xmrig | f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9

Analysis

max time kernel
128s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
Size

1.7MB
MD5

15d3da1d76972bfbcbf5c19e5d475380
SHA1

a666c15e0d73241a00a9c19e085475889cb4deaa
SHA256

f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9
SHA512

3c671ddd281b177ca3095809480e0789403ea62bc7f7507c42f8e4121ac4b758bf48b198a2f7298f3bc322b8f3cae38184b83f4be933e8cf51af956a03b226b7
SSDEEP

24576:BezaTnG99Q8FcNrpyNdfE0bLBgDOp2iSLz9LbEwlKjpv32wT83PzKgAm0PyFLb/B:BezaTF8FcNkNdfE0pZ9ozt4wIXGvAFef

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/1564-0-0x00007FF6574C0000-0x00007FF657814000-memory.dmp	UPX
behavioral2/files/0x000800000002342d-5.dat	UPX
behavioral2/memory/1540-12-0x00007FF7835F0000-0x00007FF783944000-memory.dmp	UPX
behavioral2/memory/392-32-0x00007FF6633A0000-0x00007FF6636F4000-memory.dmp	UPX
behavioral2/files/0x0007000000023434-21.dat	UPX
behavioral2/files/0x0007000000023432-18.dat	UPX
behavioral2/files/0x0007000000023431-9.dat	UPX
behavioral2/files/0x0007000000023439-48.dat	UPX
behavioral2/files/0x000700000002343f-75.dat	UPX
behavioral2/files/0x000700000002343a-106.dat	UPX
behavioral2/files/0x000700000002344e-141.dat	UPX
behavioral2/files/0x0007000000023448-156.dat	UPX
behavioral2/memory/668-200-0x00007FF639170000-0x00007FF6394C4000-memory.dmp	UPX
behavioral2/memory/1944-213-0x00007FF7A4DE0000-0x00007FF7A5134000-memory.dmp	UPX
behavioral2/memory/3272-221-0x00007FF71CCA0000-0x00007FF71CFF4000-memory.dmp	UPX
behavioral2/memory/5092-224-0x00007FF7E3CF0000-0x00007FF7E4044000-memory.dmp	UPX
behavioral2/memory/4052-223-0x00007FF75BD70000-0x00007FF75C0C4000-memory.dmp	UPX
behavioral2/memory/1208-222-0x00007FF7196F0000-0x00007FF719A44000-memory.dmp	UPX
behavioral2/memory/4244-220-0x00007FF730040000-0x00007FF730394000-memory.dmp	UPX
behavioral2/memory/3596-219-0x00007FF7D4980000-0x00007FF7D4CD4000-memory.dmp	UPX
behavioral2/memory/4936-218-0x00007FF73B0E0000-0x00007FF73B434000-memory.dmp	UPX
behavioral2/memory/1652-217-0x00007FF75B110000-0x00007FF75B464000-memory.dmp	UPX
behavioral2/memory/4232-216-0x00007FF66DE80000-0x00007FF66E1D4000-memory.dmp	UPX
behavioral2/memory/860-215-0x00007FF72EE50000-0x00007FF72F1A4000-memory.dmp	UPX
behavioral2/memory/5068-214-0x00007FF69F900000-0x00007FF69FC54000-memory.dmp	UPX
behavioral2/memory/1388-212-0x00007FF7AE1D0000-0x00007FF7AE524000-memory.dmp	UPX
behavioral2/memory/4012-208-0x00007FF717040000-0x00007FF717394000-memory.dmp	UPX
behavioral2/memory/4420-207-0x00007FF7CB900000-0x00007FF7CBC54000-memory.dmp	UPX
behavioral2/memory/4680-199-0x00007FF7B0B40000-0x00007FF7B0E94000-memory.dmp	UPX
behavioral2/memory/4332-192-0x00007FF6A3820000-0x00007FF6A3B74000-memory.dmp	UPX
behavioral2/files/0x000700000002344d-173.dat	UPX
behavioral2/files/0x000700000002344c-172.dat	UPX
behavioral2/files/0x0007000000023446-170.dat	UPX
behavioral2/files/0x000700000002344b-167.dat	UPX
behavioral2/files/0x0007000000023450-166.dat	UPX
behavioral2/memory/2704-164-0x00007FF6DAC90000-0x00007FF6DAFE4000-memory.dmp	UPX
behavioral2/files/0x000700000002344f-161.dat	UPX
behavioral2/files/0x0007000000023449-160.dat	UPX
behavioral2/memory/3920-159-0x00007FF701C90000-0x00007FF701FE4000-memory.dmp	UPX
behavioral2/files/0x0007000000023447-154.dat	UPX
behavioral2/files/0x0007000000023445-152.dat	UPX
behavioral2/files/0x0007000000023444-150.dat	UPX
behavioral2/files/0x0007000000023443-148.dat	UPX
behavioral2/memory/2728-142-0x00007FF623310000-0x00007FF623664000-memory.dmp	UPX
behavioral2/files/0x0007000000023440-133.dat	UPX
behavioral2/files/0x000700000002344a-130.dat	UPX
behavioral2/files/0x0007000000023442-128.dat	UPX
behavioral2/memory/3736-124-0x00007FF7712C0000-0x00007FF771614000-memory.dmp	UPX
behavioral2/files/0x0007000000023441-110.dat	UPX
behavioral2/files/0x0007000000023435-108.dat	UPX
behavioral2/files/0x000700000002343e-102.dat	UPX
behavioral2/files/0x000700000002343d-99.dat	UPX
behavioral2/files/0x000700000002343c-126.dat	UPX
behavioral2/memory/3692-92-0x00007FF77F7E0000-0x00007FF77FB34000-memory.dmp	UPX
behavioral2/files/0x0007000000023438-88.dat	UPX
behavioral2/files/0x0007000000023436-81.dat	UPX
behavioral2/files/0x0007000000023437-77.dat	UPX
behavioral2/files/0x000700000002343b-89.dat	UPX
behavioral2/memory/1864-83-0x00007FF7A35C0000-0x00007FF7A3914000-memory.dmp	UPX
behavioral2/memory/4484-60-0x00007FF615980000-0x00007FF615CD4000-memory.dmp	UPX
behavioral2/memory/2696-50-0x00007FF7BFF10000-0x00007FF7C0264000-memory.dmp	UPX
behavioral2/files/0x0007000000023433-43.dat	UPX
behavioral2/memory/3444-27-0x00007FF673440000-0x00007FF673794000-memory.dmp	UPX
behavioral2/memory/1564-2109-0x00007FF6574C0000-0x00007FF657814000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1564-0-0x00007FF6574C0000-0x00007FF657814000-memory.dmp	xmrig
behavioral2/files/0x000800000002342d-5.dat	xmrig
behavioral2/memory/1540-12-0x00007FF7835F0000-0x00007FF783944000-memory.dmp	xmrig
behavioral2/memory/392-32-0x00007FF6633A0000-0x00007FF6636F4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023434-21.dat	xmrig
behavioral2/files/0x0007000000023432-18.dat	xmrig
behavioral2/files/0x0007000000023431-9.dat	xmrig
behavioral2/files/0x0007000000023439-48.dat	xmrig
behavioral2/files/0x000700000002343f-75.dat	xmrig
behavioral2/files/0x000700000002343a-106.dat	xmrig
behavioral2/files/0x000700000002344e-141.dat	xmrig
behavioral2/files/0x0007000000023448-156.dat	xmrig
behavioral2/memory/668-200-0x00007FF639170000-0x00007FF6394C4000-memory.dmp	xmrig
behavioral2/memory/1944-213-0x00007FF7A4DE0000-0x00007FF7A5134000-memory.dmp	xmrig
behavioral2/memory/3272-221-0x00007FF71CCA0000-0x00007FF71CFF4000-memory.dmp	xmrig
behavioral2/memory/5092-224-0x00007FF7E3CF0000-0x00007FF7E4044000-memory.dmp	xmrig
behavioral2/memory/4052-223-0x00007FF75BD70000-0x00007FF75C0C4000-memory.dmp	xmrig
behavioral2/memory/1208-222-0x00007FF7196F0000-0x00007FF719A44000-memory.dmp	xmrig
behavioral2/memory/4244-220-0x00007FF730040000-0x00007FF730394000-memory.dmp	xmrig
behavioral2/memory/3596-219-0x00007FF7D4980000-0x00007FF7D4CD4000-memory.dmp	xmrig
behavioral2/memory/4936-218-0x00007FF73B0E0000-0x00007FF73B434000-memory.dmp	xmrig
behavioral2/memory/1652-217-0x00007FF75B110000-0x00007FF75B464000-memory.dmp	xmrig
behavioral2/memory/4232-216-0x00007FF66DE80000-0x00007FF66E1D4000-memory.dmp	xmrig
behavioral2/memory/860-215-0x00007FF72EE50000-0x00007FF72F1A4000-memory.dmp	xmrig
behavioral2/memory/5068-214-0x00007FF69F900000-0x00007FF69FC54000-memory.dmp	xmrig
behavioral2/memory/1388-212-0x00007FF7AE1D0000-0x00007FF7AE524000-memory.dmp	xmrig
behavioral2/memory/4012-208-0x00007FF717040000-0x00007FF717394000-memory.dmp	xmrig
behavioral2/memory/4420-207-0x00007FF7CB900000-0x00007FF7CBC54000-memory.dmp	xmrig
behavioral2/memory/4680-199-0x00007FF7B0B40000-0x00007FF7B0E94000-memory.dmp	xmrig
behavioral2/memory/4332-192-0x00007FF6A3820000-0x00007FF6A3B74000-memory.dmp	xmrig
behavioral2/files/0x000700000002344d-173.dat	xmrig
behavioral2/files/0x000700000002344c-172.dat	xmrig
behavioral2/files/0x0007000000023446-170.dat	xmrig
behavioral2/files/0x000700000002344b-167.dat	xmrig
behavioral2/files/0x0007000000023450-166.dat	xmrig
behavioral2/memory/2704-164-0x00007FF6DAC90000-0x00007FF6DAFE4000-memory.dmp	xmrig
behavioral2/files/0x000700000002344f-161.dat	xmrig
behavioral2/files/0x0007000000023449-160.dat	xmrig
behavioral2/memory/3920-159-0x00007FF701C90000-0x00007FF701FE4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023447-154.dat	xmrig
behavioral2/files/0x0007000000023445-152.dat	xmrig
behavioral2/files/0x0007000000023444-150.dat	xmrig
behavioral2/files/0x0007000000023443-148.dat	xmrig
behavioral2/memory/2728-142-0x00007FF623310000-0x00007FF623664000-memory.dmp	xmrig
behavioral2/files/0x0007000000023440-133.dat	xmrig
behavioral2/files/0x000700000002344a-130.dat	xmrig
behavioral2/files/0x0007000000023442-128.dat	xmrig
behavioral2/memory/3736-124-0x00007FF7712C0000-0x00007FF771614000-memory.dmp	xmrig
behavioral2/files/0x0007000000023441-110.dat	xmrig
behavioral2/files/0x0007000000023435-108.dat	xmrig
behavioral2/files/0x000700000002343e-102.dat	xmrig
behavioral2/files/0x000700000002343d-99.dat	xmrig
behavioral2/files/0x000700000002343c-126.dat	xmrig
behavioral2/memory/3692-92-0x00007FF77F7E0000-0x00007FF77FB34000-memory.dmp	xmrig
behavioral2/files/0x0007000000023438-88.dat	xmrig
behavioral2/files/0x0007000000023436-81.dat	xmrig
behavioral2/files/0x0007000000023437-77.dat	xmrig
behavioral2/files/0x000700000002343b-89.dat	xmrig
behavioral2/memory/1864-83-0x00007FF7A35C0000-0x00007FF7A3914000-memory.dmp	xmrig
behavioral2/memory/4484-60-0x00007FF615980000-0x00007FF615CD4000-memory.dmp	xmrig
behavioral2/memory/2696-50-0x00007FF7BFF10000-0x00007FF7C0264000-memory.dmp	xmrig
behavioral2/files/0x0007000000023433-43.dat	xmrig
behavioral2/memory/3444-27-0x00007FF673440000-0x00007FF673794000-memory.dmp	xmrig
behavioral2/memory/1564-2109-0x00007FF6574C0000-0x00007FF657814000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1540	kwNXOFN.exe
3444	rpkxWUj.exe
2696	oHBsOCx.exe
392	ZkhxNsK.exe
4484	NPxNQlQ.exe
4244	cuNDzUr.exe
1864	UvpdXQP.exe
3692	cUaBSDx.exe
3736	TFklPSu.exe
3272	iAwpRmv.exe
2728	TdmvIMM.exe
3920	dxoaOXJ.exe
1208	mRRdrPz.exe
2704	JcEHZqi.exe
4332	TCujbZb.exe
4680	JotiZoZ.exe
668	FgGFhQs.exe
4420	UCabxyz.exe
4052	MvFmVUO.exe
4012	dwVbqAD.exe
1388	jmKgjxb.exe
1944	eWpRtYE.exe
5068	mwDLiNe.exe
860	BkRqevM.exe
4232	CzuhBvO.exe
5092	hWdxMWJ.exe
1652	nuCZDsJ.exe
4936	sUpuoUa.exe
3596	HZTWnIa.exe
3320	QMBMXLT.exe
4340	TWPTESK.exe
3732	DGLUPDe.exe
1232	gpHkQUw.exe
8	bgZfaRj.exe
1736	CihqIem.exe
3000	CcEqMdy.exe
3592	PQuQqMQ.exe
3032	GUOLlaH.exe
2664	hBAjfxD.exe
4108	BKdWtUc.exe
1892	pwPjJQS.exe
4924	uKQtbEm.exe
384	sOjrbQu.exe
1008	fwDFpFi.exe
3324	wSSXAEy.exe
3332	VkfgEiE.exe
1984	TABAkeD.exe
4492	zayhAEw.exe
3144	NXZSLLL.exe
3608	TOMrWat.exe
4164	AkpCdwi.exe
1536	GgyFOpd.exe
2268	aJQMKUs.exe
2652	LXNfPrW.exe
880	NsNLQeE.exe
4984	TbhYBGW.exe
4744	cIFISyU.exe
3372	UFBltjT.exe
4636	xDxStkK.exe
5056	yqWgbBs.exe
2636	gaUZsNX.exe
5016	DVEZpkD.exe
3292	usUggbN.exe
1656	DRRwTZp.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1564-0-0x00007FF6574C0000-0x00007FF657814000-memory.dmp	upx
behavioral2/files/0x000800000002342d-5.dat	upx
behavioral2/memory/1540-12-0x00007FF7835F0000-0x00007FF783944000-memory.dmp	upx
behavioral2/memory/392-32-0x00007FF6633A0000-0x00007FF6636F4000-memory.dmp	upx
behavioral2/files/0x0007000000023434-21.dat	upx
behavioral2/files/0x0007000000023432-18.dat	upx
behavioral2/files/0x0007000000023431-9.dat	upx
behavioral2/files/0x0007000000023439-48.dat	upx
behavioral2/files/0x000700000002343f-75.dat	upx
behavioral2/files/0x000700000002343a-106.dat	upx
behavioral2/files/0x000700000002344e-141.dat	upx
behavioral2/files/0x0007000000023448-156.dat	upx
behavioral2/memory/668-200-0x00007FF639170000-0x00007FF6394C4000-memory.dmp	upx
behavioral2/memory/1944-213-0x00007FF7A4DE0000-0x00007FF7A5134000-memory.dmp	upx
behavioral2/memory/3272-221-0x00007FF71CCA0000-0x00007FF71CFF4000-memory.dmp	upx
behavioral2/memory/5092-224-0x00007FF7E3CF0000-0x00007FF7E4044000-memory.dmp	upx
behavioral2/memory/4052-223-0x00007FF75BD70000-0x00007FF75C0C4000-memory.dmp	upx
behavioral2/memory/1208-222-0x00007FF7196F0000-0x00007FF719A44000-memory.dmp	upx
behavioral2/memory/4244-220-0x00007FF730040000-0x00007FF730394000-memory.dmp	upx
behavioral2/memory/3596-219-0x00007FF7D4980000-0x00007FF7D4CD4000-memory.dmp	upx
behavioral2/memory/4936-218-0x00007FF73B0E0000-0x00007FF73B434000-memory.dmp	upx
behavioral2/memory/1652-217-0x00007FF75B110000-0x00007FF75B464000-memory.dmp	upx
behavioral2/memory/4232-216-0x00007FF66DE80000-0x00007FF66E1D4000-memory.dmp	upx
behavioral2/memory/860-215-0x00007FF72EE50000-0x00007FF72F1A4000-memory.dmp	upx
behavioral2/memory/5068-214-0x00007FF69F900000-0x00007FF69FC54000-memory.dmp	upx
behavioral2/memory/1388-212-0x00007FF7AE1D0000-0x00007FF7AE524000-memory.dmp	upx
behavioral2/memory/4012-208-0x00007FF717040000-0x00007FF717394000-memory.dmp	upx
behavioral2/memory/4420-207-0x00007FF7CB900000-0x00007FF7CBC54000-memory.dmp	upx
behavioral2/memory/4680-199-0x00007FF7B0B40000-0x00007FF7B0E94000-memory.dmp	upx
behavioral2/memory/4332-192-0x00007FF6A3820000-0x00007FF6A3B74000-memory.dmp	upx
behavioral2/files/0x000700000002344d-173.dat	upx
behavioral2/files/0x000700000002344c-172.dat	upx
behavioral2/files/0x0007000000023446-170.dat	upx
behavioral2/files/0x000700000002344b-167.dat	upx
behavioral2/files/0x0007000000023450-166.dat	upx
behavioral2/memory/2704-164-0x00007FF6DAC90000-0x00007FF6DAFE4000-memory.dmp	upx
behavioral2/files/0x000700000002344f-161.dat	upx
behavioral2/files/0x0007000000023449-160.dat	upx
behavioral2/memory/3920-159-0x00007FF701C90000-0x00007FF701FE4000-memory.dmp	upx
behavioral2/files/0x0007000000023447-154.dat	upx
behavioral2/files/0x0007000000023445-152.dat	upx
behavioral2/files/0x0007000000023444-150.dat	upx
behavioral2/files/0x0007000000023443-148.dat	upx
behavioral2/memory/2728-142-0x00007FF623310000-0x00007FF623664000-memory.dmp	upx
behavioral2/files/0x0007000000023440-133.dat	upx
behavioral2/files/0x000700000002344a-130.dat	upx
behavioral2/files/0x0007000000023442-128.dat	upx
behavioral2/memory/3736-124-0x00007FF7712C0000-0x00007FF771614000-memory.dmp	upx
behavioral2/files/0x0007000000023441-110.dat	upx
behavioral2/files/0x0007000000023435-108.dat	upx
behavioral2/files/0x000700000002343e-102.dat	upx
behavioral2/files/0x000700000002343d-99.dat	upx
behavioral2/files/0x000700000002343c-126.dat	upx
behavioral2/memory/3692-92-0x00007FF77F7E0000-0x00007FF77FB34000-memory.dmp	upx
behavioral2/files/0x0007000000023438-88.dat	upx
behavioral2/files/0x0007000000023436-81.dat	upx
behavioral2/files/0x0007000000023437-77.dat	upx
behavioral2/files/0x000700000002343b-89.dat	upx
behavioral2/memory/1864-83-0x00007FF7A35C0000-0x00007FF7A3914000-memory.dmp	upx
behavioral2/memory/4484-60-0x00007FF615980000-0x00007FF615CD4000-memory.dmp	upx
behavioral2/memory/2696-50-0x00007FF7BFF10000-0x00007FF7C0264000-memory.dmp	upx
behavioral2/files/0x0007000000023433-43.dat	upx
behavioral2/memory/3444-27-0x00007FF673440000-0x00007FF673794000-memory.dmp	upx
behavioral2/memory/1564-2109-0x00007FF6574C0000-0x00007FF657814000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\Mhsfbgq.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\Nnquwud.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\jZtJmDC.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\mhbhFta.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\UroLIrY.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\gjMBrvT.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\SCnEXiN.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\qYvwKql.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\zBaArQe.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\ijimpqq.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\hHEQvzA.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\erUnaeY.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\QHXaXhd.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\LnEproH.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\OxFMPeT.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\qHkxKzm.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\eezoIhv.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\czXbUAq.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\xUFRumh.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\pCEPLXK.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\QKupcdd.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\QkpYAtS.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\FPKVMja.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\FrxIvKZ.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\cvknWMG.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\ejaIumN.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\IGPldDf.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\bUksPJe.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\ImbmNVE.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\DGnpnxN.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\xgqDymg.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\PeXkFPY.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\fuzlseb.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\gzoHoYc.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\tvIociF.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\KoJLRRO.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\mXwlwYc.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\NZIdtiT.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\RqbjkKS.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\oOMLqVL.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\AqKXtBM.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\tKSRwqN.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\zGguVPK.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\zEsoXWT.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\HRuvSOM.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\KfcZlOa.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\rqPuaLB.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\qsIDueU.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\ZtwUgHh.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\AEBAgFc.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\lcZBpfw.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\FjItMQQ.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\RhuCPBj.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\SieRFYH.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\YwHKLzr.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\UhoySIH.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\sNPnVDA.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\aRqMqAT.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\eFHjGnu.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\LSEtwtr.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\oaiyFku.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\OXDbjIe.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\HqHiQgG.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
File created	C:\Windows\System\ElEDcRd.exe	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	14236	dwm.exe
Token: SeChangeNotifyPrivilege	14236	dwm.exe
Token: 33	14236	dwm.exe
Token: SeIncBasePriorityPrivilege	14236	dwm.exe
Token: SeShutdownPrivilege	14236	dwm.exe
Token: SeCreatePagefilePrivilege	14236	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 1540	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	85
PID 1564 wrote to memory of 1540	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	85
PID 1564 wrote to memory of 3444	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	86
PID 1564 wrote to memory of 3444	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	86
PID 1564 wrote to memory of 2696	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	87
PID 1564 wrote to memory of 2696	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	87
PID 1564 wrote to memory of 4484	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	88
PID 1564 wrote to memory of 4484	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	88
PID 1564 wrote to memory of 392	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	89
PID 1564 wrote to memory of 392	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	89
PID 1564 wrote to memory of 3692	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	90
PID 1564 wrote to memory of 3692	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	90
PID 1564 wrote to memory of 4244	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	91
PID 1564 wrote to memory of 4244	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	91
PID 1564 wrote to memory of 1864	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	92
PID 1564 wrote to memory of 1864	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	92
PID 1564 wrote to memory of 2728	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	93
PID 1564 wrote to memory of 2728	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	93
PID 1564 wrote to memory of 3736	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	94
PID 1564 wrote to memory of 3736	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	94
PID 1564 wrote to memory of 3272	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	95
PID 1564 wrote to memory of 3272	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	95
PID 1564 wrote to memory of 3920	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	96
PID 1564 wrote to memory of 3920	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	96
PID 1564 wrote to memory of 1208	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	97
PID 1564 wrote to memory of 1208	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	97
PID 1564 wrote to memory of 2704	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	98
PID 1564 wrote to memory of 2704	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	98
PID 1564 wrote to memory of 4332	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	99
PID 1564 wrote to memory of 4332	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	99
PID 1564 wrote to memory of 4680	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	100
PID 1564 wrote to memory of 4680	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	100
PID 1564 wrote to memory of 668	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	101
PID 1564 wrote to memory of 668	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	101
PID 1564 wrote to memory of 4420	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	102
PID 1564 wrote to memory of 4420	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	102
PID 1564 wrote to memory of 4052	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	103
PID 1564 wrote to memory of 4052	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	103
PID 1564 wrote to memory of 4012	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	104
PID 1564 wrote to memory of 4012	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	104
PID 1564 wrote to memory of 1388	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	105
PID 1564 wrote to memory of 1388	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	105
PID 1564 wrote to memory of 1944	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	106
PID 1564 wrote to memory of 1944	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	106
PID 1564 wrote to memory of 5068	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	107
PID 1564 wrote to memory of 5068	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	107
PID 1564 wrote to memory of 860	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	108
PID 1564 wrote to memory of 860	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	108
PID 1564 wrote to memory of 4232	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	109
PID 1564 wrote to memory of 4232	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	109
PID 1564 wrote to memory of 5092	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	110
PID 1564 wrote to memory of 5092	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	110
PID 1564 wrote to memory of 1652	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	111
PID 1564 wrote to memory of 1652	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	111
PID 1564 wrote to memory of 4936	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	112
PID 1564 wrote to memory of 4936	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	112
PID 1564 wrote to memory of 3596	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	113
PID 1564 wrote to memory of 3596	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	113
PID 1564 wrote to memory of 3320	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	114
PID 1564 wrote to memory of 3320	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	114
PID 1564 wrote to memory of 4340	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	115
PID 1564 wrote to memory of 4340	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	115
PID 1564 wrote to memory of 3732	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	116
PID 1564 wrote to memory of 3732	1564	f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe	116

C:\Users\Admin\AppData\Local\Temp\f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe
"C:\Users\Admin\AppData\Local\Temp\f72a0bff442c87423b98d8874d1fee9e0eb05233260b9ed7e55ee652e5f3aad9.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\System\kwNXOFN.exe
  C:\Windows\System\kwNXOFN.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System\rpkxWUj.exe
  C:\Windows\System\rpkxWUj.exe
  2⤵
  - Executes dropped EXE
  PID:3444
- C:\Windows\System\oHBsOCx.exe
  C:\Windows\System\oHBsOCx.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\NPxNQlQ.exe
  C:\Windows\System\NPxNQlQ.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System\ZkhxNsK.exe
  C:\Windows\System\ZkhxNsK.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System\cUaBSDx.exe
  C:\Windows\System\cUaBSDx.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System\cuNDzUr.exe
  C:\Windows\System\cuNDzUr.exe
  2⤵
  - Executes dropped EXE
  PID:4244
- C:\Windows\System\UvpdXQP.exe
  C:\Windows\System\UvpdXQP.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System\TdmvIMM.exe
  C:\Windows\System\TdmvIMM.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\TFklPSu.exe
  C:\Windows\System\TFklPSu.exe
  2⤵
  - Executes dropped EXE
  PID:3736
- C:\Windows\System\iAwpRmv.exe
  C:\Windows\System\iAwpRmv.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System\dxoaOXJ.exe
  C:\Windows\System\dxoaOXJ.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\System\mRRdrPz.exe
  C:\Windows\System\mRRdrPz.exe
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\System\JcEHZqi.exe
  C:\Windows\System\JcEHZqi.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\TCujbZb.exe
  C:\Windows\System\TCujbZb.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Windows\System\JotiZoZ.exe
  C:\Windows\System\JotiZoZ.exe
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Windows\System\FgGFhQs.exe
  C:\Windows\System\FgGFhQs.exe
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Windows\System\UCabxyz.exe
  C:\Windows\System\UCabxyz.exe
  2⤵
  - Executes dropped EXE
  PID:4420
- C:\Windows\System\MvFmVUO.exe
  C:\Windows\System\MvFmVUO.exe
  2⤵
  - Executes dropped EXE
  PID:4052
- C:\Windows\System\dwVbqAD.exe
  C:\Windows\System\dwVbqAD.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System\jmKgjxb.exe
  C:\Windows\System\jmKgjxb.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System\eWpRtYE.exe
  C:\Windows\System\eWpRtYE.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\mwDLiNe.exe
  C:\Windows\System\mwDLiNe.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\BkRqevM.exe
  C:\Windows\System\BkRqevM.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System\CzuhBvO.exe
  C:\Windows\System\CzuhBvO.exe
  2⤵
  - Executes dropped EXE
  PID:4232
- C:\Windows\System\hWdxMWJ.exe
  C:\Windows\System\hWdxMWJ.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\nuCZDsJ.exe
  C:\Windows\System\nuCZDsJ.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System\sUpuoUa.exe
  C:\Windows\System\sUpuoUa.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System\HZTWnIa.exe
  C:\Windows\System\HZTWnIa.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System\QMBMXLT.exe
  C:\Windows\System\QMBMXLT.exe
  2⤵
  - Executes dropped EXE
  PID:3320
- C:\Windows\System\TWPTESK.exe
  C:\Windows\System\TWPTESK.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System\DGLUPDe.exe
  C:\Windows\System\DGLUPDe.exe
  2⤵
  - Executes dropped EXE
  PID:3732
- C:\Windows\System\gpHkQUw.exe
  C:\Windows\System\gpHkQUw.exe
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Windows\System\bgZfaRj.exe
  C:\Windows\System\bgZfaRj.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System\CihqIem.exe
  C:\Windows\System\CihqIem.exe
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\System\CcEqMdy.exe
  C:\Windows\System\CcEqMdy.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\PQuQqMQ.exe
  C:\Windows\System\PQuQqMQ.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System\GUOLlaH.exe
  C:\Windows\System\GUOLlaH.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System\hBAjfxD.exe
  C:\Windows\System\hBAjfxD.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\BKdWtUc.exe
  C:\Windows\System\BKdWtUc.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System\pwPjJQS.exe
  C:\Windows\System\pwPjJQS.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\System\uKQtbEm.exe
  C:\Windows\System\uKQtbEm.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System\sOjrbQu.exe
  C:\Windows\System\sOjrbQu.exe
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\System\fwDFpFi.exe
  C:\Windows\System\fwDFpFi.exe
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\System\wSSXAEy.exe
  C:\Windows\System\wSSXAEy.exe
  2⤵
  - Executes dropped EXE
  PID:3324
- C:\Windows\System\VkfgEiE.exe
  C:\Windows\System\VkfgEiE.exe
  2⤵
  - Executes dropped EXE
  PID:3332
- C:\Windows\System\TABAkeD.exe
  C:\Windows\System\TABAkeD.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System\zayhAEw.exe
  C:\Windows\System\zayhAEw.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\NXZSLLL.exe
  C:\Windows\System\NXZSLLL.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System\TOMrWat.exe
  C:\Windows\System\TOMrWat.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System\AkpCdwi.exe
  C:\Windows\System\AkpCdwi.exe
  2⤵
  - Executes dropped EXE
  PID:4164
- C:\Windows\System\GgyFOpd.exe
  C:\Windows\System\GgyFOpd.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\System\aJQMKUs.exe
  C:\Windows\System\aJQMKUs.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\LXNfPrW.exe
  C:\Windows\System\LXNfPrW.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\NsNLQeE.exe
  C:\Windows\System\NsNLQeE.exe
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\System\TbhYBGW.exe
  C:\Windows\System\TbhYBGW.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System\cIFISyU.exe
  C:\Windows\System\cIFISyU.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\System\UFBltjT.exe
  C:\Windows\System\UFBltjT.exe
  2⤵
  - Executes dropped EXE
  PID:3372
- C:\Windows\System\xDxStkK.exe
  C:\Windows\System\xDxStkK.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System\yqWgbBs.exe
  C:\Windows\System\yqWgbBs.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System\gaUZsNX.exe
  C:\Windows\System\gaUZsNX.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\DVEZpkD.exe
  C:\Windows\System\DVEZpkD.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System\usUggbN.exe
  C:\Windows\System\usUggbN.exe
  2⤵
  - Executes dropped EXE
  PID:3292
- C:\Windows\System\DRRwTZp.exe
  C:\Windows\System\DRRwTZp.exe
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\System\CaYqKIo.exe
  C:\Windows\System\CaYqKIo.exe
  2⤵
  PID:3672
- C:\Windows\System\bIDSsOQ.exe
  C:\Windows\System\bIDSsOQ.exe
  2⤵
  PID:2632
- C:\Windows\System\mfIPsiI.exe
  C:\Windows\System\mfIPsiI.exe
  2⤵
  PID:3160
- C:\Windows\System\nJKApaE.exe
  C:\Windows\System\nJKApaE.exe
  2⤵
  PID:2096
- C:\Windows\System\FPKVMja.exe
  C:\Windows\System\FPKVMja.exe
  2⤵
  PID:1224
- C:\Windows\System\sPsCUTx.exe
  C:\Windows\System\sPsCUTx.exe
  2⤵
  PID:3752
- C:\Windows\System\NnuXqqx.exe
  C:\Windows\System\NnuXqqx.exe
  2⤵
  PID:1028
- C:\Windows\System\GcohTST.exe
  C:\Windows\System\GcohTST.exe
  2⤵
  PID:3784
- C:\Windows\System\gSxpQjJ.exe
  C:\Windows\System\gSxpQjJ.exe
  2⤵
  PID:3496
- C:\Windows\System\jVNeVXD.exe
  C:\Windows\System\jVNeVXD.exe
  2⤵
  PID:3224
- C:\Windows\System\xgCfkur.exe
  C:\Windows\System\xgCfkur.exe
  2⤵
  PID:4684
- C:\Windows\System\sxKHQwD.exe
  C:\Windows\System\sxKHQwD.exe
  2⤵
  PID:1852
- C:\Windows\System\mcAInpm.exe
  C:\Windows\System\mcAInpm.exe
  2⤵
  PID:4472
- C:\Windows\System\UXgvdtX.exe
  C:\Windows\System\UXgvdtX.exe
  2⤵
  PID:4036
- C:\Windows\System\ZHXgwGV.exe
  C:\Windows\System\ZHXgwGV.exe
  2⤵
  PID:3068
- C:\Windows\System\OPcUFUc.exe
  C:\Windows\System\OPcUFUc.exe
  2⤵
  PID:3340
- C:\Windows\System\AXSCoRE.exe
  C:\Windows\System\AXSCoRE.exe
  2⤵
  PID:4928
- C:\Windows\System\ugPomgW.exe
  C:\Windows\System\ugPomgW.exe
  2⤵
  PID:1064
- C:\Windows\System\mbwkfvx.exe
  C:\Windows\System\mbwkfvx.exe
  2⤵
  PID:3076
- C:\Windows\System\GcZuORq.exe
  C:\Windows\System\GcZuORq.exe
  2⤵
  PID:3528
- C:\Windows\System\XSgQgUX.exe
  C:\Windows\System\XSgQgUX.exe
  2⤵
  PID:964
- C:\Windows\System\UdDlINt.exe
  C:\Windows\System\UdDlINt.exe
  2⤵
  PID:1152
- C:\Windows\System\ZtgSbGX.exe
  C:\Windows\System\ZtgSbGX.exe
  2⤵
  PID:804
- C:\Windows\System\VfhatFG.exe
  C:\Windows\System\VfhatFG.exe
  2⤵
  PID:4024
- C:\Windows\System\SMOmcNo.exe
  C:\Windows\System\SMOmcNo.exe
  2⤵
  PID:4836
- C:\Windows\System\PpIEWup.exe
  C:\Windows\System\PpIEWup.exe
  2⤵
  PID:4256
- C:\Windows\System\lCaxdNo.exe
  C:\Windows\System\lCaxdNo.exe
  2⤵
  PID:2848
- C:\Windows\System\pEsHtov.exe
  C:\Windows\System\pEsHtov.exe
  2⤵
  PID:5136
- C:\Windows\System\IGPldDf.exe
  C:\Windows\System\IGPldDf.exe
  2⤵
  PID:5168
- C:\Windows\System\ZYXOmxO.exe
  C:\Windows\System\ZYXOmxO.exe
  2⤵
  PID:5200
- C:\Windows\System\nCNxOtJ.exe
  C:\Windows\System\nCNxOtJ.exe
  2⤵
  PID:5240
- C:\Windows\System\GDKqwWP.exe
  C:\Windows\System\GDKqwWP.exe
  2⤵
  PID:5272
- C:\Windows\System\jqFuCBL.exe
  C:\Windows\System\jqFuCBL.exe
  2⤵
  PID:5308
- C:\Windows\System\tKFczOe.exe
  C:\Windows\System\tKFczOe.exe
  2⤵
  PID:5340
- C:\Windows\System\aRsElif.exe
  C:\Windows\System\aRsElif.exe
  2⤵
  PID:5368
- C:\Windows\System\Mhsfbgq.exe
  C:\Windows\System\Mhsfbgq.exe
  2⤵
  PID:5392
- C:\Windows\System\irSVCFH.exe
  C:\Windows\System\irSVCFH.exe
  2⤵
  PID:5424
- C:\Windows\System\jUXycsH.exe
  C:\Windows\System\jUXycsH.exe
  2⤵
  PID:5452
- C:\Windows\System\xyGXxDP.exe
  C:\Windows\System\xyGXxDP.exe
  2⤵
  PID:5488
- C:\Windows\System\lOImtFW.exe
  C:\Windows\System\lOImtFW.exe
  2⤵
  PID:5524
- C:\Windows\System\RHblBUh.exe
  C:\Windows\System\RHblBUh.exe
  2⤵
  PID:5556
- C:\Windows\System\tbbPSHK.exe
  C:\Windows\System\tbbPSHK.exe
  2⤵
  PID:5584
- C:\Windows\System\uXwiquF.exe
  C:\Windows\System\uXwiquF.exe
  2⤵
  PID:5612
- C:\Windows\System\YwHKLzr.exe
  C:\Windows\System\YwHKLzr.exe
  2⤵
  PID:5640
- C:\Windows\System\JHqYCmX.exe
  C:\Windows\System\JHqYCmX.exe
  2⤵
  PID:5672
- C:\Windows\System\HzNHkav.exe
  C:\Windows\System\HzNHkav.exe
  2⤵
  PID:5696
- C:\Windows\System\aaSbOtR.exe
  C:\Windows\System\aaSbOtR.exe
  2⤵
  PID:5724
- C:\Windows\System\sOfjttv.exe
  C:\Windows\System\sOfjttv.exe
  2⤵
  PID:5756
- C:\Windows\System\tbMpAHU.exe
  C:\Windows\System\tbMpAHU.exe
  2⤵
  PID:5784
- C:\Windows\System\zShQhEq.exe
  C:\Windows\System\zShQhEq.exe
  2⤵
  PID:5812
- C:\Windows\System\rOsfufW.exe
  C:\Windows\System\rOsfufW.exe
  2⤵
  PID:5840
- C:\Windows\System\cuWaZYc.exe
  C:\Windows\System\cuWaZYc.exe
  2⤵
  PID:5868
- C:\Windows\System\yNkUwBs.exe
  C:\Windows\System\yNkUwBs.exe
  2⤵
  PID:5904
- C:\Windows\System\SrDtQqf.exe
  C:\Windows\System\SrDtQqf.exe
  2⤵
  PID:5924
- C:\Windows\System\zGguVPK.exe
  C:\Windows\System\zGguVPK.exe
  2⤵
  PID:5952
- C:\Windows\System\JBpgaEi.exe
  C:\Windows\System\JBpgaEi.exe
  2⤵
  PID:5980
- C:\Windows\System\vJyBZBc.exe
  C:\Windows\System\vJyBZBc.exe
  2⤵
  PID:6012
- C:\Windows\System\HiGxfLu.exe
  C:\Windows\System\HiGxfLu.exe
  2⤵
  PID:6036
- C:\Windows\System\LbIHwzg.exe
  C:\Windows\System\LbIHwzg.exe
  2⤵
  PID:6064
- C:\Windows\System\eezoIhv.exe
  C:\Windows\System\eezoIhv.exe
  2⤵
  PID:6092
- C:\Windows\System\zFBbdvW.exe
  C:\Windows\System\zFBbdvW.exe
  2⤵
  PID:6120
- C:\Windows\System\fNLTkCQ.exe
  C:\Windows\System\fNLTkCQ.exe
  2⤵
  PID:2516
- C:\Windows\System\HmJUUEU.exe
  C:\Windows\System\HmJUUEU.exe
  2⤵
  PID:5160
- C:\Windows\System\pOHqOtI.exe
  C:\Windows\System\pOHqOtI.exe
  2⤵
  PID:5156
- C:\Windows\System\tEayPnT.exe
  C:\Windows\System\tEayPnT.exe
  2⤵
  PID:3492
- C:\Windows\System\rJDBjiQ.exe
  C:\Windows\System\rJDBjiQ.exe
  2⤵
  PID:5296
- C:\Windows\System\bUksPJe.exe
  C:\Windows\System\bUksPJe.exe
  2⤵
  PID:5384
- C:\Windows\System\yXijaAQ.exe
  C:\Windows\System\yXijaAQ.exe
  2⤵
  PID:5476
- C:\Windows\System\bfczFqI.exe
  C:\Windows\System\bfczFqI.exe
  2⤵
  PID:5512
- C:\Windows\System\qYlbprq.exe
  C:\Windows\System\qYlbprq.exe
  2⤵
  PID:5576
- C:\Windows\System\gzoHoYc.exe
  C:\Windows\System\gzoHoYc.exe
  2⤵
  PID:2124
- C:\Windows\System\wDXHKSG.exe
  C:\Windows\System\wDXHKSG.exe
  2⤵
  PID:5680
- C:\Windows\System\rlhfUIm.exe
  C:\Windows\System\rlhfUIm.exe
  2⤵
  PID:5744
- C:\Windows\System\qbvFtkP.exe
  C:\Windows\System\qbvFtkP.exe
  2⤵
  PID:5804
- C:\Windows\System\rhIwxAe.exe
  C:\Windows\System\rhIwxAe.exe
  2⤵
  PID:5880
- C:\Windows\System\cEPcuuS.exe
  C:\Windows\System\cEPcuuS.exe
  2⤵
  PID:5944
- C:\Windows\System\tvIociF.exe
  C:\Windows\System\tvIociF.exe
  2⤵
  PID:872
- C:\Windows\System\ImbmNVE.exe
  C:\Windows\System\ImbmNVE.exe
  2⤵
  PID:6048
- C:\Windows\System\iyLlLLP.exe
  C:\Windows\System\iyLlLLP.exe
  2⤵
  PID:6112
- C:\Windows\System\zEsoXWT.exe
  C:\Windows\System\zEsoXWT.exe
  2⤵
  PID:3108
- C:\Windows\System\dIADqjh.exe
  C:\Windows\System\dIADqjh.exe
  2⤵
  PID:2944
- C:\Windows\System\HbcYkRQ.exe
  C:\Windows\System\HbcYkRQ.exe
  2⤵
  PID:5356
- C:\Windows\System\zBaArQe.exe
  C:\Windows\System\zBaArQe.exe
  2⤵
  PID:5484
- C:\Windows\System\IgsZrDd.exe
  C:\Windows\System\IgsZrDd.exe
  2⤵
  PID:2672
- C:\Windows\System\zfmRGPa.exe
  C:\Windows\System\zfmRGPa.exe
  2⤵
  PID:5768
- C:\Windows\System\bChEvHY.exe
  C:\Windows\System\bChEvHY.exe
  2⤵
  PID:5936
- C:\Windows\System\jepxgIX.exe
  C:\Windows\System\jepxgIX.exe
  2⤵
  PID:6028
- C:\Windows\System\tYVRODb.exe
  C:\Windows\System\tYVRODb.exe
  2⤵
  PID:6140
- C:\Windows\System\AEoQDVE.exe
  C:\Windows\System\AEoQDVE.exe
  2⤵
  PID:5412
- C:\Windows\System\CGvVlwX.exe
  C:\Windows\System\CGvVlwX.exe
  2⤵
  PID:5732
- C:\Windows\System\ySzDqlV.exe
  C:\Windows\System\ySzDqlV.exe
  2⤵
  PID:5284
- C:\Windows\System\wEvjZVw.exe
  C:\Windows\System\wEvjZVw.exe
  2⤵
  PID:3476
- C:\Windows\System\FINOctT.exe
  C:\Windows\System\FINOctT.exe
  2⤵
  PID:6152
- C:\Windows\System\snPlFEG.exe
  C:\Windows\System\snPlFEG.exe
  2⤵
  PID:6172
- C:\Windows\System\wNiwnZo.exe
  C:\Windows\System\wNiwnZo.exe
  2⤵
  PID:6200
- C:\Windows\System\rNutLkl.exe
  C:\Windows\System\rNutLkl.exe
  2⤵
  PID:6224
- C:\Windows\System\kJaXATD.exe
  C:\Windows\System\kJaXATD.exe
  2⤵
  PID:6248
- C:\Windows\System\ihyapGg.exe
  C:\Windows\System\ihyapGg.exe
  2⤵
  PID:6280
- C:\Windows\System\FQYwDQZ.exe
  C:\Windows\System\FQYwDQZ.exe
  2⤵
  PID:6312
- C:\Windows\System\IMwkqJK.exe
  C:\Windows\System\IMwkqJK.exe
  2⤵
  PID:6340
- C:\Windows\System\BwGcASZ.exe
  C:\Windows\System\BwGcASZ.exe
  2⤵
  PID:6368
- C:\Windows\System\mvTmvXB.exe
  C:\Windows\System\mvTmvXB.exe
  2⤵
  PID:6404
- C:\Windows\System\HRuvSOM.exe
  C:\Windows\System\HRuvSOM.exe
  2⤵
  PID:6432
- C:\Windows\System\VjrrWyO.exe
  C:\Windows\System\VjrrWyO.exe
  2⤵
  PID:6460
- C:\Windows\System\nCNfdhY.exe
  C:\Windows\System\nCNfdhY.exe
  2⤵
  PID:6484
- C:\Windows\System\JxjYqhC.exe
  C:\Windows\System\JxjYqhC.exe
  2⤵
  PID:6512
- C:\Windows\System\QtooEqn.exe
  C:\Windows\System\QtooEqn.exe
  2⤵
  PID:6532
- C:\Windows\System\LelrcGt.exe
  C:\Windows\System\LelrcGt.exe
  2⤵
  PID:6552
- C:\Windows\System\mJWcOfL.exe
  C:\Windows\System\mJWcOfL.exe
  2⤵
  PID:6588
- C:\Windows\System\ikVywau.exe
  C:\Windows\System\ikVywau.exe
  2⤵
  PID:6616
- C:\Windows\System\jzFWvdT.exe
  C:\Windows\System\jzFWvdT.exe
  2⤵
  PID:6644
- C:\Windows\System\drJcTls.exe
  C:\Windows\System\drJcTls.exe
  2⤵
  PID:6672
- C:\Windows\System\feeJgjt.exe
  C:\Windows\System\feeJgjt.exe
  2⤵
  PID:6700
- C:\Windows\System\KnmyWEZ.exe
  C:\Windows\System\KnmyWEZ.exe
  2⤵
  PID:6728
- C:\Windows\System\CyLmMYd.exe
  C:\Windows\System\CyLmMYd.exe
  2⤵
  PID:6756
- C:\Windows\System\rbofDJM.exe
  C:\Windows\System\rbofDJM.exe
  2⤵
  PID:6776
- C:\Windows\System\enVrqtC.exe
  C:\Windows\System\enVrqtC.exe
  2⤵
  PID:6808
- C:\Windows\System\aqwWdbK.exe
  C:\Windows\System\aqwWdbK.exe
  2⤵
  PID:6840
- C:\Windows\System\beyOmya.exe
  C:\Windows\System\beyOmya.exe
  2⤵
  PID:6868
- C:\Windows\System\WoBmONg.exe
  C:\Windows\System\WoBmONg.exe
  2⤵
  PID:6900
- C:\Windows\System\LkRGEpS.exe
  C:\Windows\System\LkRGEpS.exe
  2⤵
  PID:6924
- C:\Windows\System\FHgbjDg.exe
  C:\Windows\System\FHgbjDg.exe
  2⤵
  PID:6952
- C:\Windows\System\AsDXdFU.exe
  C:\Windows\System\AsDXdFU.exe
  2⤵
  PID:6984
- C:\Windows\System\jSvsNTe.exe
  C:\Windows\System\jSvsNTe.exe
  2⤵
  PID:7008
- C:\Windows\System\KCOXLRr.exe
  C:\Windows\System\KCOXLRr.exe
  2⤵
  PID:7044
- C:\Windows\System\sPxWOWu.exe
  C:\Windows\System\sPxWOWu.exe
  2⤵
  PID:7076
- C:\Windows\System\SHZpLKM.exe
  C:\Windows\System\SHZpLKM.exe
  2⤵
  PID:7096
- C:\Windows\System\KoJLRRO.exe
  C:\Windows\System\KoJLRRO.exe
  2⤵
  PID:7120
- C:\Windows\System\GAaNfMA.exe
  C:\Windows\System\GAaNfMA.exe
  2⤵
  PID:7152
- C:\Windows\System\OiwaBGf.exe
  C:\Windows\System\OiwaBGf.exe
  2⤵
  PID:6180
- C:\Windows\System\wKhoQvy.exe
  C:\Windows\System\wKhoQvy.exe
  2⤵
  PID:6272
- C:\Windows\System\XsNSanB.exe
  C:\Windows\System\XsNSanB.exe
  2⤵
  PID:6320
- C:\Windows\System\GdnnnsB.exe
  C:\Windows\System\GdnnnsB.exe
  2⤵
  PID:6364
- C:\Windows\System\eRcVeoM.exe
  C:\Windows\System\eRcVeoM.exe
  2⤵
  PID:6444
- C:\Windows\System\oCWLFoH.exe
  C:\Windows\System\oCWLFoH.exe
  2⤵
  PID:6520
- C:\Windows\System\ZKCwhuI.exe
  C:\Windows\System\ZKCwhuI.exe
  2⤵
  PID:6568
- C:\Windows\System\EztlshH.exe
  C:\Windows\System\EztlshH.exe
  2⤵
  PID:6656
- C:\Windows\System\BBpDOna.exe
  C:\Windows\System\BBpDOna.exe
  2⤵
  PID:6688
- C:\Windows\System\tIETXaP.exe
  C:\Windows\System\tIETXaP.exe
  2⤵
  PID:6724
- C:\Windows\System\CiOunCm.exe
  C:\Windows\System\CiOunCm.exe
  2⤵
  PID:6800
- C:\Windows\System\LUBLmfG.exe
  C:\Windows\System\LUBLmfG.exe
  2⤵
  PID:6884
- C:\Windows\System\KfcZlOa.exe
  C:\Windows\System\KfcZlOa.exe
  2⤵
  PID:6948
- C:\Windows\System\LltOiOB.exe
  C:\Windows\System\LltOiOB.exe
  2⤵
  PID:6996
- C:\Windows\System\UhoySIH.exe
  C:\Windows\System\UhoySIH.exe
  2⤵
  PID:7072
- C:\Windows\System\wRFFwCP.exe
  C:\Windows\System\wRFFwCP.exe
  2⤵
  PID:7136
- C:\Windows\System\Nnquwud.exe
  C:\Windows\System\Nnquwud.exe
  2⤵
  PID:6160
- C:\Windows\System\gzetAFm.exe
  C:\Windows\System\gzetAFm.exe
  2⤵
  PID:6352
- C:\Windows\System\FrxIvKZ.exe
  C:\Windows\System\FrxIvKZ.exe
  2⤵
  PID:6528
- C:\Windows\System\aCRNtkY.exe
  C:\Windows\System\aCRNtkY.exe
  2⤵
  PID:6664
- C:\Windows\System\wLlMOnq.exe
  C:\Windows\System\wLlMOnq.exe
  2⤵
  PID:6860
- C:\Windows\System\VKgANrx.exe
  C:\Windows\System\VKgANrx.exe
  2⤵
  PID:7056
- C:\Windows\System\UZWGcHG.exe
  C:\Windows\System\UZWGcHG.exe
  2⤵
  PID:7068
- C:\Windows\System\jXFhJyX.exe
  C:\Windows\System\jXFhJyX.exe
  2⤵
  PID:6208
- C:\Windows\System\IIMgqNN.exe
  C:\Windows\System\IIMgqNN.exe
  2⤵
  PID:6940
- C:\Windows\System\fMQzvRl.exe
  C:\Windows\System\fMQzvRl.exe
  2⤵
  PID:5688
- C:\Windows\System\cvknWMG.exe
  C:\Windows\System\cvknWMG.exe
  2⤵
  PID:6712
- C:\Windows\System\ijimpqq.exe
  C:\Windows\System\ijimpqq.exe
  2⤵
  PID:7176
- C:\Windows\System\YdWHHVW.exe
  C:\Windows\System\YdWHHVW.exe
  2⤵
  PID:7204
- C:\Windows\System\cAxQwVI.exe
  C:\Windows\System\cAxQwVI.exe
  2⤵
  PID:7244
- C:\Windows\System\xcjvQpD.exe
  C:\Windows\System\xcjvQpD.exe
  2⤵
  PID:7280
- C:\Windows\System\WLCdmms.exe
  C:\Windows\System\WLCdmms.exe
  2⤵
  PID:7308
- C:\Windows\System\vtXSiNY.exe
  C:\Windows\System\vtXSiNY.exe
  2⤵
  PID:7336
- C:\Windows\System\vdZLeub.exe
  C:\Windows\System\vdZLeub.exe
  2⤵
  PID:7364
- C:\Windows\System\eeWhoWz.exe
  C:\Windows\System\eeWhoWz.exe
  2⤵
  PID:7384
- C:\Windows\System\DGnpnxN.exe
  C:\Windows\System\DGnpnxN.exe
  2⤵
  PID:7412
- C:\Windows\System\adqJZfH.exe
  C:\Windows\System\adqJZfH.exe
  2⤵
  PID:7432
- C:\Windows\System\KwsrIam.exe
  C:\Windows\System\KwsrIam.exe
  2⤵
  PID:7464
- C:\Windows\System\wALDUFR.exe
  C:\Windows\System\wALDUFR.exe
  2⤵
  PID:7480
- C:\Windows\System\WgxaMAA.exe
  C:\Windows\System\WgxaMAA.exe
  2⤵
  PID:7512
- C:\Windows\System\DoPusuX.exe
  C:\Windows\System\DoPusuX.exe
  2⤵
  PID:7544
- C:\Windows\System\SfOsPNk.exe
  C:\Windows\System\SfOsPNk.exe
  2⤵
  PID:7564
- C:\Windows\System\sMqEOGy.exe
  C:\Windows\System\sMqEOGy.exe
  2⤵
  PID:7600
- C:\Windows\System\aozigTV.exe
  C:\Windows\System\aozigTV.exe
  2⤵
  PID:7624
- C:\Windows\System\jNoSbYf.exe
  C:\Windows\System\jNoSbYf.exe
  2⤵
  PID:7648
- C:\Windows\System\KkvZcOW.exe
  C:\Windows\System\KkvZcOW.exe
  2⤵
  PID:7680
- C:\Windows\System\FCYMLMM.exe
  C:\Windows\System\FCYMLMM.exe
  2⤵
  PID:7708
- C:\Windows\System\noCQrVX.exe
  C:\Windows\System\noCQrVX.exe
  2⤵
  PID:7736
- C:\Windows\System\FyUHpYf.exe
  C:\Windows\System\FyUHpYf.exe
  2⤵
  PID:7760
- C:\Windows\System\czXbUAq.exe
  C:\Windows\System\czXbUAq.exe
  2⤵
  PID:7788
- C:\Windows\System\EzxMxWE.exe
  C:\Windows\System\EzxMxWE.exe
  2⤵
  PID:7804
- C:\Windows\System\piOnvMf.exe
  C:\Windows\System\piOnvMf.exe
  2⤵
  PID:7828
- C:\Windows\System\sEjMJCt.exe
  C:\Windows\System\sEjMJCt.exe
  2⤵
  PID:7852
- C:\Windows\System\Bludadl.exe
  C:\Windows\System\Bludadl.exe
  2⤵
  PID:7880
- C:\Windows\System\gUjWPhR.exe
  C:\Windows\System\gUjWPhR.exe
  2⤵
  PID:7912
- C:\Windows\System\hHEQvzA.exe
  C:\Windows\System\hHEQvzA.exe
  2⤵
  PID:7944
- C:\Windows\System\WBiDESh.exe
  C:\Windows\System\WBiDESh.exe
  2⤵
  PID:7972
- C:\Windows\System\gGfIkKI.exe
  C:\Windows\System\gGfIkKI.exe
  2⤵
  PID:8004
- C:\Windows\System\TwVZVvS.exe
  C:\Windows\System\TwVZVvS.exe
  2⤵
  PID:8040
- C:\Windows\System\pnYxfaf.exe
  C:\Windows\System\pnYxfaf.exe
  2⤵
  PID:8056
- C:\Windows\System\vhSgcrZ.exe
  C:\Windows\System\vhSgcrZ.exe
  2⤵
  PID:8084
- C:\Windows\System\erUnaeY.exe
  C:\Windows\System\erUnaeY.exe
  2⤵
  PID:8116
- C:\Windows\System\cYwdvQX.exe
  C:\Windows\System\cYwdvQX.exe
  2⤵
  PID:8140
- C:\Windows\System\xUFRumh.exe
  C:\Windows\System\xUFRumh.exe
  2⤵
  PID:8172
- C:\Windows\System\FRByMkp.exe
  C:\Windows\System\FRByMkp.exe
  2⤵
  PID:6768
- C:\Windows\System\QVyBikZ.exe
  C:\Windows\System\QVyBikZ.exe
  2⤵
  PID:7236
- C:\Windows\System\iUTtyjS.exe
  C:\Windows\System\iUTtyjS.exe
  2⤵
  PID:7328
- C:\Windows\System\QHXaXhd.exe
  C:\Windows\System\QHXaXhd.exe
  2⤵
  PID:7372
- C:\Windows\System\XNuTuaO.exe
  C:\Windows\System\XNuTuaO.exe
  2⤵
  PID:7476
- C:\Windows\System\LsuwKln.exe
  C:\Windows\System\LsuwKln.exe
  2⤵
  PID:7536
- C:\Windows\System\GyTjzdh.exe
  C:\Windows\System\GyTjzdh.exe
  2⤵
  PID:7592
- C:\Windows\System\CdbkHcq.exe
  C:\Windows\System\CdbkHcq.exe
  2⤵
  PID:7672
- C:\Windows\System\QpbuRmP.exe
  C:\Windows\System\QpbuRmP.exe
  2⤵
  PID:7744
- C:\Windows\System\rPkPrzr.exe
  C:\Windows\System\rPkPrzr.exe
  2⤵
  PID:7796
- C:\Windows\System\xjAPwKq.exe
  C:\Windows\System\xjAPwKq.exe
  2⤵
  PID:7816
- C:\Windows\System\KquMLud.exe
  C:\Windows\System\KquMLud.exe
  2⤵
  PID:7900
- C:\Windows\System\mXwlwYc.exe
  C:\Windows\System\mXwlwYc.exe
  2⤵
  PID:7956
- C:\Windows\System\PbiHBid.exe
  C:\Windows\System\PbiHBid.exe
  2⤵
  PID:8108
- C:\Windows\System\kAdqbEL.exe
  C:\Windows\System\kAdqbEL.exe
  2⤵
  PID:8148
- C:\Windows\System\osVfZyV.exe
  C:\Windows\System\osVfZyV.exe
  2⤵
  PID:6456
- C:\Windows\System\VkxqNlo.exe
  C:\Windows\System\VkxqNlo.exe
  2⤵
  PID:7452
- C:\Windows\System\keydHdx.exe
  C:\Windows\System\keydHdx.exe
  2⤵
  PID:7492
- C:\Windows\System\HwNbjOq.exe
  C:\Windows\System\HwNbjOq.exe
  2⤵
  PID:7588
- C:\Windows\System\BdlOfhg.exe
  C:\Windows\System\BdlOfhg.exe
  2⤵
  PID:7732
- C:\Windows\System\zqHkAQC.exe
  C:\Windows\System\zqHkAQC.exe
  2⤵
  PID:7964
- C:\Windows\System\ORmolLz.exe
  C:\Windows\System\ORmolLz.exe
  2⤵
  PID:8080
- C:\Windows\System\nkjeMrk.exe
  C:\Windows\System\nkjeMrk.exe
  2⤵
  PID:7296
- C:\Windows\System\PBlGsUU.exe
  C:\Windows\System\PBlGsUU.exe
  2⤵
  PID:7584
- C:\Windows\System\BLodAqc.exe
  C:\Windows\System\BLodAqc.exe
  2⤵
  PID:7780
- C:\Windows\System\QXSdGsQ.exe
  C:\Windows\System\QXSdGsQ.exe
  2⤵
  PID:7392
- C:\Windows\System\CNnEOIk.exe
  C:\Windows\System\CNnEOIk.exe
  2⤵
  PID:8196
- C:\Windows\System\izNrgDf.exe
  C:\Windows\System\izNrgDf.exe
  2⤵
  PID:8212
- C:\Windows\System\WPYpNGr.exe
  C:\Windows\System\WPYpNGr.exe
  2⤵
  PID:8240
- C:\Windows\System\VxinZTM.exe
  C:\Windows\System\VxinZTM.exe
  2⤵
  PID:8268
- C:\Windows\System\KIwjquH.exe
  C:\Windows\System\KIwjquH.exe
  2⤵
  PID:8296
- C:\Windows\System\dwMqnHV.exe
  C:\Windows\System\dwMqnHV.exe
  2⤵
  PID:8328
- C:\Windows\System\QCgVDPH.exe
  C:\Windows\System\QCgVDPH.exe
  2⤵
  PID:8352
- C:\Windows\System\qmufYfb.exe
  C:\Windows\System\qmufYfb.exe
  2⤵
  PID:8380
- C:\Windows\System\pwHmRpp.exe
  C:\Windows\System\pwHmRpp.exe
  2⤵
  PID:8408
- C:\Windows\System\hdZwPIE.exe
  C:\Windows\System\hdZwPIE.exe
  2⤵
  PID:8436
- C:\Windows\System\MHfxYop.exe
  C:\Windows\System\MHfxYop.exe
  2⤵
  PID:8464
- C:\Windows\System\nFqIhcU.exe
  C:\Windows\System\nFqIhcU.exe
  2⤵
  PID:8496
- C:\Windows\System\XDMQFgb.exe
  C:\Windows\System\XDMQFgb.exe
  2⤵
  PID:8524
- C:\Windows\System\AVdMDXJ.exe
  C:\Windows\System\AVdMDXJ.exe
  2⤵
  PID:8552
- C:\Windows\System\OcgnoXo.exe
  C:\Windows\System\OcgnoXo.exe
  2⤵
  PID:8572
- C:\Windows\System\IUMSUfL.exe
  C:\Windows\System\IUMSUfL.exe
  2⤵
  PID:8604
- C:\Windows\System\msxGDnB.exe
  C:\Windows\System\msxGDnB.exe
  2⤵
  PID:8620
- C:\Windows\System\SQZZzOO.exe
  C:\Windows\System\SQZZzOO.exe
  2⤵
  PID:8652
- C:\Windows\System\eJlhWnr.exe
  C:\Windows\System\eJlhWnr.exe
  2⤵
  PID:8684
- C:\Windows\System\CzjAFMi.exe
  C:\Windows\System\CzjAFMi.exe
  2⤵
  PID:8704
- C:\Windows\System\NZIdtiT.exe
  C:\Windows\System\NZIdtiT.exe
  2⤵
  PID:8736
- C:\Windows\System\UFJcrHp.exe
  C:\Windows\System\UFJcrHp.exe
  2⤵
  PID:8764
- C:\Windows\System\sNPnVDA.exe
  C:\Windows\System\sNPnVDA.exe
  2⤵
  PID:8800
- C:\Windows\System\uVwSeMa.exe
  C:\Windows\System\uVwSeMa.exe
  2⤵
  PID:8828
- C:\Windows\System\vWwpLxJ.exe
  C:\Windows\System\vWwpLxJ.exe
  2⤵
  PID:8864
- C:\Windows\System\jLweRbq.exe
  C:\Windows\System\jLweRbq.exe
  2⤵
  PID:8884
- C:\Windows\System\TRpCidx.exe
  C:\Windows\System\TRpCidx.exe
  2⤵
  PID:8916
- C:\Windows\System\sQFBGOG.exe
  C:\Windows\System\sQFBGOG.exe
  2⤵
  PID:8940
- C:\Windows\System\oNUICJg.exe
  C:\Windows\System\oNUICJg.exe
  2⤵
  PID:8968
- C:\Windows\System\JdpJNpj.exe
  C:\Windows\System\JdpJNpj.exe
  2⤵
  PID:9000
- C:\Windows\System\gRmhgpQ.exe
  C:\Windows\System\gRmhgpQ.exe
  2⤵
  PID:9036
- C:\Windows\System\RqbjkKS.exe
  C:\Windows\System\RqbjkKS.exe
  2⤵
  PID:9052
- C:\Windows\System\nlmBEvj.exe
  C:\Windows\System\nlmBEvj.exe
  2⤵
  PID:9068
- C:\Windows\System\Cizeguu.exe
  C:\Windows\System\Cizeguu.exe
  2⤵
  PID:9096
- C:\Windows\System\kKkTSVI.exe
  C:\Windows\System\kKkTSVI.exe
  2⤵
  PID:9136
- C:\Windows\System\wOtUpmk.exe
  C:\Windows\System\wOtUpmk.exe
  2⤵
  PID:8404
- C:\Windows\System\RkECmiD.exe
  C:\Windows\System\RkECmiD.exe
  2⤵
  PID:8488
- C:\Windows\System\KPLVBNq.exe
  C:\Windows\System\KPLVBNq.exe
  2⤵
  PID:8520
- C:\Windows\System\kFXAwCF.exe
  C:\Windows\System\kFXAwCF.exe
  2⤵
  PID:8568
- C:\Windows\System\QprYupm.exe
  C:\Windows\System\QprYupm.exe
  2⤵
  PID:8632
- C:\Windows\System\eDbAVIE.exe
  C:\Windows\System\eDbAVIE.exe
  2⤵
  PID:8732
- C:\Windows\System\aGzyQZT.exe
  C:\Windows\System\aGzyQZT.exe
  2⤵
  PID:3868
- C:\Windows\System\WUfFGiZ.exe
  C:\Windows\System\WUfFGiZ.exe
  2⤵
  PID:8816
- C:\Windows\System\KpkcPXE.exe
  C:\Windows\System\KpkcPXE.exe
  2⤵
  PID:8876
- C:\Windows\System\HscoeEE.exe
  C:\Windows\System\HscoeEE.exe
  2⤵
  PID:8928
- C:\Windows\System\WFbmaMt.exe
  C:\Windows\System\WFbmaMt.exe
  2⤵
  PID:9008
- C:\Windows\System\eBXAhwf.exe
  C:\Windows\System\eBXAhwf.exe
  2⤵
  PID:9080
- C:\Windows\System\owEWJXa.exe
  C:\Windows\System\owEWJXa.exe
  2⤵
  PID:9160
- C:\Windows\System\GHZppUb.exe
  C:\Windows\System\GHZppUb.exe
  2⤵
  PID:9180
- C:\Windows\System\gpgXFxY.exe
  C:\Windows\System\gpgXFxY.exe
  2⤵
  PID:7928
- C:\Windows\System\XHXAmQs.exe
  C:\Windows\System\XHXAmQs.exe
  2⤵
  PID:1724
- C:\Windows\System\EQqMUfd.exe
  C:\Windows\System\EQqMUfd.exe
  2⤵
  PID:8208
- C:\Windows\System\YMrQlIF.exe
  C:\Windows\System\YMrQlIF.exe
  2⤵
  PID:8316
- C:\Windows\System\KrzReIb.exe
  C:\Windows\System\KrzReIb.exe
  2⤵
  PID:9120
- C:\Windows\System\GOgIYku.exe
  C:\Windows\System\GOgIYku.exe
  2⤵
  PID:8612
- C:\Windows\System\UbnnAUW.exe
  C:\Windows\System\UbnnAUW.exe
  2⤵
  PID:8680
- C:\Windows\System\ORMriAP.exe
  C:\Windows\System\ORMriAP.exe
  2⤵
  PID:8664
- C:\Windows\System\UWViulT.exe
  C:\Windows\System\UWViulT.exe
  2⤵
  PID:8788
- C:\Windows\System\XhtzytG.exe
  C:\Windows\System\XhtzytG.exe
  2⤵
  PID:8924
- C:\Windows\System\wvCjZcO.exe
  C:\Windows\System\wvCjZcO.exe
  2⤵
  PID:9064
- C:\Windows\System\CsBDdSl.exe
  C:\Windows\System\CsBDdSl.exe
  2⤵
  PID:9032
- C:\Windows\System\CfDYtrx.exe
  C:\Windows\System\CfDYtrx.exe
  2⤵
  PID:9196
- C:\Windows\System\iriUUmf.exe
  C:\Windows\System\iriUUmf.exe
  2⤵
  PID:8228
- C:\Windows\System\krNuXph.exe
  C:\Windows\System\krNuXph.exe
  2⤵
  PID:8368
- C:\Windows\System\Saqclgr.exe
  C:\Windows\System\Saqclgr.exe
  2⤵
  PID:8532
- C:\Windows\System\eAEKIab.exe
  C:\Windows\System\eAEKIab.exe
  2⤵
  PID:7252
- C:\Windows\System\azMEDhc.exe
  C:\Windows\System\azMEDhc.exe
  2⤵
  PID:9232
- C:\Windows\System\rqPuaLB.exe
  C:\Windows\System\rqPuaLB.exe
  2⤵
  PID:9260
- C:\Windows\System\DpOQiJC.exe
  C:\Windows\System\DpOQiJC.exe
  2⤵
  PID:9284
- C:\Windows\System\jRNEkUv.exe
  C:\Windows\System\jRNEkUv.exe
  2⤵
  PID:9304
- C:\Windows\System\clvOndQ.exe
  C:\Windows\System\clvOndQ.exe
  2⤵
  PID:9340
- C:\Windows\System\zdkefaW.exe
  C:\Windows\System\zdkefaW.exe
  2⤵
  PID:9372
- C:\Windows\System\aRqMqAT.exe
  C:\Windows\System\aRqMqAT.exe
  2⤵
  PID:9408
- C:\Windows\System\CZfeSxq.exe
  C:\Windows\System\CZfeSxq.exe
  2⤵
  PID:9444
- C:\Windows\System\kjbBJCx.exe
  C:\Windows\System\kjbBJCx.exe
  2⤵
  PID:9476
- C:\Windows\System\xGicyuv.exe
  C:\Windows\System\xGicyuv.exe
  2⤵
  PID:9496
- C:\Windows\System\lPVoPRj.exe
  C:\Windows\System\lPVoPRj.exe
  2⤵
  PID:9520
- C:\Windows\System\eFHjGnu.exe
  C:\Windows\System\eFHjGnu.exe
  2⤵
  PID:9544
- C:\Windows\System\wJmKZif.exe
  C:\Windows\System\wJmKZif.exe
  2⤵
  PID:9576
- C:\Windows\System\JtTCCRJ.exe
  C:\Windows\System\JtTCCRJ.exe
  2⤵
  PID:9604
- C:\Windows\System\aQvszxk.exe
  C:\Windows\System\aQvszxk.exe
  2⤵
  PID:9632
- C:\Windows\System\yqXXwsm.exe
  C:\Windows\System\yqXXwsm.exe
  2⤵
  PID:9660
- C:\Windows\System\eZpJknB.exe
  C:\Windows\System\eZpJknB.exe
  2⤵
  PID:9688
- C:\Windows\System\MJmraQO.exe
  C:\Windows\System\MJmraQO.exe
  2⤵
  PID:9724
- C:\Windows\System\ZtwUgHh.exe
  C:\Windows\System\ZtwUgHh.exe
  2⤵
  PID:9764
- C:\Windows\System\PeXkFPY.exe
  C:\Windows\System\PeXkFPY.exe
  2⤵
  PID:9804
- C:\Windows\System\KCyAPVT.exe
  C:\Windows\System\KCyAPVT.exe
  2⤵
  PID:9836
- C:\Windows\System\AUJLxLw.exe
  C:\Windows\System\AUJLxLw.exe
  2⤵
  PID:9856
- C:\Windows\System\glmrAVD.exe
  C:\Windows\System\glmrAVD.exe
  2⤵
  PID:9872
- C:\Windows\System\iMjLdAg.exe
  C:\Windows\System\iMjLdAg.exe
  2⤵
  PID:9900
- C:\Windows\System\Ntakxhp.exe
  C:\Windows\System\Ntakxhp.exe
  2⤵
  PID:9936
- C:\Windows\System\BVLohcP.exe
  C:\Windows\System\BVLohcP.exe
  2⤵
  PID:9952
- C:\Windows\System\tUfVGTW.exe
  C:\Windows\System\tUfVGTW.exe
  2⤵
  PID:9984
- C:\Windows\System\OKUHShK.exe
  C:\Windows\System\OKUHShK.exe
  2⤵
  PID:10020
- C:\Windows\System\JNppoWe.exe
  C:\Windows\System\JNppoWe.exe
  2⤵
  PID:10052
- C:\Windows\System\FeoBJle.exe
  C:\Windows\System\FeoBJle.exe
  2⤵
  PID:10092
- C:\Windows\System\NySiUMo.exe
  C:\Windows\System\NySiUMo.exe
  2⤵
  PID:10108
- C:\Windows\System\YRfAztL.exe
  C:\Windows\System\YRfAztL.exe
  2⤵
  PID:10124
- C:\Windows\System\HqOdcFn.exe
  C:\Windows\System\HqOdcFn.exe
  2⤵
  PID:10152
- C:\Windows\System\XccVHQC.exe
  C:\Windows\System\XccVHQC.exe
  2⤵
  PID:10172
- C:\Windows\System\laIFTbd.exe
  C:\Windows\System\laIFTbd.exe
  2⤵
  PID:10204
- C:\Windows\System\gZvpcZQ.exe
  C:\Windows\System\gZvpcZQ.exe
  2⤵
  PID:10236
- C:\Windows\System\qWWTajs.exe
  C:\Windows\System\qWWTajs.exe
  2⤵
  PID:8224
- C:\Windows\System\ITyugwC.exe
  C:\Windows\System\ITyugwC.exe
  2⤵
  PID:9248
- C:\Windows\System\ftJYEGz.exe
  C:\Windows\System\ftJYEGz.exe
  2⤵
  PID:9280
- C:\Windows\System\DvvoTMs.exe
  C:\Windows\System\DvvoTMs.exe
  2⤵
  PID:9316
- C:\Windows\System\SCCKGfQ.exe
  C:\Windows\System\SCCKGfQ.exe
  2⤵
  PID:9392
- C:\Windows\System\olGRgmh.exe
  C:\Windows\System\olGRgmh.exe
  2⤵
  PID:9428
- C:\Windows\System\PSNePlN.exe
  C:\Windows\System\PSNePlN.exe
  2⤵
  PID:9572
- C:\Windows\System\AZPFIpQ.exe
  C:\Windows\System\AZPFIpQ.exe
  2⤵
  PID:9620
- C:\Windows\System\kTaoYZd.exe
  C:\Windows\System\kTaoYZd.exe
  2⤵
  PID:9708
- C:\Windows\System\RGlQEOr.exe
  C:\Windows\System\RGlQEOr.exe
  2⤵
  PID:9740
- C:\Windows\System\NngbNyp.exe
  C:\Windows\System\NngbNyp.exe
  2⤵
  PID:9792
- C:\Windows\System\ZBWQIvA.exe
  C:\Windows\System\ZBWQIvA.exe
  2⤵
  PID:9868
- C:\Windows\System\eyIUtso.exe
  C:\Windows\System\eyIUtso.exe
  2⤵
  PID:9944
- C:\Windows\System\TIEuKxh.exe
  C:\Windows\System\TIEuKxh.exe
  2⤵
  PID:10076
- C:\Windows\System\jZtJmDC.exe
  C:\Windows\System\jZtJmDC.exe
  2⤵
  PID:10064
- C:\Windows\System\SBweDib.exe
  C:\Windows\System\SBweDib.exe
  2⤵
  PID:10140
- C:\Windows\System\mhbhFta.exe
  C:\Windows\System\mhbhFta.exe
  2⤵
  PID:10164
- C:\Windows\System\olZfWbV.exe
  C:\Windows\System\olZfWbV.exe
  2⤵
  PID:3668
- C:\Windows\System\TpWqhuF.exe
  C:\Windows\System\TpWqhuF.exe
  2⤵
  PID:3908
- C:\Windows\System\aEagaoo.exe
  C:\Windows\System\aEagaoo.exe
  2⤵
  PID:9352
- C:\Windows\System\NLsfXYj.exe
  C:\Windows\System\NLsfXYj.exe
  2⤵
  PID:9564
- C:\Windows\System\MQlnUit.exe
  C:\Windows\System\MQlnUit.exe
  2⤵
  PID:9592
- C:\Windows\System\opwqcck.exe
  C:\Windows\System\opwqcck.exe
  2⤵
  PID:2620
- C:\Windows\System\eLUmTfS.exe
  C:\Windows\System\eLUmTfS.exe
  2⤵
  PID:9964
- C:\Windows\System\zwwtNlA.exe
  C:\Windows\System\zwwtNlA.exe
  2⤵
  PID:10040
- C:\Windows\System\QwUdiet.exe
  C:\Windows\System\QwUdiet.exe
  2⤵
  PID:8580
- C:\Windows\System\fuzlseb.exe
  C:\Windows\System\fuzlseb.exe
  2⤵
  PID:8776
- C:\Windows\System\BWnIKRu.exe
  C:\Windows\System\BWnIKRu.exe
  2⤵
  PID:9652
- C:\Windows\System\fjLXIxu.exe
  C:\Windows\System\fjLXIxu.exe
  2⤵
  PID:10136
- C:\Windows\System\cCuKSjP.exe
  C:\Windows\System\cCuKSjP.exe
  2⤵
  PID:9540
- C:\Windows\System\fEVIcMD.exe
  C:\Windows\System\fEVIcMD.exe
  2⤵
  PID:10272
- C:\Windows\System\SVNGdbq.exe
  C:\Windows\System\SVNGdbq.exe
  2⤵
  PID:10304
- C:\Windows\System\AEBAgFc.exe
  C:\Windows\System\AEBAgFc.exe
  2⤵
  PID:10324
- C:\Windows\System\tZnurxn.exe
  C:\Windows\System\tZnurxn.exe
  2⤵
  PID:10356
- C:\Windows\System\hVkNvBy.exe
  C:\Windows\System\hVkNvBy.exe
  2⤵
  PID:10376
- C:\Windows\System\vCGRRWy.exe
  C:\Windows\System\vCGRRWy.exe
  2⤵
  PID:10404
- C:\Windows\System\pnpxbpc.exe
  C:\Windows\System\pnpxbpc.exe
  2⤵
  PID:10436
- C:\Windows\System\hOAVOem.exe
  C:\Windows\System\hOAVOem.exe
  2⤵
  PID:10456
- C:\Windows\System\sZHCuaa.exe
  C:\Windows\System\sZHCuaa.exe
  2⤵
  PID:10480
- C:\Windows\System\nFTBIpk.exe
  C:\Windows\System\nFTBIpk.exe
  2⤵
  PID:10512
- C:\Windows\System\OAAGkBd.exe
  C:\Windows\System\OAAGkBd.exe
  2⤵
  PID:10556
- C:\Windows\System\ejaIumN.exe
  C:\Windows\System\ejaIumN.exe
  2⤵
  PID:10580
- C:\Windows\System\QXAFbAg.exe
  C:\Windows\System\QXAFbAg.exe
  2⤵
  PID:10608
- C:\Windows\System\xgqDymg.exe
  C:\Windows\System\xgqDymg.exe
  2⤵
  PID:10628
- C:\Windows\System\LnEproH.exe
  C:\Windows\System\LnEproH.exe
  2⤵
  PID:10652
- C:\Windows\System\gXsLSIP.exe
  C:\Windows\System\gXsLSIP.exe
  2⤵
  PID:10688
- C:\Windows\System\IbUWlwp.exe
  C:\Windows\System\IbUWlwp.exe
  2⤵
  PID:10708
- C:\Windows\System\fBPwgwg.exe
  C:\Windows\System\fBPwgwg.exe
  2⤵
  PID:10736
- C:\Windows\System\kEynaXE.exe
  C:\Windows\System\kEynaXE.exe
  2⤵
  PID:10772
- C:\Windows\System\yYPWmcF.exe
  C:\Windows\System\yYPWmcF.exe
  2⤵
  PID:10812
- C:\Windows\System\FrbclKN.exe
  C:\Windows\System\FrbclKN.exe
  2⤵
  PID:10852
- C:\Windows\System\MaSuixp.exe
  C:\Windows\System\MaSuixp.exe
  2⤵
  PID:10880
- C:\Windows\System\HRFeNzm.exe
  C:\Windows\System\HRFeNzm.exe
  2⤵
  PID:10904
- C:\Windows\System\wmnURXQ.exe
  C:\Windows\System\wmnURXQ.exe
  2⤵
  PID:10932
- C:\Windows\System\lPmfwlD.exe
  C:\Windows\System\lPmfwlD.exe
  2⤵
  PID:10948
- C:\Windows\System\lyzZfmS.exe
  C:\Windows\System\lyzZfmS.exe
  2⤵
  PID:10972
- C:\Windows\System\dXKELWK.exe
  C:\Windows\System\dXKELWK.exe
  2⤵
  PID:10996
- C:\Windows\System\AcyRVol.exe
  C:\Windows\System\AcyRVol.exe
  2⤵
  PID:11020
- C:\Windows\System\pCEPLXK.exe
  C:\Windows\System\pCEPLXK.exe
  2⤵
  PID:11060
- C:\Windows\System\FCeZkvj.exe
  C:\Windows\System\FCeZkvj.exe
  2⤵
  PID:11076
- C:\Windows\System\jZmMhxw.exe
  C:\Windows\System\jZmMhxw.exe
  2⤵
  PID:11108
- C:\Windows\System\EKPfxXw.exe
  C:\Windows\System\EKPfxXw.exe
  2⤵
  PID:11124
- C:\Windows\System\lVhuBQW.exe
  C:\Windows\System\lVhuBQW.exe
  2⤵
  PID:11148
- C:\Windows\System\kDudDef.exe
  C:\Windows\System\kDudDef.exe
  2⤵
  PID:11172
- C:\Windows\System\kklRWrh.exe
  C:\Windows\System\kklRWrh.exe
  2⤵
  PID:11196
- C:\Windows\System\HZBCDrN.exe
  C:\Windows\System\HZBCDrN.exe
  2⤵
  PID:11220
- C:\Windows\System\TrbzHRu.exe
  C:\Windows\System\TrbzHRu.exe
  2⤵
  PID:11244
- C:\Windows\System\sNdVMDv.exe
  C:\Windows\System\sNdVMDv.exe
  2⤵
  PID:10224
- C:\Windows\System\EjEBNkJ.exe
  C:\Windows\System\EjEBNkJ.exe
  2⤵
  PID:10228
- C:\Windows\System\npSiEar.exe
  C:\Windows\System\npSiEar.exe
  2⤵
  PID:10300
- C:\Windows\System\rqXbVtK.exe
  C:\Windows\System\rqXbVtK.exe
  2⤵
  PID:10396
- C:\Windows\System\vopsOfE.exe
  C:\Windows\System\vopsOfE.exe
  2⤵
  PID:10428
- C:\Windows\System\FqnKDZi.exe
  C:\Windows\System\FqnKDZi.exe
  2⤵
  PID:10452
- C:\Windows\System\WRTjQMr.exe
  C:\Windows\System\WRTjQMr.exe
  2⤵
  PID:10504
- C:\Windows\System\pRukRSP.exe
  C:\Windows\System\pRukRSP.exe
  2⤵
  PID:10600
- C:\Windows\System\OyiHBAQ.exe
  C:\Windows\System\OyiHBAQ.exe
  2⤵
  PID:10684
- C:\Windows\System\CcUcrKo.exe
  C:\Windows\System\CcUcrKo.exe
  2⤵
  PID:10768
- C:\Windows\System\DflDUsC.exe
  C:\Windows\System\DflDUsC.exe
  2⤵
  PID:10840
- C:\Windows\System\rbMvXNh.exe
  C:\Windows\System\rbMvXNh.exe
  2⤵
  PID:10876
- C:\Windows\System\LSEtwtr.exe
  C:\Windows\System\LSEtwtr.exe
  2⤵
  PID:10968
- C:\Windows\System\OSonfuF.exe
  C:\Windows\System\OSonfuF.exe
  2⤵
  PID:11044
- C:\Windows\System\rHDmlwI.exe
  C:\Windows\System\rHDmlwI.exe
  2⤵
  PID:11120
- C:\Windows\System\SFJWECn.exe
  C:\Windows\System\SFJWECn.exe
  2⤵
  PID:11164
- C:\Windows\System\AfPwkOA.exe
  C:\Windows\System\AfPwkOA.exe
  2⤵
  PID:9192
- C:\Windows\System\QUfjREU.exe
  C:\Windows\System\QUfjREU.exe
  2⤵
  PID:9752
- C:\Windows\System\NMaTfuJ.exe
  C:\Windows\System\NMaTfuJ.exe
  2⤵
  PID:10388
- C:\Windows\System\arzUppm.exe
  C:\Windows\System\arzUppm.exe
  2⤵
  PID:10532
- C:\Windows\System\zrEoEth.exe
  C:\Windows\System\zrEoEth.exe
  2⤵
  PID:10800
- C:\Windows\System\Iybxdzr.exe
  C:\Windows\System\Iybxdzr.exe
  2⤵
  PID:10920
- C:\Windows\System\fiQNmqP.exe
  C:\Windows\System\fiQNmqP.exe
  2⤵
  PID:11204
- C:\Windows\System\RhuCPBj.exe
  C:\Windows\System\RhuCPBj.exe
  2⤵
  PID:11236
- C:\Windows\System\MKQPqPL.exe
  C:\Windows\System\MKQPqPL.exe
  2⤵
  PID:10784
- C:\Windows\System\ChoeRSF.exe
  C:\Windows\System\ChoeRSF.exe
  2⤵
  PID:11184
- C:\Windows\System\RNnJFMl.exe
  C:\Windows\System\RNnJFMl.exe
  2⤵
  PID:11260
- C:\Windows\System\TbsKryT.exe
  C:\Windows\System\TbsKryT.exe
  2⤵
  PID:11280
- C:\Windows\System\mjXQBDB.exe
  C:\Windows\System\mjXQBDB.exe
  2⤵
  PID:11312
- C:\Windows\System\MZxJaJL.exe
  C:\Windows\System\MZxJaJL.exe
  2⤵
  PID:11340
- C:\Windows\System\SieRFYH.exe
  C:\Windows\System\SieRFYH.exe
  2⤵
  PID:11380
- C:\Windows\System\pMZfcvG.exe
  C:\Windows\System\pMZfcvG.exe
  2⤵
  PID:11408
- C:\Windows\System\QIyjvGs.exe
  C:\Windows\System\QIyjvGs.exe
  2⤵
  PID:11424
- C:\Windows\System\QKupcdd.exe
  C:\Windows\System\QKupcdd.exe
  2⤵
  PID:11456
- C:\Windows\System\jdqSWfW.exe
  C:\Windows\System\jdqSWfW.exe
  2⤵
  PID:11480
- C:\Windows\System\JPCGXSo.exe
  C:\Windows\System\JPCGXSo.exe
  2⤵
  PID:11508
- C:\Windows\System\dnXYCkW.exe
  C:\Windows\System\dnXYCkW.exe
  2⤵
  PID:11536
- C:\Windows\System\fbDRRSp.exe
  C:\Windows\System\fbDRRSp.exe
  2⤵
  PID:11568
- C:\Windows\System\qzvwnBI.exe
  C:\Windows\System\qzvwnBI.exe
  2⤵
  PID:11596
- C:\Windows\System\bhfbrUd.exe
  C:\Windows\System\bhfbrUd.exe
  2⤵
  PID:11620
- C:\Windows\System\gYlVWeZ.exe
  C:\Windows\System\gYlVWeZ.exe
  2⤵
  PID:11648
- C:\Windows\System\HgpVMGq.exe
  C:\Windows\System\HgpVMGq.exe
  2⤵
  PID:11672
- C:\Windows\System\BcsOFeY.exe
  C:\Windows\System\BcsOFeY.exe
  2⤵
  PID:11692
- C:\Windows\System\jiuBUjz.exe
  C:\Windows\System\jiuBUjz.exe
  2⤵
  PID:11720
- C:\Windows\System\dIiYiOs.exe
  C:\Windows\System\dIiYiOs.exe
  2⤵
  PID:11748
- C:\Windows\System\OjbtDzt.exe
  C:\Windows\System\OjbtDzt.exe
  2⤵
  PID:11788
- C:\Windows\System\beZnoVJ.exe
  C:\Windows\System\beZnoVJ.exe
  2⤵
  PID:11820
- C:\Windows\System\ZXCaNdM.exe
  C:\Windows\System\ZXCaNdM.exe
  2⤵
  PID:11856
- C:\Windows\System\memTtIZ.exe
  C:\Windows\System\memTtIZ.exe
  2⤵
  PID:11876
- C:\Windows\System\ggjQUJk.exe
  C:\Windows\System\ggjQUJk.exe
  2⤵
  PID:11900
- C:\Windows\System\oyCwnDT.exe
  C:\Windows\System\oyCwnDT.exe
  2⤵
  PID:11920
- C:\Windows\System\QkpYAtS.exe
  C:\Windows\System\QkpYAtS.exe
  2⤵
  PID:11956
- C:\Windows\System\BRMeAsD.exe
  C:\Windows\System\BRMeAsD.exe
  2⤵
  PID:11984
- C:\Windows\System\SCnEXiN.exe
  C:\Windows\System\SCnEXiN.exe
  2⤵
  PID:12000
- C:\Windows\System\oOMLqVL.exe
  C:\Windows\System\oOMLqVL.exe
  2⤵
  PID:12024
- C:\Windows\System\rBtwtmh.exe
  C:\Windows\System\rBtwtmh.exe
  2⤵
  PID:12044
- C:\Windows\System\CobTnMN.exe
  C:\Windows\System\CobTnMN.exe
  2⤵
  PID:12076
- C:\Windows\System\xbJnJTJ.exe
  C:\Windows\System\xbJnJTJ.exe
  2⤵
  PID:12104
- C:\Windows\System\XukdzbO.exe
  C:\Windows\System\XukdzbO.exe
  2⤵
  PID:12148
- C:\Windows\System\FxaVtzJ.exe
  C:\Windows\System\FxaVtzJ.exe
  2⤵
  PID:12168
- C:\Windows\System\VPHdlov.exe
  C:\Windows\System\VPHdlov.exe
  2⤵
  PID:12200
- C:\Windows\System\pPNVgGp.exe
  C:\Windows\System\pPNVgGp.exe
  2⤵
  PID:12236
- C:\Windows\System\KxkIUAa.exe
  C:\Windows\System\KxkIUAa.exe
  2⤵
  PID:12268
- C:\Windows\System\sXfjVmC.exe
  C:\Windows\System\sXfjVmC.exe
  2⤵
  PID:10864
- C:\Windows\System\AMfIqIB.exe
  C:\Windows\System\AMfIqIB.exe
  2⤵
  PID:11288
- C:\Windows\System\IbYDozZ.exe
  C:\Windows\System\IbYDozZ.exe
  2⤵
  PID:11364
- C:\Windows\System\HQQigIR.exe
  C:\Windows\System\HQQigIR.exe
  2⤵
  PID:11420
- C:\Windows\System\WXGbddl.exe
  C:\Windows\System\WXGbddl.exe
  2⤵
  PID:11436
- C:\Windows\System\kKJvUOF.exe
  C:\Windows\System\kKJvUOF.exe
  2⤵
  PID:11520
- C:\Windows\System\qmQelNS.exe
  C:\Windows\System\qmQelNS.exe
  2⤵
  PID:11548
- C:\Windows\System\KVJsvaB.exe
  C:\Windows\System\KVJsvaB.exe
  2⤵
  PID:11592
- C:\Windows\System\LXyikLu.exe
  C:\Windows\System\LXyikLu.exe
  2⤵
  PID:11688
- C:\Windows\System\DAdEUwK.exe
  C:\Windows\System\DAdEUwK.exe
  2⤵
  PID:11756
- C:\Windows\System\FxKEIBN.exe
  C:\Windows\System\FxKEIBN.exe
  2⤵
  PID:11800
- C:\Windows\System\ypJtFwM.exe
  C:\Windows\System\ypJtFwM.exe
  2⤵
  PID:11884
- C:\Windows\System\hDUEfGn.exe
  C:\Windows\System\hDUEfGn.exe
  2⤵
  PID:11940
- C:\Windows\System\lOezvuD.exe
  C:\Windows\System\lOezvuD.exe
  2⤵
  PID:12020
- C:\Windows\System\pHlIbWH.exe
  C:\Windows\System\pHlIbWH.exe
  2⤵
  PID:12164
- C:\Windows\System\SjtmnoN.exe
  C:\Windows\System\SjtmnoN.exe
  2⤵
  PID:12180
- C:\Windows\System\qHkxKzm.exe
  C:\Windows\System\qHkxKzm.exe
  2⤵
  PID:12224
- C:\Windows\System\VHRbkoD.exe
  C:\Windows\System\VHRbkoD.exe
  2⤵
  PID:12260
- C:\Windows\System\xQgYNKm.exe
  C:\Windows\System\xQgYNKm.exe
  2⤵
  PID:11324
- C:\Windows\System\ckHXqSq.exe
  C:\Windows\System\ckHXqSq.exe
  2⤵
  PID:11500
- C:\Windows\System\jinkohH.exe
  C:\Windows\System\jinkohH.exe
  2⤵
  PID:11608
- C:\Windows\System\nCiJsfo.exe
  C:\Windows\System\nCiJsfo.exe
  2⤵
  PID:11872
- C:\Windows\System\oaiyFku.exe
  C:\Windows\System\oaiyFku.exe
  2⤵
  PID:11996
- C:\Windows\System\yJVsQZE.exe
  C:\Windows\System\yJVsQZE.exe
  2⤵
  PID:12016
- C:\Windows\System\qsIDueU.exe
  C:\Windows\System\qsIDueU.exe
  2⤵
  PID:12196
- C:\Windows\System\fahZLoX.exe
  C:\Windows\System\fahZLoX.exe
  2⤵
  PID:11268
- C:\Windows\System\XTNdtgs.exe
  C:\Windows\System\XTNdtgs.exe
  2⤵
  PID:11612
- C:\Windows\System\FLsxdHo.exe
  C:\Windows\System\FLsxdHo.exe
  2⤵
  PID:12316
- C:\Windows\System\ToLPAnu.exe
  C:\Windows\System\ToLPAnu.exe
  2⤵
  PID:12348
- C:\Windows\System\MtwGdkx.exe
  C:\Windows\System\MtwGdkx.exe
  2⤵
  PID:12372
- C:\Windows\System\HnVhvvs.exe
  C:\Windows\System\HnVhvvs.exe
  2⤵
  PID:12404
- C:\Windows\System\jpmmFFy.exe
  C:\Windows\System\jpmmFFy.exe
  2⤵
  PID:12424
- C:\Windows\System\bWQVYOq.exe
  C:\Windows\System\bWQVYOq.exe
  2⤵
  PID:12456
- C:\Windows\System\gbCnWpq.exe
  C:\Windows\System\gbCnWpq.exe
  2⤵
  PID:12492
- C:\Windows\System\kICVpji.exe
  C:\Windows\System\kICVpji.exe
  2⤵
  PID:12520
- C:\Windows\System\DgBjNdz.exe
  C:\Windows\System\DgBjNdz.exe
  2⤵
  PID:12540
- C:\Windows\System\PbxJihw.exe
  C:\Windows\System\PbxJihw.exe
  2⤵
  PID:12564
- C:\Windows\System\AJYnIXN.exe
  C:\Windows\System\AJYnIXN.exe
  2⤵
  PID:12584
- C:\Windows\System\sIGinDg.exe
  C:\Windows\System\sIGinDg.exe
  2⤵
  PID:12616
- C:\Windows\System\OXDbjIe.exe
  C:\Windows\System\OXDbjIe.exe
  2⤵
  PID:12648
- C:\Windows\System\EnNxieW.exe
  C:\Windows\System\EnNxieW.exe
  2⤵
  PID:12676
- C:\Windows\System\TFBmwmE.exe
  C:\Windows\System\TFBmwmE.exe
  2⤵
  PID:12704
- C:\Windows\System\kZlheel.exe
  C:\Windows\System\kZlheel.exe
  2⤵
  PID:12728
- C:\Windows\System\IcjCMBi.exe
  C:\Windows\System\IcjCMBi.exe
  2⤵
  PID:12756
- C:\Windows\System\SWgvQSx.exe
  C:\Windows\System\SWgvQSx.exe
  2⤵
  PID:12792
- C:\Windows\System\ERnYwVx.exe
  C:\Windows\System\ERnYwVx.exe
  2⤵
  PID:12820
- C:\Windows\System\HbsgmDo.exe
  C:\Windows\System\HbsgmDo.exe
  2⤵
  PID:12876
- C:\Windows\System\fIkHQBz.exe
  C:\Windows\System\fIkHQBz.exe
  2⤵
  PID:12896
- C:\Windows\System\uHkQFcP.exe
  C:\Windows\System\uHkQFcP.exe
  2⤵
  PID:12924
- C:\Windows\System\fLeXBfn.exe
  C:\Windows\System\fLeXBfn.exe
  2⤵
  PID:12960
- C:\Windows\System\RxDKCla.exe
  C:\Windows\System\RxDKCla.exe
  2⤵
  PID:12988
- C:\Windows\System\yVIAmMS.exe
  C:\Windows\System\yVIAmMS.exe
  2⤵
  PID:13016
- C:\Windows\System\AqKXtBM.exe
  C:\Windows\System\AqKXtBM.exe
  2⤵
  PID:13048
- C:\Windows\System\XUHYVLU.exe
  C:\Windows\System\XUHYVLU.exe
  2⤵
  PID:13072
- C:\Windows\System\ZGIzoIC.exe
  C:\Windows\System\ZGIzoIC.exe
  2⤵
  PID:13104
- C:\Windows\System\PiLfQWD.exe
  C:\Windows\System\PiLfQWD.exe
  2⤵
  PID:13128
- C:\Windows\System\uroZwTU.exe
  C:\Windows\System\uroZwTU.exe
  2⤵
  PID:13160
- C:\Windows\System\znQgvBz.exe
  C:\Windows\System\znQgvBz.exe
  2⤵
  PID:13196
- C:\Windows\System\MtHKWRy.exe
  C:\Windows\System\MtHKWRy.exe
  2⤵
  PID:13212
- C:\Windows\System\HqHiQgG.exe
  C:\Windows\System\HqHiQgG.exe
  2⤵
  PID:13240
- C:\Windows\System\pSITDxX.exe
  C:\Windows\System\pSITDxX.exe
  2⤵
  PID:13268
- C:\Windows\System\kyPtCon.exe
  C:\Windows\System\kyPtCon.exe
  2⤵
  PID:13288
- C:\Windows\System\KcZnLMo.exe
  C:\Windows\System\KcZnLMo.exe
  2⤵
  PID:11404
- C:\Windows\System\RCMwrxi.exe
  C:\Windows\System\RCMwrxi.exe
  2⤵
  PID:12092
- C:\Windows\System\ufZrzoD.exe
  C:\Windows\System\ufZrzoD.exe
  2⤵
  PID:12300
- C:\Windows\System\JYlRSdu.exe
  C:\Windows\System\JYlRSdu.exe
  2⤵
  PID:12368
- C:\Windows\System\NznFKnT.exe
  C:\Windows\System\NznFKnT.exe
  2⤵
  PID:12480
- C:\Windows\System\iBVMrao.exe
  C:\Windows\System\iBVMrao.exe
  2⤵
  PID:12556
- C:\Windows\System\GVNojje.exe
  C:\Windows\System\GVNojje.exe
  2⤵
  PID:12580
- C:\Windows\System\WPoCtLm.exe
  C:\Windows\System\WPoCtLm.exe
  2⤵
  PID:12672
- C:\Windows\System\jomcMLg.exe
  C:\Windows\System\jomcMLg.exe
  2⤵
  PID:12716
- C:\Windows\System\meoEfWi.exe
  C:\Windows\System\meoEfWi.exe
  2⤵
  PID:12696
- C:\Windows\System\ngFQIZB.exe
  C:\Windows\System\ngFQIZB.exe
  2⤵
  PID:12744
- C:\Windows\System\vXGPwnT.exe
  C:\Windows\System\vXGPwnT.exe
  2⤵
  PID:12840
- C:\Windows\System\YNXQFBL.exe
  C:\Windows\System\YNXQFBL.exe
  2⤵
  PID:12904
- C:\Windows\System\ZnbnyNO.exe
  C:\Windows\System\ZnbnyNO.exe
  2⤵
  PID:12944
- C:\Windows\System\UroLIrY.exe
  C:\Windows\System\UroLIrY.exe
  2⤵
  PID:13056
- C:\Windows\System\aVuVTgJ.exe
  C:\Windows\System\aVuVTgJ.exe
  2⤵
  PID:13124
- C:\Windows\System\QSWyAlf.exe
  C:\Windows\System\QSWyAlf.exe
  2⤵
  PID:13204
- C:\Windows\System\sUdBSko.exe
  C:\Windows\System\sUdBSko.exe
  2⤵
  PID:13256
- C:\Windows\System\gMFZMZy.exe
  C:\Windows\System\gMFZMZy.exe
  2⤵
  PID:13296
- C:\Windows\System\OoAHhUk.exe
  C:\Windows\System\OoAHhUk.exe
  2⤵
  PID:12360
- C:\Windows\System\wPUsWkE.exe
  C:\Windows\System\wPUsWkE.exe
  2⤵
  PID:12444
- C:\Windows\System\JGZjkAX.exe
  C:\Windows\System\JGZjkAX.exe
  2⤵
  PID:12692
- C:\Windows\System\oWAZcJu.exe
  C:\Windows\System\oWAZcJu.exe
  2⤵
  PID:12844
- C:\Windows\System\knXcVTL.exe
  C:\Windows\System\knXcVTL.exe
  2⤵
  PID:13120
- C:\Windows\System\bmiqcsf.exe
  C:\Windows\System\bmiqcsf.exe
  2⤵
  PID:13308
- C:\Windows\System\NCCJDkE.exe
  C:\Windows\System\NCCJDkE.exe
  2⤵
  PID:13260
- C:\Windows\System\ANJosTm.exe
  C:\Windows\System\ANJosTm.exe
  2⤵
  PID:12336
- C:\Windows\System\xIqtekB.exe
  C:\Windows\System\xIqtekB.exe
  2⤵
  PID:13252
- C:\Windows\System\FobIGjM.exe
  C:\Windows\System\FobIGjM.exe
  2⤵
  PID:13040
- C:\Windows\System\KgrxgCs.exe
  C:\Windows\System\KgrxgCs.exe
  2⤵
  PID:13336
- C:\Windows\System\eBkVTTL.exe
  C:\Windows\System\eBkVTTL.exe
  2⤵
  PID:13364
- C:\Windows\System\oaDphiN.exe
  C:\Windows\System\oaDphiN.exe
  2⤵
  PID:13396
- C:\Windows\System\WquKIlU.exe
  C:\Windows\System\WquKIlU.exe
  2⤵
  PID:13416
- C:\Windows\System\XgXhORj.exe
  C:\Windows\System\XgXhORj.exe
  2⤵
  PID:13444
- C:\Windows\System\KXiGMWT.exe
  C:\Windows\System\KXiGMWT.exe
  2⤵
  PID:13468
- C:\Windows\System\cwvtHzK.exe
  C:\Windows\System\cwvtHzK.exe
  2⤵
  PID:13504
- C:\Windows\System\WNcqZVg.exe
  C:\Windows\System\WNcqZVg.exe
  2⤵
  PID:13536
- C:\Windows\System\QpgYQkp.exe
  C:\Windows\System\QpgYQkp.exe
  2⤵
  PID:13568
- C:\Windows\System\gjMBrvT.exe
  C:\Windows\System\gjMBrvT.exe
  2⤵
  PID:13592
- C:\Windows\System\ydNeFop.exe
  C:\Windows\System\ydNeFop.exe
  2⤵
  PID:13616
- C:\Windows\System\kCjqXfB.exe
  C:\Windows\System\kCjqXfB.exe
  2⤵
  PID:13640
- C:\Windows\System\VtNDzWm.exe
  C:\Windows\System\VtNDzWm.exe
  2⤵
  PID:13672
- C:\Windows\System\GzZkFcn.exe
  C:\Windows\System\GzZkFcn.exe
  2⤵
  PID:13700
- C:\Windows\System\dLSMLVm.exe
  C:\Windows\System\dLSMLVm.exe
  2⤵
  PID:13724
- C:\Windows\System\ScLhzCp.exe
  C:\Windows\System\ScLhzCp.exe
  2⤵
  PID:13744
- C:\Windows\System\drluDdZ.exe
  C:\Windows\System\drluDdZ.exe
  2⤵
  PID:13776
- C:\Windows\System\IDqHigV.exe
  C:\Windows\System\IDqHigV.exe
  2⤵
  PID:13816
- C:\Windows\System\SOHBRGO.exe
  C:\Windows\System\SOHBRGO.exe
  2⤵
  PID:13852
- C:\Windows\System\gUKGCNB.exe
  C:\Windows\System\gUKGCNB.exe
  2⤵
  PID:13884
- C:\Windows\System\UoswmRM.exe
  C:\Windows\System\UoswmRM.exe
  2⤵
  PID:13908
- C:\Windows\System\dWsKhMb.exe
  C:\Windows\System\dWsKhMb.exe
  2⤵
  PID:13936
- C:\Windows\System\oZXsIFj.exe
  C:\Windows\System\oZXsIFj.exe
  2⤵
  PID:13964
- C:\Windows\System\tKSRwqN.exe
  C:\Windows\System\tKSRwqN.exe
  2⤵
  PID:13988
- C:\Windows\System\drMIIHN.exe
  C:\Windows\System\drMIIHN.exe
  2⤵
  PID:14004
- C:\Windows\System\aBSUQUR.exe
  C:\Windows\System\aBSUQUR.exe
  2⤵
  PID:14032
- C:\Windows\System\XdtDtPS.exe
  C:\Windows\System\XdtDtPS.exe
  2⤵
  PID:14068
- C:\Windows\System\FnPAIeT.exe
  C:\Windows\System\FnPAIeT.exe
  2⤵
  PID:14104
- C:\Windows\System\pvKtxyy.exe
  C:\Windows\System\pvKtxyy.exe
  2⤵
  PID:14136
- C:\Windows\System\LUKSOdE.exe
  C:\Windows\System\LUKSOdE.exe
  2⤵
  PID:14156
- C:\Windows\System\DjWPEJm.exe
  C:\Windows\System\DjWPEJm.exe
  2⤵
  PID:14188
- C:\Windows\System\JVTmtBk.exe
  C:\Windows\System\JVTmtBk.exe
  2⤵
  PID:14216
- C:\Windows\System\hlpIdWS.exe
  C:\Windows\System\hlpIdWS.exe
  2⤵
  PID:14244
- C:\Windows\System\YRTuanj.exe
  C:\Windows\System\YRTuanj.exe
  2⤵
  PID:14268
- C:\Windows\System\RdqtAxr.exe
  C:\Windows\System\RdqtAxr.exe
  2⤵
  PID:14296
- C:\Windows\System\DNKcAmd.exe
  C:\Windows\System\DNKcAmd.exe
  2⤵
  PID:14324
- C:\Windows\System\HPRKTFV.exe
  C:\Windows\System\HPRKTFV.exe
  2⤵
  PID:13316
- C:\Windows\System\zSCrZCM.exe
  C:\Windows\System\zSCrZCM.exe
  2⤵
  PID:12720
- C:\Windows\System\ElEDcRd.exe
  C:\Windows\System\ElEDcRd.exe
  2⤵
  PID:13492
- C:\Windows\System\gttggYx.exe
  C:\Windows\System\gttggYx.exe
  2⤵
  PID:13476
- C:\Windows\System\pihVamk.exe
  C:\Windows\System\pihVamk.exe
  2⤵
  PID:13548
- C:\Windows\System\AgpvOVO.exe
  C:\Windows\System\AgpvOVO.exe
  2⤵
  PID:13624
- C:\Windows\System\WjqJmkk.exe
  C:\Windows\System\WjqJmkk.exe
  2⤵
  PID:13660
- C:\Windows\System\bKsAkRR.exe
  C:\Windows\System\bKsAkRR.exe
  2⤵
  PID:13688
- C:\Windows\System\dgIdUyW.exe
  C:\Windows\System\dgIdUyW.exe
  2⤵
  PID:13844
- C:\Windows\System\QwnjGMZ.exe
  C:\Windows\System\QwnjGMZ.exe
  2⤵
  PID:13772
- C:\Windows\System\bMLxiCm.exe
  C:\Windows\System\bMLxiCm.exe
  2⤵
  PID:13896

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:14236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BkRqevM.exe

Filesize
1.7MB

MD5
87a96694a689b7b237e927a857587df1

SHA1
59b4928e9c3389e49036347416f50a9ef5d882ba

SHA256
a337f0c1a28ae9ed942d38a151837014ca7fbba92cdbbd720aec3cc4f4c16ffb

SHA512
0153cbd3863a6e10471204374cab2e05c5897334ed094bfe4655d20af0c346432abc9011f7aba2fcca49a2f137401c5d8598c1ea6bd7c37a0bc9d4fa83404723

Download Submit
C:\Windows\System\CzuhBvO.exe

Filesize
1.7MB

MD5
7575be7685ac5c537388f7a79b45fc23

SHA1
6f452839852cd38ea394242e0385d9a4c5213cbb

SHA256
b5a2bbebd91a69c78e9ad4db683da22a74d436c877ce57040ab2cf1ade2effe3

SHA512
d06fa1a0b0e3cca8755835b90fc0e5a43b0252f805429794452acd4773f0bb5fdbc17d059ca66168263d025071d78f37a48aea0454de936ef1f7807df238a041

Download Submit
C:\Windows\System\DGLUPDe.exe

Filesize
1.7MB

MD5
76a0b9f5410b81841a1576009d5076fb

SHA1
c4e095c3750c6203163eab94c0f79f2604fe4eb0

SHA256
c33bbef58c3b40884963472042a8ebb129093d776578ddb6bf5fb126b58e26fa

SHA512
84f8f74839a53db0a4d4fc22f537c77d10f482d2d0017cb4fb7e56fe2e83663eff4611ea657bae884b540afd2bd632bef2db77542c1fcbe3107e5fd1c40e778e

Download Submit
C:\Windows\System\FgGFhQs.exe

Filesize
1.7MB

MD5
5af74b66cd763e09839b2cfee6a08b1e

SHA1
480ea6240795cdc8caf18c2e92c934b90df7f6c0

SHA256
3475fb430d57b3b86abc1f2f9e52692f89294f3f77ccafa868c0bfa0409fd4f3

SHA512
37f93e15c281b3f3e0785a8a814695d5dad8e7ab2401c8ecc73e48bee1754868711431204bc9ddf73e0e16fa622cacd1a0a5231a6d116d85b23da15f4b45bd0f

Download Submit
C:\Windows\System\HZTWnIa.exe

Filesize
1.7MB

MD5
a4438eb0aace3ff76c268e42c82facd5

SHA1
4b8db616494dfd128cc4298148cb24702055e138

SHA256
0dac0f0aaabbbdbaf4f308258c9967c6053df24ae3a07e65d42b1e16ec68faa4

SHA512
3ba402d75bc6aa5b58af743c0a3b8eaada75f3822ad3c203224a5fd88e3965d415cfa724072a6802797d044bd501cf7b62ee5152a653ad380b913c98b2898dea

Download Submit
C:\Windows\System\JcEHZqi.exe

Filesize
1.7MB

MD5
0d85159b7e05dc817d5619905373694a

SHA1
5a50b308856d073b6a4c24008a803814b495dcd0

SHA256
67c4c18926de8c3d31c64b1e50d04b846ec030123e76f2a15f5848a6e6a8aa46

SHA512
78c2176d2c612e4429faad9b6255aed0e517531c29c219bb391af83982885265bd1a932851534315446120a0fdf82cb83188d55f5d4ec192ead1a59d92562e21

Download Submit
C:\Windows\System\JotiZoZ.exe

Filesize
1.7MB

MD5
35552aa4ca100d49e082fa8cfcdec519

SHA1
88ff916a035be4b7e5ad2fcba3913b61092ec3f3

SHA256
484735d260565ca22459e88f61d8f78eb1c88265e1961e78bf22a05ce088a89e

SHA512
9cf92ddfa2d823d5caaca98f72411c94c94b437f102f244bd1535de41dc36e236fa6a1dbfca2dec2c6535ee82ed0ae06cde50e4d21f9f57fed9119b9e5171153

Download Submit
C:\Windows\System\MvFmVUO.exe

Filesize
1.7MB

MD5
ec7b2a4e39d242a9226070c27fae4ab7

SHA1
45767bf2dfdc59bd55f91770b029c6656ff97666

SHA256
9f7c1fd89be47df2120210f33bb798e4c487e0b88b17b81cd0f423946aae9861

SHA512
1ce4c1e8454ff1c49edaa08b2e2fa5a19e0c7ad69a4e3f9b9e4b87ce320de06c699e3d1ce6f75310c5b5d0dfd15a3ac3b1cea2cda1c6709ce7ff7517b758489e

Download Submit
C:\Windows\System\NPxNQlQ.exe

Filesize
1.7MB

MD5
c824d92293b5c1e91a33c640d95daa28

SHA1
dde1d559f97f367fbbe00f9558a6dffacd59fb3d

SHA256
31e55c151f9293a827c592ef64ed78fa5c96e19a2cbf779891a9472bc80e564a

SHA512
92e8c0d3d2336d1666e84b8597945b5ab3b6f576439ade9b1e4196a0db5f42018cf0e15f926eb04cf6ac1ab991aad89959ceca485eae24b77ca68bd551617d1f

Download Submit
C:\Windows\System\QMBMXLT.exe

Filesize
1.7MB

MD5
b1e4e31a173285caf592b8f10bd97099

SHA1
2064002c6b394e9eaa9e14e8923a48273c95e83a

SHA256
eb4ec117688a51f1c01b51cb16dc6375927baa5052df6480edb53a1986537265

SHA512
b76bddacfa951402c0e6fe5f7cdddfa33e895d3fa33908a78ed40c98cbc64c9aa987695d83b341d9d9b00f2b91c33491a9de548a4c591f88f7f48560949479ee

Download Submit
C:\Windows\System\TCujbZb.exe

Filesize
1.7MB

MD5
7ecadd8b26bd73b8b98a330e13b7650d

SHA1
3d27904249dd164adf3b5e15a940984a9c4c105d

SHA256
8ba881706c63435538ea0795a7d1a24c3a334b704eeed3d100c3a88c634f6ac8

SHA512
d8c3c5b993607b1b699ad423b5b75e4cd347d8457baf5f9d694b3e6d69ec15b5145fcaef4483e868fb20bb9d390a37ad866136b15d94a74df791dc106a8ac8e2

Download Submit
C:\Windows\System\TFklPSu.exe

Filesize
1.7MB

MD5
ad188e8d7ead472efe58190a66e8b4ec

SHA1
332e4263077547dc8d340bda9aaab0b4241bc686

SHA256
b910a1dc99a63188df09b4d2f305198bc3b6f37a215101a8027e3b0d9ac40f79

SHA512
362ea09f17c5f9f6a6278b4fd786c57d62e69dabfc1e72e47c9945ce02f8ee53b2441af905e35785ce85ff5c20eec37596dcc0b9e126181a4f7ae6ffb1d4343e

Download Submit
C:\Windows\System\TWPTESK.exe

Filesize
1.7MB

MD5
6c72c564ce74c2ddcd88c0595fe55603

SHA1
327a9cb4369d6a1a14d8d7b7cb2e38dcc84dbfc1

SHA256
bea7029b458823378a0e37c508b8c239ff50a8a535d3d2d2a3327f9d23fe8d88

SHA512
eec2a9173ce93ecdd7b4c40bb01052c77c6eb19e83b7005d6289fbc7a84b6535226a37cd2d995428ab4eb72d0e79f52cb7d2cf02b35a527d8a491e8658a37514

Download Submit
C:\Windows\System\TdmvIMM.exe

Filesize
1.7MB

MD5
d5d7c2f045deca1fbf653a16e51cb5f1

SHA1
49f84e5be7eafe22871427272757e14c5f9dbb9b

SHA256
f1dd1f7d2c75ae3d92d506f06e5e00b650203829abaad5130d76bb58b8ee8244

SHA512
fe43f2e672b8e996c1b68a31a47ea65fbdf5522bb2e966bc62572f5f18e1b75bcf5814d5ab9e13f47ecf171a56257c15b6408be779df4a8fa29f6e007842210c

Download Submit
C:\Windows\System\UCabxyz.exe

Filesize
1.7MB

MD5
f5174db0b4bf4e6b4d25ebc25e585d5c

SHA1
fe8f0f9109d47122f9e8f81c32b3b783e509e111

SHA256
1a6241e21db480fb3edb2875bb5daae0635e06141548a0e9b58f7df26b39da3e

SHA512
3a09db971328032921cd6ee7b3e11184f3a1c28346e392cab5615ace6ad1c2f9a9bc7a94eb020620e438946c95c858f648bb8463d12c550634d7fa988571c4eb

Download Submit
C:\Windows\System\UvpdXQP.exe

Filesize
1.7MB

MD5
26058f7ddcf24c354fd0f2bcef0b7b25

SHA1
74edb8b33654dbbbe3f59367ad2cf871060c3635

SHA256
ee50a357e2f735e3c8f55c330b21cc0e5364caefbf99bbe5d90b71a1e7c4eb0f

SHA512
7c3dd7c7e7b74a61ef8cd49bbf22a878c692b42d945cb773e2b8086a342f79078f0d21a1fa170cc1faf40488e43aa309e693c45c4af718d25b3e239458b2cf07

Download Submit
C:\Windows\System\ZkhxNsK.exe

Filesize
1.7MB

MD5
ce1d7fb1c8dc635176882dd024e8359e

SHA1
c57bcdb49db9ba91799349e9d8680768db08e669

SHA256
794880e441814af474486b987ad0708f540f8ebc54a8581976f89b775a65f314

SHA512
607b1abbd6c79eb5aaebd209bab48ba23b7ae457db8831406543e8cd43af0516a12c1a48cab5f26bde1376be6084a9c1b4e407c2b166b0125bbba939c4eaeaeb

Download Submit
C:\Windows\System\cUaBSDx.exe

Filesize
1.7MB

MD5
4ef8004bcc9c6ff971cdad89d59e4e46

SHA1
0e7563f117e84959bc9df6742a18ba7efe869eba

SHA256
627b29eda5bd144b7bfa24fab9ae9fab96d4c1d5143c263b81fa98e2ea92b288

SHA512
93721c80e23443963ad0f19ab24a16841c85ca053f87e6ee1c384847a3a5e37e6c475ff6371fa78e635d11b138872abd94b22c681d1611210de4b3fa39f2823f

Download Submit
C:\Windows\System\cuNDzUr.exe

Filesize
1.7MB

MD5
ae54417d7c34c78e818f327e6085c491

SHA1
8f3b7ab84d3ca7965de9acbb686566f297b29eb8

SHA256
e69f653e70e4372156b8741bad1655b46b53da6a9249bb937a2c87277ff22202

SHA512
49af0c957ef1e03850b39c0deece58f82ec66fd37fa1c32543cf08d4373bb382fe19626355730b7ab0cb61ae5deae41b82f0f89214efe6aa5b38c3d2906cfbb6

Download Submit
C:\Windows\System\dwVbqAD.exe

Filesize
1.7MB

MD5
ffee4063961d9a6c83686f790c7b83e1

SHA1
295d1afd916b39253f773a73c114be54ddf51547

SHA256
639070e837b479a1df0ba70fd85893f3b5f0410160d0f9750826cc30b7a77053

SHA512
d4f819cd71eef74945d50d92065f66762aa09ea1132ac29a58387c6c4f92000bc140c519148edf661a0383816199ef39f2b1cfb8c7cd035bd3a349ac1f9a1e17

Download Submit
C:\Windows\System\dxoaOXJ.exe

Filesize
1.7MB

MD5
49f0bf16855dd45adabcd2be6ac50f10

SHA1
404906c44aeef9238d174bd109e08d1930658993

SHA256
4e49a317d1f27c4aa40abd1613f7d0f0e9303cb1bd32cdc7f0038fdb87895e2e

SHA512
dcc6d23f43e8d1a9977f1fe663a67fd5779574f8c4a527d10202732041df34e7554a829ce3b0651dc3faaf74f490bf93d21a1c3b9ddfca65b7d8eddadff64599

Download Submit
C:\Windows\System\eWpRtYE.exe

Filesize
1.7MB

MD5
6f5111a5861aefefa23f12e96f8904aa

SHA1
05d147a73b9acc14b92877411847a33e8e93a847

SHA256
8f464475e8869a5f90c08b8fee25047398e9bbf39bc2328d5bb00ebde8988ce2

SHA512
ce4680016749b8707ec1972676a1bf021a785485018498dd4e42e6bf9997f9d88d47a2697e3ed018e2a66b4576fdfb8dce3bee95f095711bd15e39dc32ea8f09

Download Submit
C:\Windows\System\gpHkQUw.exe

Filesize
1.7MB

MD5
a5aa264353d1ac53201a2eed222fd0ca

SHA1
ebd58498de60ba65843b13c50ac299ca79376880

SHA256
79e554402c7dd27335543a9365c439814f1ad1921a828511addf593c0ec04127

SHA512
ec22210f42bda8be1419107a78e44e66dae67f37728c9f97e28920fd7d3567876569e37f6a2a3d6e8f8bf87ff4a687398e6421d96ffe230da4ec977f1d932712

Download Submit
C:\Windows\System\hWdxMWJ.exe

Filesize
1.7MB

MD5
8d3efefaa0a15bacec8939f78a4eb858

SHA1
cfffc4499a9491d0dc46f6575d948face164123e

SHA256
2bb522dceda790b56c1bcfd42f3f71ec41fda3025083ca7db03ea623c7ff98e9

SHA512
6f98dec72cf8079567a289d1e555266bb097a456dabeda7cc3f581972f61c7fccbcf6909d9bc37cc43fb7b9aeb46646b731b3f30f1013a3a7914473034b1e685

Download Submit
C:\Windows\System\iAwpRmv.exe

Filesize
1.7MB

MD5
c0ef37ac133907ea377ff0698fe8855e

SHA1
e14bef47cabf36342cef540eaf1f081c0068f123

SHA256
e2c50c6de5028458e16b0145b61238a5f81e7e8c4199e4307f1e52921e9c292c

SHA512
03ba88984f529f086568ac9afc4beafb7065cb4dea6773ed14e078ffd5894e2e78f9ea5f4514f2e92da415845310a7b8dd58d394de9d536020341da8ddc7c3a4

Download Submit
C:\Windows\System\jmKgjxb.exe

Filesize
1.7MB

MD5
c10cc675c75567ff1540226de942ff08

SHA1
9cfde3354ccc544f15364fbaab2cbae1eab0c333

SHA256
0884d0e2fd78de9f1eff76d5eb43fb37bc58c52adb54400f395548a34937e1fe

SHA512
c3f4e9873a17779407f22c07f15dbeee928cb1308fefdf425e2969fab8b860c86cfbb534277027747fa4817dd80eaa1cd87a7635ec5e79506041434f1268350c

Download Submit
C:\Windows\System\kwNXOFN.exe

Filesize
1.7MB

MD5
72885b78cc93e11925a9491cdbdfafc2

SHA1
d82a4422424767001f397d007f84b0b09804af31

SHA256
11fb09975cc03ca2f8af92143c28de0096fbd2ed7d94689f74e34a84fc7e241f

SHA512
f9f0784922a30552f5425986b3cafa157d3f6cf9d406d03c68e69c173a950400eb7311c38aeaf9d3eaa2414d0c26cb8564cf02ed1f9aac93a27a833fed3e6541

Download Submit
C:\Windows\System\mRRdrPz.exe

Filesize
1.7MB

MD5
90feba51f1f6d29d275bfde4d3ca5e81

SHA1
954b456f26ce57d3971eb60fba1f9aa0fd84b919

SHA256
fdb116b6ff3efc5ac27c2e13d571c4c31eddbe53d0c1a0bec0031527fcba1d53

SHA512
74c98df11be2d5bcf39eb58ca8465ddd5a2c1746c13d07583871478218677503c16418107e692fa38b07b620f3766c83ffb027b0435be48a43fc2aa68d85db14

Download Submit
C:\Windows\System\mwDLiNe.exe

Filesize
1.7MB

MD5
2c95dce2fee5e7afe266eb9c080194e0

SHA1
ef745dc23d21811ed933630cc6d77c283380aef0

SHA256
ea42997ea619f854677d127c6df01eb417be4a09b6a199268492dbc5bd26fd9f

SHA512
426f575c69a8005bc5fbd283fe785c316cb9a9ef6d0be1b2208786a7e0c5526c732a927e1fa6f99578e715d0757bc4f6d7546e803feb0086fb92e3e5edfe8916

Download Submit
C:\Windows\System\nuCZDsJ.exe

Filesize
1.7MB

MD5
7eb7f521e1731e878da31de967e75628

SHA1
d951564e4f29934d395e9a8c76cc6621a1c711c4

SHA256
436ad365bd5ddc268e1c694d29caef4f617f7b22a0a6d7355724aa3df08fd3c4

SHA512
99f6b12402a9c4a5fa28742c4c60968ec9806ed85402d90b50f4b012e06773b8cc0fad49c5e8a5da813ea70b77e2ed5e146dfd122cbb2593a62744e8355ab76b

Download Submit
C:\Windows\System\oHBsOCx.exe

Filesize
1.7MB

MD5
8d808be585e5474a38391b00cf9e6ae8

SHA1
c9abd031e3d6adf4a6a34f904fcb47423b51e997

SHA256
089b343d1153af3e2801d1586c333c91d81e9429b4ded5ff8f95df4dfbd9c44d

SHA512
2cc60b0486b9fd483f849445fa477b63969d9f0f1bf23fc537395a135443d5ed2617b632a56e24624db1ec867dacd7b55a9922db63d284d407f3654dd80b0fdc

Download Submit
C:\Windows\System\rpkxWUj.exe

Filesize
1.7MB

MD5
d780c50b00558494cd0fc1c8228db04f

SHA1
a5fd14e2ca0fc24c2bb425db3048349306d6c3ce

SHA256
b80b769d58f6d3f08bd483fc868736ec17ade3a5ad6a38425282a1a573b1ef4d

SHA512
8cf95c827c07fabacca53a747d9ff539eeb8c97332601ff10231dcb1e4881112e04db29c2fa6cf30ecc4893726730d54a8cd1204735f910752f15094f204cfd7

Download Submit
C:\Windows\System\sUpuoUa.exe

Filesize
1.7MB

MD5
a7a07eb6e934276e1ba74776039ef1f9

SHA1
bfe249fd879585e980f0909d575f0a3b5b0a8a47

SHA256
387dbb60b2a11aa0b9917cdfb0b43d49487d87a9bc33c5ebf69523e2d7220664

SHA512
096c88d3d26c52a60de335bfa8fa4c164e00378683b66eedae1030cfed0408c27c8495064b48d781d8e80077b59ff96f2326ff241d21711cecb5548ae1480e8b

Download Submit
memory/392-2119-0x00007FF6633A0000-0x00007FF6636F4000-memory.dmp

Filesize
3.3MB

Download
memory/392-2112-0x00007FF6633A0000-0x00007FF6636F4000-memory.dmp

Filesize
3.3MB

Download
memory/392-32-0x00007FF6633A0000-0x00007FF6636F4000-memory.dmp

Filesize
3.3MB

Download
memory/668-200-0x00007FF639170000-0x00007FF6394C4000-memory.dmp

Filesize
3.3MB

Download
memory/668-2133-0x00007FF639170000-0x00007FF6394C4000-memory.dmp

Filesize
3.3MB

Download
memory/860-215-0x00007FF72EE50000-0x00007FF72F1A4000-memory.dmp

Filesize
3.3MB

Download
memory/860-2143-0x00007FF72EE50000-0x00007FF72F1A4000-memory.dmp

Filesize
3.3MB

Download
memory/1208-2130-0x00007FF7196F0000-0x00007FF719A44000-memory.dmp

Filesize
3.3MB

Download
memory/1208-222-0x00007FF7196F0000-0x00007FF719A44000-memory.dmp

Filesize
3.3MB

Download
memory/1388-212-0x00007FF7AE1D0000-0x00007FF7AE524000-memory.dmp

Filesize
3.3MB

Download
memory/1388-2137-0x00007FF7AE1D0000-0x00007FF7AE524000-memory.dmp

Filesize
3.3MB

Download
memory/1540-2110-0x00007FF7835F0000-0x00007FF783944000-memory.dmp

Filesize
3.3MB

Download
memory/1540-2117-0x00007FF7835F0000-0x00007FF783944000-memory.dmp

Filesize
3.3MB

Download
memory/1540-12-0x00007FF7835F0000-0x00007FF783944000-memory.dmp

Filesize
3.3MB

Download
memory/1564-2109-0x00007FF6574C0000-0x00007FF657814000-memory.dmp

Filesize
3.3MB

Download
memory/1564-1-0x000001B8ED790000-0x000001B8ED7A0000-memory.dmp

Filesize
64KB

Download
memory/1564-0-0x00007FF6574C0000-0x00007FF657814000-memory.dmp

Filesize
3.3MB

Download
memory/1652-217-0x00007FF75B110000-0x00007FF75B464000-memory.dmp

Filesize
3.3MB

Download
memory/1652-2140-0x00007FF75B110000-0x00007FF75B464000-memory.dmp

Filesize
3.3MB

Download
memory/1864-2115-0x00007FF7A35C0000-0x00007FF7A3914000-memory.dmp

Filesize
3.3MB

Download
memory/1864-83-0x00007FF7A35C0000-0x00007FF7A3914000-memory.dmp

Filesize
3.3MB

Download
memory/1864-2123-0x00007FF7A35C0000-0x00007FF7A3914000-memory.dmp

Filesize
3.3MB

Download
memory/1944-213-0x00007FF7A4DE0000-0x00007FF7A5134000-memory.dmp

Filesize
3.3MB

Download
memory/1944-2136-0x00007FF7A4DE0000-0x00007FF7A5134000-memory.dmp

Filesize
3.3MB

Download
memory/2696-2121-0x00007FF7BFF10000-0x00007FF7C0264000-memory.dmp

Filesize
3.3MB

Download
memory/2696-50-0x00007FF7BFF10000-0x00007FF7C0264000-memory.dmp

Filesize
3.3MB

Download
memory/2696-2113-0x00007FF7BFF10000-0x00007FF7C0264000-memory.dmp

Filesize
3.3MB

Download
memory/2704-2125-0x00007FF6DAC90000-0x00007FF6DAFE4000-memory.dmp

Filesize
3.3MB

Download
memory/2704-164-0x00007FF6DAC90000-0x00007FF6DAFE4000-memory.dmp

Filesize
3.3MB

Download
memory/2728-2127-0x00007FF623310000-0x00007FF623664000-memory.dmp

Filesize
3.3MB

Download
memory/2728-142-0x00007FF623310000-0x00007FF623664000-memory.dmp

Filesize
3.3MB

Download
memory/3272-221-0x00007FF71CCA0000-0x00007FF71CFF4000-memory.dmp

Filesize
3.3MB

Download
memory/3272-2126-0x00007FF71CCA0000-0x00007FF71CFF4000-memory.dmp

Filesize
3.3MB

Download
memory/3444-2118-0x00007FF673440000-0x00007FF673794000-memory.dmp

Filesize
3.3MB

Download
memory/3444-27-0x00007FF673440000-0x00007FF673794000-memory.dmp

Filesize
3.3MB

Download
memory/3444-2111-0x00007FF673440000-0x00007FF673794000-memory.dmp

Filesize
3.3MB

Download
memory/3596-219-0x00007FF7D4980000-0x00007FF7D4CD4000-memory.dmp

Filesize
3.3MB

Download
memory/3596-2145-0x00007FF7D4980000-0x00007FF7D4CD4000-memory.dmp

Filesize
3.3MB

Download
memory/3692-92-0x00007FF77F7E0000-0x00007FF77FB34000-memory.dmp

Filesize
3.3MB

Download
memory/3692-2116-0x00007FF77F7E0000-0x00007FF77FB34000-memory.dmp

Filesize
3.3MB

Download
memory/3692-2128-0x00007FF77F7E0000-0x00007FF77FB34000-memory.dmp

Filesize
3.3MB

Download
memory/3736-2120-0x00007FF7712C0000-0x00007FF771614000-memory.dmp

Filesize
3.3MB

Download
memory/3736-124-0x00007FF7712C0000-0x00007FF771614000-memory.dmp

Filesize
3.3MB

Download
memory/3920-159-0x00007FF701C90000-0x00007FF701FE4000-memory.dmp

Filesize
3.3MB

Download
memory/3920-2124-0x00007FF701C90000-0x00007FF701FE4000-memory.dmp

Filesize
3.3MB

Download
memory/4012-208-0x00007FF717040000-0x00007FF717394000-memory.dmp

Filesize
3.3MB

Download
memory/4012-2138-0x00007FF717040000-0x00007FF717394000-memory.dmp

Filesize
3.3MB

Download
memory/4052-223-0x00007FF75BD70000-0x00007FF75C0C4000-memory.dmp

Filesize
3.3MB

Download
memory/4052-2129-0x00007FF75BD70000-0x00007FF75C0C4000-memory.dmp

Filesize
3.3MB

Download
memory/4232-216-0x00007FF66DE80000-0x00007FF66E1D4000-memory.dmp

Filesize
3.3MB

Download
memory/4232-2142-0x00007FF66DE80000-0x00007FF66E1D4000-memory.dmp

Filesize
3.3MB

Download
memory/4244-220-0x00007FF730040000-0x00007FF730394000-memory.dmp

Filesize
3.3MB

Download
memory/4244-2132-0x00007FF730040000-0x00007FF730394000-memory.dmp

Filesize
3.3MB

Download
memory/4332-2134-0x00007FF6A3820000-0x00007FF6A3B74000-memory.dmp

Filesize
3.3MB

Download
memory/4332-192-0x00007FF6A3820000-0x00007FF6A3B74000-memory.dmp

Filesize
3.3MB

Download
memory/4420-207-0x00007FF7CB900000-0x00007FF7CBC54000-memory.dmp

Filesize
3.3MB

Download
memory/4420-2131-0x00007FF7CB900000-0x00007FF7CBC54000-memory.dmp

Filesize
3.3MB

Download
memory/4484-2122-0x00007FF615980000-0x00007FF615CD4000-memory.dmp

Filesize
3.3MB

Download
memory/4484-2114-0x00007FF615980000-0x00007FF615CD4000-memory.dmp

Filesize
3.3MB

Download
memory/4484-60-0x00007FF615980000-0x00007FF615CD4000-memory.dmp

Filesize
3.3MB

Download
memory/4680-2135-0x00007FF7B0B40000-0x00007FF7B0E94000-memory.dmp

Filesize
3.3MB

Download
memory/4680-199-0x00007FF7B0B40000-0x00007FF7B0E94000-memory.dmp

Filesize
3.3MB

Download
memory/4936-218-0x00007FF73B0E0000-0x00007FF73B434000-memory.dmp

Filesize
3.3MB

Download
memory/4936-2141-0x00007FF73B0E0000-0x00007FF73B434000-memory.dmp

Filesize
3.3MB

Download
memory/5068-2144-0x00007FF69F900000-0x00007FF69FC54000-memory.dmp

Filesize
3.3MB

Download
memory/5068-214-0x00007FF69F900000-0x00007FF69FC54000-memory.dmp

Filesize
3.3MB

Download
memory/5092-2139-0x00007FF7E3CF0000-0x00007FF7E4044000-memory.dmp

Filesize
3.3MB

Download
memory/5092-224-0x00007FF7E3CF0000-0x00007FF7E4044000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads