C:\Windows\System\LMpeXmR.exe
  C:\Windows\System\LMpeXmR.exe
  2⤵
  PID:6148
- C:\Windows\System\uroKyUj.exe
  C:\Windows\System\uroKyUj.exe
  2⤵
  PID:6176
- C:\Windows\System\nmKojXg.exe
  C:\Windows\System\nmKojXg.exe
  2⤵
  PID:6204
- C:\Windows\System\mRAafZm.exe
  C:\Windows\System\mRAafZm.exe
  2⤵
  PID:6232
- C:\Windows\System\iBERzmJ.exe
  C:\Windows\System\iBERzmJ.exe
  2⤵
  PID:6260
- C:\Windows\System\zZyVhOp.exe
  C:\Windows\System\zZyVhOp.exe
  2⤵
  PID:6288
- C:\Windows\System\XXsAlHR.exe
  C:\Windows\System\XXsAlHR.exe
  2⤵
  PID:6324
- C:\Windows\System\DJOEjhH.exe
  C:\Windows\System\DJOEjhH.exe
  2⤵
  PID:6352
- C:\Windows\System\iVbfnEG.exe
  C:\Windows\System\iVbfnEG.exe
  2⤵
  PID:6372
- C:\Windows\System\cVRMoHb.exe
  C:\Windows\System\cVRMoHb.exe
  2⤵
  PID:6400
- C:\Windows\System\RITFtaK.exe
  C:\Windows\System\RITFtaK.exe
  2⤵
  PID:6428
- C:\Windows\System\qQafQCk.exe
  C:\Windows\System\qQafQCk.exe
  2⤵
  PID:6456
- C:\Windows\System\GxhhykT.exe
  C:\Windows\System\GxhhykT.exe
  2⤵
  PID:6484
- C:\Windows\System\PqvXHvg.exe
  C:\Windows\System\PqvXHvg.exe
  2⤵
  PID:6512
- C:\Windows\System\VFooNNj.exe
  C:\Windows\System\VFooNNj.exe
  2⤵
  PID:6540
- C:\Windows\System\OnaYgnh.exe
  C:\Windows\System\OnaYgnh.exe
  2⤵
  PID:6568
- C:\Windows\System\gSBDAng.exe
  C:\Windows\System\gSBDAng.exe
  2⤵
  PID:6596
- C:\Windows\System\cwXlACe.exe
  C:\Windows\System\cwXlACe.exe
  2⤵
  PID:6624
- C:\Windows\System\rGIMJjR.exe
  C:\Windows\System\rGIMJjR.exe
  2⤵
  PID:6652
- C:\Windows\System\xQdSJdI.exe
  C:\Windows\System\xQdSJdI.exe
  2⤵
  PID:6680
- C:\Windows\System\xFvKtld.exe
  C:\Windows\System\xFvKtld.exe
  2⤵
  PID:6708
- C:\Windows\System\jqqOxmj.exe
  C:\Windows\System\jqqOxmj.exe
  2⤵
  PID:6736
- C:\Windows\System\pIkGXps.exe
  C:\Windows\System\pIkGXps.exe
  2⤵
  PID:6764
- C:\Windows\System\vPMcTbo.exe
  C:\Windows\System\vPMcTbo.exe
  2⤵
  PID:6792
- C:\Windows\System\ejyAeXn.exe
  C:\Windows\System\ejyAeXn.exe
  2⤵
  PID:6820
- C:\Windows\System\MklaFBc.exe
  C:\Windows\System\MklaFBc.exe
  2⤵
  PID:6848
- C:\Windows\System\zlSiVIb.exe
  C:\Windows\System\zlSiVIb.exe
  2⤵
  PID:6876
- C:\Windows\System\lxrjgfa.exe
  C:\Windows\System\lxrjgfa.exe
  2⤵
  PID:6904
- C:\Windows\System\xqlhLxV.exe
  C:\Windows\System\xqlhLxV.exe
  2⤵
  PID:6932
- C:\Windows\System\Gjhmugk.exe
  C:\Windows\System\Gjhmugk.exe
  2⤵
  PID:6960
- C:\Windows\System\jGmSoUb.exe
  C:\Windows\System\jGmSoUb.exe
  2⤵
  PID:6988
- C:\Windows\System\rTzFRrw.exe
  C:\Windows\System\rTzFRrw.exe
  2⤵
  PID:7016
- C:\Windows\System\ZQLtKqy.exe
  C:\Windows\System\ZQLtKqy.exe
  2⤵
  PID:7044
- C:\Windows\System\wfMXxhW.exe
  C:\Windows\System\wfMXxhW.exe
  2⤵
  PID:7072
- C:\Windows\System\MxXRuMu.exe
  C:\Windows\System\MxXRuMu.exe
  2⤵
  PID:7100
- C:\Windows\System\lEPATrG.exe
  C:\Windows\System\lEPATrG.exe
  2⤵
  PID:7128
- C:\Windows\System\wRtsIEO.exe
  C:\Windows\System\wRtsIEO.exe
  2⤵
  PID:7156
- C:\Windows\System\NUsZiAT.exe
  C:\Windows\System\NUsZiAT.exe
  2⤵
  PID:3860
- C:\Windows\System\NVdwUgA.exe
  C:\Windows\System\NVdwUgA.exe
  2⤵
  PID:5244
- C:\Windows\System\rVayqIM.exe
  C:\Windows\System\rVayqIM.exe
  2⤵
  PID:5576
- C:\Windows\System\smVFjhF.exe
  C:\Windows\System\smVFjhF.exe
  2⤵
  PID:5892
- C:\Windows\System\MynVCBN.exe
  C:\Windows\System\MynVCBN.exe
  2⤵
  PID:6168
- C:\Windows\System\TqZDdQS.exe
  C:\Windows\System\TqZDdQS.exe
  2⤵
  PID:1620
- C:\Windows\System\JwXWKnk.exe
  C:\Windows\System\JwXWKnk.exe
  2⤵
  PID:6300
- C:\Windows\System\epbxUOd.exe
  C:\Windows\System\epbxUOd.exe
  2⤵
  PID:6384
- C:\Windows\System\uplZKsK.exe
  C:\Windows\System\uplZKsK.exe
  2⤵
  PID:6420
- C:\Windows\System\dlwkDjj.exe
  C:\Windows\System\dlwkDjj.exe
  2⤵
  PID:6496
- C:\Windows\System\JpdxKhN.exe
  C:\Windows\System\JpdxKhN.exe
  2⤵
  PID:6552
- C:\Windows\System\UKXkuqS.exe
  C:\Windows\System\UKXkuqS.exe
  2⤵
  PID:6612
- C:\Windows\System\PGMRWHr.exe
  C:\Windows\System\PGMRWHr.exe
  2⤵
  PID:6672
- C:\Windows\System\sviAMIu.exe
  C:\Windows\System\sviAMIu.exe
  2⤵
  PID:6748
- C:\Windows\System\BnhLaBh.exe
  C:\Windows\System\BnhLaBh.exe
  2⤵
  PID:6808
- C:\Windows\System\lTHnyGG.exe
  C:\Windows\System\lTHnyGG.exe
  2⤵
  PID:6868
- C:\Windows\System\kEyGlQY.exe
  C:\Windows\System\kEyGlQY.exe
  2⤵
  PID:6944
- C:\Windows\System\SyLYIEG.exe
  C:\Windows\System\SyLYIEG.exe
  2⤵
  PID:7004
- C:\Windows\System\ZrTRkbN.exe
  C:\Windows\System\ZrTRkbN.exe
  2⤵
  PID:7064
- C:\Windows\System\rRzaUHn.exe
  C:\Windows\System\rRzaUHn.exe
  2⤵
  PID:7140
- C:\Windows\System\nHMuOAD.exe
  C:\Windows\System\nHMuOAD.exe
  2⤵
  PID:5024
- C:\Windows\System\gFjPTdf.exe
  C:\Windows\System\gFjPTdf.exe
  2⤵
  PID:5836
- C:\Windows\System\zkOlpOq.exe
  C:\Windows\System\zkOlpOq.exe
  2⤵
  PID:6220
- C:\Windows\System\DDyBmid.exe
  C:\Windows\System\DDyBmid.exe
  2⤵
  PID:6368
- C:\Windows\System\pGODIgN.exe
  C:\Windows\System\pGODIgN.exe
  2⤵
  PID:6528
- C:\Windows\System\iXURcqC.exe
  C:\Windows\System\iXURcqC.exe
  2⤵
  PID:6644
- C:\Windows\System\nFBLsgM.exe
  C:\Windows\System\nFBLsgM.exe
  2⤵
  PID:6780
- C:\Windows\System\DNnGqcD.exe
  C:\Windows\System\DNnGqcD.exe
  2⤵
  PID:6920
- C:\Windows\System\cAILjTL.exe
  C:\Windows\System\cAILjTL.exe
  2⤵
  PID:7092
- C:\Windows\System\tayabdV.exe
  C:\Windows\System\tayabdV.exe
  2⤵
  PID:7192
- C:\Windows\System\qHCTtwk.exe
  C:\Windows\System\qHCTtwk.exe
  2⤵
  PID:7220
- C:\Windows\System\PSVwAed.exe
  C:\Windows\System\PSVwAed.exe
  2⤵
  PID:7248
- C:\Windows\System\fgjjqnV.exe
  C:\Windows\System\fgjjqnV.exe
  2⤵
  PID:7276
- C:\Windows\System\sxRiusx.exe
  C:\Windows\System\sxRiusx.exe
  2⤵
  PID:7304
- C:\Windows\System\ifzqCYY.exe
  C:\Windows\System\ifzqCYY.exe
  2⤵
  PID:7332
- C:\Windows\System\TNuDKMr.exe
  C:\Windows\System\TNuDKMr.exe
  2⤵
  PID:7360
- C:\Windows\System\jQTWfdP.exe
  C:\Windows\System\jQTWfdP.exe
  2⤵
  PID:7388
- C:\Windows\System\BmYZOwF.exe
  C:\Windows\System\BmYZOwF.exe
  2⤵
  PID:7416
- C:\Windows\System\xKDAkTr.exe
  C:\Windows\System\xKDAkTr.exe
  2⤵
  PID:7444
- C:\Windows\System\wHZnmjK.exe
  C:\Windows\System\wHZnmjK.exe
  2⤵
  PID:7472
- C:\Windows\System\JWjqozM.exe
  C:\Windows\System\JWjqozM.exe
  2⤵
  PID:7500
- C:\Windows\System\aCeSsbk.exe
  C:\Windows\System\aCeSsbk.exe
  2⤵
  PID:7528
- C:\Windows\System\SHcHkTI.exe
  C:\Windows\System\SHcHkTI.exe
  2⤵
  PID:7556
- C:\Windows\System\uUuuCXk.exe
  C:\Windows\System\uUuuCXk.exe
  2⤵
  PID:7584
- C:\Windows\System\OPMhWfm.exe
  C:\Windows\System\OPMhWfm.exe
  2⤵
  PID:7612
- C:\Windows\System\MZxefTy.exe
  C:\Windows\System\MZxefTy.exe
  2⤵
  PID:7640
- C:\Windows\System\djSFSCX.exe
  C:\Windows\System\djSFSCX.exe
  2⤵
  PID:7668
- C:\Windows\System\NjRfivT.exe
  C:\Windows\System\NjRfivT.exe
  2⤵
  PID:7696
- C:\Windows\System\IPqfZlp.exe
  C:\Windows\System\IPqfZlp.exe
  2⤵
  PID:7724
- C:\Windows\System\ejrLCAg.exe
  C:\Windows\System\ejrLCAg.exe
  2⤵
  PID:7752
- C:\Windows\System\bSwrKbz.exe
  C:\Windows\System\bSwrKbz.exe
  2⤵
  PID:7780
- C:\Windows\System\ICtxMOC.exe
  C:\Windows\System\ICtxMOC.exe
  2⤵
  PID:7808
- C:\Windows\System\fuGnXjY.exe
  C:\Windows\System\fuGnXjY.exe
  2⤵
  PID:7836
- C:\Windows\System\BgEYcfl.exe
  C:\Windows\System\BgEYcfl.exe
  2⤵
  PID:7864
- C:\Windows\System\TTyfnJt.exe
  C:\Windows\System\TTyfnJt.exe
  2⤵
  PID:7892
- C:\Windows\System\mWvOpiB.exe
  C:\Windows\System\mWvOpiB.exe
  2⤵
  PID:7920
- C:\Windows\System\SSFVAPm.exe
  C:\Windows\System\SSFVAPm.exe
  2⤵
  PID:7948
- C:\Windows\System\SCRtgTc.exe
  C:\Windows\System\SCRtgTc.exe
  2⤵
  PID:7976
- C:\Windows\System\TmUMQfY.exe
  C:\Windows\System\TmUMQfY.exe
  2⤵
  PID:8004
- C:\Windows\System\lClWtjl.exe
  C:\Windows\System\lClWtjl.exe
  2⤵
  PID:8032
- C:\Windows\System\viFZzjA.exe
  C:\Windows\System\viFZzjA.exe
  2⤵
  PID:8060
- C:\Windows\System\GjYUAFJ.exe
  C:\Windows\System\GjYUAFJ.exe
  2⤵
  PID:8088
- C:\Windows\System\EnVJmpx.exe
  C:\Windows\System\EnVJmpx.exe
  2⤵
  PID:8116
- C:\Windows\System\sLJlIdt.exe
  C:\Windows\System\sLJlIdt.exe
  2⤵
  PID:8144
- C:\Windows\System\RpJDEvk.exe
  C:\Windows\System\RpJDEvk.exe
  2⤵
  PID:8172
- C:\Windows\System\UDUUbWH.exe
  C:\Windows\System\UDUUbWH.exe
  2⤵
  PID:6096
- C:\Windows\System\OWQMTbv.exe
  C:\Windows\System\OWQMTbv.exe
  2⤵
  PID:6160
- C:\Windows\System\XWbIMBZ.exe
  C:\Windows\System\XWbIMBZ.exe
  2⤵
  PID:3472
- C:\Windows\System\tNtliZl.exe
  C:\Windows\System\tNtliZl.exe
  2⤵
  PID:6720
- C:\Windows\System\yhpayvB.exe
  C:\Windows\System\yhpayvB.exe
  2⤵
  PID:6980
- C:\Windows\System\BuvhhVq.exe
  C:\Windows\System\BuvhhVq.exe
  2⤵
  PID:7204
- C:\Windows\System\kBobxZb.exe
  C:\Windows\System\kBobxZb.exe
  2⤵
  PID:7260
- C:\Windows\System\VFveGsp.exe
  C:\Windows\System\VFveGsp.exe
  2⤵
  PID:2900
- C:\Windows\System\BratqIG.exe
  C:\Windows\System\BratqIG.exe
  2⤵
  PID:7376
- C:\Windows\System\MGuiyGR.exe
  C:\Windows\System\MGuiyGR.exe
  2⤵
  PID:7436
- C:\Windows\System\hJtIhYD.exe
  C:\Windows\System\hJtIhYD.exe
  2⤵
  PID:7632
- C:\Windows\System\NMjyyLx.exe
  C:\Windows\System\NMjyyLx.exe
  2⤵
  PID:7716
- C:\Windows\System\GINzgTt.exe
  C:\Windows\System\GINzgTt.exe
  2⤵
  PID:7800
- C:\Windows\System\hQBCIFR.exe
  C:\Windows\System\hQBCIFR.exe
  2⤵
  PID:7848
- C:\Windows\System\kRUrDCJ.exe
  C:\Windows\System\kRUrDCJ.exe
  2⤵
  PID:1248
- C:\Windows\System\lyuXStv.exe
  C:\Windows\System\lyuXStv.exe
  2⤵
  PID:7904
- C:\Windows\System\dIQitTS.exe
  C:\Windows\System\dIQitTS.exe
  2⤵
  PID:7936
- C:\Windows\System\NrNFAfu.exe
  C:\Windows\System\NrNFAfu.exe
  2⤵
  PID:7988
- C:\Windows\System\nvAIdyx.exe
  C:\Windows\System\nvAIdyx.exe
  2⤵
  PID:408
- C:\Windows\System\syciMfg.exe
  C:\Windows\System\syciMfg.exe
  2⤵
  PID:8076
- C:\Windows\System\QRQPQel.exe
  C:\Windows\System\QRQPQel.exe
  2⤵
  PID:452
- C:\Windows\System\OSAdSVw.exe
  C:\Windows\System\OSAdSVw.exe
  2⤵
  PID:216
- C:\Windows\System\tJFjmDy.exe
  C:\Windows\System\tJFjmDy.exe
  2⤵
  PID:2260
- C:\Windows\System\eMEchzv.exe
  C:\Windows\System\eMEchzv.exe
  2⤵
  PID:1464
- C:\Windows\System\RtuYwPo.exe
  C:\Windows\System\RtuYwPo.exe
  2⤵
  PID:4204
- C:\Windows\System\HltoPNA.exe
  C:\Windows\System\HltoPNA.exe
  2⤵
  PID:7236
- C:\Windows\System\jMlHuPT.exe
  C:\Windows\System\jMlHuPT.exe
  2⤵
  PID:2680
- C:\Windows\System\sayGEsD.exe
  C:\Windows\System\sayGEsD.exe
  2⤵
  PID:7344
- C:\Windows\System\kjcznUG.exe
  C:\Windows\System\kjcznUG.exe
  2⤵
  PID:4212
- C:\Windows\System\lDnrQck.exe
  C:\Windows\System\lDnrQck.exe
  2⤵
  PID:5996
- C:\Windows\System\eMoEINw.exe
  C:\Windows\System\eMoEINw.exe
  2⤵
  PID:3324
- C:\Windows\System\HCtlFgM.exe
  C:\Windows\System\HCtlFgM.exe
  2⤵
  PID:3020
- C:\Windows\System\tuSRDOe.exe
  C:\Windows\System\tuSRDOe.exe
  2⤵
  PID:3304
- C:\Windows\System\JiGlQSO.exe
  C:\Windows\System\JiGlQSO.exe
  2⤵
  PID:7680
- C:\Windows\System\DxKUdEu.exe
  C:\Windows\System\DxKUdEu.exe
  2⤵
  PID:7828
- C:\Windows\System\WskhSji.exe
  C:\Windows\System\WskhSji.exe
  2⤵
  PID:3336
- C:\Windows\System\CZrCvBF.exe
  C:\Windows\System\CZrCvBF.exe
  2⤵
  PID:4892
- C:\Windows\System\yPhpJVo.exe
  C:\Windows\System\yPhpJVo.exe
  2⤵
  PID:7116
- C:\Windows\System\bpsepkO.exe
  C:\Windows\System\bpsepkO.exe
  2⤵
  PID:6340
- C:\Windows\System\WNmZvMu.exe
  C:\Windows\System\WNmZvMu.exe
  2⤵
  PID:1468
- C:\Windows\System\NCkrIGc.exe
  C:\Windows\System\NCkrIGc.exe
  2⤵
  PID:3292
- C:\Windows\System\sQszUCQ.exe
  C:\Windows\System\sQszUCQ.exe
  2⤵
  PID:2176
- C:\Windows\System\OpHBNAO.exe
  C:\Windows\System\OpHBNAO.exe
  2⤵
  PID:4276
- C:\Windows\System\NzIzgHq.exe
  C:\Windows\System\NzIzgHq.exe
  2⤵
  PID:8188
- C:\Windows\System\Tolqddz.exe
  C:\Windows\System\Tolqddz.exe
  2⤵
  PID:4060
- C:\Windows\System\BSXoxEk.exe
  C:\Windows\System\BSXoxEk.exe
  2⤵
  PID:1864
- C:\Windows\System\CqJuXYi.exe
  C:\Windows\System\CqJuXYi.exe
  2⤵
  PID:8208
- C:\Windows\System\JPHPHZh.exe
  C:\Windows\System\JPHPHZh.exe
  2⤵
  PID:8236
- C:\Windows\System\WtPfKjn.exe
  C:\Windows\System\WtPfKjn.exe
  2⤵
  PID:8260
- C:\Windows\System\wUrHxuj.exe
  C:\Windows\System\wUrHxuj.exe
  2⤵
  PID:8288
- C:\Windows\System\WAMlYCE.exe
  C:\Windows\System\WAMlYCE.exe
  2⤵
  PID:8308
- C:\Windows\System\GhOvkkh.exe
  C:\Windows\System\GhOvkkh.exe
  2⤵
  PID:8336
- C:\Windows\System\RNrMBdb.exe
  C:\Windows\System\RNrMBdb.exe
  2⤵
  PID:8364
- C:\Windows\System\NxqFeNL.exe
  C:\Windows\System\NxqFeNL.exe
  2⤵
  PID:8392
- C:\Windows\System\EOXpdzc.exe
  C:\Windows\System\EOXpdzc.exe
  2⤵
  PID:8420
- C:\Windows\System\JboPbvv.exe
  C:\Windows\System\JboPbvv.exe
  2⤵
  PID:8448
- C:\Windows\System\VqUvVWv.exe
  C:\Windows\System\VqUvVWv.exe
  2⤵
  PID:8464
- C:\Windows\System\FCnojth.exe
  C:\Windows\System\FCnojth.exe
  2⤵
  PID:8500
- C:\Windows\System\UTXqCkG.exe
  C:\Windows\System\UTXqCkG.exe
  2⤵
  PID:8528
- C:\Windows\System\AKAAtbe.exe
  C:\Windows\System\AKAAtbe.exe
  2⤵
  PID:8560
- C:\Windows\System\qObOpIc.exe
  C:\Windows\System\qObOpIc.exe
  2⤵
  PID:8592
- C:\Windows\System\DBuhOzG.exe
  C:\Windows\System\DBuhOzG.exe
  2⤵
  PID:8620
- C:\Windows\System\iZbgrmt.exe
  C:\Windows\System\iZbgrmt.exe
  2⤵
  PID:8648
- C:\Windows\System\ZImocvw.exe
  C:\Windows\System\ZImocvw.exe
  2⤵
  PID:8676
- C:\Windows\System\qnzUDxc.exe
  C:\Windows\System\qnzUDxc.exe
  2⤵
  PID:8704
- C:\Windows\System\yLZIDsb.exe
  C:\Windows\System\yLZIDsb.exe
  2⤵
  PID:8732
- C:\Windows\System\gxwamaz.exe
  C:\Windows\System\gxwamaz.exe
  2⤵
  PID:8768
- C:\Windows\System\uhhDgjI.exe
  C:\Windows\System\uhhDgjI.exe
  2⤵
  PID:8800
- C:\Windows\System\hwHCeho.exe
  C:\Windows\System\hwHCeho.exe
  2⤵
  PID:8828
- C:\Windows\System\seGgwsu.exe
  C:\Windows\System\seGgwsu.exe
  2⤵
  PID:8852
- C:\Windows\System\PlUrhuw.exe
  C:\Windows\System\PlUrhuw.exe
  2⤵
  PID:8884
- C:\Windows\System\AHBDgFG.exe
  C:\Windows\System\AHBDgFG.exe
  2⤵
  PID:8912
- C:\Windows\System\tUcHfFq.exe
  C:\Windows\System\tUcHfFq.exe
  2⤵
  PID:8984
- C:\Windows\System\cXuZhqN.exe
  C:\Windows\System\cXuZhqN.exe
  2⤵
  PID:9012
- C:\Windows\System\lcCGFPW.exe
  C:\Windows\System\lcCGFPW.exe
  2⤵
  PID:9032
- C:\Windows\System\heUEpPH.exe
  C:\Windows\System\heUEpPH.exe
  2⤵
  PID:9056
- C:\Windows\System\VdNbvFA.exe
  C:\Windows\System\VdNbvFA.exe
  2⤵
  PID:9088
- C:\Windows\System\JkWRHlo.exe
  C:\Windows\System\JkWRHlo.exe
  2⤵
  PID:9108
- C:\Windows\System\EZrsIEz.exe
  C:\Windows\System\EZrsIEz.exe
  2⤵
  PID:9144
- C:\Windows\System\yLPQNkJ.exe
  C:\Windows\System\yLPQNkJ.exe
  2⤵
  PID:9160
- C:\Windows\System\KZWYDnf.exe
  C:\Windows\System\KZWYDnf.exe
  2⤵
  PID:9180
- C:\Windows\System\vVFOABw.exe
  C:\Windows\System\vVFOABw.exe
  2⤵
  PID:1496
- C:\Windows\System\DAyizCC.exe
  C:\Windows\System\DAyizCC.exe
  2⤵
  PID:7464
- C:\Windows\System\iJPcRih.exe
  C:\Windows\System\iJPcRih.exe
  2⤵
  PID:8248
- C:\Windows\System\iteqxxz.exe
  C:\Windows\System\iteqxxz.exe
  2⤵
  PID:8284
- C:\Windows\System\VLVekQZ.exe
  C:\Windows\System\VLVekQZ.exe
  2⤵
  PID:8352
- C:\Windows\System\TPiSkac.exe
  C:\Windows\System\TPiSkac.exe
  2⤵
  PID:8456
- C:\Windows\System\OVicvfS.exe
  C:\Windows\System\OVicvfS.exe
  2⤵
  PID:8524
- C:\Windows\System\zRFmKQU.exe
  C:\Windows\System\zRFmKQU.exe
  2⤵
  PID:8604
- C:\Windows\System\jSzoJYh.exe
  C:\Windows\System\jSzoJYh.exe
  2⤵
  PID:8636
- C:\Windows\System\GerefGq.exe
  C:\Windows\System\GerefGq.exe
  2⤵
  PID:8668
- C:\Windows\System\VELyjof.exe
  C:\Windows\System\VELyjof.exe
  2⤵
  PID:8716
- C:\Windows\System\AtMNGrr.exe
  C:\Windows\System\AtMNGrr.exe
  2⤵
  PID:8848
- C:\Windows\System\nWJGcxa.exe
  C:\Windows\System\nWJGcxa.exe
  2⤵
  PID:3608
- C:\Windows\System\emqujjg.exe
  C:\Windows\System\emqujjg.exe
  2⤵
  PID:8896
- C:\Windows\System\WnumFnd.exe
  C:\Windows\System\WnumFnd.exe
  2⤵
  PID:536
- C:\Windows\System\EmcbhBe.exe
  C:\Windows\System\EmcbhBe.exe
  2⤵
  PID:1580
- C:\Windows\System\etclqvr.exe
  C:\Windows\System\etclqvr.exe
  2⤵
  PID:1108
- C:\Windows\System\KylYRRf.exe
  C:\Windows\System\KylYRRf.exe
  2⤵
  PID:9068
- C:\Windows\System\isXhESu.exe
  C:\Windows\System\isXhESu.exe
  2⤵
  PID:3484
- C:\Windows\System\chFVnIE.exe
  C:\Windows\System\chFVnIE.exe
  2⤵
  PID:9128
- C:\Windows\System\XKjJDMP.exe
  C:\Windows\System\XKjJDMP.exe
  2⤵
  PID:9176
- C:\Windows\System\XzMzblG.exe
  C:\Windows\System\XzMzblG.exe
  2⤵
  PID:8200
- C:\Windows\System\WGisEVT.exe
  C:\Windows\System\WGisEVT.exe
  2⤵
  PID:8404
- C:\Windows\System\IwdQUaR.exe
  C:\Windows\System\IwdQUaR.exe
  2⤵
  PID:8408
- C:\Windows\System\KejQeHj.exe
  C:\Windows\System\KejQeHj.exe
  2⤵
  PID:8660
- C:\Windows\System\WZsgJaq.exe
  C:\Windows\System\WZsgJaq.exe
  2⤵
  PID:8784
- C:\Windows\System\NUCOxua.exe
  C:\Windows\System\NUCOxua.exe
  2⤵
  PID:8944
- C:\Windows\System\iTrfRPw.exe
  C:\Windows\System\iTrfRPw.exe
  2⤵
  PID:3416
- C:\Windows\System\YqMDQLs.exe
  C:\Windows\System\YqMDQLs.exe
  2⤵
  PID:4356
- C:\Windows\System\kpbWebM.exe
  C:\Windows\System\kpbWebM.exe
  2⤵
  PID:5004
- C:\Windows\System\MBHUmZj.exe
  C:\Windows\System\MBHUmZj.exe
  2⤵
  PID:8580
- C:\Windows\System\upafWXL.exe
  C:\Windows\System\upafWXL.exe
  2⤵
  PID:9020
- C:\Windows\System\icNRKPG.exe
  C:\Windows\System\icNRKPG.exe
  2⤵
  PID:8980
- C:\Windows\System\msYdYKH.exe
  C:\Windows\System\msYdYKH.exe
  2⤵
  PID:8476
- C:\Windows\System\fZHEFwC.exe
  C:\Windows\System\fZHEFwC.exe
  2⤵
  PID:8940
- C:\Windows\System\RydleOW.exe
  C:\Windows\System\RydleOW.exe
  2⤵
  PID:8324
- C:\Windows\System\BVaUyUz.exe
  C:\Windows\System\BVaUyUz.exe
  2⤵
  PID:9244
- C:\Windows\System\bvNltpg.exe
  C:\Windows\System\bvNltpg.exe
  2⤵
  PID:9272
- C:\Windows\System\qnICknp.exe
  C:\Windows\System\qnICknp.exe
  2⤵
  PID:9308
- C:\Windows\System\KUOFTuk.exe
  C:\Windows\System\KUOFTuk.exe
  2⤵
  PID:9324
- C:\Windows\System\cLMGwOp.exe
  C:\Windows\System\cLMGwOp.exe
  2⤵
  PID:9352
- C:\Windows\System\HqxlDNS.exe
  C:\Windows\System\HqxlDNS.exe
  2⤵
  PID:9392
- C:\Windows\System\JXixuOk.exe
  C:\Windows\System\JXixuOk.exe
  2⤵
  PID:9420
- C:\Windows\System\XOQIZyn.exe
  C:\Windows\System\XOQIZyn.exe
  2⤵
  PID:9452
- C:\Windows\System\MKYAbFV.exe
  C:\Windows\System\MKYAbFV.exe
  2⤵
  PID:9468
- C:\Windows\System\gfgtKdw.exe
  C:\Windows\System\gfgtKdw.exe
  2⤵
  PID:9504
- C:\Windows\System\PeQZAgi.exe
  C:\Windows\System\PeQZAgi.exe
  2⤵
  PID:9536
- C:\Windows\System\vOnIwsj.exe
  C:\Windows\System\vOnIwsj.exe
  2⤵
  PID:9564
- C:\Windows\System\IokxuQW.exe
  C:\Windows\System\IokxuQW.exe
  2⤵
  PID:9592
- C:\Windows\System\hWesZvf.exe
  C:\Windows\System\hWesZvf.exe
  2⤵
  PID:9620
- C:\Windows\System\xFruloo.exe
  C:\Windows\System\xFruloo.exe
  2⤵
  PID:9648
- C:\Windows\System\igPkdZo.exe
  C:\Windows\System\igPkdZo.exe
  2⤵
  PID:9676
- C:\Windows\System\HkWKVPV.exe
  C:\Windows\System\HkWKVPV.exe
  2⤵
  PID:9704
- C:\Windows\System\UGldxpy.exe
  C:\Windows\System\UGldxpy.exe
  2⤵
  PID:9736
- C:\Windows\System\VLaXjLB.exe
  C:\Windows\System\VLaXjLB.exe
  2⤵
  PID:9764
- C:\Windows\System\zwRgsXN.exe
  C:\Windows\System\zwRgsXN.exe
  2⤵
  PID:9792
- C:\Windows\System\GpcpfFE.exe
  C:\Windows\System\GpcpfFE.exe
  2⤵
  PID:9820
- C:\Windows\System\EJXZefD.exe
  C:\Windows\System\EJXZefD.exe
  2⤵
  PID:9844
- C:\Windows\System\mZzBEcl.exe
  C:\Windows\System\mZzBEcl.exe
  2⤵
  PID:9876
- C:\Windows\System\SvIGRaz.exe
  C:\Windows\System\SvIGRaz.exe
  2⤵
  PID:9904
- C:\Windows\System\nuvHviZ.exe
  C:\Windows\System\nuvHviZ.exe
  2⤵
  PID:9928
- C:\Windows\System\REQXvRO.exe
  C:\Windows\System\REQXvRO.exe
  2⤵
  PID:9956
- C:\Windows\System\NHLoQyI.exe
  C:\Windows\System\NHLoQyI.exe
  2⤵
  PID:9988
- C:\Windows\System\TRguPDP.exe
  C:\Windows\System\TRguPDP.exe
  2⤵
  PID:10020
- C:\Windows\System\VKntHJl.exe
  C:\Windows\System\VKntHJl.exe
  2⤵
  PID:10048
- C:\Windows\System\dAbkfzQ.exe
  C:\Windows\System\dAbkfzQ.exe
  2⤵
  PID:10084
- C:\Windows\System\CIvERLS.exe
  C:\Windows\System\CIvERLS.exe
  2⤵
  PID:10112
- C:\Windows\System\mOfqqrO.exe
  C:\Windows\System\mOfqqrO.exe
  2⤵
  PID:10140
- C:\Windows\System\IGrKThA.exe
  C:\Windows\System\IGrKThA.exe
  2⤵
  PID:10168
- C:\Windows\System\feNfREa.exe
  C:\Windows\System\feNfREa.exe
  2⤵
  PID:10192
- C:\Windows\System\aMDISIk.exe
  C:\Windows\System\aMDISIk.exe
  2⤵
  PID:10232
- C:\Windows\System\IEUsZyO.exe
  C:\Windows\System\IEUsZyO.exe
  2⤵
  PID:9260
- C:\Windows\System\gHnoqrS.exe
  C:\Windows\System\gHnoqrS.exe
  2⤵
  PID:9348
- C:\Windows\System\HrCeNij.exe
  C:\Windows\System\HrCeNij.exe
  2⤵
  PID:9416
- C:\Windows\System\EvyPtmb.exe
  C:\Windows\System\EvyPtmb.exe
  2⤵
  PID:9480
- C:\Windows\System\STqInMo.exe
  C:\Windows\System\STqInMo.exe
  2⤵
  PID:9548
- C:\Windows\System\kMjeuCu.exe
  C:\Windows\System\kMjeuCu.exe
  2⤵
  PID:9604
- C:\Windows\System\QROhRnX.exe
  C:\Windows\System\QROhRnX.exe
  2⤵
  PID:9640
- C:\Windows\System\EKojuCL.exe
  C:\Windows\System\EKojuCL.exe
  2⤵
  PID:9748
- C:\Windows\System\XkRwJJV.exe
  C:\Windows\System\XkRwJJV.exe
  2⤵
  PID:9804
- C:\Windows\System\ctYcvqh.exe
  C:\Windows\System\ctYcvqh.exe
  2⤵
  PID:9836
- C:\Windows\System\wmlvXPa.exe
  C:\Windows\System\wmlvXPa.exe
  2⤵
  PID:9896
- C:\Windows\System\oJUXpdS.exe
  C:\Windows\System\oJUXpdS.exe
  2⤵
  PID:9972
- C:\Windows\System\TOIqyFr.exe
  C:\Windows\System\TOIqyFr.exe
  2⤵
  PID:10016
- C:\Windows\System\LAMpqMk.exe
  C:\Windows\System\LAMpqMk.exe
  2⤵
  PID:10132
- C:\Windows\System\QnLxYzW.exe
  C:\Windows\System\QnLxYzW.exe
  2⤵
  PID:10208
- C:\Windows\System\lWiWNrh.exe
  C:\Windows\System\lWiWNrh.exe
  2⤵
  PID:9284
- C:\Windows\System\eJnVzKR.exe
  C:\Windows\System\eJnVzKR.exe
  2⤵
  PID:9412
- C:\Windows\System\yYEDIrL.exe
  C:\Windows\System\yYEDIrL.exe
  2⤵
  PID:9528
- C:\Windows\System\RraCLgM.exe
  C:\Windows\System\RraCLgM.exe
  2⤵
  PID:9632
- C:\Windows\System\flOIRvO.exe
  C:\Windows\System\flOIRvO.exe
  2⤵
  PID:9888
- C:\Windows\System\njymxih.exe
  C:\Windows\System\njymxih.exe
  2⤵
  PID:7876
- C:\Windows\System\uyBtleu.exe
  C:\Windows\System\uyBtleu.exe
  2⤵
  PID:10188
- C:\Windows\System\MijcxZT.exe
  C:\Windows\System\MijcxZT.exe
  2⤵
  PID:9464
- C:\Windows\System\jKYrWWX.exe
  C:\Windows\System\jKYrWWX.exe
  2⤵
  PID:9720
- C:\Windows\System\MgaCEsO.exe
  C:\Windows\System\MgaCEsO.exe
  2⤵
  PID:9940
- C:\Windows\System\BcIljHq.exe
  C:\Windows\System\BcIljHq.exe
  2⤵
  PID:9576
- C:\Windows\System\KLLoKrx.exe
  C:\Windows\System\KLLoKrx.exe
  2⤵
  PID:9404
- C:\Windows\System\JYvSNKP.exe
  C:\Windows\System\JYvSNKP.exe
  2⤵
  PID:10272
- C:\Windows\System\PPxYFRw.exe
  C:\Windows\System\PPxYFRw.exe
  2⤵
  PID:10292
- C:\Windows\System\lbqqglM.exe
  C:\Windows\System\lbqqglM.exe
  2⤵
  PID:10312
- C:\Windows\System\UUFfgfk.exe
  C:\Windows\System\UUFfgfk.exe
  2⤵
  PID:10332
- C:\Windows\System\HxEslEC.exe
  C:\Windows\System\HxEslEC.exe
  2⤵
  PID:10348
- C:\Windows\System\fsVTDOD.exe
  C:\Windows\System\fsVTDOD.exe
  2⤵
  PID:10404
- C:\Windows\System\gpHOlGC.exe
  C:\Windows\System\gpHOlGC.exe
  2⤵
  PID:10440
- C:\Windows\System\kMkEiMA.exe
  C:\Windows\System\kMkEiMA.exe
  2⤵
  PID:10456
- C:\Windows\System\QECYtcK.exe
  C:\Windows\System\QECYtcK.exe
  2⤵
  PID:10496
- C:\Windows\System\VCjdIKS.exe
  C:\Windows\System\VCjdIKS.exe
  2⤵
  PID:10524
- C:\Windows\System\xdnvtJS.exe
  C:\Windows\System\xdnvtJS.exe
  2⤵
  PID:10552
- C:\Windows\System\QvPjHOc.exe
  C:\Windows\System\QvPjHOc.exe
  2⤵
  PID:10580
- C:\Windows\System\NDmSpFa.exe
  C:\Windows\System\NDmSpFa.exe
  2⤵
  PID:10608
- C:\Windows\System\AQnMOEM.exe
  C:\Windows\System\AQnMOEM.exe
  2⤵
  PID:10636
- C:\Windows\System\GjJYgXC.exe
  C:\Windows\System\GjJYgXC.exe
  2⤵
  PID:10664
- C:\Windows\System\UFHONtG.exe
  C:\Windows\System\UFHONtG.exe
  2⤵
  PID:10692
- C:\Windows\System\KCDfyYI.exe
  C:\Windows\System\KCDfyYI.exe
  2⤵
  PID:10720
- C:\Windows\System\QhSLQYH.exe
  C:\Windows\System\QhSLQYH.exe
  2⤵
  PID:10748
- C:\Windows\System\odqwDHd.exe
  C:\Windows\System\odqwDHd.exe
  2⤵
  PID:10776
- C:\Windows\System\KYJAMTU.exe
  C:\Windows\System\KYJAMTU.exe
  2⤵
  PID:10792
- C:\Windows\System\WvgHOVa.exe
  C:\Windows\System\WvgHOVa.exe
  2⤵
  PID:10808
- C:\Windows\System\gOzsDam.exe
  C:\Windows\System\gOzsDam.exe
  2⤵
  PID:10856
- C:\Windows\System\sTAnBSI.exe
  C:\Windows\System\sTAnBSI.exe
  2⤵
  PID:10880
- C:\Windows\System\vpoHkQb.exe
  C:\Windows\System\vpoHkQb.exe
  2⤵
  PID:10920
- C:\Windows\System\UcUTaVI.exe
  C:\Windows\System\UcUTaVI.exe
  2⤵
  PID:10948
- C:\Windows\System\fRtZqlr.exe
  C:\Windows\System\fRtZqlr.exe
  2⤵
  PID:10996
- C:\Windows\System\NnQFhPn.exe
  C:\Windows\System\NnQFhPn.exe
  2⤵
  PID:11024
- C:\Windows\System\zdLsxgc.exe
  C:\Windows\System\zdLsxgc.exe
  2⤵
  PID:11052
- C:\Windows\System\DpQnxmB.exe
  C:\Windows\System\DpQnxmB.exe
  2⤵
  PID:11080
- C:\Windows\System\zXhfHcg.exe
  C:\Windows\System\zXhfHcg.exe
  2⤵
  PID:11096
- C:\Windows\System\lhTRRIb.exe
  C:\Windows\System\lhTRRIb.exe
  2⤵
  PID:11136
- C:\Windows\System\WmBJfkl.exe
  C:\Windows\System\WmBJfkl.exe
  2⤵
  PID:11164
- C:\Windows\System\etumsCf.exe
  C:\Windows\System\etumsCf.exe
  2⤵
  PID:11196
- C:\Windows\System\iMCkZoA.exe
  C:\Windows\System\iMCkZoA.exe
  2⤵
  PID:11224
- C:\Windows\System\FMhuLuN.exe
  C:\Windows\System\FMhuLuN.exe
  2⤵
  PID:11252
- C:\Windows\System\AmrOGhU.exe
  C:\Windows\System\AmrOGhU.exe
  2⤵
  PID:10260
- C:\Windows\System\IapAqVY.exe
  C:\Windows\System\IapAqVY.exe
  2⤵
  PID:10320
- C:\Windows\System\smbhlpK.exe
  C:\Windows\System\smbhlpK.exe
  2⤵
  PID:10396
- C:\Windows\System\zwxnyTL.exe
  C:\Windows\System\zwxnyTL.exe
  2⤵
  PID:10448
- C:\Windows\System\VGQdJjR.exe
  C:\Windows\System\VGQdJjR.exe
  2⤵
  PID:10520
- C:\Windows\System\DPOfrbA.exe
  C:\Windows\System\DPOfrbA.exe
  2⤵
  PID:10592
- C:\Windows\System\UZThMIS.exe
  C:\Windows\System\UZThMIS.exe
  2⤵
  PID:10656
- C:\Windows\System\ANORgLR.exe
  C:\Windows\System\ANORgLR.exe
  2⤵
  PID:10716
- C:\Windows\System\KkfKKan.exe
  C:\Windows\System\KkfKKan.exe
  2⤵
  PID:10772
- C:\Windows\System\tgRPABA.exe
  C:\Windows\System\tgRPABA.exe
  2⤵
  PID:10840
- C:\Windows\System\JpHqiBN.exe
  C:\Windows\System\JpHqiBN.exe
  2⤵
  PID:10912
- C:\Windows\System\bFeAvgG.exe
  C:\Windows\System\bFeAvgG.exe
  2⤵
  PID:10992
- C:\Windows\System\NNJfKdn.exe
  C:\Windows\System\NNJfKdn.exe
  2⤵
  PID:11064
- C:\Windows\System\raojhuu.exe
  C:\Windows\System\raojhuu.exe
  2⤵
  PID:11132
- C:\Windows\System\gXNsIiD.exe
  C:\Windows\System\gXNsIiD.exe
  2⤵
  PID:11192
- C:\Windows\System\ioCZPEX.exe
  C:\Windows\System\ioCZPEX.exe
  2⤵
  PID:9240
- C:\Windows\System\avkhsxG.exe
  C:\Windows\System\avkhsxG.exe
  2⤵
  PID:10344
- C:\Windows\System\YBeHnNp.exe
  C:\Windows\System\YBeHnNp.exe
  2⤵
  PID:10508
- C:\Windows\System\foZumrP.exe
  C:\Windows\System\foZumrP.exe
  2⤵
  PID:10620
- C:\Windows\System\PLzAlyT.exe
  C:\Windows\System\PLzAlyT.exe
  2⤵
  PID:10680
- C:\Windows\System\OUzUdbk.exe
  C:\Windows\System\OUzUdbk.exe
  2⤵
  PID:10988
- C:\Windows\System\piZiVWu.exe
  C:\Windows\System\piZiVWu.exe
  2⤵
  PID:11160
- C:\Windows\System\BEYnwlP.exe
  C:\Windows\System\BEYnwlP.exe
  2⤵
  PID:10308
- C:\Windows\System\PwSTbie.exe
  C:\Windows\System\PwSTbie.exe
  2⤵
  PID:10676
- C:\Windows\System\dOdTnVm.exe
  C:\Windows\System\dOdTnVm.exe
  2⤵
  PID:11048
- C:\Windows\System\pWMLkQe.exe
  C:\Windows\System\pWMLkQe.exe
  2⤵
  PID:10432
- C:\Windows\System\aGyhfRr.exe
  C:\Windows\System\aGyhfRr.exe
  2⤵
  PID:11120
- C:\Windows\System\ddFeqCl.exe
  C:\Windows\System\ddFeqCl.exe
  2⤵
  PID:11272
- C:\Windows\System\lJPvttN.exe
  C:\Windows\System\lJPvttN.exe
  2⤵
  PID:11296
- C:\Windows\System\ctReQTQ.exe
  C:\Windows\System\ctReQTQ.exe
  2⤵
  PID:11328
- C:\Windows\System\GxjFErX.exe
  C:\Windows\System\GxjFErX.exe
  2⤵
  PID:11348
- C:\Windows\System\UIePDOs.exe
  C:\Windows\System\UIePDOs.exe
  2⤵
  PID:11376
- C:\Windows\System\lSnOGjo.exe
  C:\Windows\System\lSnOGjo.exe
  2⤵
  PID:11408
- C:\Windows\System\IjQJwuJ.exe
  C:\Windows\System\IjQJwuJ.exe
  2⤵
  PID:11428
- C:\Windows\System\PvwQXfk.exe
  C:\Windows\System\PvwQXfk.exe
  2⤵
  PID:11456
- C:\Windows\System\lfJLdEf.exe
  C:\Windows\System\lfJLdEf.exe
  2⤵
  PID:11504
- C:\Windows\System\tpmDmXw.exe
  C:\Windows\System\tpmDmXw.exe
  2⤵
  PID:11540
- C:\Windows\System\AKXgxgc.exe
  C:\Windows\System\AKXgxgc.exe
  2⤵
  PID:11556
- C:\Windows\System\gzxjrxC.exe
  C:\Windows\System\gzxjrxC.exe
  2⤵
  PID:11604
- C:\Windows\System\hDFeMFe.exe
  C:\Windows\System\hDFeMFe.exe
  2⤵
  PID:11656
- C:\Windows\System\dnwPUaE.exe
  C:\Windows\System\dnwPUaE.exe
  2⤵
  PID:11672
- C:\Windows\System\WabKUTQ.exe
  C:\Windows\System\WabKUTQ.exe
  2⤵
  PID:11716
- C:\Windows\System\bgyzFAP.exe
  C:\Windows\System\bgyzFAP.exe
  2⤵
  PID:11744
- C:\Windows\System\ypHlyIe.exe
  C:\Windows\System\ypHlyIe.exe
  2⤵
  PID:11772
- C:\Windows\System\rvxTSsK.exe
  C:\Windows\System\rvxTSsK.exe
  2⤵
  PID:11800
- C:\Windows\System\PQBSuPd.exe
  C:\Windows\System\PQBSuPd.exe
  2⤵
  PID:11828
- C:\Windows\System\PKagWOb.exe
  C:\Windows\System\PKagWOb.exe
  2⤵
  PID:11860
- C:\Windows\System\NhWNCTb.exe
  C:\Windows\System\NhWNCTb.exe
  2⤵
  PID:11888
- C:\Windows\System\UujhisC.exe
  C:\Windows\System\UujhisC.exe
  2⤵
  PID:11916
- C:\Windows\System\OoeDLPa.exe
  C:\Windows\System\OoeDLPa.exe
  2⤵
  PID:11944
- C:\Windows\System\ZrddPlg.exe
  C:\Windows\System\ZrddPlg.exe
  2⤵
  PID:11976
- C:\Windows\System\XzNbVuU.exe
  C:\Windows\System\XzNbVuU.exe
  2⤵
  PID:12000
- C:\Windows\System\IDaBfhU.exe
  C:\Windows\System\IDaBfhU.exe
  2⤵
  PID:12024
- C:\Windows\System\HoPiHoS.exe
  C:\Windows\System\HoPiHoS.exe
  2⤵
  PID:12052
- C:\Windows\System\lQwzCWi.exe
  C:\Windows\System\lQwzCWi.exe
  2⤵
  PID:12092
- C:\Windows\System\ZmOTfKs.exe
  C:\Windows\System\ZmOTfKs.exe
  2⤵
  PID:12120
- C:\Windows\System\iqNWriv.exe
  C:\Windows\System\iqNWriv.exe
  2⤵
  PID:12148
- C:\Windows\System\taxureR.exe
  C:\Windows\System\taxureR.exe
  2⤵
  PID:12176
- C:\Windows\System\vErYVmE.exe
  C:\Windows\System\vErYVmE.exe
  2⤵
  PID:12192
- C:\Windows\System\igaHWGd.exe
  C:\Windows\System\igaHWGd.exe
  2⤵
  PID:12220
- C:\Windows\System\bbbWheU.exe
  C:\Windows\System\bbbWheU.exe
  2⤵
  PID:12260
- C:\Windows\System\nSrBngU.exe
  C:\Windows\System\nSrBngU.exe
  2⤵
  PID:10936
- C:\Windows\System\rznPzfH.exe
  C:\Windows\System\rznPzfH.exe
  2⤵
  PID:11292
- C:\Windows\System\lYHtQHY.exe
  C:\Windows\System\lYHtQHY.exe
  2⤵
  PID:11388
- C:\Windows\System\eGGSdBO.exe
  C:\Windows\System\eGGSdBO.exe
  2⤵
  PID:11464
- C:\Windows\System\ajjkfva.exe
  C:\Windows\System\ajjkfva.exe
  2⤵
  PID:11524
- C:\Windows\System\DjirGcp.exe
  C:\Windows\System\DjirGcp.exe
  2⤵
  PID:11640
- C:\Windows\System\rbaDpPQ.exe
  C:\Windows\System\rbaDpPQ.exe
  2⤵
  PID:11708
- C:\Windows\System\RwHchcy.exe
  C:\Windows\System\RwHchcy.exe
  2⤵
  PID:11764
- C:\Windows\System\rblMbXY.exe
  C:\Windows\System\rblMbXY.exe
  2⤵
  PID:11812
- C:\Windows\System\QdFMQyb.exe
  C:\Windows\System\QdFMQyb.exe
  2⤵
  PID:11884
- C:\Windows\System\sUsfoCV.exe
  C:\Windows\System\sUsfoCV.exe
  2⤵
  PID:448
- C:\Windows\System\xNfJmID.exe
  C:\Windows\System\xNfJmID.exe
  2⤵
  PID:11956
- C:\Windows\System\ChjTHJj.exe
  C:\Windows\System\ChjTHJj.exe
  2⤵
  PID:11996
- C:\Windows\System\yNBSMhD.exe
  C:\Windows\System\yNBSMhD.exe
  2⤵
  PID:12044
- C:\Windows\System\LHqVupQ.exe
  C:\Windows\System\LHqVupQ.exe
  2⤵
  PID:12112
- C:\Windows\System\trBmCwn.exe
  C:\Windows\System\trBmCwn.exe
  2⤵
  PID:11280
- C:\Windows\System\iUpQkyb.exe
  C:\Windows\System\iUpQkyb.exe
  2⤵
  PID:11392
- C:\Windows\System\VgxYxln.exe
  C:\Windows\System\VgxYxln.exe
  2⤵
  PID:11400
- C:\Windows\System\QUYgZEN.exe
  C:\Windows\System\QUYgZEN.exe
  2⤵
  PID:11940
- C:\Windows\System\ZLvzwhe.exe
  C:\Windows\System\ZLvzwhe.exe
  2⤵
  PID:12144
- C:\Windows\System\xiONbcw.exe
  C:\Windows\System\xiONbcw.exe
  2⤵
  PID:11444
- C:\Windows\System\buDSyYb.exe
  C:\Windows\System\buDSyYb.exe
  2⤵
  PID:12280
- C:\Windows\System\dyQrxfv.exe
  C:\Windows\System\dyQrxfv.exe
  2⤵
  PID:12316
- C:\Windows\System\HIJypKH.exe
  C:\Windows\System\HIJypKH.exe
  2⤵
  PID:12356
- C:\Windows\System\xtNrbdP.exe
  C:\Windows\System\xtNrbdP.exe
  2⤵
  PID:12396
- C:\Windows\System\MqoFlOQ.exe
  C:\Windows\System\MqoFlOQ.exe
  2⤵
  PID:12416
- C:\Windows\System\LRDNiuY.exe
  C:\Windows\System\LRDNiuY.exe
  2⤵
  PID:12468
- C:\Windows\System\aQSlAJV.exe
  C:\Windows\System\aQSlAJV.exe
  2⤵
  PID:12488
- C:\Windows\System\aEtaWia.exe
  C:\Windows\System\aEtaWia.exe
  2⤵
  PID:12536
- C:\Windows\System\eGSUEHC.exe
  C:\Windows\System\eGSUEHC.exe
  2⤵
  PID:12564
- C:\Windows\System\HqFBtrR.exe
  C:\Windows\System\HqFBtrR.exe
  2⤵
  PID:12592
- C:\Windows\System\LNbCFrH.exe
  C:\Windows\System\LNbCFrH.exe
  2⤵
  PID:12608
- C:\Windows\System\oeQkyqJ.exe
  C:\Windows\System\oeQkyqJ.exe
  2⤵
  PID:12624
- C:\Windows\System\GsvHSMF.exe
  C:\Windows\System\GsvHSMF.exe
  2⤵
  PID:12644
- C:\Windows\System\lsOsjEC.exe
  C:\Windows\System\lsOsjEC.exe
  2⤵
  PID:12668
- C:\Windows\System\kZsTzyQ.exe
  C:\Windows\System\kZsTzyQ.exe
  2⤵
  PID:12732
- C:\Windows\System\XigjgUW.exe
  C:\Windows\System\XigjgUW.exe
  2⤵
  PID:12768
- C:\Windows\System\CZsltpM.exe
  C:\Windows\System\CZsltpM.exe
  2⤵
  PID:12792
- C:\Windows\System\YxIenFM.exe
  C:\Windows\System\YxIenFM.exe
  2⤵
  PID:12816
- C:\Windows\System\wMVKrim.exe
  C:\Windows\System\wMVKrim.exe
  2⤵
  PID:12860
- C:\Windows\System\ltbGrPL.exe
  C:\Windows\System\ltbGrPL.exe
  2⤵
  PID:12876
- C:\Windows\System\ctdqJvF.exe
  C:\Windows\System\ctdqJvF.exe
  2⤵
  PID:12920
- C:\Windows\System\gDzUsKP.exe
  C:\Windows\System\gDzUsKP.exe
  2⤵
  PID:12952
- C:\Windows\System\nvvlkdk.exe
  C:\Windows\System\nvvlkdk.exe
  2⤵
  PID:12988
- C:\Windows\System\RYRWshs.exe
  C:\Windows\System\RYRWshs.exe
  2⤵
  PID:13020
- C:\Windows\System\OXGRudh.exe
  C:\Windows\System\OXGRudh.exe
  2⤵
  PID:13048
- C:\Windows\System\KZJHSwx.exe
  C:\Windows\System\KZJHSwx.exe
  2⤵
  PID:13080
- C:\Windows\System\tUbrELh.exe
  C:\Windows\System\tUbrELh.exe
  2⤵
  PID:13108
- C:\Windows\System\lOyCMwB.exe
  C:\Windows\System\lOyCMwB.exe
  2⤵
  PID:13124
- C:\Windows\System\jgxLCWP.exe
  C:\Windows\System\jgxLCWP.exe
  2⤵
  PID:13164
- C:\Windows\System\kkaSKQk.exe
  C:\Windows\System\kkaSKQk.exe
  2⤵
  PID:13192
- C:\Windows\System\oxXTXcU.exe
  C:\Windows\System\oxXTXcU.exe
  2⤵
  PID:13220
- C:\Windows\System\ZpcOVrX.exe
  C:\Windows\System\ZpcOVrX.exe
  2⤵
  PID:13248
- C:\Windows\System\dOwNEFd.exe
  C:\Windows\System\dOwNEFd.exe
  2⤵
  PID:13268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ytnn25ev.hzp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AQbREvi.exe

Filesize
3.2MB

MD5
200d1840480bd48c38626bf1b1d91762

SHA1
748e72ed303c20bc4f6717d0971d49c7c91b0831

SHA256
29121b775489cf9ec3cdb3bd154198b3f36f1f3d9ca3622c3c11de0e2e0dede6

SHA512
e6ce906f28d560169a5cf283e3df3e166c915ecce81e33bdc16fdcd52e36c3fba536dc9f1147e47942400960e0aa8799e664f81431f6d7ccf5edcbd4152becf5

Download Submit
C:\Windows\System\BFnxDlT.exe

Filesize
3.2MB

MD5
0cd9a4268a6734d7e2d4c677e79a05df

SHA1
1db065ad61de48abd279207fbe9e49af401dd89a

SHA256
7953bdf8b01fb47b51c3843be11755b34eaee7a158c16b7c3a4ab2d590eea046

SHA512
0ed1d9ff3f5e56118ea37b79c3ca63b2dc779bb9db13a646d937e44fcb2b7e75edb4ca72dbc37141b6f624be3354442b2ef7b6eb8133f501a414e8a44f25bb85

Download Submit
C:\Windows\System\BbanDuH.exe

Filesize
3.2MB

MD5
5d31d228207bc2ca4d2925b51280dd0d

SHA1
4a176ddb61999f5078c2491231b91fefa8ec8fe8

SHA256
735638790171efc0a3bac27f1b82017d569092c84f8e0301b1c7f634b923b726

SHA512
666f6a8be1fb3550066069e5e585411ebaa2d19582fc8e1c206471bc395c69a54ca3d11be0bb6a04a8a18a43eb61a29dca4ce8c0a3dd3f5f8635ba8741d39389

Download Submit
C:\Windows\System\DSwUZWr.exe

Filesize
3.2MB

MD5
633cf33beb1769aaccb0c1294ba2f5c3

SHA1
73edaf0715dccb2c1e2001121737a9ec876e707f

SHA256
be19fac1cf0d16057407e4636f0a402e4c15560b8df769cb98067b533aca5f02

SHA512
27e562d6635f083d8f0cdb7574c1a67702ca099a3299519bf67f85d816dce07bf3a2df9f30f24dfd775a49ffa73ed845146ab663093b6c3ab197930ed5a0d804

Download Submit
C:\Windows\System\DznVePs.exe

Filesize
3.2MB

MD5
d0d3ca5c44fcf5c77393195c596b38b3

SHA1
c9e135cb51a62d77f026ebe383d6e8cbf3f258e7

SHA256
dd8c7f6f8f378ca35f12d9e317ff65fdb926f222ce79ca0032eb541db7c5d857

SHA512
53fd98fb6006c7d0368b0ee80b9952eaebebd5cee9f8da198b9bb851be9014ccd716dbae35d5410f0525a14364befe20e2a4687d6a6bdbd187a64516c469d654

Download Submit
C:\Windows\System\EddnZHJ.exe

Filesize
3.2MB

MD5
94ef13b71b08b1219ce4ac5a7c812b5e

SHA1
70d31028d8c387b9e383975526b81086b6bb5fa8

SHA256
b4913815b9c7fc5e0664fc5ab4bc83c3def423b6342da8f1a13f671e992cecbc

SHA512
6856ba37b4e51f5f7703ef8dd1aa5d0886f0af1c242c328eac0a57440e9d29c5f2806a48d9dfebcda29e2ef82a45718a1a930003d7b809b2c998d5f097a1b949

Download Submit
C:\Windows\System\GchYCKn.exe

Filesize
3.2MB

MD5
a4bce92a05f607c4d23a2488e76de501

SHA1
555faa07f12e403ec9ab76dc5287d118d00cdda1

SHA256
ba7f4b484f83d4831cc581b99844eadfbd0a54f89e60b6eb77d7ada37e70e0c5

SHA512
43c02e4a045f7c604a172e2693de2b752a117da901a201b5cadf317671df8d575b37782e2b47fdd5242d43f0ce705e74657a92f0b2cde0b6ff34648ffc1c274f

Download Submit
C:\Windows\System\JMWTCZd.exe

Filesize
3.2MB

MD5
acd73e95ba37c8c427a8c0453c4f8b00

SHA1
69fa22805bd02f2ecd1c1c2bac15cfa8d9337332

SHA256
6b62784267b0786e1abdf1840e7a677cf972a49d509081e97e3b86d474a83d00

SHA512
da1389866be904ee107b176aa23897df515155cd98ee79e837b53f5608d9ceb13761f5afbcaccd168006758c982664991d28f24138eb6ed17ce38014e596fbbc

Download Submit
C:\Windows\System\KSHssgo.exe

Filesize
3.2MB

MD5
658159a492f80bbaa124a66117ba464d

SHA1
7ac0966419b3a3defdf6dbc4ed6b00b10ff6a6e4

SHA256
8d08f73cad3d175fb46e5f3a7a72706ac935227f33288400c73088fa31b17890

SHA512
f464db8ccfbcba538b032f5679b6e883a529864b07940156dcb940e128178dbc150f3858735fef01fcc7d4a9156541bbfd2d382929fca2d572aa35921e87e935

Download Submit
C:\Windows\System\LmZkNQm.exe

Filesize
3.2MB

MD5
e5fef1bca3ede5463f8e23a9ff5eb71a

SHA1
ecd37e9deeafe2832afed93610ff822adcf92a48

SHA256
27a0efeb189ee1bf6080f631d3de8dae2cd05159af6b2c2d4cb3d7b0bd29c6eb

SHA512
e4bec943b109746e13089390d68fdf5a47c435284996f2577d53589315e13b4c8e92bd3cc26918e7cf9994c2999168812148f6acc7ee1b0a8f0da1da6e5611d5

Download Submit
C:\Windows\System\NhSeUuA.exe

Filesize
3.2MB

MD5
3a699356086d4b620db21b4c3d8b6554

SHA1
ac98b5939f619d363ddb023358ef685315851587

SHA256
701da946ebe675ab5578c0fe82c79e07d5db7f50a6fcaae7824bdfedf7311b5d

SHA512
41415016b910bce33cc069dd48662b875cbcae8e6c1a32f918a9e209323f3ec8fc3210adbbe8cce04e9b602dc52d25a2538b38e877b32f6fc88bc3c416eb7a69

Download Submit
C:\Windows\System\PkASvpK.exe

Filesize
3.2MB

MD5
0fd6fbfee6295c0fa98b3fb3529a9537

SHA1
4dcb412b7c29627a5aa1d2827ba270e2c7fdf51e

SHA256
db3380ab6b35e2467f4830124f3b8fc8d2d88fe0868d67ab56a0aa1993b4b6c7

SHA512
90bd7e00e3fe4899d97adcf626d11b2d410059cbf11a9ccf1e3776a6451305244959517f2f7a274757dcd77cc39a77c79e336b9f2e100c94a938628f9d4bbee0

Download Submit
C:\Windows\System\SJnpkbi.exe

Filesize
3.2MB

MD5
40dff6ff75e425fceea7f4655e40a2f4

SHA1
2f3cfcf708bc75ff2a989e6036e44f681f485ca9

SHA256
87f1188ad639c49b6bccf2a4a4aa8638ad33db68928a10f42c6db735d976e086

SHA512
c00ad7cb799dc66fc599c332fba85a1b876fe98e43659cc0f29852859007d4b6aab1cff64530ccf8e00a8a177c91eb1ef79528882e5ff81906a3bb335c10fecd

Download Submit
C:\Windows\System\WSJlIlY.exe

Filesize
3.2MB

MD5
86a19e2caee21ec5509affdd74871940

SHA1
ddef8d8eb901acebf2b8de05a4b9b4c9ee481cfa

SHA256
6563f2fd1eb99f1149a1138b05eed71c3e5f110a8e2d5470761a44dfeca6a6ee

SHA512
99d5768c290ae9e228e37f7b49b40386fbc0ed9a8f600b4fa16cf89536a52c03f258be029630f745873f903c15ae2fe6960d7fce0991cda6127ced4ad91b9de8

Download Submit
C:\Windows\System\YcfFdZR.exe

Filesize
8B

MD5
0b02220145771e90ebe4310a5742c9eb

SHA1
9bd568d96b03bd5446f96a7b59c08196eb5a57c3

SHA256
6135f164d0697be47c97ab606a7a1adcbc1eb3846ae4debecafb1a6ccfd23e4e

SHA512
cb08dee7f4e4dd1bb8de836a2364c078d9de5aef5dcb329e7e0b8e1cc2bfaa06c42f8b8ddf04bdb30392074759beef091a761854b0812b9a726b3c820c99a5a8

Download Submit
C:\Windows\System\aIsHDpn.exe

Filesize
3.2MB

MD5
ab9531da645ebe240ec2dd6fa5c1215a

SHA1
951c2d01b50438b85faad86dcad641737a8e2b92

SHA256
77e7d0e77231d612b579d8a4dd9284df6ef1b063bbf5ef5ce167cdca98861654

SHA512
37dc73f5333a70ce3c17ebeea23eb54fc01140e5bcac784129164c77f715fcec0fe72082ac849995b5871221ab99a31c4485de123f3921d30b99138ea05a3b02

Download Submit
C:\Windows\System\bLRRsUH.exe

Filesize
3.2MB

MD5
3b9c1e1d69233bb6e3ed9fdaa87a6cee

SHA1
b4a8a01d7dfed924db249b8b07d337ee8233a4fd

SHA256
091a94a27fe60d74f45c94ea2b3a9b7a4d1263331348df80dce3eb9315c44f5b

SHA512
edd4dfbc1a866167daed15f9f9d9c058b8b79ba7248329e2cfe9bb38f0415e9a4e78168965fff2671a5a0175897aadc9c3bc464ddbfa57a867b31640c325b3da

Download Submit
C:\Windows\System\euSIddb.exe

Filesize
3.2MB

MD5
d14d574a52160df486a95b3bc2a10546

SHA1
05cdbe24e5d8085806ffd90813f0fa07f490b3bf

SHA256
9c34c81f11e59f06dbb416ef45c068350d4804627c30a8a6ac330107a40af41a

SHA512
12875310646e54267ae1d24113194f0683920f9538f932fffe99931320c29dddf7e4d9d1ab3a609953ab6fa3a0a45f04a3d92ec8353e5b927d4f283a3893939a

Download Submit
C:\Windows\System\gyqtHlN.exe

Filesize
3.2MB

MD5
03eafad77518417542ccb740ba098c2f

SHA1
2ab913aa6e6840b5113cd01a855d5d9899902395

SHA256
6fd0d8a8e1abc725422c628de7c3918226666f9fc4003f5acdff5aa03f42cead

SHA512
1ca0a26625dd35ee491923dc04f20054b6a67c75f5402d625c9f286423604d95c0536415f2a3d61137cab972c02376c21d4e158eccd3eb9f698d74679016427c

Download Submit
C:\Windows\System\iAfHoCw.exe

Filesize
3.2MB

MD5
a6bbf83995a47d103509046121804a24

SHA1
f904c3581d0bb896eb3ad66cd3bdc06e60e91cb1

SHA256
116ecdd643c61972a2f54699b5f5fae41bf34006de1fd5e0531d4281bd17274b

SHA512
405d03c72337a7047c0a3ac8e5b36a6859e15e564a814d06caf3b57060bc2d9833d8cec8b43a661ed5495290c2a865bc2183671561f213b14b92e675d892e002

Download Submit
C:\Windows\System\jhSHWRA.exe

Filesize
3.2MB

MD5
f0c7e84199b3d1dfcb92ec12d2d7cbb7

SHA1
3e2b2520417298e3a167376fe7a0324e009670ce

SHA256
18dc90b39e838bdd56cb4e7c597918e656ab4852162bd885ed916a5159a1bf0d

SHA512
1250ab737d1bb7200bb36859dc1f087a840886e67afff71e03c1ac04ca881297bb11393a9a61c72705677bb20faa296d0177dca524a5423195a4477fbebb7844

Download Submit
C:\Windows\System\jsnoHEc.exe

Filesize
3.2MB

MD5
d4cc29237a7fb7054122b87a6217e630

SHA1
ee58dca12b121a7c240cb272abdc3bdaea554f46

SHA256
2f0cfe3fdafc4b8e952063e4a2cf6e34b21835f52bb129bd481aea44783ff148

SHA512
2af3e7118383e8e729b34669f5950df8a488c14176e17d24541bc2bd08d02dfb0c4086b2d67adcf55b6b98fc06381c959d7254eefe4b18c15f2e4c740b5d87bf

Download Submit
C:\Windows\System\jzixers.exe

Filesize
3.2MB

MD5
df311a1d320f8b46a490e3d67328098a

SHA1
dd2e80a0ac68861444491a71b92cb3f20edb3732

SHA256
c43a913f4a2aad4a83a940429821f06cab4b405e0b83c538686218a690d15c0c

SHA512
53852b072135cf7d9004bb9e10f308c3f3c2fef0c2ac303673f3618b85377298df75bfb3c963bb43a0f6851dd3c22496ea8a5b3b0cf226dae2bbd271fdfaec39

Download Submit
C:\Windows\System\ksHypBB.exe

Filesize
3.2MB

MD5
931c616c2c71594a2719bbf87ea76164

SHA1
e1ceae9e8c7f38bc267b4cde13ff3c81c322bb00

SHA256
fe996858f978a6a1cfaa4886f06b436aaa8efd62c45895e92edc911c4be685aa

SHA512
37e124ee5b696f444c3df59de276a56d4a274ec3e999c0a8f9d5efda9a65aa3b2ef00eed590db9defed66e6b6db345504ac02b1e7ee7ff6c2cd3d1f8f4e7c08c

Download Submit
C:\Windows\System\lmlsShP.exe

Filesize
3.2MB

MD5
dcba8c61ede9f0261cc8e5f500691b3a

SHA1
fc52b8888ee2ab5699141ca1da24490d88ea16ba

SHA256
8988f9df74d9e2eedfa5555fcbc7a2bf5d99bb6893b143dccce57933e0492869

SHA512
72f5d81462419988b6f2212971c2c8674114b568d99b3d0b28edb4c178803deba78c08d3d59377dcef1d9e7fcf77bba3fbffba6fe45a73877deb760a505168e5

Download Submit
C:\Windows\System\nBxYOwN.exe

Filesize
3.2MB

MD5
a4819a8cec15d3ad73cf8d5deec95bf4

SHA1
7545fb755d0b2e2ffcbedfe94ed55cffb1e96930

SHA256
53613b1d7587f9cb22b7bf95f394d79823808486ab5bdb0fe062c27ad71df85f

SHA512
065080fc39d0082b8d8cfc64b0c5ebb3ca78ac6ba704bf6dbafaddcf78d9bdfe71ecc4fd06b1e3fb426bad7257867866657011df3f0e2934cb125e80c2323a33

Download Submit
C:\Windows\System\oGScFpS.exe

Filesize
3.2MB

MD5
54f6a57c50752106d85895bd3ba12ade

SHA1
fb00f04fc0c60842a1057b893b984054f8930e1f

SHA256
12262817089f45fad2a128244f8908e98984183ddea213b65b776f7304b59464

SHA512
c26a7276d8ab27802333b3cd80f61551c7d053e95efd1cbcb585393d9626b563d2100d931894c11b9f2c004e4cc6f11bf6a9753d92247fed3850454ddd260cc8

Download Submit
C:\Windows\System\pMMyNQX.exe

Filesize
3.2MB

MD5
0cb4ef72d2fc9e45a31f5da39a859a43

SHA1
0a08c8ef0c8c43cbf0cea6d44f0083b81dbce82e

SHA256
5690441d35356926fcb18b6ecbf09812def876179e187deca354ac59ec50efc8

SHA512
367838ce0122f307ed8227b1905e511a483878557aa775a3205ed0c74c762808dd262077dbbb288d246cb6ead6667c5d7ed1512e0c8fe5be66ef9bf809415207

Download Submit
C:\Windows\System\pPhqRax.exe

Filesize
3.2MB

MD5
83353ecebf1bc3236fbcdd66731972d5

SHA1
d6befce63d018e386c7ae1b8deb9550f3aefe82d

SHA256
27dd2eec61ed8729428dc2672c54b4dee46b3cd0ea684c5c2d59a8ba2d6a3650

SHA512
64eb2781fb54be78a544dbf2d8a6d2bcbcd66725dbd15d37bfd250b4fff73f4b6dcf3a35f7c10f4d72ece41426b0a77a0754f4ea6584895c82ebf1dc9c53cee2

Download Submit
C:\Windows\System\rpbevdq.exe

Filesize
3.2MB

MD5
d972a81751c58711c7d48de4b44ca7bf

SHA1
9f3653ef5280a0b13d831cd8a317f3416e84982b

SHA256
9002e624187d5fa1a789b24c67618afd460d0f224b87c7f28708b7c8cfa1bbb1

SHA512
30950ddf651cd7a30fe008ebd037217ad4bf0178d1612531687e293fcd191613b9628d6cbf9a0654992d530809fa9bda6bf503337cd1f68bb82b765af877af3f

Download Submit
C:\Windows\System\sMWyUaZ.exe

Filesize
3.2MB

MD5
9e6399a53d972d28c59e6ac7e8804189

SHA1
d186507ab775f7ec91d6cb67a31fae903e0961f8

SHA256
4cf397203e8d5917d81fbb36b4ada16a4e10691d4332f0fe229a1e4028ccafa4

SHA512
6e0f09f20dd592fdf50fba2394a945d24e962f4dc12f03580768a892a6df31e0b1ee1bd7614a5074a8ab7d5faa94ac9fb80b77328d43cea5f727bb851652322b

Download Submit
C:\Windows\System\seawaQf.exe

Filesize
3.2MB

MD5
a9d0ac7dddd028430974336e9e6ecc9f

SHA1
6693c28b108a27d08331e75a9b086097ce3f282b

SHA256
dfb436fe8b84dd725c7bfa549ec598680c2d30bb115f82cb9fef277271c2f443

SHA512
aadecbd31852f747380b73c0a538766eb14dbf04b1dd56b5d4b535d85e27b72439638e5150faa369f302bfdbc5984bce2e509b8a8fa8368565aa82fe69d86899

Download Submit
C:\Windows\System\vJwfiza.exe

Filesize
3.2MB

MD5
bd464e43e170dc227c16b03df5003185

SHA1
f1ff61f96f476c91c094b9084f00d000438c5e0e

SHA256
be67684d647a36e809c26968f0453fbe93232ae4b8b9c16c1e46dcba27e2802b

SHA512
7375a331a39ffda341f806fd162e87b648416858f42030b2ce630f75eb26b35342e54c4806d550040d17648723720eb1810e97cad97020cd2c3e270f75e2b54f

Download Submit
C:\Windows\System\wdoDnTV.exe

Filesize
3.2MB

MD5
be09821af4c7be651106e3738334c474

SHA1
55c22fc4b63a8ef29b96bc7f8a337fdc56c72c55

SHA256
7a417e3eda57cd5901c84aee6c3cf5bb7c37bc58346fc550c24b4edc25cef1a1

SHA512
24a0e058d120703fce06235f2c3b0aa158fca526e57d6e1308e239f23520aac7f8872f0513f3509dd62e19903af0464ac955dd9e6bc701d2675e270ca3ab7a2b

Download Submit
memory/556-1994-0x00007FF728D10000-0x00007FF729106000-memory.dmp

Filesize
4.0MB

Download
memory/556-865-0x00007FF728D10000-0x00007FF729106000-memory.dmp

Filesize
4.0MB

Download
memory/792-1988-0x00007FF6B2310000-0x00007FF6B2706000-memory.dmp

Filesize
4.0MB

Download
memory/792-1969-0x00007FF6B2310000-0x00007FF6B2706000-memory.dmp

Filesize
4.0MB

Download
memory/792-37-0x00007FF6B2310000-0x00007FF6B2706000-memory.dmp

Filesize
4.0MB

Download
memory/820-0-0x00007FF6B4D90000-0x00007FF6B5186000-memory.dmp

Filesize
4.0MB

Download
memory/820-1-0x000002097B8A0000-0x000002097B8B0000-memory.dmp

Filesize
64KB

Download
memory/1032-1992-0x00007FF730C40000-0x00007FF731036000-memory.dmp

Filesize
4.0MB

Download
memory/1032-878-0x00007FF730C40000-0x00007FF731036000-memory.dmp

Filesize
4.0MB

Download
memory/1184-930-0x00007FF714D00000-0x00007FF7150F6000-memory.dmp

Filesize
4.0MB

Download
memory/1184-2004-0x00007FF714D00000-0x00007FF7150F6000-memory.dmp

Filesize
4.0MB

Download
memory/1196-870-0x00007FF707B60000-0x00007FF707F56000-memory.dmp

Filesize
4.0MB

Download
memory/1196-1990-0x00007FF707B60000-0x00007FF707F56000-memory.dmp

Filesize
4.0MB

Download
memory/1252-2006-0x00007FF6695C0000-0x00007FF6699B6000-memory.dmp

Filesize
4.0MB

Download
memory/1252-933-0x00007FF6695C0000-0x00007FF6699B6000-memory.dmp

Filesize
4.0MB

Download
memory/1332-1032-0x00007FF6CCA60000-0x00007FF6CCE56000-memory.dmp

Filesize
4.0MB

Download
memory/1332-1991-0x00007FF6CCA60000-0x00007FF6CCE56000-memory.dmp

Filesize
4.0MB

Download
memory/2012-1989-0x00007FF698350000-0x00007FF698746000-memory.dmp

Filesize
4.0MB

Download
memory/2012-857-0x00007FF698350000-0x00007FF698746000-memory.dmp

Filesize
4.0MB

Download
memory/2104-1987-0x00007FF7281A0000-0x00007FF728596000-memory.dmp

Filesize
4.0MB

Download
memory/2104-849-0x00007FF7281A0000-0x00007FF728596000-memory.dmp

Filesize
4.0MB

Download
memory/2364-1986-0x00007FF6AA890000-0x00007FF6AAC86000-memory.dmp

Filesize
4.0MB

Download
memory/2364-38-0x00007FF6AA890000-0x00007FF6AAC86000-memory.dmp

Filesize
4.0MB

Download
memory/2364-1971-0x00007FF6AA890000-0x00007FF6AAC86000-memory.dmp

Filesize
4.0MB

Download
memory/2448-1993-0x00007FF754F60000-0x00007FF755356000-memory.dmp

Filesize
4.0MB

Download
memory/2448-858-0x00007FF754F60000-0x00007FF755356000-memory.dmp

Filesize
4.0MB

Download
memory/2572-12-0x00007FF672620000-0x00007FF672A16000-memory.dmp

Filesize
4.0MB

Download
memory/2572-1983-0x00007FF672620000-0x00007FF672A16000-memory.dmp

Filesize
4.0MB

Download
memory/2604-1972-0x00007FFB16100000-0x00007FFB16BC1000-memory.dmp

Filesize
10.8MB

Download
memory/2604-7-0x00007FFB16103000-0x00007FFB16105000-memory.dmp

Filesize
8KB

Download
memory/2604-841-0x00007FFB16100000-0x00007FFB16BC1000-memory.dmp

Filesize
10.8MB

Download
memory/2604-61-0x00007FFB16100000-0x00007FFB16BC1000-memory.dmp

Filesize
10.8MB

Download
memory/2604-60-0x000001F44A600000-0x000001F44A622000-memory.dmp

Filesize
136KB

Download
memory/2604-387-0x000001F44B240000-0x000001F44B9E6000-memory.dmp

Filesize
7.6MB

Download
memory/2604-1970-0x00007FFB16103000-0x00007FFB16105000-memory.dmp

Filesize
8KB

Download
memory/2604-1982-0x00007FFB16100000-0x00007FFB16BC1000-memory.dmp

Filesize
10.8MB

Download
memory/2604-1973-0x00007FFB16100000-0x00007FFB16BC1000-memory.dmp

Filesize
10.8MB

Download
memory/2956-919-0x00007FF7C86C0000-0x00007FF7C8AB6000-memory.dmp

Filesize
4.0MB

Download
memory/2956-2002-0x00007FF7C86C0000-0x00007FF7C8AB6000-memory.dmp

Filesize
4.0MB

Download
memory/2960-899-0x00007FF7B2F70000-0x00007FF7B3366000-memory.dmp

Filesize
4.0MB

Download
memory/2960-2001-0x00007FF7B2F70000-0x00007FF7B3366000-memory.dmp

Filesize
4.0MB

Download
memory/3752-1999-0x00007FF6FEB80000-0x00007FF6FEF76000-memory.dmp

Filesize
4.0MB

Download
memory/3752-1030-0x00007FF6FEB80000-0x00007FF6FEF76000-memory.dmp

Filesize
4.0MB

Download
memory/4024-910-0x00007FF75CA70000-0x00007FF75CE66000-memory.dmp

Filesize
4.0MB

Download
memory/4024-1997-0x00007FF75CA70000-0x00007FF75CE66000-memory.dmp

Filesize
4.0MB

Download
memory/4392-17-0x00007FF71BA20000-0x00007FF71BE16000-memory.dmp

Filesize
4.0MB

Download
memory/4392-1967-0x00007FF71BA20000-0x00007FF71BE16000-memory.dmp

Filesize
4.0MB

Download
memory/4392-1984-0x00007FF71BA20000-0x00007FF71BE16000-memory.dmp

Filesize
4.0MB

Download
memory/4464-920-0x00007FF66A430000-0x00007FF66A826000-memory.dmp

Filesize
4.0MB

Download
memory/4464-2003-0x00007FF66A430000-0x00007FF66A826000-memory.dmp

Filesize
4.0MB

Download
memory/4476-1968-0x00007FF601580000-0x00007FF601976000-memory.dmp

Filesize
4.0MB

Download
memory/4476-30-0x00007FF601580000-0x00007FF601976000-memory.dmp

Filesize
4.0MB

Download
memory/4476-1985-0x00007FF601580000-0x00007FF601976000-memory.dmp

Filesize
4.0MB

Download
memory/4528-1995-0x00007FF67B260000-0x00007FF67B656000-memory.dmp

Filesize
4.0MB

Download
memory/4528-892-0x00007FF67B260000-0x00007FF67B656000-memory.dmp

Filesize
4.0MB

Download
memory/4536-1998-0x00007FF7F24D0000-0x00007FF7F28C6000-memory.dmp

Filesize
4.0MB

Download
memory/4536-905-0x00007FF7F24D0000-0x00007FF7F28C6000-memory.dmp

Filesize
4.0MB

Download
memory/4588-915-0x00007FF6804D0000-0x00007FF6808C6000-memory.dmp

Filesize
4.0MB

Download
memory/4588-1996-0x00007FF6804D0000-0x00007FF6808C6000-memory.dmp

Filesize
4.0MB

Download
memory/4776-928-0x00007FF7BDAE0000-0x00007FF7BDED6000-memory.dmp

Filesize
4.0MB

Download
memory/4776-2005-0x00007FF7BDAE0000-0x00007FF7BDED6000-memory.dmp

Filesize
4.0MB

Download
memory/4820-2000-0x00007FF7B0C10000-0x00007FF7B1006000-memory.dmp

Filesize
4.0MB

Download
memory/4820-884-0x00007FF7B0C10000-0x00007FF7B1006000-memory.dmp

Filesize
4.0MB

Download