xmrig | b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e

Analysis

max time kernel
149s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
Size

2.7MB
MD5

232f43164434a5fa1940be38f48b2869
SHA1

5b04a4e4efc2b7162c7ab809acfa2e2290189576
SHA256

b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e
SHA512

0c195961d34ee239bce9094ad7504c84dcfcc10e31dfc20751afd3d40a1f652e925d6ce077a6ed1a02b695e42c90317f24db06aaa335f73813a220b86648d792
SSDEEP

49152:S1G1NtyBwTI3ySZbrkXV1etEKLlWUTOfeiRA2R76zHrWax9hMki8Cnki2WGcr:S1ONtyBeSFkXV1etEKLlWUTOfeiRA2RZ

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects executables containing URLs to raw contents of a Github gist 64 IoCs

resource	yara_rule
behavioral2/memory/2260-0-0x00007FF68E8E0000-0x00007FF68ECD6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023432-6.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023434-21.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023433-20.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023435-28.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002343c-66.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002343b-77.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023440-79.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023441-126.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1660-132-0x00007FF692360000-0x00007FF692756000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3736-137-0x00007FF7A8C20000-0x00007FF7A9016000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1272-142-0x00007FF72ACE0000-0x00007FF72B0D6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1068-144-0x00007FF65E4F0000-0x00007FF65E8E6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3160-148-0x00007FF649500000-0x00007FF6498F6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2724-147-0x00007FF659480000-0x00007FF659876000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/5016-146-0x00007FF656ED0000-0x00007FF6572C6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/612-145-0x00007FF7B2C00000-0x00007FF7B2FF6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4120-143-0x00007FF7FEE70000-0x00007FF7FF266000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2688-141-0x00007FF7E9350000-0x00007FF7E9746000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3040-140-0x00007FF7D3FB0000-0x00007FF7D43A6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2412-139-0x00007FF65C140000-0x00007FF65C536000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4240-138-0x00007FF7C6870000-0x00007FF7C6C66000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1704-136-0x00007FF688240000-0x00007FF688636000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2836-135-0x00007FF6CFA00000-0x00007FF6CFDF6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3508-134-0x00007FF6F8AD0000-0x00007FF6F8EC6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4040-133-0x00007FF77FA00000-0x00007FF77FDF6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4012-131-0x00007FF7F51A0000-0x00007FF7F5596000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3568-130-0x00007FF77FA30000-0x00007FF77FE26000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/952-129-0x00007FF749DE0000-0x00007FF74A1D6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1560-128-0x00007FF7A8DB0000-0x00007FF7A91A6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023448-123.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002343d-121.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/944-120-0x00007FF6BF4C0000-0x00007FF6BF8B6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023447-119.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023446-118.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023445-117.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023444-116.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023443-98.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023442-94.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023438-91.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002343e-89.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023437-83.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002343f-72.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002343a-85.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023439-61.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023436-53.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2460-33-0x00007FF652880000-0x00007FF652C76000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023431-18.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4988-24-0x00007FF65B950000-0x00007FF65BD46000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000900000002342a-14.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000800000002342e-172.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002344b-159.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002344d-186.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023450-198.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002344f-197.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002344e-199.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002344c-185.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0008000000023449-184.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3736-2030-0x00007FF7A8C20000-0x00007FF7A9016000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2412-2031-0x00007FF65C140000-0x00007FF65C536000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2688-2033-0x00007FF7E9350000-0x00007FF7E9746000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3040-2032-0x00007FF7D3FB0000-0x00007FF7D43A6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1272-2034-0x00007FF72ACE0000-0x00007FF72B0D6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4120-2035-0x00007FF7FEE70000-0x00007FF7FF266000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/2260-0-0x00007FF68E8E0000-0x00007FF68ECD6000-memory.dmp	UPX
behavioral2/files/0x0007000000023432-6.dat	UPX
behavioral2/files/0x0007000000023434-21.dat	UPX
behavioral2/files/0x0007000000023433-20.dat	UPX
behavioral2/files/0x0007000000023435-28.dat	UPX
behavioral2/files/0x000700000002343c-66.dat	UPX
behavioral2/files/0x000700000002343b-77.dat	UPX
behavioral2/files/0x0007000000023440-79.dat	UPX
behavioral2/files/0x0007000000023441-126.dat	UPX
behavioral2/memory/1660-132-0x00007FF692360000-0x00007FF692756000-memory.dmp	UPX
behavioral2/memory/3736-137-0x00007FF7A8C20000-0x00007FF7A9016000-memory.dmp	UPX
behavioral2/memory/1272-142-0x00007FF72ACE0000-0x00007FF72B0D6000-memory.dmp	UPX
behavioral2/memory/1068-144-0x00007FF65E4F0000-0x00007FF65E8E6000-memory.dmp	UPX
behavioral2/memory/3160-148-0x00007FF649500000-0x00007FF6498F6000-memory.dmp	UPX
behavioral2/memory/2724-147-0x00007FF659480000-0x00007FF659876000-memory.dmp	UPX
behavioral2/memory/5016-146-0x00007FF656ED0000-0x00007FF6572C6000-memory.dmp	UPX
behavioral2/memory/612-145-0x00007FF7B2C00000-0x00007FF7B2FF6000-memory.dmp	UPX
behavioral2/memory/4120-143-0x00007FF7FEE70000-0x00007FF7FF266000-memory.dmp	UPX
behavioral2/memory/2688-141-0x00007FF7E9350000-0x00007FF7E9746000-memory.dmp	UPX
behavioral2/memory/3040-140-0x00007FF7D3FB0000-0x00007FF7D43A6000-memory.dmp	UPX
behavioral2/memory/2412-139-0x00007FF65C140000-0x00007FF65C536000-memory.dmp	UPX
behavioral2/memory/4240-138-0x00007FF7C6870000-0x00007FF7C6C66000-memory.dmp	UPX
behavioral2/memory/1704-136-0x00007FF688240000-0x00007FF688636000-memory.dmp	UPX
behavioral2/memory/2836-135-0x00007FF6CFA00000-0x00007FF6CFDF6000-memory.dmp	UPX
behavioral2/memory/3508-134-0x00007FF6F8AD0000-0x00007FF6F8EC6000-memory.dmp	UPX
behavioral2/memory/4040-133-0x00007FF77FA00000-0x00007FF77FDF6000-memory.dmp	UPX
behavioral2/memory/4012-131-0x00007FF7F51A0000-0x00007FF7F5596000-memory.dmp	UPX
behavioral2/memory/3568-130-0x00007FF77FA30000-0x00007FF77FE26000-memory.dmp	UPX
behavioral2/memory/952-129-0x00007FF749DE0000-0x00007FF74A1D6000-memory.dmp	UPX
behavioral2/memory/1560-128-0x00007FF7A8DB0000-0x00007FF7A91A6000-memory.dmp	UPX
behavioral2/files/0x0007000000023448-123.dat	UPX
behavioral2/files/0x000700000002343d-121.dat	UPX
behavioral2/memory/944-120-0x00007FF6BF4C0000-0x00007FF6BF8B6000-memory.dmp	UPX
behavioral2/files/0x0007000000023447-119.dat	UPX
behavioral2/files/0x0007000000023446-118.dat	UPX
behavioral2/files/0x0007000000023445-117.dat	UPX
behavioral2/files/0x0007000000023444-116.dat	UPX
behavioral2/files/0x0007000000023443-98.dat	UPX
behavioral2/files/0x0007000000023442-94.dat	UPX
behavioral2/files/0x0007000000023438-91.dat	UPX
behavioral2/files/0x000700000002343e-89.dat	UPX
behavioral2/files/0x0007000000023437-83.dat	UPX
behavioral2/files/0x000700000002343f-72.dat	UPX
behavioral2/files/0x000700000002343a-85.dat	UPX
behavioral2/files/0x0007000000023439-61.dat	UPX
behavioral2/files/0x0007000000023436-53.dat	UPX
behavioral2/memory/2460-33-0x00007FF652880000-0x00007FF652C76000-memory.dmp	UPX
behavioral2/files/0x0007000000023431-18.dat	UPX
behavioral2/memory/4988-24-0x00007FF65B950000-0x00007FF65BD46000-memory.dmp	UPX
behavioral2/files/0x000900000002342a-14.dat	UPX
behavioral2/files/0x000800000002342e-172.dat	UPX
behavioral2/files/0x000700000002344b-159.dat	UPX
behavioral2/files/0x000700000002344d-186.dat	UPX
behavioral2/files/0x0007000000023450-198.dat	UPX
behavioral2/files/0x000700000002344f-197.dat	UPX
behavioral2/files/0x000700000002344e-199.dat	UPX
behavioral2/files/0x000700000002344c-185.dat	UPX
behavioral2/files/0x0008000000023449-184.dat	UPX
behavioral2/memory/3736-2030-0x00007FF7A8C20000-0x00007FF7A9016000-memory.dmp	UPX
behavioral2/memory/2412-2031-0x00007FF65C140000-0x00007FF65C536000-memory.dmp	UPX
behavioral2/memory/2688-2033-0x00007FF7E9350000-0x00007FF7E9746000-memory.dmp	UPX
behavioral2/memory/3040-2032-0x00007FF7D3FB0000-0x00007FF7D43A6000-memory.dmp	UPX
behavioral2/memory/1272-2034-0x00007FF72ACE0000-0x00007FF72B0D6000-memory.dmp	UPX
behavioral2/memory/4120-2035-0x00007FF7FEE70000-0x00007FF7FF266000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2260-0-0x00007FF68E8E0000-0x00007FF68ECD6000-memory.dmp	xmrig
behavioral2/files/0x0007000000023432-6.dat	xmrig
behavioral2/files/0x0007000000023434-21.dat	xmrig
behavioral2/files/0x0007000000023433-20.dat	xmrig
behavioral2/files/0x0007000000023435-28.dat	xmrig
behavioral2/files/0x000700000002343c-66.dat	xmrig
behavioral2/files/0x000700000002343b-77.dat	xmrig
behavioral2/files/0x0007000000023440-79.dat	xmrig
behavioral2/files/0x0007000000023441-126.dat	xmrig
behavioral2/memory/1660-132-0x00007FF692360000-0x00007FF692756000-memory.dmp	xmrig
behavioral2/memory/3736-137-0x00007FF7A8C20000-0x00007FF7A9016000-memory.dmp	xmrig
behavioral2/memory/1272-142-0x00007FF72ACE0000-0x00007FF72B0D6000-memory.dmp	xmrig
behavioral2/memory/1068-144-0x00007FF65E4F0000-0x00007FF65E8E6000-memory.dmp	xmrig
behavioral2/memory/3160-148-0x00007FF649500000-0x00007FF6498F6000-memory.dmp	xmrig
behavioral2/memory/2724-147-0x00007FF659480000-0x00007FF659876000-memory.dmp	xmrig
behavioral2/memory/5016-146-0x00007FF656ED0000-0x00007FF6572C6000-memory.dmp	xmrig
behavioral2/memory/612-145-0x00007FF7B2C00000-0x00007FF7B2FF6000-memory.dmp	xmrig
behavioral2/memory/4120-143-0x00007FF7FEE70000-0x00007FF7FF266000-memory.dmp	xmrig
behavioral2/memory/2688-141-0x00007FF7E9350000-0x00007FF7E9746000-memory.dmp	xmrig
behavioral2/memory/3040-140-0x00007FF7D3FB0000-0x00007FF7D43A6000-memory.dmp	xmrig
behavioral2/memory/2412-139-0x00007FF65C140000-0x00007FF65C536000-memory.dmp	xmrig
behavioral2/memory/4240-138-0x00007FF7C6870000-0x00007FF7C6C66000-memory.dmp	xmrig
behavioral2/memory/1704-136-0x00007FF688240000-0x00007FF688636000-memory.dmp	xmrig
behavioral2/memory/2836-135-0x00007FF6CFA00000-0x00007FF6CFDF6000-memory.dmp	xmrig
behavioral2/memory/3508-134-0x00007FF6F8AD0000-0x00007FF6F8EC6000-memory.dmp	xmrig
behavioral2/memory/4040-133-0x00007FF77FA00000-0x00007FF77FDF6000-memory.dmp	xmrig
behavioral2/memory/4012-131-0x00007FF7F51A0000-0x00007FF7F5596000-memory.dmp	xmrig
behavioral2/memory/3568-130-0x00007FF77FA30000-0x00007FF77FE26000-memory.dmp	xmrig
behavioral2/memory/952-129-0x00007FF749DE0000-0x00007FF74A1D6000-memory.dmp	xmrig
behavioral2/memory/1560-128-0x00007FF7A8DB0000-0x00007FF7A91A6000-memory.dmp	xmrig
behavioral2/files/0x0007000000023448-123.dat	xmrig
behavioral2/files/0x000700000002343d-121.dat	xmrig
behavioral2/memory/944-120-0x00007FF6BF4C0000-0x00007FF6BF8B6000-memory.dmp	xmrig
behavioral2/files/0x0007000000023447-119.dat	xmrig
behavioral2/files/0x0007000000023446-118.dat	xmrig
behavioral2/files/0x0007000000023445-117.dat	xmrig
behavioral2/files/0x0007000000023444-116.dat	xmrig
behavioral2/files/0x0007000000023443-98.dat	xmrig
behavioral2/files/0x0007000000023442-94.dat	xmrig
behavioral2/files/0x0007000000023438-91.dat	xmrig
behavioral2/files/0x000700000002343e-89.dat	xmrig
behavioral2/files/0x0007000000023437-83.dat	xmrig
behavioral2/files/0x000700000002343f-72.dat	xmrig
behavioral2/files/0x000700000002343a-85.dat	xmrig
behavioral2/files/0x0007000000023439-61.dat	xmrig
behavioral2/files/0x0007000000023436-53.dat	xmrig
behavioral2/memory/2460-33-0x00007FF652880000-0x00007FF652C76000-memory.dmp	xmrig
behavioral2/files/0x0007000000023431-18.dat	xmrig
behavioral2/memory/4988-24-0x00007FF65B950000-0x00007FF65BD46000-memory.dmp	xmrig
behavioral2/files/0x000900000002342a-14.dat	xmrig
behavioral2/files/0x000800000002342e-172.dat	xmrig
behavioral2/files/0x000700000002344b-159.dat	xmrig
behavioral2/files/0x000700000002344d-186.dat	xmrig
behavioral2/files/0x0007000000023450-198.dat	xmrig
behavioral2/files/0x000700000002344f-197.dat	xmrig
behavioral2/files/0x000700000002344e-199.dat	xmrig
behavioral2/files/0x000700000002344c-185.dat	xmrig
behavioral2/files/0x0008000000023449-184.dat	xmrig
behavioral2/memory/3736-2030-0x00007FF7A8C20000-0x00007FF7A9016000-memory.dmp	xmrig
behavioral2/memory/2412-2031-0x00007FF65C140000-0x00007FF65C536000-memory.dmp	xmrig
behavioral2/memory/2688-2033-0x00007FF7E9350000-0x00007FF7E9746000-memory.dmp	xmrig
behavioral2/memory/3040-2032-0x00007FF7D3FB0000-0x00007FF7D43A6000-memory.dmp	xmrig
behavioral2/memory/1272-2034-0x00007FF72ACE0000-0x00007FF72B0D6000-memory.dmp	xmrig
behavioral2/memory/4120-2035-0x00007FF7FEE70000-0x00007FF7FF266000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
13	5056	powershell.exe
17	5056	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
5056	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
4988	TFWZjLo.exe
2460	DtDMJfz.exe
612	InjUNDb.exe
944	mdSWjTY.exe
1560	JbFywaV.exe
5016	WzaPzvg.exe
952	MvrkEKh.exe
2724	RCNOyBQ.exe
3568	RXEsWeK.exe
4012	mJtuFLh.exe
1660	ZCpYoXf.exe
4040	ncOkaIo.exe
3508	ZMsLvpm.exe
2836	ZEsSeRE.exe
1704	KNCltXq.exe
3736	erjpoNX.exe
4240	LruzLFl.exe
3160	IdYjzhN.exe
2412	nfCCsos.exe
3040	rCOgwRL.exe
2688	PfAMFYB.exe
1272	rulSwbs.exe
4120	nKLjBvu.exe
1068	zrGREur.exe
3776	aPfhqhW.exe
2432	AobJQry.exe
3136	KhDDFKO.exe
3560	yGXcnut.exe
5048	QYGtNCv.exe
1804	hLlLePt.exe
3308	jconFLU.exe
548	QxyTXsa.exe
228	suLbZFJ.exe
4056	nzbjJsE.exe
4284	TLQYSZh.exe
4780	CHkvhjo.exe
3120	LDVtOMO.exe
2464	RNlvClG.exe
2080	kSfSwgU.exe
4328	YKOYcsk.exe
1224	EndpCUd.exe
3764	VtWaeTW.exe
2452	SqzxaAs.exe
1948	GbKPwJN.exe
2004	DWbEAFG.exe
1888	LoJmkEv.exe
4100	GivICiQ.exe
4464	bhzfjEp.exe
4084	xPrIelf.exe
4476	FSClUqm.exe
2320	DmSCSPS.exe
4676	ZkyETIC.exe
1876	RWJOSYg.exe
4628	DQocoHA.exe
2348	UPAyGGX.exe
2996	KdRRmiO.exe
3580	doWZAZt.exe
3940	Asievdw.exe
3980	JwFRlju.exe
1864	FKaqpjq.exe
3196	LrKAWze.exe
2316	QYwkeaT.exe
3632	dFGYTME.exe
1332	NTeVOcP.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2260-0-0x00007FF68E8E0000-0x00007FF68ECD6000-memory.dmp	upx
behavioral2/files/0x0007000000023432-6.dat	upx
behavioral2/files/0x0007000000023434-21.dat	upx
behavioral2/files/0x0007000000023433-20.dat	upx
behavioral2/files/0x0007000000023435-28.dat	upx
behavioral2/files/0x000700000002343c-66.dat	upx
behavioral2/files/0x000700000002343b-77.dat	upx
behavioral2/files/0x0007000000023440-79.dat	upx
behavioral2/files/0x0007000000023441-126.dat	upx
behavioral2/memory/1660-132-0x00007FF692360000-0x00007FF692756000-memory.dmp	upx
behavioral2/memory/3736-137-0x00007FF7A8C20000-0x00007FF7A9016000-memory.dmp	upx
behavioral2/memory/1272-142-0x00007FF72ACE0000-0x00007FF72B0D6000-memory.dmp	upx
behavioral2/memory/1068-144-0x00007FF65E4F0000-0x00007FF65E8E6000-memory.dmp	upx
behavioral2/memory/3160-148-0x00007FF649500000-0x00007FF6498F6000-memory.dmp	upx
behavioral2/memory/2724-147-0x00007FF659480000-0x00007FF659876000-memory.dmp	upx
behavioral2/memory/5016-146-0x00007FF656ED0000-0x00007FF6572C6000-memory.dmp	upx
behavioral2/memory/612-145-0x00007FF7B2C00000-0x00007FF7B2FF6000-memory.dmp	upx
behavioral2/memory/4120-143-0x00007FF7FEE70000-0x00007FF7FF266000-memory.dmp	upx
behavioral2/memory/2688-141-0x00007FF7E9350000-0x00007FF7E9746000-memory.dmp	upx
behavioral2/memory/3040-140-0x00007FF7D3FB0000-0x00007FF7D43A6000-memory.dmp	upx
behavioral2/memory/2412-139-0x00007FF65C140000-0x00007FF65C536000-memory.dmp	upx
behavioral2/memory/4240-138-0x00007FF7C6870000-0x00007FF7C6C66000-memory.dmp	upx
behavioral2/memory/1704-136-0x00007FF688240000-0x00007FF688636000-memory.dmp	upx
behavioral2/memory/2836-135-0x00007FF6CFA00000-0x00007FF6CFDF6000-memory.dmp	upx
behavioral2/memory/3508-134-0x00007FF6F8AD0000-0x00007FF6F8EC6000-memory.dmp	upx
behavioral2/memory/4040-133-0x00007FF77FA00000-0x00007FF77FDF6000-memory.dmp	upx
behavioral2/memory/4012-131-0x00007FF7F51A0000-0x00007FF7F5596000-memory.dmp	upx
behavioral2/memory/3568-130-0x00007FF77FA30000-0x00007FF77FE26000-memory.dmp	upx
behavioral2/memory/952-129-0x00007FF749DE0000-0x00007FF74A1D6000-memory.dmp	upx
behavioral2/memory/1560-128-0x00007FF7A8DB0000-0x00007FF7A91A6000-memory.dmp	upx
behavioral2/files/0x0007000000023448-123.dat	upx
behavioral2/files/0x000700000002343d-121.dat	upx
behavioral2/memory/944-120-0x00007FF6BF4C0000-0x00007FF6BF8B6000-memory.dmp	upx
behavioral2/files/0x0007000000023447-119.dat	upx
behavioral2/files/0x0007000000023446-118.dat	upx
behavioral2/files/0x0007000000023445-117.dat	upx
behavioral2/files/0x0007000000023444-116.dat	upx
behavioral2/files/0x0007000000023443-98.dat	upx
behavioral2/files/0x0007000000023442-94.dat	upx
behavioral2/files/0x0007000000023438-91.dat	upx
behavioral2/files/0x000700000002343e-89.dat	upx
behavioral2/files/0x0007000000023437-83.dat	upx
behavioral2/files/0x000700000002343f-72.dat	upx
behavioral2/files/0x000700000002343a-85.dat	upx
behavioral2/files/0x0007000000023439-61.dat	upx
behavioral2/files/0x0007000000023436-53.dat	upx
behavioral2/memory/2460-33-0x00007FF652880000-0x00007FF652C76000-memory.dmp	upx
behavioral2/files/0x0007000000023431-18.dat	upx
behavioral2/memory/4988-24-0x00007FF65B950000-0x00007FF65BD46000-memory.dmp	upx
behavioral2/files/0x000900000002342a-14.dat	upx
behavioral2/files/0x000800000002342e-172.dat	upx
behavioral2/files/0x000700000002344b-159.dat	upx
behavioral2/files/0x000700000002344d-186.dat	upx
behavioral2/files/0x0007000000023450-198.dat	upx
behavioral2/files/0x000700000002344f-197.dat	upx
behavioral2/files/0x000700000002344e-199.dat	upx
behavioral2/files/0x000700000002344c-185.dat	upx
behavioral2/files/0x0008000000023449-184.dat	upx
behavioral2/memory/3736-2030-0x00007FF7A8C20000-0x00007FF7A9016000-memory.dmp	upx
behavioral2/memory/2412-2031-0x00007FF65C140000-0x00007FF65C536000-memory.dmp	upx
behavioral2/memory/2688-2033-0x00007FF7E9350000-0x00007FF7E9746000-memory.dmp	upx
behavioral2/memory/3040-2032-0x00007FF7D3FB0000-0x00007FF7D43A6000-memory.dmp	upx
behavioral2/memory/1272-2034-0x00007FF72ACE0000-0x00007FF72B0D6000-memory.dmp	upx
behavioral2/memory/4120-2035-0x00007FF7FEE70000-0x00007FF7FF266000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
13	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\aGobznq.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\WOVjapS.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\qdOBxdb.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\BvqpkzC.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\qRUXvGL.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\KmfTeLd.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\WRNEXKV.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\DKdNwQI.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\RThNVjL.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\jbgMSoT.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\NNIUqUk.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\XKsluUM.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\DKkbrJF.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\MkuWibx.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\taHVEmi.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\iMJOFMi.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\Kmylvcd.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\iNDCNfZ.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\zrGREur.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\jUfAlvl.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\kkJBhlW.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\pGWqbrD.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\qoiOpIr.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\yeWWHcc.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\OaOCGos.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\DqKKBwi.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\WpesOpm.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\FbLsYVz.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\jImhPri.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\OhrMUjn.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\HtFuZgV.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\YhjLORs.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\cufbZOT.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\NfePlrG.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\rUvLnGO.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\ggvSIQG.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\sCKwlzM.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\PVyUOof.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\okmwNjW.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\KpFWHDm.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\CyOMHhQ.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\VtWaeTW.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\ditIxQd.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\nnCakeJ.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\XMzVtSO.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\ewIKdRA.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\kohMEbz.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\GqLVvKY.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\aiLAvRx.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\FSClUqm.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\GPeFbBO.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\jCgxqni.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\gzuDAoZ.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\DJgMNkL.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\crcsjRo.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\ZHgGKFl.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\BIlyUhX.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\QubWCmh.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\GleNtts.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\uhrvLLM.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\RdpUlpq.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\PXPaebw.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\OsbUadU.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
File created	C:\Windows\System\xIhdHMI.exe	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
5056	powershell.exe
5056	powershell.exe
5056	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeLockMemoryPrivilege	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
Token: SeLockMemoryPrivilege	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
Token: SeCreateGlobalPrivilege	12832	dwm.exe
Token: SeChangeNotifyPrivilege	12832	dwm.exe
Token: 33	12832	dwm.exe
Token: SeIncBasePriorityPrivilege	12832	dwm.exe
Token: SeShutdownPrivilege	12832	dwm.exe
Token: SeCreatePagefilePrivilege	12832	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 5056	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	82
PID 2260 wrote to memory of 5056	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	82
PID 2260 wrote to memory of 4988	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	83
PID 2260 wrote to memory of 4988	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	83
PID 2260 wrote to memory of 2460	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	84
PID 2260 wrote to memory of 2460	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	84
PID 2260 wrote to memory of 612	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	85
PID 2260 wrote to memory of 612	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	85
PID 2260 wrote to memory of 944	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	86
PID 2260 wrote to memory of 944	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	86
PID 2260 wrote to memory of 1560	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	87
PID 2260 wrote to memory of 1560	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	87
PID 2260 wrote to memory of 5016	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	88
PID 2260 wrote to memory of 5016	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	88
PID 2260 wrote to memory of 952	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	89
PID 2260 wrote to memory of 952	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	89
PID 2260 wrote to memory of 2724	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	90
PID 2260 wrote to memory of 2724	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	90
PID 2260 wrote to memory of 1660	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	91
PID 2260 wrote to memory of 1660	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	91
PID 2260 wrote to memory of 3568	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	92
PID 2260 wrote to memory of 3568	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	92
PID 2260 wrote to memory of 4012	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	93
PID 2260 wrote to memory of 4012	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	93
PID 2260 wrote to memory of 4040	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	94
PID 2260 wrote to memory of 4040	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	94
PID 2260 wrote to memory of 3508	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	95
PID 2260 wrote to memory of 3508	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	95
PID 2260 wrote to memory of 2836	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	96
PID 2260 wrote to memory of 2836	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	96
PID 2260 wrote to memory of 1704	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	97
PID 2260 wrote to memory of 1704	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	97
PID 2260 wrote to memory of 3736	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	98
PID 2260 wrote to memory of 3736	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	98
PID 2260 wrote to memory of 4240	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	99
PID 2260 wrote to memory of 4240	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	99
PID 2260 wrote to memory of 3160	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	100
PID 2260 wrote to memory of 3160	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	100
PID 2260 wrote to memory of 2412	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	101
PID 2260 wrote to memory of 2412	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	101
PID 2260 wrote to memory of 3040	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	102
PID 2260 wrote to memory of 3040	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	102
PID 2260 wrote to memory of 2688	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	103
PID 2260 wrote to memory of 2688	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	103
PID 2260 wrote to memory of 1272	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	104
PID 2260 wrote to memory of 1272	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	104
PID 2260 wrote to memory of 4120	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	105
PID 2260 wrote to memory of 4120	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	105
PID 2260 wrote to memory of 1068	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	106
PID 2260 wrote to memory of 1068	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	106
PID 2260 wrote to memory of 3776	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	107
PID 2260 wrote to memory of 3776	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	107
PID 2260 wrote to memory of 2432	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	108
PID 2260 wrote to memory of 2432	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	108
PID 2260 wrote to memory of 3136	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	109
PID 2260 wrote to memory of 3136	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	109
PID 2260 wrote to memory of 3560	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	110
PID 2260 wrote to memory of 3560	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	110
PID 2260 wrote to memory of 5048	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	111
PID 2260 wrote to memory of 5048	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	111
PID 2260 wrote to memory of 1804	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	112
PID 2260 wrote to memory of 1804	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	112
PID 2260 wrote to memory of 3308	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	113
PID 2260 wrote to memory of 3308	2260	b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe	113

C:\Users\Admin\AppData\Local\Temp\b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe
"C:\Users\Admin\AppData\Local\Temp\b364233cd51b1ae3d9ea7f378fe6efc792812ae4d66efa63ad1687d2e5dd9e2e.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5056
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5056" "2960" "2884" "2964" "0" "0" "2968" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:13016
- C:\Windows\System\TFWZjLo.exe
  C:\Windows\System\TFWZjLo.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\DtDMJfz.exe
  C:\Windows\System\DtDMJfz.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System\InjUNDb.exe
  C:\Windows\System\InjUNDb.exe
  2⤵
  - Executes dropped EXE
  PID:612
- C:\Windows\System\mdSWjTY.exe
  C:\Windows\System\mdSWjTY.exe
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\System\JbFywaV.exe
  C:\Windows\System\JbFywaV.exe
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\System\WzaPzvg.exe
  C:\Windows\System\WzaPzvg.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System\MvrkEKh.exe
  C:\Windows\System\MvrkEKh.exe
  2⤵
  - Executes dropped EXE
  PID:952
- C:\Windows\System\RCNOyBQ.exe
  C:\Windows\System\RCNOyBQ.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\ZCpYoXf.exe
  C:\Windows\System\ZCpYoXf.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System\RXEsWeK.exe
  C:\Windows\System\RXEsWeK.exe
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Windows\System\mJtuFLh.exe
  C:\Windows\System\mJtuFLh.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System\ncOkaIo.exe
  C:\Windows\System\ncOkaIo.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System\ZMsLvpm.exe
  C:\Windows\System\ZMsLvpm.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System\ZEsSeRE.exe
  C:\Windows\System\ZEsSeRE.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System\KNCltXq.exe
  C:\Windows\System\KNCltXq.exe
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\System\erjpoNX.exe
  C:\Windows\System\erjpoNX.exe
  2⤵
  - Executes dropped EXE
  PID:3736
- C:\Windows\System\LruzLFl.exe
  C:\Windows\System\LruzLFl.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System\IdYjzhN.exe
  C:\Windows\System\IdYjzhN.exe
  2⤵
  - Executes dropped EXE
  PID:3160
- C:\Windows\System\nfCCsos.exe
  C:\Windows\System\nfCCsos.exe
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\System\rCOgwRL.exe
  C:\Windows\System\rCOgwRL.exe
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\System\PfAMFYB.exe
  C:\Windows\System\PfAMFYB.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System\rulSwbs.exe
  C:\Windows\System\rulSwbs.exe
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\System\nKLjBvu.exe
  C:\Windows\System\nKLjBvu.exe
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\System\zrGREur.exe
  C:\Windows\System\zrGREur.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System\aPfhqhW.exe
  C:\Windows\System\aPfhqhW.exe
  2⤵
  - Executes dropped EXE
  PID:3776
- C:\Windows\System\AobJQry.exe
  C:\Windows\System\AobJQry.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System\KhDDFKO.exe
  C:\Windows\System\KhDDFKO.exe
  2⤵
  - Executes dropped EXE
  PID:3136
- C:\Windows\System\yGXcnut.exe
  C:\Windows\System\yGXcnut.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System\QYGtNCv.exe
  C:\Windows\System\QYGtNCv.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System\hLlLePt.exe
  C:\Windows\System\hLlLePt.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System\jconFLU.exe
  C:\Windows\System\jconFLU.exe
  2⤵
  - Executes dropped EXE
  PID:3308
- C:\Windows\System\QxyTXsa.exe
  C:\Windows\System\QxyTXsa.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System\suLbZFJ.exe
  C:\Windows\System\suLbZFJ.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System\nzbjJsE.exe
  C:\Windows\System\nzbjJsE.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System\TLQYSZh.exe
  C:\Windows\System\TLQYSZh.exe
  2⤵
  - Executes dropped EXE
  PID:4284
- C:\Windows\System\CHkvhjo.exe
  C:\Windows\System\CHkvhjo.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System\LDVtOMO.exe
  C:\Windows\System\LDVtOMO.exe
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Windows\System\RNlvClG.exe
  C:\Windows\System\RNlvClG.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System\kSfSwgU.exe
  C:\Windows\System\kSfSwgU.exe
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\System\YKOYcsk.exe
  C:\Windows\System\YKOYcsk.exe
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\System\EndpCUd.exe
  C:\Windows\System\EndpCUd.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System\VtWaeTW.exe
  C:\Windows\System\VtWaeTW.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System\SqzxaAs.exe
  C:\Windows\System\SqzxaAs.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System\GbKPwJN.exe
  C:\Windows\System\GbKPwJN.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System\DWbEAFG.exe
  C:\Windows\System\DWbEAFG.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System\LoJmkEv.exe
  C:\Windows\System\LoJmkEv.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\System\GivICiQ.exe
  C:\Windows\System\GivICiQ.exe
  2⤵
  - Executes dropped EXE
  PID:4100
- C:\Windows\System\bhzfjEp.exe
  C:\Windows\System\bhzfjEp.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System\xPrIelf.exe
  C:\Windows\System\xPrIelf.exe
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Windows\System\FSClUqm.exe
  C:\Windows\System\FSClUqm.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System\DmSCSPS.exe
  C:\Windows\System\DmSCSPS.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System\ZkyETIC.exe
  C:\Windows\System\ZkyETIC.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System\RWJOSYg.exe
  C:\Windows\System\RWJOSYg.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System\DQocoHA.exe
  C:\Windows\System\DQocoHA.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System\UPAyGGX.exe
  C:\Windows\System\UPAyGGX.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System\KdRRmiO.exe
  C:\Windows\System\KdRRmiO.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\doWZAZt.exe
  C:\Windows\System\doWZAZt.exe
  2⤵
  - Executes dropped EXE
  PID:3580
- C:\Windows\System\Asievdw.exe
  C:\Windows\System\Asievdw.exe
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Windows\System\JwFRlju.exe
  C:\Windows\System\JwFRlju.exe
  2⤵
  - Executes dropped EXE
  PID:3980
- C:\Windows\System\FKaqpjq.exe
  C:\Windows\System\FKaqpjq.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System\LrKAWze.exe
  C:\Windows\System\LrKAWze.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System\QYwkeaT.exe
  C:\Windows\System\QYwkeaT.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\dFGYTME.exe
  C:\Windows\System\dFGYTME.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System\NTeVOcP.exe
  C:\Windows\System\NTeVOcP.exe
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Windows\System\NfePlrG.exe
  C:\Windows\System\NfePlrG.exe
  2⤵
  PID:2800
- C:\Windows\System\KDoEfSF.exe
  C:\Windows\System\KDoEfSF.exe
  2⤵
  PID:1356
- C:\Windows\System\wMpnoBu.exe
  C:\Windows\System\wMpnoBu.exe
  2⤵
  PID:4896
- C:\Windows\System\NEcmVRB.exe
  C:\Windows\System\NEcmVRB.exe
  2⤵
  PID:4044
- C:\Windows\System\DeAYIzE.exe
  C:\Windows\System\DeAYIzE.exe
  2⤵
  PID:4932
- C:\Windows\System\YnWIHIQ.exe
  C:\Windows\System\YnWIHIQ.exe
  2⤵
  PID:4212
- C:\Windows\System\mUlKBKq.exe
  C:\Windows\System\mUlKBKq.exe
  2⤵
  PID:4428
- C:\Windows\System\HRzOlfd.exe
  C:\Windows\System\HRzOlfd.exe
  2⤵
  PID:3380
- C:\Windows\System\hJMkfzx.exe
  C:\Windows\System\hJMkfzx.exe
  2⤵
  PID:4660
- C:\Windows\System\cRuzhvi.exe
  C:\Windows\System\cRuzhvi.exe
  2⤵
  PID:1752
- C:\Windows\System\PzMpMxt.exe
  C:\Windows\System\PzMpMxt.exe
  2⤵
  PID:3392
- C:\Windows\System\cCfHILp.exe
  C:\Windows\System\cCfHILp.exe
  2⤵
  PID:1464
- C:\Windows\System\LcKziEl.exe
  C:\Windows\System\LcKziEl.exe
  2⤵
  PID:3816
- C:\Windows\System\NJKROZw.exe
  C:\Windows\System\NJKROZw.exe
  2⤵
  PID:1220
- C:\Windows\System\ghBbxld.exe
  C:\Windows\System\ghBbxld.exe
  2⤵
  PID:5080
- C:\Windows\System\PlPccJD.exe
  C:\Windows\System\PlPccJD.exe
  2⤵
  PID:540
- C:\Windows\System\ditIxQd.exe
  C:\Windows\System\ditIxQd.exe
  2⤵
  PID:532
- C:\Windows\System\uhrvLLM.exe
  C:\Windows\System\uhrvLLM.exe
  2⤵
  PID:3220
- C:\Windows\System\ggczDmV.exe
  C:\Windows\System\ggczDmV.exe
  2⤵
  PID:4976
- C:\Windows\System\dRNQOfU.exe
  C:\Windows\System\dRNQOfU.exe
  2⤵
  PID:4244
- C:\Windows\System\HAAgJuv.exe
  C:\Windows\System\HAAgJuv.exe
  2⤵
  PID:3092
- C:\Windows\System\hgICDqK.exe
  C:\Windows\System\hgICDqK.exe
  2⤵
  PID:1300
- C:\Windows\System\qOFwPDx.exe
  C:\Windows\System\qOFwPDx.exe
  2⤵
  PID:4752
- C:\Windows\System\wVttVnY.exe
  C:\Windows\System\wVttVnY.exe
  2⤵
  PID:664
- C:\Windows\System\XZPGWVX.exe
  C:\Windows\System\XZPGWVX.exe
  2⤵
  PID:1124
- C:\Windows\System\QFgQabk.exe
  C:\Windows\System\QFgQabk.exe
  2⤵
  PID:4124
- C:\Windows\System\QmYWnjL.exe
  C:\Windows\System\QmYWnjL.exe
  2⤵
  PID:4648
- C:\Windows\System\lvoXVZd.exe
  C:\Windows\System\lvoXVZd.exe
  2⤵
  PID:3212
- C:\Windows\System\GlBFWQS.exe
  C:\Windows\System\GlBFWQS.exe
  2⤵
  PID:2544
- C:\Windows\System\GqLVvKY.exe
  C:\Windows\System\GqLVvKY.exe
  2⤵
  PID:4728
- C:\Windows\System\WKensbE.exe
  C:\Windows\System\WKensbE.exe
  2⤵
  PID:5132
- C:\Windows\System\sdKAgBV.exe
  C:\Windows\System\sdKAgBV.exe
  2⤵
  PID:5156
- C:\Windows\System\Cgnpkww.exe
  C:\Windows\System\Cgnpkww.exe
  2⤵
  PID:5188
- C:\Windows\System\yvuYpOF.exe
  C:\Windows\System\yvuYpOF.exe
  2⤵
  PID:5212
- C:\Windows\System\gyjgOSf.exe
  C:\Windows\System\gyjgOSf.exe
  2⤵
  PID:5244
- C:\Windows\System\BPSqDnj.exe
  C:\Windows\System\BPSqDnj.exe
  2⤵
  PID:5268
- C:\Windows\System\MCbVFGI.exe
  C:\Windows\System\MCbVFGI.exe
  2⤵
  PID:5292
- C:\Windows\System\ieNHTok.exe
  C:\Windows\System\ieNHTok.exe
  2⤵
  PID:5324
- C:\Windows\System\TOvaUof.exe
  C:\Windows\System\TOvaUof.exe
  2⤵
  PID:5348
- C:\Windows\System\fPVRMRw.exe
  C:\Windows\System\fPVRMRw.exe
  2⤵
  PID:5384
- C:\Windows\System\WJWPglL.exe
  C:\Windows\System\WJWPglL.exe
  2⤵
  PID:5404
- C:\Windows\System\rHcQttK.exe
  C:\Windows\System\rHcQttK.exe
  2⤵
  PID:5436
- C:\Windows\System\yUAjNCQ.exe
  C:\Windows\System\yUAjNCQ.exe
  2⤵
  PID:5468
- C:\Windows\System\RdpUlpq.exe
  C:\Windows\System\RdpUlpq.exe
  2⤵
  PID:5504
- C:\Windows\System\eDKdAUn.exe
  C:\Windows\System\eDKdAUn.exe
  2⤵
  PID:5544
- C:\Windows\System\zfeGLgW.exe
  C:\Windows\System\zfeGLgW.exe
  2⤵
  PID:5584
- C:\Windows\System\cTzprGU.exe
  C:\Windows\System\cTzprGU.exe
  2⤵
  PID:5640
- C:\Windows\System\yQlcvdW.exe
  C:\Windows\System\yQlcvdW.exe
  2⤵
  PID:5660
- C:\Windows\System\LYuQAWo.exe
  C:\Windows\System\LYuQAWo.exe
  2⤵
  PID:5688
- C:\Windows\System\ncuFprP.exe
  C:\Windows\System\ncuFprP.exe
  2⤵
  PID:5720
- C:\Windows\System\alhMKJq.exe
  C:\Windows\System\alhMKJq.exe
  2⤵
  PID:5736
- C:\Windows\System\foNYSId.exe
  C:\Windows\System\foNYSId.exe
  2⤵
  PID:5776
- C:\Windows\System\tzkZSTC.exe
  C:\Windows\System\tzkZSTC.exe
  2⤵
  PID:5812
- C:\Windows\System\FbLsYVz.exe
  C:\Windows\System\FbLsYVz.exe
  2⤵
  PID:5836
- C:\Windows\System\ViIpKxB.exe
  C:\Windows\System\ViIpKxB.exe
  2⤵
  PID:5864
- C:\Windows\System\MdRGcKx.exe
  C:\Windows\System\MdRGcKx.exe
  2⤵
  PID:5888
- C:\Windows\System\ktMnyhd.exe
  C:\Windows\System\ktMnyhd.exe
  2⤵
  PID:5920
- C:\Windows\System\KyGQVfW.exe
  C:\Windows\System\KyGQVfW.exe
  2⤵
  PID:5952
- C:\Windows\System\hylPqFE.exe
  C:\Windows\System\hylPqFE.exe
  2⤵
  PID:5976
- C:\Windows\System\WOVjapS.exe
  C:\Windows\System\WOVjapS.exe
  2⤵
  PID:6004
- C:\Windows\System\xvblIMv.exe
  C:\Windows\System\xvblIMv.exe
  2⤵
  PID:6020
- C:\Windows\System\XroMSpt.exe
  C:\Windows\System\XroMSpt.exe
  2⤵
  PID:6040
- C:\Windows\System\PcAYvrF.exe
  C:\Windows\System\PcAYvrF.exe
  2⤵
  PID:6080
- C:\Windows\System\bnuobXi.exe
  C:\Windows\System\bnuobXi.exe
  2⤵
  PID:6124
- C:\Windows\System\qXmBElH.exe
  C:\Windows\System\qXmBElH.exe
  2⤵
  PID:5144
- C:\Windows\System\dtYeIEI.exe
  C:\Windows\System\dtYeIEI.exe
  2⤵
  PID:5200
- C:\Windows\System\WpesOpm.exe
  C:\Windows\System\WpesOpm.exe
  2⤵
  PID:5260
- C:\Windows\System\wSOdLTJ.exe
  C:\Windows\System\wSOdLTJ.exe
  2⤵
  PID:5332
- C:\Windows\System\jqZUmCL.exe
  C:\Windows\System\jqZUmCL.exe
  2⤵
  PID:5396
- C:\Windows\System\RaeJolD.exe
  C:\Windows\System\RaeJolD.exe
  2⤵
  PID:5476
- C:\Windows\System\LwWKXWQ.exe
  C:\Windows\System\LwWKXWQ.exe
  2⤵
  PID:5568
- C:\Windows\System\PVyUOof.exe
  C:\Windows\System\PVyUOof.exe
  2⤵
  PID:5656
- C:\Windows\System\jHUoUUL.exe
  C:\Windows\System\jHUoUUL.exe
  2⤵
  PID:5728
- C:\Windows\System\ebSAuWX.exe
  C:\Windows\System\ebSAuWX.exe
  2⤵
  PID:5796
- C:\Windows\System\mJseSBW.exe
  C:\Windows\System\mJseSBW.exe
  2⤵
  PID:5876
- C:\Windows\System\gzwqvXV.exe
  C:\Windows\System\gzwqvXV.exe
  2⤵
  PID:5940
- C:\Windows\System\HkmOvVY.exe
  C:\Windows\System\HkmOvVY.exe
  2⤵
  PID:5996
- C:\Windows\System\DgBCkCz.exe
  C:\Windows\System\DgBCkCz.exe
  2⤵
  PID:6076
- C:\Windows\System\mwYEOPy.exe
  C:\Windows\System\mwYEOPy.exe
  2⤵
  PID:6132
- C:\Windows\System\ptVgwnk.exe
  C:\Windows\System\ptVgwnk.exe
  2⤵
  PID:5252
- C:\Windows\System\XIsJDDH.exe
  C:\Windows\System\XIsJDDH.exe
  2⤵
  PID:5456
- C:\Windows\System\VuMwSHL.exe
  C:\Windows\System\VuMwSHL.exe
  2⤵
  PID:5648
- C:\Windows\System\PdFxwjL.exe
  C:\Windows\System\PdFxwjL.exe
  2⤵
  PID:5788
- C:\Windows\System\PioAiJY.exe
  C:\Windows\System\PioAiJY.exe
  2⤵
  PID:5968
- C:\Windows\System\BBGREDJ.exe
  C:\Windows\System\BBGREDJ.exe
  2⤵
  PID:5232
- C:\Windows\System\rkfycWD.exe
  C:\Windows\System\rkfycWD.exe
  2⤵
  PID:5608
- C:\Windows\System\FQHFJuy.exe
  C:\Windows\System\FQHFJuy.exe
  2⤵
  PID:5932
- C:\Windows\System\nnCakeJ.exe
  C:\Windows\System\nnCakeJ.exe
  2⤵
  PID:5560
- C:\Windows\System\UZuhbBX.exe
  C:\Windows\System\UZuhbBX.exe
  2⤵
  PID:6180
- C:\Windows\System\GenpnTe.exe
  C:\Windows\System\GenpnTe.exe
  2⤵
  PID:6216
- C:\Windows\System\uIzcAmp.exe
  C:\Windows\System\uIzcAmp.exe
  2⤵
  PID:6256
- C:\Windows\System\neJaxAE.exe
  C:\Windows\System\neJaxAE.exe
  2⤵
  PID:6300
- C:\Windows\System\NcPWRsl.exe
  C:\Windows\System\NcPWRsl.exe
  2⤵
  PID:6328
- C:\Windows\System\mXSvBZB.exe
  C:\Windows\System\mXSvBZB.exe
  2⤵
  PID:6368
- C:\Windows\System\ofMzxcn.exe
  C:\Windows\System\ofMzxcn.exe
  2⤵
  PID:6400
- C:\Windows\System\IlJCxVt.exe
  C:\Windows\System\IlJCxVt.exe
  2⤵
  PID:6424
- C:\Windows\System\aGobznq.exe
  C:\Windows\System\aGobznq.exe
  2⤵
  PID:6448
- C:\Windows\System\jQXPsTa.exe
  C:\Windows\System\jQXPsTa.exe
  2⤵
  PID:6484
- C:\Windows\System\OyxuCCc.exe
  C:\Windows\System\OyxuCCc.exe
  2⤵
  PID:6520
- C:\Windows\System\jmQZqgA.exe
  C:\Windows\System\jmQZqgA.exe
  2⤵
  PID:6540
- C:\Windows\System\OuPXLfn.exe
  C:\Windows\System\OuPXLfn.exe
  2⤵
  PID:6572
- C:\Windows\System\nixsBck.exe
  C:\Windows\System\nixsBck.exe
  2⤵
  PID:6604
- C:\Windows\System\WdDcMhF.exe
  C:\Windows\System\WdDcMhF.exe
  2⤵
  PID:6624
- C:\Windows\System\zqafjFP.exe
  C:\Windows\System\zqafjFP.exe
  2⤵
  PID:6656
- C:\Windows\System\ayQpfOf.exe
  C:\Windows\System\ayQpfOf.exe
  2⤵
  PID:6676
- C:\Windows\System\jqzDCSf.exe
  C:\Windows\System\jqzDCSf.exe
  2⤵
  PID:6704
- C:\Windows\System\XrQCrEZ.exe
  C:\Windows\System\XrQCrEZ.exe
  2⤵
  PID:6740
- C:\Windows\System\CNgZLlE.exe
  C:\Windows\System\CNgZLlE.exe
  2⤵
  PID:6768
- C:\Windows\System\aiLAvRx.exe
  C:\Windows\System\aiLAvRx.exe
  2⤵
  PID:6816
- C:\Windows\System\DKaWkFk.exe
  C:\Windows\System\DKaWkFk.exe
  2⤵
  PID:6868
- C:\Windows\System\xQiSJLS.exe
  C:\Windows\System\xQiSJLS.exe
  2⤵
  PID:6900
- C:\Windows\System\vTeryEi.exe
  C:\Windows\System\vTeryEi.exe
  2⤵
  PID:6924
- C:\Windows\System\UDaFWEA.exe
  C:\Windows\System\UDaFWEA.exe
  2⤵
  PID:6944
- C:\Windows\System\zvVsGiU.exe
  C:\Windows\System\zvVsGiU.exe
  2⤵
  PID:6968
- C:\Windows\System\tVCPWdd.exe
  C:\Windows\System\tVCPWdd.exe
  2⤵
  PID:7000
- C:\Windows\System\IfYAqaB.exe
  C:\Windows\System\IfYAqaB.exe
  2⤵
  PID:7028
- C:\Windows\System\tMhdJZE.exe
  C:\Windows\System\tMhdJZE.exe
  2⤵
  PID:7068
- C:\Windows\System\jUfAlvl.exe
  C:\Windows\System\jUfAlvl.exe
  2⤵
  PID:7104
- C:\Windows\System\yrcUzex.exe
  C:\Windows\System\yrcUzex.exe
  2⤵
  PID:7124
- C:\Windows\System\zdQAdtA.exe
  C:\Windows\System\zdQAdtA.exe
  2⤵
  PID:7160
- C:\Windows\System\aNxZZyM.exe
  C:\Windows\System\aNxZZyM.exe
  2⤵
  PID:6168
- C:\Windows\System\mvLgBLs.exe
  C:\Windows\System\mvLgBLs.exe
  2⤵
  PID:6316
- C:\Windows\System\rUvLnGO.exe
  C:\Windows\System\rUvLnGO.exe
  2⤵
  PID:6360
- C:\Windows\System\xFQsopH.exe
  C:\Windows\System\xFQsopH.exe
  2⤵
  PID:6476
- C:\Windows\System\pUJAJkV.exe
  C:\Windows\System\pUJAJkV.exe
  2⤵
  PID:6632
- C:\Windows\System\kYVTutp.exe
  C:\Windows\System\kYVTutp.exe
  2⤵
  PID:6692
- C:\Windows\System\ROCIROt.exe
  C:\Windows\System\ROCIROt.exe
  2⤵
  PID:6736
- C:\Windows\System\ennlTsC.exe
  C:\Windows\System\ennlTsC.exe
  2⤵
  PID:6760
- C:\Windows\System\iNDCNfZ.exe
  C:\Windows\System\iNDCNfZ.exe
  2⤵
  PID:6916
- C:\Windows\System\qoiOpIr.exe
  C:\Windows\System\qoiOpIr.exe
  2⤵
  PID:6912
- C:\Windows\System\ZbkuPAm.exe
  C:\Windows\System\ZbkuPAm.exe
  2⤵
  PID:7016
- C:\Windows\System\azQjSqT.exe
  C:\Windows\System\azQjSqT.exe
  2⤵
  PID:7112
- C:\Windows\System\fPAJcIq.exe
  C:\Windows\System\fPAJcIq.exe
  2⤵
  PID:7100
- C:\Windows\System\NrOlbzh.exe
  C:\Windows\System\NrOlbzh.exe
  2⤵
  PID:6292
- C:\Windows\System\jCcziQF.exe
  C:\Windows\System\jCcziQF.exe
  2⤵
  PID:5844
- C:\Windows\System\DBMLzXY.exe
  C:\Windows\System\DBMLzXY.exe
  2⤵
  PID:6644
- C:\Windows\System\GDPsJau.exe
  C:\Windows\System\GDPsJau.exe
  2⤵
  PID:6856
- C:\Windows\System\cOBGkpE.exe
  C:\Windows\System\cOBGkpE.exe
  2⤵
  PID:7048
- C:\Windows\System\JBbErbn.exe
  C:\Windows\System\JBbErbn.exe
  2⤵
  PID:6208
- C:\Windows\System\PrlAjkH.exe
  C:\Windows\System\PrlAjkH.exe
  2⤵
  PID:6584
- C:\Windows\System\LZAhkiQ.exe
  C:\Windows\System\LZAhkiQ.exe
  2⤵
  PID:6992
- C:\Windows\System\UBTEjyX.exe
  C:\Windows\System\UBTEjyX.exe
  2⤵
  PID:6172
- C:\Windows\System\mKbdgKF.exe
  C:\Windows\System\mKbdgKF.exe
  2⤵
  PID:7200
- C:\Windows\System\UsBFzgs.exe
  C:\Windows\System\UsBFzgs.exe
  2⤵
  PID:7216
- C:\Windows\System\LIDFiPf.exe
  C:\Windows\System\LIDFiPf.exe
  2⤵
  PID:7244
- C:\Windows\System\hPorYCi.exe
  C:\Windows\System\hPorYCi.exe
  2⤵
  PID:7276
- C:\Windows\System\IrrZxvh.exe
  C:\Windows\System\IrrZxvh.exe
  2⤵
  PID:7320
- C:\Windows\System\LaYMGxd.exe
  C:\Windows\System\LaYMGxd.exe
  2⤵
  PID:7336
- C:\Windows\System\UiJlnCf.exe
  C:\Windows\System\UiJlnCf.exe
  2⤵
  PID:7364
- C:\Windows\System\QfzRyKh.exe
  C:\Windows\System\QfzRyKh.exe
  2⤵
  PID:7396
- C:\Windows\System\LtNVcHJ.exe
  C:\Windows\System\LtNVcHJ.exe
  2⤵
  PID:7436
- C:\Windows\System\GVeFKIj.exe
  C:\Windows\System\GVeFKIj.exe
  2⤵
  PID:7464
- C:\Windows\System\UEGhhqh.exe
  C:\Windows\System\UEGhhqh.exe
  2⤵
  PID:7480
- C:\Windows\System\whwkXpA.exe
  C:\Windows\System\whwkXpA.exe
  2⤵
  PID:7508
- C:\Windows\System\KGECgJr.exe
  C:\Windows\System\KGECgJr.exe
  2⤵
  PID:7536
- C:\Windows\System\sMWkCEE.exe
  C:\Windows\System\sMWkCEE.exe
  2⤵
  PID:7564
- C:\Windows\System\drimwTR.exe
  C:\Windows\System\drimwTR.exe
  2⤵
  PID:7592
- C:\Windows\System\tEMwUFd.exe
  C:\Windows\System\tEMwUFd.exe
  2⤵
  PID:7624
- C:\Windows\System\xKjHjZX.exe
  C:\Windows\System\xKjHjZX.exe
  2⤵
  PID:7648
- C:\Windows\System\OyNysEQ.exe
  C:\Windows\System\OyNysEQ.exe
  2⤵
  PID:7664
- C:\Windows\System\ZKscsbR.exe
  C:\Windows\System\ZKscsbR.exe
  2⤵
  PID:7700
- C:\Windows\System\gyuTOGT.exe
  C:\Windows\System\gyuTOGT.exe
  2⤵
  PID:7724
- C:\Windows\System\iqFNdwO.exe
  C:\Windows\System\iqFNdwO.exe
  2⤵
  PID:7748
- C:\Windows\System\QASYyen.exe
  C:\Windows\System\QASYyen.exe
  2⤵
  PID:7788
- C:\Windows\System\enRDAyH.exe
  C:\Windows\System\enRDAyH.exe
  2⤵
  PID:7820
- C:\Windows\System\nMecEYe.exe
  C:\Windows\System\nMecEYe.exe
  2⤵
  PID:7852
- C:\Windows\System\PXPaebw.exe
  C:\Windows\System\PXPaebw.exe
  2⤵
  PID:7880
- C:\Windows\System\fAZchsC.exe
  C:\Windows\System\fAZchsC.exe
  2⤵
  PID:7900
- C:\Windows\System\qWiGrwm.exe
  C:\Windows\System\qWiGrwm.exe
  2⤵
  PID:7916
- C:\Windows\System\otAIbeQ.exe
  C:\Windows\System\otAIbeQ.exe
  2⤵
  PID:7952
- C:\Windows\System\FyurcIS.exe
  C:\Windows\System\FyurcIS.exe
  2⤵
  PID:7984
- C:\Windows\System\XMzVtSO.exe
  C:\Windows\System\XMzVtSO.exe
  2⤵
  PID:8024
- C:\Windows\System\TJCVCsi.exe
  C:\Windows\System\TJCVCsi.exe
  2⤵
  PID:8044
- C:\Windows\System\CLfhJaU.exe
  C:\Windows\System\CLfhJaU.exe
  2⤵
  PID:8060
- C:\Windows\System\hjtHAlS.exe
  C:\Windows\System\hjtHAlS.exe
  2⤵
  PID:8100
- C:\Windows\System\pMxbJzj.exe
  C:\Windows\System\pMxbJzj.exe
  2⤵
  PID:8124
- C:\Windows\System\okBRiSp.exe
  C:\Windows\System\okBRiSp.exe
  2⤵
  PID:8144
- C:\Windows\System\vnhcWsl.exe
  C:\Windows\System\vnhcWsl.exe
  2⤵
  PID:8184
- C:\Windows\System\KlCrYUF.exe
  C:\Windows\System\KlCrYUF.exe
  2⤵
  PID:7196
- C:\Windows\System\AQvITPA.exe
  C:\Windows\System\AQvITPA.exe
  2⤵
  PID:7268
- C:\Windows\System\fizAXmW.exe
  C:\Windows\System\fizAXmW.exe
  2⤵
  PID:7352
- C:\Windows\System\LcWDPhF.exe
  C:\Windows\System\LcWDPhF.exe
  2⤵
  PID:7420
- C:\Windows\System\pLouBGT.exe
  C:\Windows\System\pLouBGT.exe
  2⤵
  PID:7452
- C:\Windows\System\kaMEBCs.exe
  C:\Windows\System\kaMEBCs.exe
  2⤵
  PID:7552
- C:\Windows\System\ojTudHt.exe
  C:\Windows\System\ojTudHt.exe
  2⤵
  PID:7632
- C:\Windows\System\rmEBgOO.exe
  C:\Windows\System\rmEBgOO.exe
  2⤵
  PID:7684
- C:\Windows\System\xvTNmSQ.exe
  C:\Windows\System\xvTNmSQ.exe
  2⤵
  PID:7772
- C:\Windows\System\gKbcfJT.exe
  C:\Windows\System\gKbcfJT.exe
  2⤵
  PID:7848
- C:\Windows\System\ZdCwdOa.exe
  C:\Windows\System\ZdCwdOa.exe
  2⤵
  PID:7872
- C:\Windows\System\hDpPQen.exe
  C:\Windows\System\hDpPQen.exe
  2⤵
  PID:7948
- C:\Windows\System\NLhELJy.exe
  C:\Windows\System\NLhELJy.exe
  2⤵
  PID:8008
- C:\Windows\System\utzAKMx.exe
  C:\Windows\System\utzAKMx.exe
  2⤵
  PID:8072
- C:\Windows\System\FzfjiVW.exe
  C:\Windows\System\FzfjiVW.exe
  2⤵
  PID:8140
- C:\Windows\System\YACvgyP.exe
  C:\Windows\System\YACvgyP.exe
  2⤵
  PID:7184
- C:\Windows\System\JCJWHSl.exe
  C:\Windows\System\JCJWHSl.exe
  2⤵
  PID:7256
- C:\Windows\System\TumeDWP.exe
  C:\Windows\System\TumeDWP.exe
  2⤵
  PID:7476
- C:\Windows\System\BYuDJgd.exe
  C:\Windows\System\BYuDJgd.exe
  2⤵
  PID:7716
- C:\Windows\System\oGfhDiI.exe
  C:\Windows\System\oGfhDiI.exe
  2⤵
  PID:7828
- C:\Windows\System\uLHfqmH.exe
  C:\Windows\System\uLHfqmH.exe
  2⤵
  PID:7928
- C:\Windows\System\IbQlDpx.exe
  C:\Windows\System\IbQlDpx.exe
  2⤵
  PID:8056
- C:\Windows\System\bePXUEv.exe
  C:\Windows\System\bePXUEv.exe
  2⤵
  PID:7316
- C:\Windows\System\jGlKkll.exe
  C:\Windows\System\jGlKkll.exe
  2⤵
  PID:7676
- C:\Windows\System\aUQkgcQ.exe
  C:\Windows\System\aUQkgcQ.exe
  2⤵
  PID:8080
- C:\Windows\System\uZaOBlf.exe
  C:\Windows\System\uZaOBlf.exe
  2⤵
  PID:7448
- C:\Windows\System\tmtLwBL.exe
  C:\Windows\System\tmtLwBL.exe
  2⤵
  PID:8200
- C:\Windows\System\ASWRrgy.exe
  C:\Windows\System\ASWRrgy.exe
  2⤵
  PID:8232
- C:\Windows\System\taHVEmi.exe
  C:\Windows\System\taHVEmi.exe
  2⤵
  PID:8256
- C:\Windows\System\YBbMVEp.exe
  C:\Windows\System\YBbMVEp.exe
  2⤵
  PID:8284
- C:\Windows\System\HjTFbAB.exe
  C:\Windows\System\HjTFbAB.exe
  2⤵
  PID:8324
- C:\Windows\System\aJxQKLh.exe
  C:\Windows\System\aJxQKLh.exe
  2⤵
  PID:8348
- C:\Windows\System\NSbOFVq.exe
  C:\Windows\System\NSbOFVq.exe
  2⤵
  PID:8364
- C:\Windows\System\XpnbshJ.exe
  C:\Windows\System\XpnbshJ.exe
  2⤵
  PID:8392
- C:\Windows\System\ggvSIQG.exe
  C:\Windows\System\ggvSIQG.exe
  2⤵
  PID:8424
- C:\Windows\System\okmwNjW.exe
  C:\Windows\System\okmwNjW.exe
  2⤵
  PID:8464
- C:\Windows\System\ccnFRwi.exe
  C:\Windows\System\ccnFRwi.exe
  2⤵
  PID:8484
- C:\Windows\System\TVviEhI.exe
  C:\Windows\System\TVviEhI.exe
  2⤵
  PID:8508
- C:\Windows\System\bZGQkUR.exe
  C:\Windows\System\bZGQkUR.exe
  2⤵
  PID:8540
- C:\Windows\System\kfzcCxK.exe
  C:\Windows\System\kfzcCxK.exe
  2⤵
  PID:8568
- C:\Windows\System\gdsfPdR.exe
  C:\Windows\System\gdsfPdR.exe
  2⤵
  PID:8604
- C:\Windows\System\xVTqXsP.exe
  C:\Windows\System\xVTqXsP.exe
  2⤵
  PID:8664
- C:\Windows\System\aSgzlFg.exe
  C:\Windows\System\aSgzlFg.exe
  2⤵
  PID:8692
- C:\Windows\System\nufmRam.exe
  C:\Windows\System\nufmRam.exe
  2⤵
  PID:8716
- C:\Windows\System\ZMlChvq.exe
  C:\Windows\System\ZMlChvq.exe
  2⤵
  PID:8744
- C:\Windows\System\UcUjHhU.exe
  C:\Windows\System\UcUjHhU.exe
  2⤵
  PID:8772
- C:\Windows\System\kAlNegr.exe
  C:\Windows\System\kAlNegr.exe
  2⤵
  PID:8804
- C:\Windows\System\eYLlnAh.exe
  C:\Windows\System\eYLlnAh.exe
  2⤵
  PID:8840
- C:\Windows\System\uHPWPhk.exe
  C:\Windows\System\uHPWPhk.exe
  2⤵
  PID:8860
- C:\Windows\System\pURyfAI.exe
  C:\Windows\System\pURyfAI.exe
  2⤵
  PID:8892
- C:\Windows\System\WciZZnm.exe
  C:\Windows\System\WciZZnm.exe
  2⤵
  PID:8924
- C:\Windows\System\WhWoExK.exe
  C:\Windows\System\WhWoExK.exe
  2⤵
  PID:8944
- C:\Windows\System\oXDkEhC.exe
  C:\Windows\System\oXDkEhC.exe
  2⤵
  PID:8988
- C:\Windows\System\poqmzqy.exe
  C:\Windows\System\poqmzqy.exe
  2⤵
  PID:9020
- C:\Windows\System\gYHjwni.exe
  C:\Windows\System\gYHjwni.exe
  2⤵
  PID:9040
- C:\Windows\System\KxUTfIZ.exe
  C:\Windows\System\KxUTfIZ.exe
  2⤵
  PID:9076
- C:\Windows\System\BzuOMKr.exe
  C:\Windows\System\BzuOMKr.exe
  2⤵
  PID:9104
- C:\Windows\System\HdidmLN.exe
  C:\Windows\System\HdidmLN.exe
  2⤵
  PID:9132
- C:\Windows\System\Npgnvjw.exe
  C:\Windows\System\Npgnvjw.exe
  2⤵
  PID:9152
- C:\Windows\System\IesEcYC.exe
  C:\Windows\System\IesEcYC.exe
  2⤵
  PID:9180
- C:\Windows\System\DZZPcvM.exe
  C:\Windows\System\DZZPcvM.exe
  2⤵
  PID:9208
- C:\Windows\System\fojJucL.exe
  C:\Windows\System\fojJucL.exe
  2⤵
  PID:7908
- C:\Windows\System\spxxgpg.exe
  C:\Windows\System\spxxgpg.exe
  2⤵
  PID:8248
- C:\Windows\System\ZDQNlhm.exe
  C:\Windows\System\ZDQNlhm.exe
  2⤵
  PID:8356
- C:\Windows\System\QubWCmh.exe
  C:\Windows\System\QubWCmh.exe
  2⤵
  PID:8408
- C:\Windows\System\PEzniJY.exe
  C:\Windows\System\PEzniJY.exe
  2⤵
  PID:8440
- C:\Windows\System\tdQsUyx.exe
  C:\Windows\System\tdQsUyx.exe
  2⤵
  PID:8520
- C:\Windows\System\brqpGEy.exe
  C:\Windows\System\brqpGEy.exe
  2⤵
  PID:8596
- C:\Windows\System\gStosUH.exe
  C:\Windows\System\gStosUH.exe
  2⤵
  PID:8680
- C:\Windows\System\RUbVUyz.exe
  C:\Windows\System\RUbVUyz.exe
  2⤵
  PID:8792
- C:\Windows\System\ckRnjVw.exe
  C:\Windows\System\ckRnjVw.exe
  2⤵
  PID:8828
- C:\Windows\System\FtusXMc.exe
  C:\Windows\System\FtusXMc.exe
  2⤵
  PID:8916
- C:\Windows\System\pimoFci.exe
  C:\Windows\System\pimoFci.exe
  2⤵
  PID:8984
- C:\Windows\System\CyOMHhQ.exe
  C:\Windows\System\CyOMHhQ.exe
  2⤵
  PID:9004
- C:\Windows\System\TvhuQbc.exe
  C:\Windows\System\TvhuQbc.exe
  2⤵
  PID:9100
- C:\Windows\System\ptKNnTE.exe
  C:\Windows\System\ptKNnTE.exe
  2⤵
  PID:9168
- C:\Windows\System\lCTDSim.exe
  C:\Windows\System\lCTDSim.exe
  2⤵
  PID:6616
- C:\Windows\System\rnxswLp.exe
  C:\Windows\System\rnxswLp.exe
  2⤵
  PID:8304
- C:\Windows\System\XrkMQlh.exe
  C:\Windows\System\XrkMQlh.exe
  2⤵
  PID:8528
- C:\Windows\System\nlwuTgq.exe
  C:\Windows\System\nlwuTgq.exe
  2⤵
  PID:8648
- C:\Windows\System\yhYMPyl.exe
  C:\Windows\System\yhYMPyl.exe
  2⤵
  PID:8796
- C:\Windows\System\OPdoxfN.exe
  C:\Windows\System\OPdoxfN.exe
  2⤵
  PID:9012
- C:\Windows\System\URFfArh.exe
  C:\Windows\System\URFfArh.exe
  2⤵
  PID:9188
- C:\Windows\System\ftoRvpt.exe
  C:\Windows\System\ftoRvpt.exe
  2⤵
  PID:8296
- C:\Windows\System\haZzAEk.exe
  C:\Windows\System\haZzAEk.exe
  2⤵
  PID:8836
- C:\Windows\System\XEnMayz.exe
  C:\Windows\System\XEnMayz.exe
  2⤵
  PID:8980
- C:\Windows\System\LoHqwob.exe
  C:\Windows\System\LoHqwob.exe
  2⤵
  PID:8456
- C:\Windows\System\TOwfzta.exe
  C:\Windows\System\TOwfzta.exe
  2⤵
  PID:9228
- C:\Windows\System\YFXyzQt.exe
  C:\Windows\System\YFXyzQt.exe
  2⤵
  PID:9256
- C:\Windows\System\ABfkjOS.exe
  C:\Windows\System\ABfkjOS.exe
  2⤵
  PID:9284
- C:\Windows\System\cIrSHWD.exe
  C:\Windows\System\cIrSHWD.exe
  2⤵
  PID:9300
- C:\Windows\System\gkBCMSj.exe
  C:\Windows\System\gkBCMSj.exe
  2⤵
  PID:9320
- C:\Windows\System\QhChBfZ.exe
  C:\Windows\System\QhChBfZ.exe
  2⤵
  PID:9344
- C:\Windows\System\CmPtOaK.exe
  C:\Windows\System\CmPtOaK.exe
  2⤵
  PID:9376
- C:\Windows\System\eBTRVBW.exe
  C:\Windows\System\eBTRVBW.exe
  2⤵
  PID:9412
- C:\Windows\System\skRGSjA.exe
  C:\Windows\System\skRGSjA.exe
  2⤵
  PID:9444
- C:\Windows\System\vJGVFuo.exe
  C:\Windows\System\vJGVFuo.exe
  2⤵
  PID:9480
- C:\Windows\System\eKrCXty.exe
  C:\Windows\System\eKrCXty.exe
  2⤵
  PID:9500
- C:\Windows\System\ZbzRxVQ.exe
  C:\Windows\System\ZbzRxVQ.exe
  2⤵
  PID:9524
- C:\Windows\System\TAezZtF.exe
  C:\Windows\System\TAezZtF.exe
  2⤵
  PID:9564
- C:\Windows\System\YuZFGie.exe
  C:\Windows\System\YuZFGie.exe
  2⤵
  PID:9580
- C:\Windows\System\JlrYhkm.exe
  C:\Windows\System\JlrYhkm.exe
  2⤵
  PID:9620
- C:\Windows\System\VOGrwaD.exe
  C:\Windows\System\VOGrwaD.exe
  2⤵
  PID:9648
- C:\Windows\System\sfcyksQ.exe
  C:\Windows\System\sfcyksQ.exe
  2⤵
  PID:9664
- C:\Windows\System\OVxJNdn.exe
  C:\Windows\System\OVxJNdn.exe
  2⤵
  PID:9692
- C:\Windows\System\ghQIOlM.exe
  C:\Windows\System\ghQIOlM.exe
  2⤵
  PID:9720
- C:\Windows\System\giwpSZM.exe
  C:\Windows\System\giwpSZM.exe
  2⤵
  PID:9752
- C:\Windows\System\VUaKunR.exe
  C:\Windows\System\VUaKunR.exe
  2⤵
  PID:9788
- C:\Windows\System\VtDNxlb.exe
  C:\Windows\System\VtDNxlb.exe
  2⤵
  PID:9812
- C:\Windows\System\EmRfNFE.exe
  C:\Windows\System\EmRfNFE.exe
  2⤵
  PID:9848
- C:\Windows\System\uKxFJOT.exe
  C:\Windows\System\uKxFJOT.exe
  2⤵
  PID:9888
- C:\Windows\System\GPeFbBO.exe
  C:\Windows\System\GPeFbBO.exe
  2⤵
  PID:9904
- C:\Windows\System\wUyMnUR.exe
  C:\Windows\System\wUyMnUR.exe
  2⤵
  PID:9920
- C:\Windows\System\ETjzRzn.exe
  C:\Windows\System\ETjzRzn.exe
  2⤵
  PID:9940
- C:\Windows\System\EKcUkEh.exe
  C:\Windows\System\EKcUkEh.exe
  2⤵
  PID:9976
- C:\Windows\System\sZnvJXh.exe
  C:\Windows\System\sZnvJXh.exe
  2⤵
  PID:9996
- C:\Windows\System\wRbywkm.exe
  C:\Windows\System\wRbywkm.exe
  2⤵
  PID:10020
- C:\Windows\System\lIGSHOR.exe
  C:\Windows\System\lIGSHOR.exe
  2⤵
  PID:10060
- C:\Windows\System\WRNEXKV.exe
  C:\Windows\System\WRNEXKV.exe
  2⤵
  PID:10088
- C:\Windows\System\lJivxdm.exe
  C:\Windows\System\lJivxdm.exe
  2⤵
  PID:10128
- C:\Windows\System\xTozjfA.exe
  C:\Windows\System\xTozjfA.exe
  2⤵
  PID:10144
- C:\Windows\System\OhRknam.exe
  C:\Windows\System\OhRknam.exe
  2⤵
  PID:10172
- C:\Windows\System\ddDrcQd.exe
  C:\Windows\System\ddDrcQd.exe
  2⤵
  PID:10204
- C:\Windows\System\pcZfnHG.exe
  C:\Windows\System\pcZfnHG.exe
  2⤵
  PID:10232
- C:\Windows\System\ihczilV.exe
  C:\Windows\System\ihczilV.exe
  2⤵
  PID:9248
- C:\Windows\System\zKqxXbQ.exe
  C:\Windows\System\zKqxXbQ.exe
  2⤵
  PID:9316
- C:\Windows\System\eAIcelC.exe
  C:\Windows\System\eAIcelC.exe
  2⤵
  PID:9356
- C:\Windows\System\gsNIrNE.exe
  C:\Windows\System\gsNIrNE.exe
  2⤵
  PID:9440
- C:\Windows\System\PsfKKKl.exe
  C:\Windows\System\PsfKKKl.exe
  2⤵
  PID:9472
- C:\Windows\System\uLqBxMb.exe
  C:\Windows\System\uLqBxMb.exe
  2⤵
  PID:9544
- C:\Windows\System\pIPRQsX.exe
  C:\Windows\System\pIPRQsX.exe
  2⤵
  PID:9604
- C:\Windows\System\icuYDwC.exe
  C:\Windows\System\icuYDwC.exe
  2⤵
  PID:9684
- C:\Windows\System\pYBdouC.exe
  C:\Windows\System\pYBdouC.exe
  2⤵
  PID:9744
- C:\Windows\System\bmslChL.exe
  C:\Windows\System\bmslChL.exe
  2⤵
  PID:9840
- C:\Windows\System\YznoSTN.exe
  C:\Windows\System\YznoSTN.exe
  2⤵
  PID:9872
- C:\Windows\System\dRCtVxi.exe
  C:\Windows\System\dRCtVxi.exe
  2⤵
  PID:9932
- C:\Windows\System\aaOhrlo.exe
  C:\Windows\System\aaOhrlo.exe
  2⤵
  PID:10004
- C:\Windows\System\zleTMKs.exe
  C:\Windows\System\zleTMKs.exe
  2⤵
  PID:10048
- C:\Windows\System\tpadSjp.exe
  C:\Windows\System\tpadSjp.exe
  2⤵
  PID:10164
- C:\Windows\System\PeTILgO.exe
  C:\Windows\System\PeTILgO.exe
  2⤵
  PID:10228
- C:\Windows\System\wcehzyc.exe
  C:\Windows\System\wcehzyc.exe
  2⤵
  PID:9280
- C:\Windows\System\mZEaqAp.exe
  C:\Windows\System\mZEaqAp.exe
  2⤵
  PID:9476
- C:\Windows\System\cpxgcIW.exe
  C:\Windows\System\cpxgcIW.exe
  2⤵
  PID:9616
- C:\Windows\System\PixbpQJ.exe
  C:\Windows\System\PixbpQJ.exe
  2⤵
  PID:9784
- C:\Windows\System\kpRzplh.exe
  C:\Windows\System\kpRzplh.exe
  2⤵
  PID:10012
- C:\Windows\System\uwAZDka.exe
  C:\Windows\System\uwAZDka.exe
  2⤵
  PID:10100
- C:\Windows\System\UYrhjVM.exe
  C:\Windows\System\UYrhjVM.exe
  2⤵
  PID:9292
- C:\Windows\System\IWwsNxl.exe
  C:\Windows\System\IWwsNxl.exe
  2⤵
  PID:9508
- C:\Windows\System\OMHaOzz.exe
  C:\Windows\System\OMHaOzz.exe
  2⤵
  PID:9712
- C:\Windows\System\zjDYUts.exe
  C:\Windows\System\zjDYUts.exe
  2⤵
  PID:10008
- C:\Windows\System\SszFlnI.exe
  C:\Windows\System\SszFlnI.exe
  2⤵
  PID:9960
- C:\Windows\System\hjNmKbL.exe
  C:\Windows\System\hjNmKbL.exe
  2⤵
  PID:10244
- C:\Windows\System\jCgxqni.exe
  C:\Windows\System\jCgxqni.exe
  2⤵
  PID:10272
- C:\Windows\System\YRMdfZK.exe
  C:\Windows\System\YRMdfZK.exe
  2⤵
  PID:10300
- C:\Windows\System\sjInNvb.exe
  C:\Windows\System\sjInNvb.exe
  2⤵
  PID:10328
- C:\Windows\System\fSwGqRi.exe
  C:\Windows\System\fSwGqRi.exe
  2⤵
  PID:10368
- C:\Windows\System\BzOUXEa.exe
  C:\Windows\System\BzOUXEa.exe
  2⤵
  PID:10388
- C:\Windows\System\IEusGzz.exe
  C:\Windows\System\IEusGzz.exe
  2⤵
  PID:10412
- C:\Windows\System\QNmcfrc.exe
  C:\Windows\System\QNmcfrc.exe
  2⤵
  PID:10452
- C:\Windows\System\EbLiSeQ.exe
  C:\Windows\System\EbLiSeQ.exe
  2⤵
  PID:10480
- C:\Windows\System\rNOWLSe.exe
  C:\Windows\System\rNOWLSe.exe
  2⤵
  PID:10496
- C:\Windows\System\bOGxDve.exe
  C:\Windows\System\bOGxDve.exe
  2⤵
  PID:10536
- C:\Windows\System\wbFRpdH.exe
  C:\Windows\System\wbFRpdH.exe
  2⤵
  PID:10568
- C:\Windows\System\GOWFibC.exe
  C:\Windows\System\GOWFibC.exe
  2⤵
  PID:10592
- C:\Windows\System\rDMYRQn.exe
  C:\Windows\System\rDMYRQn.exe
  2⤵
  PID:10620
- C:\Windows\System\cdhYBOf.exe
  C:\Windows\System\cdhYBOf.exe
  2⤵
  PID:10648
- C:\Windows\System\qdOBxdb.exe
  C:\Windows\System\qdOBxdb.exe
  2⤵
  PID:10672
- C:\Windows\System\irLpZaa.exe
  C:\Windows\System\irLpZaa.exe
  2⤵
  PID:10696
- C:\Windows\System\BFFwrXB.exe
  C:\Windows\System\BFFwrXB.exe
  2⤵
  PID:10716
- C:\Windows\System\qTiVeee.exe
  C:\Windows\System\qTiVeee.exe
  2⤵
  PID:10756
- C:\Windows\System\vHuFCcA.exe
  C:\Windows\System\vHuFCcA.exe
  2⤵
  PID:10792
- C:\Windows\System\FgNPYlb.exe
  C:\Windows\System\FgNPYlb.exe
  2⤵
  PID:10816
- C:\Windows\System\zIKQGZy.exe
  C:\Windows\System\zIKQGZy.exe
  2⤵
  PID:10840
- C:\Windows\System\NNIUqUk.exe
  C:\Windows\System\NNIUqUk.exe
  2⤵
  PID:10868
- C:\Windows\System\HaaFhoF.exe
  C:\Windows\System\HaaFhoF.exe
  2⤵
  PID:10896
- C:\Windows\System\fCwabQs.exe
  C:\Windows\System\fCwabQs.exe
  2⤵
  PID:10920
- C:\Windows\System\TvdgMjD.exe
  C:\Windows\System\TvdgMjD.exe
  2⤵
  PID:10952
- C:\Windows\System\ftidMaR.exe
  C:\Windows\System\ftidMaR.exe
  2⤵
  PID:10992
- C:\Windows\System\KdtoSjR.exe
  C:\Windows\System\KdtoSjR.exe
  2⤵
  PID:11008
- C:\Windows\System\VXoCLtR.exe
  C:\Windows\System\VXoCLtR.exe
  2⤵
  PID:11036
- C:\Windows\System\PjEXVnU.exe
  C:\Windows\System\PjEXVnU.exe
  2⤵
  PID:11076
- C:\Windows\System\RhbPTwF.exe
  C:\Windows\System\RhbPTwF.exe
  2⤵
  PID:11092
- C:\Windows\System\LUDYaed.exe
  C:\Windows\System\LUDYaed.exe
  2⤵
  PID:11108
- C:\Windows\System\RPGNIMz.exe
  C:\Windows\System\RPGNIMz.exe
  2⤵
  PID:11140
- C:\Windows\System\DJgtRrW.exe
  C:\Windows\System\DJgtRrW.exe
  2⤵
  PID:11164
- C:\Windows\System\tQpbhYh.exe
  C:\Windows\System\tQpbhYh.exe
  2⤵
  PID:11204
- C:\Windows\System\lGtdHjH.exe
  C:\Windows\System\lGtdHjH.exe
  2⤵
  PID:11240
- C:\Windows\System\ptWBYyw.exe
  C:\Windows\System\ptWBYyw.exe
  2⤵
  PID:10260
- C:\Windows\System\XsACQBX.exe
  C:\Windows\System\XsACQBX.exe
  2⤵
  PID:10320
- C:\Windows\System\JIfqDtN.exe
  C:\Windows\System\JIfqDtN.exe
  2⤵
  PID:10400
- C:\Windows\System\AJAzRlJ.exe
  C:\Windows\System\AJAzRlJ.exe
  2⤵
  PID:10472
- C:\Windows\System\QFwRkPh.exe
  C:\Windows\System\QFwRkPh.exe
  2⤵
  PID:10528
- C:\Windows\System\PSobOlJ.exe
  C:\Windows\System\PSobOlJ.exe
  2⤵
  PID:10576
- C:\Windows\System\PEqgWsA.exe
  C:\Windows\System\PEqgWsA.exe
  2⤵
  PID:10668
- C:\Windows\System\mcYszIS.exe
  C:\Windows\System\mcYszIS.exe
  2⤵
  PID:10748
- C:\Windows\System\IMpShRE.exe
  C:\Windows\System\IMpShRE.exe
  2⤵
  PID:10812
- C:\Windows\System\iMJOFMi.exe
  C:\Windows\System\iMJOFMi.exe
  2⤵
  PID:10880
- C:\Windows\System\HZXpAuf.exe
  C:\Windows\System\HZXpAuf.exe
  2⤵
  PID:10940
- C:\Windows\System\PtlYlKQ.exe
  C:\Windows\System\PtlYlKQ.exe
  2⤵
  PID:10972
- C:\Windows\System\dNsLREU.exe
  C:\Windows\System\dNsLREU.exe
  2⤵
  PID:11056
- C:\Windows\System\QjNvIgm.exe
  C:\Windows\System\QjNvIgm.exe
  2⤵
  PID:11188
- C:\Windows\System\LWBuDoG.exe
  C:\Windows\System\LWBuDoG.exe
  2⤵
  PID:11236
- C:\Windows\System\BIlyUhX.exe
  C:\Windows\System\BIlyUhX.exe
  2⤵
  PID:10384
- C:\Windows\System\hqQqIzH.exe
  C:\Windows\System\hqQqIzH.exe
  2⤵
  PID:10448
- C:\Windows\System\OxhUwwg.exe
  C:\Windows\System\OxhUwwg.exe
  2⤵
  PID:10928
- C:\Windows\System\xMKGGst.exe
  C:\Windows\System\xMKGGst.exe
  2⤵
  PID:10936
- C:\Windows\System\deRoJxh.exe
  C:\Windows\System\deRoJxh.exe
  2⤵
  PID:9820
- C:\Windows\System\ozjJSzZ.exe
  C:\Windows\System\ozjJSzZ.exe
  2⤵
  PID:10508
- C:\Windows\System\fpAsXyN.exe
  C:\Windows\System\fpAsXyN.exe
  2⤵
  PID:10708
- C:\Windows\System\EneCDtI.exe
  C:\Windows\System\EneCDtI.exe
  2⤵
  PID:11300
- C:\Windows\System\RHCRVhM.exe
  C:\Windows\System\RHCRVhM.exe
  2⤵
  PID:11336
- C:\Windows\System\xhhncuy.exe
  C:\Windows\System\xhhncuy.exe
  2⤵
  PID:11392
- C:\Windows\System\bBSZSTA.exe
  C:\Windows\System\bBSZSTA.exe
  2⤵
  PID:11440
- C:\Windows\System\vWaOVHK.exe
  C:\Windows\System\vWaOVHK.exe
  2⤵
  PID:11456
- C:\Windows\System\FqPHjnE.exe
  C:\Windows\System\FqPHjnE.exe
  2⤵
  PID:11472
- C:\Windows\System\IVwbzso.exe
  C:\Windows\System\IVwbzso.exe
  2⤵
  PID:11488
- C:\Windows\System\ssHCIQj.exe
  C:\Windows\System\ssHCIQj.exe
  2⤵
  PID:11512
- C:\Windows\System\QDemkQc.exe
  C:\Windows\System\QDemkQc.exe
  2⤵
  PID:11528
- C:\Windows\System\xOKtipX.exe
  C:\Windows\System\xOKtipX.exe
  2⤵
  PID:11552
- C:\Windows\System\wqfKVhr.exe
  C:\Windows\System\wqfKVhr.exe
  2⤵
  PID:11572
- C:\Windows\System\ibCciVm.exe
  C:\Windows\System\ibCciVm.exe
  2⤵
  PID:11592
- C:\Windows\System\sCKwlzM.exe
  C:\Windows\System\sCKwlzM.exe
  2⤵
  PID:11636
- C:\Windows\System\lQGjfCF.exe
  C:\Windows\System\lQGjfCF.exe
  2⤵
  PID:11696
- C:\Windows\System\wrDcpvr.exe
  C:\Windows\System\wrDcpvr.exe
  2⤵
  PID:11720
- C:\Windows\System\DKdNwQI.exe
  C:\Windows\System\DKdNwQI.exe
  2⤵
  PID:11760
- C:\Windows\System\ERSXBEE.exe
  C:\Windows\System\ERSXBEE.exe
  2⤵
  PID:11792
- C:\Windows\System\THRvHKt.exe
  C:\Windows\System\THRvHKt.exe
  2⤵
  PID:11812
- C:\Windows\System\DklmgiV.exe
  C:\Windows\System\DklmgiV.exe
  2⤵
  PID:11864
- C:\Windows\System\yOWrhzP.exe
  C:\Windows\System\yOWrhzP.exe
  2⤵
  PID:11892
- C:\Windows\System\kehdcjl.exe
  C:\Windows\System\kehdcjl.exe
  2⤵
  PID:11928
- C:\Windows\System\KairjMp.exe
  C:\Windows\System\KairjMp.exe
  2⤵
  PID:11956
- C:\Windows\System\ZDVSZWc.exe
  C:\Windows\System\ZDVSZWc.exe
  2⤵
  PID:11976
- C:\Windows\System\yeWWHcc.exe
  C:\Windows\System\yeWWHcc.exe
  2⤵
  PID:12004
- C:\Windows\System\kLzqzgX.exe
  C:\Windows\System\kLzqzgX.exe
  2⤵
  PID:12040
- C:\Windows\System\fNjzxZM.exe
  C:\Windows\System\fNjzxZM.exe
  2⤵
  PID:12056
- C:\Windows\System\ZncfwAy.exe
  C:\Windows\System\ZncfwAy.exe
  2⤵
  PID:12088
- C:\Windows\System\tGlmJYn.exe
  C:\Windows\System\tGlmJYn.exe
  2⤵
  PID:12112
- C:\Windows\System\fIJCidU.exe
  C:\Windows\System\fIJCidU.exe
  2⤵
  PID:12144
- C:\Windows\System\jQzhyXy.exe
  C:\Windows\System\jQzhyXy.exe
  2⤵
  PID:12168
- C:\Windows\System\guPddmx.exe
  C:\Windows\System\guPddmx.exe
  2⤵
  PID:12184
- C:\Windows\System\KpFWHDm.exe
  C:\Windows\System\KpFWHDm.exe
  2⤵
  PID:12216
- C:\Windows\System\Jxtuhmc.exe
  C:\Windows\System\Jxtuhmc.exe
  2⤵
  PID:12236
- C:\Windows\System\CAYHMEF.exe
  C:\Windows\System\CAYHMEF.exe
  2⤵
  PID:12264
- C:\Windows\System\xIhdHMI.exe
  C:\Windows\System\xIhdHMI.exe
  2⤵
  PID:11256
- C:\Windows\System\dvQcPTw.exe
  C:\Windows\System\dvQcPTw.exe
  2⤵
  PID:11328
- C:\Windows\System\SabyGRd.exe
  C:\Windows\System\SabyGRd.exe
  2⤵
  PID:11408
- C:\Windows\System\HqKEjjA.exe
  C:\Windows\System\HqKEjjA.exe
  2⤵
  PID:11484
- C:\Windows\System\WdgQRSJ.exe
  C:\Windows\System\WdgQRSJ.exe
  2⤵
  PID:11520
- C:\Windows\System\uvaECpf.exe
  C:\Windows\System\uvaECpf.exe
  2⤵
  PID:11588
- C:\Windows\System\udUuMML.exe
  C:\Windows\System\udUuMML.exe
  2⤵
  PID:11748
- C:\Windows\System\PIIIepR.exe
  C:\Windows\System\PIIIepR.exe
  2⤵
  PID:11772
- C:\Windows\System\YhjLORs.exe
  C:\Windows\System\YhjLORs.exe
  2⤵
  PID:11844
- C:\Windows\System\XlkZrNE.exe
  C:\Windows\System\XlkZrNE.exe
  2⤵
  PID:11924
- C:\Windows\System\nWXdeWC.exe
  C:\Windows\System\nWXdeWC.exe
  2⤵
  PID:11964
- C:\Windows\System\FpUSCmH.exe
  C:\Windows\System\FpUSCmH.exe
  2⤵
  PID:12028
- C:\Windows\System\xcxfgrH.exe
  C:\Windows\System\xcxfgrH.exe
  2⤵
  PID:12076
- C:\Windows\System\IJUOFmR.exe
  C:\Windows\System\IJUOFmR.exe
  2⤵
  PID:12152
- C:\Windows\System\EgiaEcr.exe
  C:\Windows\System\EgiaEcr.exe
  2⤵
  PID:12200
- C:\Windows\System\gswtevJ.exe
  C:\Windows\System\gswtevJ.exe
  2⤵
  PID:12252
- C:\Windows\System\BKZTPiN.exe
  C:\Windows\System\BKZTPiN.exe
  2⤵
  PID:11384
- C:\Windows\System\aOSfgAd.exe
  C:\Windows\System\aOSfgAd.exe
  2⤵
  PID:11464
- C:\Windows\System\gxcIIiL.exe
  C:\Windows\System\gxcIIiL.exe
  2⤵
  PID:11632
- C:\Windows\System\RqHoSyZ.exe
  C:\Windows\System\RqHoSyZ.exe
  2⤵
  PID:11808
- C:\Windows\System\eShrhaK.exe
  C:\Windows\System\eShrhaK.exe
  2⤵
  PID:12096
- C:\Windows\System\PICQcGN.exe
  C:\Windows\System\PICQcGN.exe
  2⤵
  PID:12108
- C:\Windows\System\mCpszra.exe
  C:\Windows\System\mCpszra.exe
  2⤵
  PID:11452
- C:\Windows\System\GQqlIGh.exe
  C:\Windows\System\GQqlIGh.exe
  2⤵
  PID:11684
- C:\Windows\System\fwWoqiy.exe
  C:\Windows\System\fwWoqiy.exe
  2⤵
  PID:11912
- C:\Windows\System\nsXaLiq.exe
  C:\Windows\System\nsXaLiq.exe
  2⤵
  PID:12260
- C:\Windows\System\SICrWCN.exe
  C:\Windows\System\SICrWCN.exe
  2⤵
  PID:11900
- C:\Windows\System\YySkuqW.exe
  C:\Windows\System\YySkuqW.exe
  2⤵
  PID:12304
- C:\Windows\System\XKsluUM.exe
  C:\Windows\System\XKsluUM.exe
  2⤵
  PID:12336
- C:\Windows\System\YyKLceF.exe
  C:\Windows\System\YyKLceF.exe
  2⤵
  PID:12356
- C:\Windows\System\RMNPcYJ.exe
  C:\Windows\System\RMNPcYJ.exe
  2⤵
  PID:12376
- C:\Windows\System\gqQOLwk.exe
  C:\Windows\System\gqQOLwk.exe
  2⤵
  PID:12412
- C:\Windows\System\BvqpkzC.exe
  C:\Windows\System\BvqpkzC.exe
  2⤵
  PID:12456
- C:\Windows\System\KIUsCcX.exe
  C:\Windows\System\KIUsCcX.exe
  2⤵
  PID:12484
- C:\Windows\System\tJOWZXY.exe
  C:\Windows\System\tJOWZXY.exe
  2⤵
  PID:12512
- C:\Windows\System\PUDBOoW.exe
  C:\Windows\System\PUDBOoW.exe
  2⤵
  PID:12528
- C:\Windows\System\HTRhEXu.exe
  C:\Windows\System\HTRhEXu.exe
  2⤵
  PID:12556
- C:\Windows\System\JyQAJDh.exe
  C:\Windows\System\JyQAJDh.exe
  2⤵
  PID:12592
- C:\Windows\System\brcHeXN.exe
  C:\Windows\System\brcHeXN.exe
  2⤵
  PID:12612
- C:\Windows\System\nqLtjLv.exe
  C:\Windows\System\nqLtjLv.exe
  2⤵
  PID:12628
- C:\Windows\System\NJCCCFS.exe
  C:\Windows\System\NJCCCFS.exe
  2⤵
  PID:12664
- C:\Windows\System\OaOCGos.exe
  C:\Windows\System\OaOCGos.exe
  2⤵
  PID:12700
- C:\Windows\System\thRtQtB.exe
  C:\Windows\System\thRtQtB.exe
  2⤵
  PID:12728
- C:\Windows\System\GleNtts.exe
  C:\Windows\System\GleNtts.exe
  2⤵
  PID:12756
- C:\Windows\System\WzpHzLT.exe
  C:\Windows\System\WzpHzLT.exe
  2⤵
  PID:12772
- C:\Windows\System\NfGEZRu.exe
  C:\Windows\System\NfGEZRu.exe
  2⤵
  PID:12812
- C:\Windows\System\ViyIPfw.exe
  C:\Windows\System\ViyIPfw.exe
  2⤵
  PID:12836
- C:\Windows\System\gPESVLk.exe
  C:\Windows\System\gPESVLk.exe
  2⤵
  PID:12864
- C:\Windows\System\IrZsrBb.exe
  C:\Windows\System\IrZsrBb.exe
  2⤵
  PID:12884
- C:\Windows\System\XkFqKbg.exe
  C:\Windows\System\XkFqKbg.exe
  2⤵
  PID:12908
- C:\Windows\System\pgrYemj.exe
  C:\Windows\System\pgrYemj.exe
  2⤵
  PID:12936
- C:\Windows\System\Kmylvcd.exe
  C:\Windows\System\Kmylvcd.exe
  2⤵
  PID:12972
- C:\Windows\System\hNhtlZT.exe
  C:\Windows\System\hNhtlZT.exe
  2⤵
  PID:13008
- C:\Windows\System\jImhPri.exe
  C:\Windows\System\jImhPri.exe
  2⤵
  PID:13028
- C:\Windows\System\lrViFbL.exe
  C:\Windows\System\lrViFbL.exe
  2⤵
  PID:13068
- C:\Windows\System\tzNPPGw.exe
  C:\Windows\System\tzNPPGw.exe
  2⤵
  PID:13096
- C:\Windows\System\fsYuNfY.exe
  C:\Windows\System\fsYuNfY.exe
  2⤵
  PID:13124
- C:\Windows\System\NbsfwNm.exe
  C:\Windows\System\NbsfwNm.exe
  2⤵
  PID:13152
- C:\Windows\System\ewIKdRA.exe
  C:\Windows\System\ewIKdRA.exe
  2⤵
  PID:13184
- C:\Windows\System\yJQhtuo.exe
  C:\Windows\System\yJQhtuo.exe
  2⤵
  PID:13204
- C:\Windows\System\vHNiDHL.exe
  C:\Windows\System\vHNiDHL.exe
  2⤵
  PID:13232
- C:\Windows\System\kVfdJTM.exe
  C:\Windows\System\kVfdJTM.exe
  2⤵
  PID:13260
- C:\Windows\System\RQMGOzm.exe
  C:\Windows\System\RQMGOzm.exe
  2⤵
  PID:13300
- C:\Windows\System\HQQKBtU.exe
  C:\Windows\System\HQQKBtU.exe
  2⤵
  PID:11716
- C:\Windows\System\gzuDAoZ.exe
  C:\Windows\System\gzuDAoZ.exe
  2⤵
  PID:2552
- C:\Windows\System\KNVEjAq.exe
  C:\Windows\System\KNVEjAq.exe
  2⤵
  PID:12352
- C:\Windows\System\xcMuYpt.exe
  C:\Windows\System\xcMuYpt.exe
  2⤵
  PID:12440
- C:\Windows\System\vnUApUJ.exe
  C:\Windows\System\vnUApUJ.exe
  2⤵
  PID:12476
- C:\Windows\System\gbEFxDO.exe
  C:\Windows\System\gbEFxDO.exe
  2⤵
  PID:12540
- C:\Windows\System\KiWmnGA.exe
  C:\Windows\System\KiWmnGA.exe
  2⤵
  PID:12624
- C:\Windows\System\DJgMNkL.exe
  C:\Windows\System\DJgMNkL.exe
  2⤵
  PID:12684
- C:\Windows\System\OCOhwCT.exe
  C:\Windows\System\OCOhwCT.exe
  2⤵
  PID:12800
- C:\Windows\System\PHokVCa.exe
  C:\Windows\System\PHokVCa.exe
  2⤵
  PID:12796
- C:\Windows\System\jyIAQFq.exe
  C:\Windows\System\jyIAQFq.exe
  2⤵
  PID:12828
- C:\Windows\System\qiwNEmU.exe
  C:\Windows\System\qiwNEmU.exe
  2⤵
  PID:12988
- C:\Windows\System\VYsUAzD.exe
  C:\Windows\System\VYsUAzD.exe
  2⤵
  PID:12968

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hjka4o3f.kij.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AobJQry.exe

Filesize
2.7MB

MD5
7f1bda63828760bf6957fa1cf7d42df7

SHA1
64d9d405ee490edd980d6911a0bf71b21b81f074

SHA256
4a4c5b8bdf9901cd9669c5c3f695a927e46c7d74185ecb6dc3d669b02584ee3a

SHA512
cf4d74971318a266098d6cb8fd738a2ccdc94caa8b76bb365d1e51fd55a143d67f89d011afa202815db21ec8e939f48481d4e49264e8135d13b46092b0408318

Download Submit
C:\Windows\System\DtDMJfz.exe

Filesize
2.7MB

MD5
831469ec03e8d4e54267aaeb16545952

SHA1
bdd8bf65e84fd5a8d449712d728f3f1b5c1896c4

SHA256
aa000d8f4fe25e9de5ee6eea8d23c1019de501f6d512d584949be2a980b2f1ca

SHA512
2ae408650efa282f494cf9a8da9f875f93ee1897629e0d698481f89b2ab9ff7d1249988fc2d285c2a6ad9aba5fe335b1cf1eca29268ffc25f9ee1a568d9cf593

Download Submit
C:\Windows\System\IdYjzhN.exe

Filesize
2.7MB

MD5
e791d4c18c21fc6f1e40d7efc3be9f4b

SHA1
1604d8518fad9db20c184728dc120e62ed4e246b

SHA256
62930aa80619bd660d0a2ea90e6e15f239abdc507d05eccd4f4ebf9c26767d4f

SHA512
8f63a230d686b504969c6f4dc5f74ba6b0d592c632ab1496c61ce48425d3d7976f70847a280041b73f31b4e930e8b2b390c5c6f0c7fa0530dd26765cffb3734f

Download Submit
C:\Windows\System\InjUNDb.exe

Filesize
2.7MB

MD5
e35df7e627d55c6c44fc4c6b2fbb28ff

SHA1
43ae74908aff495461b3cee1bf1f45fc5668953a

SHA256
4b3b877cd2e8ffaa77b14fda7484599f0b32f5700e883d86eeac1402a5f79e12

SHA512
14de4d03214f4f979ffa0e63b3bf1fbbf1af042a8d54ae15436647f08c0094051c8c790d842449f3528eef1654afdd5a6c02835ea04d2b1d6113a2f108f54ea6

Download Submit
C:\Windows\System\JbFywaV.exe

Filesize
2.7MB

MD5
045fd25621324306f44f04e86dbce03c

SHA1
21f01154918002a83cb3d83bdcff34c2fe901c1b

SHA256
c80a92fb532288f14f14e61e3560ec0c9a5b7dd8a35a8b53adc79370437d48fd

SHA512
452d8cf858312698afdb84ef3d09b6a4cd95422d81d5933c454958749888f37b17a42fcdb19ffad81abc2e4cb6365496d769c45234dbcc7810a5fd39968ae880

Download Submit
C:\Windows\System\KNCltXq.exe

Filesize
2.7MB

MD5
de08aa0b9245220ebcf107822f73b4bb

SHA1
19239234e5d9c29ca3b9c9f801c39e5a21d20ffd

SHA256
a545020cb897350a4c153ebfed436a082466d35efdbc9916b534f80fd1f67820

SHA512
b034b80db7af4726451866fb03d6b7070314816eddb2d85389a6004c25fcf616035980d7828fd384aa5e206c268f5befc9e3d30d366f1e9db5b34fd08319010a

Download Submit
C:\Windows\System\KhDDFKO.exe

Filesize
2.7MB

MD5
4d36918aeec2653551e2767adff5481d

SHA1
05f26a0d475a70df71d38592fdbad7dcb47e8ebc

SHA256
660f974bb5fe47cdf8be777aa707d2d4396fe9ebc2f0e338394da6aab9488052

SHA512
86faabf6fbc7c8d52b259d7a03a6bcfcdc98783b4dfa5f58d089551b0e099c8fe0be175a400004fc8b075295742770af9456dbd8cf0020356c116278876b258b

Download Submit
C:\Windows\System\KjmwfTV.exe

Filesize
8B

MD5
2adac273ce248e8d242a4b12f749bb46

SHA1
300bd2c60c669d978305195f11eaf26c73d9e457

SHA256
5a695799bf8f73300a4f9c4a59fd25b209a2457abf1051a262d540e520557456

SHA512
011941b215532355e8e4d21af78180da68d2fe04927118ebe818ec14ec4bfb6a7a2d9aaa01fdfd0cd2c6dc84968b5f642ccf10cc92c29aa0e1d06bcf6f120232

Download Submit
C:\Windows\System\LruzLFl.exe

Filesize
2.7MB

MD5
daa30bd5aab7f73a3305a21799c04783

SHA1
db478b163211e77b9167c64c5db1ab9fc4db875c

SHA256
bb916e789cd21bbd682696f93f6587da02972e82a0d5bb25abb339ed7713b61f

SHA512
9cceb3f21bff53f07841d438f87eb093cd6fba2468dede905aef0b6b449ccfb283f25c7f3c8db6e9d3578a23151e26fecc9d00623afe834191a1f203ea4f8369

Download Submit
C:\Windows\System\MvrkEKh.exe

Filesize
2.7MB

MD5
a8ee1186130d2e7ff7d123a8930bb575

SHA1
5ed7af56115b5ee49d8a62e8e90ceb518a419c63

SHA256
8e836ab7154ac6810177011580b3475b8fe466a3b50d4f41106b17adee6effb6

SHA512
f58c82c890026cf0b7a6b516a54e3bfa386aca2fc38909bfb89ee43b72304e1aa4800919c97b55c209c243f035e9d26b750e8c141d7a8af4c92702f5f8dda493

Download Submit
C:\Windows\System\PfAMFYB.exe

Filesize
2.7MB

MD5
6d890cff5bcbb16ae5323fd13e14af72

SHA1
261f53ab2c69e8f68503d40f13e5cf265e4350fa

SHA256
818c9107c142ab5efac17570909280fded5c9e240de9360899e6f7055356114a

SHA512
ddcf2dcacd446256a62b6f7ebc3d08a6356ee3059d51fe8d4732189a68520f9e75b4fa19dc0c31cb7d3756658f9ccefd54a97d218edb66d446d40b8551fde39a

Download Submit
C:\Windows\System\QYGtNCv.exe

Filesize
2.7MB

MD5
dd823d3bf022393f05d2dda3f0d1401f

SHA1
503659fe73aa4e9f72e617a3d7019f4421fe4c32

SHA256
d629ed9f85f8208b6094c07fea0cab45e247a66ed01105f181ee6ffaf4fd6286

SHA512
6f32eb1550bdffb5c3f34a99bf713c7f9069a476677d9cfa249fd1bd59d51fd9260a7dc7b9c4b7fb0968e3d40f12ab7643ca40c42df1a61524d31d740639160a

Download Submit
C:\Windows\System\QxyTXsa.exe

Filesize
2.7MB

MD5
0fc7cec98f8af80be8abe92e031bd7c6

SHA1
70a7c0b0c743e2f1592d42ef6be48dee3aeebb0c

SHA256
18216de4a9e3b20c66ce5df2ff3772c01f8a554c740a2c15ae9c522733709d8a

SHA512
66ce38f8fdc17959b266a40720766723775d6344c1c5e7f7700e90ec182b03dba0356886eed476ce9ab82af58e6391010b39ffd46efc19cc96f01c6a6a1adc5a

Download Submit
C:\Windows\System\RCNOyBQ.exe

Filesize
2.7MB

MD5
d4c0548f5273595be71522d9396e5666

SHA1
62bb8cc6727011adc306e814e9be5e4545d7618b

SHA256
f53685582be4a46c59cdfad79d4ac8fd976c091207f619e622abcf547ae8b682

SHA512
f80d0b7472dfe1cce0c2b7a50962840aeee64e06cab2b9bb10dfc72bed9aa30a315aa32764c91118ac9f53b2413c8fe7c175284dbcf045d30579d7a633d11c16

Download Submit
C:\Windows\System\RXEsWeK.exe

Filesize
2.7MB

MD5
332cf0932737e2ec9c504b51dfd5141d

SHA1
92e4e320479db2fbfd0a3c12ef04c4b57e4dff3a

SHA256
3349bc606162163eb09054bca97852a333c4af1024c6a62c99bd92de83e290ba

SHA512
833f849438746dc1ed4beecd4db10fdaa813b1bcf46165282fe22b8a904bee093191789b5ec57a3e54b16e2c0b771f1678e264e15fbb71259b651799a485d5c2

Download Submit
C:\Windows\System\TFWZjLo.exe

Filesize
2.7MB

MD5
12412bc420949569642c8a0bb4b1b083

SHA1
e7992a40cbe39ae0d06d0a7b6f5634c979fffa19

SHA256
93387d5954f1b90cdce8271c85b2a2ebd2e3f842e308a753153df60c9c14ebcc

SHA512
1b7d3093d66fa91baea9e1fe0c482fc1e15a6bac277a0c7724997891ad80ccdaf4bfca79c5bac740218945258bee9c49cf1648f1cbaa622d8079c53a6d7901a2

Download Submit
C:\Windows\System\WzaPzvg.exe

Filesize
2.7MB

MD5
075335d3c1aab6b8e90e0999da0c400a

SHA1
79a0e6c0180b227099b37776d4659fe3792f2766

SHA256
e61898c642e520940ff126332c7d2a25da2f03de0730ced432201932a010f126

SHA512
0ccfab2f1cfcfdb764ffdb1fa0b8e4f00729ac987767c5fb4fc2875aedcddb3a620169ea8af7a7ab6befcffecfdb532c4f4c409ef7d72911c85c09323ffcc8bf

Download Submit
C:\Windows\System\ZCpYoXf.exe

Filesize
2.7MB

MD5
fcc8600207b462ccd512c64f34acbd93

SHA1
c2726f37673429c9a8985ba015c0eb4d2d105787

SHA256
7d07c981287f41bb6e5e2436c925088f70aa175b7da21e6633cf75c9a54363a1

SHA512
56f8c61f368b6140ff604a50ef47429a0e084765015116033bef1aecf1a6ff387a2b2c00ba41cf9417b3759bfbefdf0b7db986b9f3ed18100a69e3f2e10675a0

Download Submit
C:\Windows\System\ZEsSeRE.exe

Filesize
2.7MB

MD5
0135224b5b4a2ba1d091961f43da02d6

SHA1
20a998d4e210ff6a166f7caaaebb38763147de28

SHA256
1a403e19a6db45263fdad688781ff4f5b457ee4c705c58dfa784b074fe8a1ef6

SHA512
44d916bd6aa9c19f8bfb9de288f1ebf5a0c7a853cbe4be69c1a9de94fe613c4008750b13835c540d381ec35f31c6ea858d11d93cd71f612d0603bdec274da7c4

Download Submit
C:\Windows\System\ZMsLvpm.exe

Filesize
2.7MB

MD5
593c9fbcbfa50d15d407b812cbe56156

SHA1
71b9bddcce2bfbc5a5d5a6d08e0ae021d0ff2a98

SHA256
36a2e32efba3f0308d2e9c122ec121edd272d69b75afc9619f822c41bdabbeb4

SHA512
1bee4ebe946bacc572b3b45b86114e3ef260dadaba42b71cd45b3b13f1ee288b4886633dc93548a203b84605683842ccdfb51cb7da5e86ac1288d308680204f5

Download Submit
C:\Windows\System\aPfhqhW.exe

Filesize
2.7MB

MD5
de797f1ef99b09f88d79abe3eb46bdfd

SHA1
ab94510fe65234f99c4fde6389faa79e2f8d43e3

SHA256
311e0e3638bd86603d0e1a4d9baa51705cd89b8ba76722019e4f07909e0fad66

SHA512
75117f95863a92cc0536257790bfd945730123d705d240b45f157079b1dbced41e0e99c93824c079389c5f482f544c96bb83eb88c9021618d5f9e068887755bd

Download Submit
C:\Windows\System\erjpoNX.exe

Filesize
2.7MB

MD5
bf131088c24119dc54dbbdfa4b9866b5

SHA1
9b44f91559093cd64a246ab83045adcb03037341

SHA256
69a4c1f03a58630d2ff77987ed32bbe02f1552bc1548a43eabbf088e2cb75d95

SHA512
5c3ca5a7e611021036ee50c997a6c71be6badef288aaf0f4895e08875b1bb6289e6958dec0ef920558ff4978144c667a25f96cf905109f6ba2cf61f0cc30b29f

Download Submit
C:\Windows\System\hLlLePt.exe

Filesize
2.7MB

MD5
925d555998f46a8f9f1d8b468fd3682e

SHA1
bb544099b53b34316f4d01868f5594df227a8396

SHA256
f2f29aa016fc6161b3eeae29b200fba0dc15e3678c02ec55c027f7172ab647a0

SHA512
7fdac067a46defc5f021f447c32a890a6c39af3776454d05c50765aeffcbd78846b5c0427e568ad7f6a597221b88750b5a8ac21742e7f8727133409479a6cb19

Download Submit
C:\Windows\System\jconFLU.exe

Filesize
2.7MB

MD5
01dd7e84d1138f69edc29609c52644d8

SHA1
66d0732953ed19a98ae90d0e9bf861ef0137f035

SHA256
7e59b21b22a056fbff57498fc9bb69f730cd77fa85199c267e5575e21a0b7589

SHA512
f06d634ce54e37f655a6261ff2a5615b03619c58a58e635eaf33748e8fbbc6f709e488a51b0213f33f9930d7d7a4451eba5de3bed9fd90911326057ebfbfe2dd

Download Submit
C:\Windows\System\mJtuFLh.exe

Filesize
2.7MB

MD5
7aaea4677fcfc032d21b3f653a2e726d

SHA1
1b02965e1d4b3080eae5ac4bdddc406146679416

SHA256
29855bae28cb3d0d9d3a1b7dc561b700496e31ba196699f09f29f8ae54c54514

SHA512
567defa71ad44478d493a785128dbc06eebc12dfe217fa871ebd8fd0d93d4cdfef5d439b4fb369845902778fe776b954e4a893fc31ca8463056072e1ec4b0088

Download Submit
C:\Windows\System\mdSWjTY.exe

Filesize
2.7MB

MD5
d4cc9ad770ac7a4c9cca4482debf5a72

SHA1
3573e7f846bba538ec99effbd048d34009122f44

SHA256
ffaaaae0b8193e3006fad36df53af226ac88dbeeb6d33064265f76b90d13836b

SHA512
18dd3029b3c4a753b74f66fffb468d65864a727c005c5ec2b99ca6ac59edfb55c8c0c5637bf4aba67d5b7c8d79f3541b2bde4bffc8e59de1bdaff8ccd45ba5c6

Download Submit
C:\Windows\System\nKLjBvu.exe

Filesize
2.7MB

MD5
74fcfc9ffc686753744f031739e42748

SHA1
32e78c27fd5acf2b2a92315cb1173e37dc55505d

SHA256
65152716ed8059f3d2303331ac500ac99a5100bf505df807fb5abec3865dd558

SHA512
63990445d7b001bdbd927b511743a87bac1c41a60da3ac8d7557c494b210560bf881b3b6d6ceee0fa486851b138635d053c11d8b5fb09022df7ca399f0541ab9

Download Submit
C:\Windows\System\ncOkaIo.exe

Filesize
2.7MB

MD5
b88c1d3ad88f060413458ce27cac3fa2

SHA1
eed12413b78bedadefc9e3667d807668d62ad8f3

SHA256
c741ea82099a150ab714e6220e22742d43b52ce6419794efab26fb65f4966c69

SHA512
197454ed2aeaadee30b59336ff0500cb563e257bdfb35aec1533c0cc8e9306566f03cec536da37b1bf28f16bb5f27a320b84cefd2cc53a9a9595dc0cdbebdbc1

Download Submit
C:\Windows\System\nfCCsos.exe

Filesize
2.7MB

MD5
7fcafa0671cac58eade64ef8a03659c7

SHA1
40d4f6b1bb2b01706054cbea9fc88ea460615c9a

SHA256
4630db5c5982893b1b353d1857f86ceda990bcbc410f63f2722f2173eac00d92

SHA512
35621af189c8deffa91f751e3374a9d41deb05da78f54907aaaf7dda5b94110575e8fab85b520bd237045ae3a06139f147fab50f21fcce4682f7dc89a678719d

Download Submit
C:\Windows\System\rCOgwRL.exe

Filesize
2.7MB

MD5
476c486cfd22d6218c530f268fa06033

SHA1
45b4c7fba7a1e199ccbbb44cdcde2bef16a20540

SHA256
f79bbd857da1d10d0f42cb4e2c9d3a995a7d41e764e39326ad71506161abfda1

SHA512
b2f0461e4b22c2fde7e4eb8d0588a01179bea26bf3efede036b39848c238d1bfb9a9231596ede112eb5691426a64157069890d6547fc1367c75f2acbcb528a65

Download Submit
C:\Windows\System\rulSwbs.exe

Filesize
2.7MB

MD5
fe634f4226fe993932e5bb1ab04e6b6d

SHA1
35314f541b7116174670be5dd6eb9015af419c18

SHA256
f21389a659dcc9c063fb6f9717965faffa46909f7ea930f75660e8696e1389de

SHA512
a3de9f87984f2becfa8bf8a83eb82f15262004320ebd1ea93fb48786befc2bb282e72ad2498b3edb4a23e414da3dfcbfdd6243116b848498f079640609177920

Download Submit
C:\Windows\System\suLbZFJ.exe

Filesize
2.7MB

MD5
1731693f1c22b55c06a020b4155b9a9f

SHA1
7cbb50f903db0177f1a4337c4fca28ba3708b276

SHA256
6defc0d60fc0e08eb6942707ee5214268320348c082ffe7bcd2731ccc46b1976

SHA512
8d3957d38d9e54041d0c7a6cbdcf2aa152358cd21db0f6d851bae378097713d4848f7259be6a1a3ebb7aad00dc0e2a970a5f896ab9bf370c9ddf679c1439c5a6

Download Submit
C:\Windows\System\yGXcnut.exe

Filesize
2.7MB

MD5
60923ff63c8025fe33932fd37af906a4

SHA1
63c8b1abb4439ed092a2512ed01064e87d33af6c

SHA256
945bb26e4032e1ad6fa82743614e19c2837866ed78405e622d669467f383febb

SHA512
36d8cef380e2d5bbdaa07745f670dbdc587f6726334b6fea5586f3d0bee5b2ba0bd9f73068bc17e0e19ba07542e622352ad10877d91a555f0b41e41223193bca

Download Submit
C:\Windows\System\zrGREur.exe

Filesize
2.7MB

MD5
b2d7d11f8abd22c458c8f0f4be4b5310

SHA1
4961ebce3c9356225dea0e321f61c55885616d78

SHA256
9c1bcd4d845ce9c4ae26cbe142b8401207f4c2084c60f7c09e619940f5333aae

SHA512
0caeb8d1dd380ddaa09eaf12771f057ff61ddc39d783da24510846e0b9b08f45e37b4db7de9a2b23d0c8df1fd15c9464685d2ba607c752e212da74572cea03f3

Download Submit
memory/612-2049-0x00007FF7B2C00000-0x00007FF7B2FF6000-memory.dmp

Filesize
4.0MB

Download
memory/612-145-0x00007FF7B2C00000-0x00007FF7B2FF6000-memory.dmp

Filesize
4.0MB

Download
memory/944-2051-0x00007FF6BF4C0000-0x00007FF6BF8B6000-memory.dmp

Filesize
4.0MB

Download
memory/944-120-0x00007FF6BF4C0000-0x00007FF6BF8B6000-memory.dmp

Filesize
4.0MB

Download
memory/952-129-0x00007FF749DE0000-0x00007FF74A1D6000-memory.dmp

Filesize
4.0MB

Download
memory/952-2052-0x00007FF749DE0000-0x00007FF74A1D6000-memory.dmp

Filesize
4.0MB

Download
memory/1068-2066-0x00007FF65E4F0000-0x00007FF65E8E6000-memory.dmp

Filesize
4.0MB

Download
memory/1068-2036-0x00007FF65E4F0000-0x00007FF65E8E6000-memory.dmp

Filesize
4.0MB

Download
memory/1068-144-0x00007FF65E4F0000-0x00007FF65E8E6000-memory.dmp

Filesize
4.0MB

Download
memory/1272-2063-0x00007FF72ACE0000-0x00007FF72B0D6000-memory.dmp

Filesize
4.0MB

Download
memory/1272-142-0x00007FF72ACE0000-0x00007FF72B0D6000-memory.dmp

Filesize
4.0MB

Download
memory/1272-2034-0x00007FF72ACE0000-0x00007FF72B0D6000-memory.dmp

Filesize
4.0MB

Download
memory/1560-128-0x00007FF7A8DB0000-0x00007FF7A91A6000-memory.dmp

Filesize
4.0MB

Download
memory/1560-2050-0x00007FF7A8DB0000-0x00007FF7A91A6000-memory.dmp

Filesize
4.0MB

Download
memory/1660-132-0x00007FF692360000-0x00007FF692756000-memory.dmp

Filesize
4.0MB

Download
memory/1660-2060-0x00007FF692360000-0x00007FF692756000-memory.dmp

Filesize
4.0MB

Download
memory/1704-136-0x00007FF688240000-0x00007FF688636000-memory.dmp

Filesize
4.0MB

Download
memory/1704-2059-0x00007FF688240000-0x00007FF688636000-memory.dmp

Filesize
4.0MB

Download
memory/2260-1-0x0000020EE4580000-0x0000020EE4590000-memory.dmp

Filesize
64KB

Download
memory/2260-0-0x00007FF68E8E0000-0x00007FF68ECD6000-memory.dmp

Filesize
4.0MB

Download
memory/2412-139-0x00007FF65C140000-0x00007FF65C536000-memory.dmp

Filesize
4.0MB

Download
memory/2412-2068-0x00007FF65C140000-0x00007FF65C536000-memory.dmp

Filesize
4.0MB

Download
memory/2412-2031-0x00007FF65C140000-0x00007FF65C536000-memory.dmp

Filesize
4.0MB

Download
memory/2460-2048-0x00007FF652880000-0x00007FF652C76000-memory.dmp

Filesize
4.0MB

Download
memory/2460-33-0x00007FF652880000-0x00007FF652C76000-memory.dmp

Filesize
4.0MB

Download
memory/2688-2069-0x00007FF7E9350000-0x00007FF7E9746000-memory.dmp

Filesize
4.0MB

Download
memory/2688-141-0x00007FF7E9350000-0x00007FF7E9746000-memory.dmp

Filesize
4.0MB

Download
memory/2688-2033-0x00007FF7E9350000-0x00007FF7E9746000-memory.dmp

Filesize
4.0MB

Download
memory/2724-147-0x00007FF659480000-0x00007FF659876000-memory.dmp

Filesize
4.0MB

Download
memory/2724-2055-0x00007FF659480000-0x00007FF659876000-memory.dmp

Filesize
4.0MB

Download
memory/2836-135-0x00007FF6CFA00000-0x00007FF6CFDF6000-memory.dmp

Filesize
4.0MB

Download
memory/2836-2062-0x00007FF6CFA00000-0x00007FF6CFDF6000-memory.dmp

Filesize
4.0MB

Download
memory/3040-2065-0x00007FF7D3FB0000-0x00007FF7D43A6000-memory.dmp

Filesize
4.0MB

Download
memory/3040-140-0x00007FF7D3FB0000-0x00007FF7D43A6000-memory.dmp

Filesize
4.0MB

Download
memory/3040-2032-0x00007FF7D3FB0000-0x00007FF7D43A6000-memory.dmp

Filesize
4.0MB

Download
memory/3160-2037-0x00007FF649500000-0x00007FF6498F6000-memory.dmp

Filesize
4.0MB

Download
memory/3160-148-0x00007FF649500000-0x00007FF6498F6000-memory.dmp

Filesize
4.0MB

Download
memory/3160-2064-0x00007FF649500000-0x00007FF6498F6000-memory.dmp

Filesize
4.0MB

Download
memory/3508-134-0x00007FF6F8AD0000-0x00007FF6F8EC6000-memory.dmp

Filesize
4.0MB

Download
memory/3508-2054-0x00007FF6F8AD0000-0x00007FF6F8EC6000-memory.dmp

Filesize
4.0MB

Download
memory/3568-130-0x00007FF77FA30000-0x00007FF77FE26000-memory.dmp

Filesize
4.0MB

Download
memory/3568-2057-0x00007FF77FA30000-0x00007FF77FE26000-memory.dmp

Filesize
4.0MB

Download
memory/3736-2030-0x00007FF7A8C20000-0x00007FF7A9016000-memory.dmp

Filesize
4.0MB

Download
memory/3736-2070-0x00007FF7A8C20000-0x00007FF7A9016000-memory.dmp

Filesize
4.0MB

Download
memory/3736-137-0x00007FF7A8C20000-0x00007FF7A9016000-memory.dmp

Filesize
4.0MB

Download
memory/4012-131-0x00007FF7F51A0000-0x00007FF7F5596000-memory.dmp

Filesize
4.0MB

Download
memory/4012-2058-0x00007FF7F51A0000-0x00007FF7F5596000-memory.dmp

Filesize
4.0MB

Download
memory/4040-133-0x00007FF77FA00000-0x00007FF77FDF6000-memory.dmp

Filesize
4.0MB

Download
memory/4040-2061-0x00007FF77FA00000-0x00007FF77FDF6000-memory.dmp

Filesize
4.0MB

Download
memory/4120-2067-0x00007FF7FEE70000-0x00007FF7FF266000-memory.dmp

Filesize
4.0MB

Download
memory/4120-2035-0x00007FF7FEE70000-0x00007FF7FF266000-memory.dmp

Filesize
4.0MB

Download
memory/4120-143-0x00007FF7FEE70000-0x00007FF7FF266000-memory.dmp

Filesize
4.0MB

Download
memory/4240-138-0x00007FF7C6870000-0x00007FF7C6C66000-memory.dmp

Filesize
4.0MB

Download
memory/4240-2056-0x00007FF7C6870000-0x00007FF7C6C66000-memory.dmp

Filesize
4.0MB

Download
memory/4988-24-0x00007FF65B950000-0x00007FF65BD46000-memory.dmp

Filesize
4.0MB

Download
memory/4988-2047-0x00007FF65B950000-0x00007FF65BD46000-memory.dmp

Filesize
4.0MB

Download
memory/5016-2053-0x00007FF656ED0000-0x00007FF6572C6000-memory.dmp

Filesize
4.0MB

Download
memory/5016-146-0x00007FF656ED0000-0x00007FF6572C6000-memory.dmp

Filesize
4.0MB

Download
memory/5056-125-0x0000021455310000-0x0000021455332000-memory.dmp

Filesize
136KB

Download
memory/5056-2028-0x00007FFC66ED0000-0x00007FFC67991000-memory.dmp

Filesize
10.8MB

Download
memory/5056-2046-0x00007FFC66ED0000-0x00007FFC67991000-memory.dmp

Filesize
10.8MB

Download
memory/5056-101-0x00007FFC66ED0000-0x00007FFC67991000-memory.dmp

Filesize
10.8MB

Download
memory/5056-67-0x00007FFC66ED0000-0x00007FFC67991000-memory.dmp

Filesize
10.8MB

Download
memory/5056-2029-0x00007FFC66ED3000-0x00007FFC66ED5000-memory.dmp

Filesize
8KB

Download
memory/5056-34-0x00007FFC66ED3000-0x00007FFC66ED5000-memory.dmp

Filesize
8KB

Download
memory/5056-228-0x0000021455F70000-0x0000021456716000-memory.dmp

Filesize
7.6MB

Download